Very Computer

I can ping external addresses no problem, but no external traceroutes can
get through.  Traceroutes to internal addresses are fine though, of course
they are only one or two hops :-)

I am pretty sure that traceroute uses UDP packets by default, but NTPDate
can get through just fine and that also is set to use UDP packets.

Does this originate with my router or with the firewall settings of my
system itself?  Do I need to open a certain port on my router for UDP
traffic to allow traceroute probes to come back?  Or perhaps modify ipchains
on this system?

Anyone have any clues or ideas as to what the issue is here?

TIA!

[followups set to c.o.l.a.]

--
rapskat -  11:10pm  up 2 days, 23:04,  4 users,  load average: 0.14, 0.25, 0.26
111 processes: 109 sleeping, 1 running, 1 zombie, 0 stopped
CPU states:  1.0% user,  0.7% system,  0.0% nice,  0.8% idle

In a museum in Havana, there are two skulls of Christopher Columbus,
"one when he was a boy and one when he was a man."
                -- Mark Twain

        traceroute does use UDP (the return packets are ICMP though). If the
timeouts are originating from the first hop, then that machine is very
likely restricting UDP ports. In order for traceroute to work, the UDP
packets are sent to a very high port number that typically is not used
by other applications. If the first hop is a firewall which doesnt allow
traffic for those ports to go through, traceroute wont work even though
other UDP applications (which may be explicitly permitted by that
machine) work.

Regards,
Kenneth

Traceroute uses UDP packets. By default it starts with port 33434 and
increments it by one each probe. As the default maximum hop count is 30
and the default number of probes per hop is three, you probably want to
open 90 ports from 33434 outbound. Note that the man page is misleading
on this point. You also need to ensure that the ICMP port unreachable
responses can get back in.

As you can traceroute to internal addresses but not external, I suspect
that the block is on your router, or you have a firewall rule which
allows ICMP port unreachables from your LAN but not the Internet.

Regards, Ian

I can ping external addresses no problem, but no external traceroutes can
get through.  Traceroutes to internal addresses are fine though, of course
they are only one or two hops :-)

I am pretty sure that traceroute uses UDP packets by default, but NTPDate
can get through just fine and that also is set to use UDP packets.

Does this originate with my router or with the firewall settings of my
system itself?  Do I need to open a certain port on my router for UDP
traffic to allow traceroute probes to come back?  Or perhaps modify ipchains
on this system?

Anyone have any clues or ideas as to what the issue is here?

TIA!

[followups set to c.o.l.a.]

--
rapskat -  11:10pm  up 2 days, 23:04,  4 users,  load average: 0.14, 0.25, 0.26
111 processes: 109 sleeping, 1 running, 1 zombie, 0 stopped
CPU states:  1.0% user,  0.7% system,  0.0% nice,  0.8% idle

In a museum in Havana, there are two skulls of Christopher Columbus,
"one when he was a boy and one when he was a man."
                -- Mark Twain

Quote:> Do I need to open a certain port on my router for UDP
> traffic to allow traceroute probes to come back?

A generic approach is to set your system up in a very normal,
non-specialized way, confirm that traceroute works, than add the more
restrictive elements of your present configuration one by one until the
problem arises.

--
Paul Lutus
www.arachnoid.com

Quote:> Whenever I try to do a traceroute to any external address, all of the probes
> timout from the first.

> I can ping external addresses no problem, but no external traceroutes can
> get through.  Traceroutes to internal addresses are fine though, of course
> they are only one or two hops :-)

> I am pretty sure that traceroute uses UDP packets by default, but NTPDate
> can get through just fine and that also is set to use UDP packets.

To do traceroutes, I now use "MTR", which combines the
functionality of ping and traceroute into a single program.

MTR -- <http://www.bitwizard.nl/mtr>

--
Tokra

Quote:> Whenever I try to do a traceroute to any external address, all of the
> probes timout from the first.

Hey, how'd this get reposted?

Please ignore.  Situation resolved.

--
rapskat -  12:38pm  up 4 days, 12:32,  3 users,  load average: 6.83, 5.35, 2.96
128 processes: 116 sleeping, 12 running, 0 zombie, 0 stopped
CPU states:  0.1% user,  0.9% system,  0.0% nice,  1.0% idle

hubub, hubub, HUBUB, hubub, hubub, hubub, HUBUB, hubub, hubub, hubub.

Quote:> There are documented problems with some Cable/DSL routers and doing
> traceroutes, some of which are solved by updating firmware. No matter what
> firmware version I installed in my Linksys BEFSR41 router, I have not been
> able to do any UDP traceroutes (outside the LAN) even if the machine doing
> them is in a DMZ.

Quote:> To do traceroutes, I now use "MTR", which combines the functionality of
> ping and traceroute into a single program.

> MTR -- <http://www.bitwizard.nl/mtr>

--
rapskat -   1:04pm  up 4 days, 12:58,  3 users,  load average: 0.64, 0.54, 1.21
113 processes: 110 sleeping, 3 running, 0 zombie, 0 stopped
CPU states:  0.2% user,  1.0% system,  0.0% nice,  0.2% idle

The more things change, the more they stay insane.