Tom Eastep
2016-12-20 23:37:12 UTC
I'm trying to run traceroute from a Raspberry Pi on one side of
shorewall through to the Internet on the other, for the purposes of
an Internet routing lesson.
I can detect some hosts on the far side of shorewall but not as
many as I was hoping (possibly due to ISP filtering), even though I
didn't think to add a rule for returning icmp timeout packets. On
reflection, perhaps I ought to have since a rule is needed for
ping. Does this indicate that shorewall passes some icmp packets by
default, and if so, which? I don't immediately see anything on this
in the documentation.

Netfilter connection tracking will classify returned icmp packets as
RELATED to the original outgoing packet, and Shorewall accepts RELATED
packets by default.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
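
The RELATED classification described in the reply above, as an added example that is not part of the original message and is not Shorewall or Netfilter code: an ICMP error carries the IP header and first 8 bytes of the packet that triggered it, and that embedded header is what gets matched against already-tracked flows. The addresses, ports and the `classify` and `flow_key` helpers are constructed for illustration, and checksums are not validated.

```python
import socket
import struct

# ICMP types that report an error about an earlier packet:
# unreachable, source quench, redirect, time exceeded, parameter problem
ICMP_ERRORS = {3, 4, 5, 11, 12}

def ipv4(src, dst, proto, payload, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left at 0) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def flow_key(pkt):
    """(proto, src, sport, dst, dport); UDP/TCP ports are the first 4 payload bytes."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return (pkt[9], socket.inet_ntoa(pkt[12:16]), sport,
            socket.inet_ntoa(pkt[16:20]), dport)

def classify(pkt, tracked):
    """State an inbound ICMP error would get, given the set of tracked outgoing flows."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != socket.IPPROTO_ICMP or pkt[ihl] not in ICMP_ERRORS:
        return "NOT_ICMP_ERROR"
    inner = pkt[ihl + 8:]            # skip the 8-byte ICMP header
    if len(inner) < 20:              # no complete embedded IP header
        return "INVALID"
    try:
        return "RELATED" if flow_key(inner) in tracked else "INVALID"
    except struct.error:             # embedded packet truncated before the ports
        return "INVALID"

# Constructed sample: a UDP traceroute probe with TTL 1 leaving the Pi ...
PROBE = ipv4("192.168.1.50", "198.51.100.7", socket.IPPROTO_UDP,
             struct.pack("!HHHH", 40000, 33434, 8, 0), ttl=1)
TRACKED = {flow_key(PROBE)}          # what the firewall recorded on the way out

# ... the time-exceeded (type 11) reply from the first router, quoting the probe ...
TIME_EXCEEDED = ipv4("203.0.113.1", "192.168.1.50", socket.IPPROTO_ICMP,
                     struct.pack("!BBHI", 11, 0, 0, 0) + PROBE[:28])

# ... and an unsolicited error quoting a packet the firewall never saw leave.
UNSEEN = ipv4("192.168.1.50", "198.51.100.7", socket.IPPROTO_UDP,
              struct.pack("!HHHH", 40000, 33999, 8, 0))
STRAY = ipv4("203.0.113.1", "192.168.1.50", socket.IPPROTO_ICMP,
             struct.pack("!BBHI", 11, 0, 0, 0) + UNSEEN[:28])

if __name__ == "__main__":
    print(classify(TIME_EXCEEDED, TRACKED), classify(STRAY, TRACKED))
```
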