Hello Olivier,

On Thursday 01 March 2001 16:22, Olivier Mueller wrote:
On Thu, Mar 01, 2001 at 03:57:25PM +0100, Martin Leweling wrote:
Any idea of what I could change to allow these icmp packets to come in?
The last item in your log entries (#3) should indicate the offending rule. It's rule no. 3 in your output chain.
I know that :) But this is the original susefirewall script, and I don't see which one it is. If I see correctly, it's one of the first chains, the one with DENY everything...
Ah, I see ... Well, I think I found it in /sbin/SuSEfirewall: look for the following lines (I have SuSE 7.0 here, so I don't know about changes in SuSE 7.1):

--------------------------------------------------------
for i in $DEV_WORLD; do
    ....
    test "$FW_ALLOW_FW_TRACEROUTE" = yes || {
        $IPCHAINS -A output -j "$DENY" -p icmp -s $i 11 $LDC # Time exceeded
        $IPCHAINS -A output -j "$DENY" -p icmp -s $i 3 $LDC # Unreachable
    }
done
--------------------------------------------------------

So the FW_ALLOW_FW_TRACEROUTE variable is set to yes in /etc/rc.config.d/firewall.rc.config. Ha! It's in the "expert section". You knew what you were doing, now didn't you ... ;-) Ok, forgive me ... ;-)

You could either set it to "no" or uncomment the second $IPCHAINS line above and see what happens when you restart your firewall.

Hope this helps ...
Olivier
Regards,
Martin

--
Martin Leweling
Institut fuer Planetologie, WWU Muenster
Wilhelm-Klemm-Str. 10, 48149 Muenster, Germany
E-Mail (work): lewelin@uni-muenster.de
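
Added example, not part of the original thread or of the SuSEfirewall script: a dry run of the guard quoted above, showing for which value of FW_ALLOW_FW_TRACEROUTE the two ICMP DENY rules are appended to the output chain. ipchains is replaced by echo, and the function names, the address 192.0.2.1 and the value given to LDC are assumptions made for the illustration.

```shell
#!/bin/sh
# Dry run of the guard from the quoted excerpt. Nothing touches a real
# firewall: IPCHAINS is "echo ipchains", so each rule that would be
# appended is printed instead. Address and LDC value are constructed.

emit_icmp_rules() {
    # $1: value of FW_ALLOW_FW_TRACEROUTE; remaining args: source addresses
    FW_ALLOW_FW_TRACEROUTE=$1
    shift
    IPCHAINS="echo ipchains"
    DENY="DENY"
    LDC="-l"    # assumption: placeholder for whatever $LDC expands to
    for i in "$@"; do
        # Same construct as the excerpt: the block after || runs only
        # when the test fails, i.e. when the variable is NOT "yes".
        test "$FW_ALLOW_FW_TRACEROUTE" = yes || {
            $IPCHAINS -A output -j "$DENY" -p icmp -s "$i" 11 $LDC  # Time exceeded
            $IPCHAINS -A output -j "$DENY" -p icmp -s "$i" 3 $LDC   # Unreachable
        }
    done
}

count_rules() {
    # Number of rules the guard would append for the given setting.
    emit_icmp_rules "$@" | wc -l | tr -d ' '
}

for setting in yes no; do
    echo "FW_ALLOW_FW_TRACEROUTE=$setting: $(count_rules "$setting" 192.0.2.1) DENY rule(s)"
    emit_icmp_rules "$setting" 192.0.2.1
done
```

On a live system, `ipchains -L output -n --line-numbers` lists the output chain with rule numbers, which can be compared against the rule number reported in the log entry.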