Unable to "traceroute" externally (firewall rule has been created)



  • I hope the learned brethren will forgive me if I am being “thick” (quite likely) but I am struggling to create a rule (that works) to allow outbound ICMP from my LAN to the Internet.

    For Egress Filtering purposes I have set a default deny all (as the default final rule) from my LAN and have set up specific allow outbound traffic rules e.g. allow 80/443/53 which work fine.

    I want to be able to “ping” and use “traceroute” to external sites and have created a specific rule to allow this. (see below)

    FirewallRules.png

    Having created and applied this rule on the LAN interface I can now successfully (as expected) “ping” external sites from an internal network client (192.168.123.250) via my pfSense firewall (192.168.123.254)

    e.g.

    casper@GHOST19:~$ ping bbc.co.uk
    PING bbc.co.uk (151.101.64.81) 56(84) bytes of data.
    64 bytes from 151.101.64.81 (151.101.64.81): icmp_seq=1 ttl=58 time=25.5 ms
    64 bytes from 151.101.64.81 (151.101.64.81): icmp_seq=2 ttl=58 time=25.6 ms
    64 bytes from 151.101.64.81 (151.101.64.81): icmp_seq=3 ttl=58 time=25.3 ms

    However when I try a traceroute it appears to pause at the firewall (I am using Linux Mint 19.1 as the client)

    casper@GHOST19:~$ traceroute bbc.co.uk
    traceroute to bbc.co.uk (151.101.0.81), 30 hops max, 60 byte packets
    1 Wibble.Wobble (192.168.123.254) 0.336 ms 0.223 ms 0.293 ms
    casper@GHOST19:~$

    Undertaking a simultaneous packet capture on the firewall shows multiple UDP packets blocked

    14:39:27.482157 IP 192.168.123.254 > 192.168.123.250: ICMP 151.101.0.81 udp port 33435 unreachable, length 36
    14:39:27.482177 IP 192.168.123.254 > 192.168.123.250: ICMP 151.101.0.81 udp port 33434 unreachable, length 36
    14:39:27.482193 IP 192.168.123.254 > 192.168.123.250: ICMP 151.101.0.81 udp port 33436 unreachable, length 36
    14:39:27.482206 IP 192.168.123.254 > 192.168.123.250: ICMP 151.101.0.81 udp port 33438 unreachable, length 36
    14:39:27.482219 IP 192.168.123.254 > 192.168.123.250: ICMP 151.101.0.81 udp port 33437 unreachable, length 36
    14:39:27.482231 IP 192.168.123.254 > 192.168.123.250: ICMP 151.101.0.81 udp port 33441 unreachable, length 36
    14:39:27.482245 IP 192.168.123.254 > 192.168.123.250: ICMP 151.101.0.81 udp port 33439 unreachable, length 36
    14:39:27.482258 IP 192.168.123.254 > 192.168.123.250: ICMP 151.101.0.81 udp port 33442 unreachable, length 36
    14:39:27.482273 IP 192.168.123.254 > 192.168.123.250: ICMP 151.101.0.81 udp port 33440 unreachable, length 36
    14:39:27.482286 IP 192.168.123.254 > 192.168.123.250: ICMP 151.101.0.81 udp port 33443 unreachable, length 36
    14:39:27.482304 IP 192.168.123.254 > 192.168.123.250: ICMP 151.101.0.81 udp port 33444 unreachable, length 36
    14:39:27.482319 IP 192.168.123.254 > 192.168.123.250: ICMP 151.101.0.81 udp port 33445 unreachable, length 36
    14:39:27.482333 IP 192.168.123.254 > 192.168.123.250: ICMP 151.101.0.81 udp port 33448 unreachable, length 36
    14:39:27.482346 IP 192.168.123.254 > 192.168.123.250: ICMP 151.101.0.81 udp port 33446 unreachable, length 36
    14:39:27.482376 IP 192.168.123.254 > 192.168.123.250: ICMP 151.101.0.81 udp port 33449 unreachable, length 36
    14:39:27.482391 IP 192.168.123.254 > 192.168.123.250: ICMP 151.101.0.81 udp port 33447 unreachable, length 36

    and my Firewall Logs show multiple blocked UDP packets destined for the subject traceroute target site (see below).

    FirewallLog.png

    I have a number of firewall LAN rules configured, so to eliminate this issue being caused by a prior rule I have tried ordering this ICMP allow rule at the top of the tree but without success.

    Disabling the Allow ICMP firewall LAN rule (as expected) stops "ping" working externally, but I am at a loss as to why traceroute is not functional.

    I would be most grateful if anyone could review the above and see if they can identify what I might be doing wrong.

    Finally I should add I have rebooted the firewall (just in case!).

    Thanks



  • @farrina said in Unable to "traceroute" externally (firewall rule has been created):

    However when I try a traceroute it appears to pause at the firewall (I am using Linux Mint 19.1 as the client)

    Undertaking a simultaneous packet capture on the firewall shows multiple UDP packets blocked

    Well there is your answer, the traceroute binary on your Linux distribution is using UDP instead of ICMP for the traceroute. Check its man page to see if there is an option to use ICMP or use a different traceroute binary. Do some RTFM for Linux Mint.
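    The diagnosis above can be checked mechanically against the capture posted earlier: classic traceroute sends UDP probes to destination ports starting at 33434 (the range 33434-33534 is the conventional "traceroute" range), so the port numbers in the firewall's "udp port N unreachable" replies are the tell-tale. The script below is an added example, not code from the thread or from the pfSense project. It parses tcpdump-style lines (a constructed sample copied in the style of the capture above, plus one non-traceroute UDP port and one ping line to show what is ignored), reports which rejected ports fall in the traceroute range, and prints a candidate pf(4) rule; the interface name and LAN network in that rule are assumed placeholders, and on pfSense the equivalent rule would be entered on the LAN tab rather than in pf.conf.

```python
import re

# Constructed sample in the style of the thread's capture: three real-looking
# traceroute probes, one unrelated UDP/53 rejection and one ping line.
SAMPLE_CAPTURE = """\
14:39:27.482157 IP 192.168.123.254 > 192.168.123.250: ICMP 151.101.0.81 udp port 33435 unreachable, length 36
14:39:27.482177 IP 192.168.123.254 > 192.168.123.250: ICMP 151.101.0.81 udp port 33434 unreachable, length 36
14:39:27.482193 IP 192.168.123.254 > 192.168.123.250: ICMP 151.101.0.81 udp port 33436 unreachable, length 36
14:39:27.482200 IP 192.168.123.254 > 192.168.123.250: ICMP 151.101.0.81 udp port 53 unreachable, length 36
14:39:28.000000 IP 192.168.123.250 > 151.101.64.81: ICMP echo request, id 1, seq 1, length 64
"""

# Classic (UDP) traceroute starts at destination port 33434 and increments it
# per probe; 33434-33534 is the range firewalls conventionally treat as traceroute.
TRACEROUTE_UDP_PORTS = range(33434, 33535)

# One tcpdump line of the form the firewall emits when it rejects a UDP packet:
# the firewall (src) tells the client (dst) that <target> udp port <port> is unreachable.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP (?P<target>[\d.]+) udp port (?P<port>\d+) unreachable"
)


def parse_unreachables(capture: str):
    """Yield (timestamp, firewall, client, target, port) for every
    'udp port N unreachable' ICMP message in tcpdump-style text."""
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (m["ts"], m["src"], m["dst"], m["target"], int(m["port"]))


def classify(capture: str) -> dict:
    """Group rejected UDP ports per target and split them into traceroute-range
    probes versus other UDP traffic the egress policy rejected."""
    report = {}
    for _ts, fw, client, target, port in parse_unreachables(capture):
        entry = report.setdefault(
            target,
            {"client": client, "firewall": fw,
             "traceroute_ports": [], "other_ports": []},
        )
        bucket = "traceroute_ports" if port in TRACEROUTE_UDP_PORTS else "other_ports"
        entry[bucket].append(port)
    return report


def is_traceroute_blocked(report: dict, target: str) -> bool:
    """True when at least one UDP probe in the traceroute range towards
    the target was rejected, i.e. the ICMP allow rule does not cover traceroute."""
    return bool(report.get(target, {}).get("traceroute_ports"))


def suggested_pf_rule(lan_if: str, lan_net: str) -> str:
    """A narrowly scoped pf(4) rule (interface and network are assumed
    placeholders) that permits outbound classic-traceroute probes from the LAN
    while leaving the default deny in place for all other UDP."""
    lo, hi = TRACEROUTE_UDP_PORTS.start, TRACEROUTE_UDP_PORTS.stop - 1
    return (f"pass in quick on {lan_if} inet proto udp from {lan_net} "
            f"to any port {lo}:{hi} keep state")


if __name__ == "__main__":
    result = classify(SAMPLE_CAPTURE)
    for target, info in result.items():
        print(f"{info['client']} -> {target}: "
              f"traceroute probes rejected on ports {sorted(info['traceroute_ports'])}, "
              f"other UDP rejected on ports {info['other_ports']}")
        if is_traceroute_blocked(result, target):
            print("  candidate rule:", suggested_pf_rule("em1", "192.168.123.0/24"))
```

    The same parser also shows why the UDP/53 line is worth keeping separate: a DNS rejection in the same capture would point at a different rule, not at traceroute, so the tool only proposes the traceroute range and never a blanket UDP allow.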



  • Thank you Mr Grimson for taking the trouble to respond to my query.

    I think the appropriate expression (well I did say I was "thick" in my original post) is I could not "see the wood for the trees" ...

    I have to confess that I am a relatively recent convert to Linux and still rather unfamiliar with the concept of differing software sources offering the same functionality.

    I have located and installed an alternative package, tcptraceroute, which (as the name implies) uses TCP and resolves my issue.

    Once again my thanks

