[CentOS] 2 questions on CentOS firewall

Wed Jul 20 21:12:07 UTC 2011
Ljubomir Ljubojevic <office at plnet.rs>

Timothy Murphy wrote:
> Timothy Murphy wrote:
> 
>> So I assume the modem is rejecting the ICMP packets.
>> As I said, I don't see anything about this
>> in the modem documentation or on the modem web-site.
> 
> I suppose another possibility is that some site along the way
> rejects ICMP packets?
> 
> traceroute seems to time out in Milan:
> -----------------------------------
> [root at helen tim]# traceroute anghiari.homelinux.com
> traceroute to anghiari.homelinux.com (79.46.6.203), 30 hops max, 40 byte 
> packets
>  1  netopia (192.168.1.254)  0.951 ms  1.132 ms  1.389 ms
>  2  isp (159.134.155.19)  37.238 ms  39.560 ms  42.027 ms
> ...
> 12  telecomitalia.par02.atlas.cogentco.com (130.117.14.82)  67.140 ms 
> telecomitalia.par02.atlas.cogentco.com (130.117.15.138)  92.952 ms ibs-
> resid.milano50.mil.seabone.net (93.186.128.246)  87.098 ms
> 13  * * *
> ...
> 30  * * *
> -----------------------------------
> tcptraceroute gets to the modem, but after some timeouts:
> -----------------------------------
> [root at helen tim]# tcptraceroute anghiari.homelinux.com
> traceroute to anghiari.homelinux.com (79.46.6.203), 30 hops max, 40 byte 
> packets
>  1  netopia (192.168.1.254)  1.491 ms  1.534 ms  1.784 ms
>  2  isp (159.134.155.19)  36.195 ms  38.794 ms  41.328 ms
> ...
> 12  ibs-resid.milano50.mil.seabone.net (93.186.128.246)  85.084 ms  84.599 
> ms  86.881 ms
> 13  * * *
> 14  * * *
> 15  * * *
> 16  * * *
> 17  * * *
> 18  host203-6-dynamic.46-79-r.retail.telecomitalia.it (79.46.6.203)  115.381 
> ms  107.416 ms  114.875 ms
> -----------------------------------
> 
> If anyone can interpret these for me, I shall be grateful.
> 
Those timeouts are a normal occurrence. Some/most heavily loaded routers 
are configured to ignore traceroute requests, possibly even ICMP except 
for certain whitelisted IPs, but I can't remember off the top of my head.

Blocking ICMP for customer IPs is not something ISPs do, for various 
reasons.

I took a look at the Billion manual. It seems that you have to use its 
firewall to add an allow rule for protocol icmp? and source IP 0.0.0.0. 
Destination might also be 0.0.0.0, haven't had the time to study it. 
This should allow pings from outside.

-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
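As an added example (not from the thread), a small Python parser that applies the interpretation given in the reply to traceroute output: it reports whether the final hop was the target and which hops answered none of the probes, so silent routers in the middle are not mistaken for a blocked destination. The sample traces are constructed from the output quoted in the post, with the mailer's line wraps joined and elided hops kept as "...".

```python
import re
# Constructed samples based on the two traces quoted in the thread (mailer
# line-wraps joined, intermediate hops elided with "..." as in the post).
UDP_TRACE = """\
traceroute to anghiari.homelinux.com (79.46.6.203), 30 hops max, 40 byte packets
 1  netopia (192.168.1.254)  0.951 ms  1.132 ms  1.389 ms
 2  isp (159.134.155.19)  37.238 ms  39.560 ms  42.027 ms
...
12  telecomitalia.par02.atlas.cogentco.com (130.117.14.82)  67.140 ms ibs-resid.milano50.mil.seabone.net (93.186.128.246)  87.098 ms
13  * * *
...
30  * * *
"""
TCP_TRACE = """\
traceroute to anghiari.homelinux.com (79.46.6.203), 30 hops max, 40 byte packets
 1  netopia (192.168.1.254)  1.491 ms  1.534 ms  1.784 ms
...
12  ibs-resid.milano50.mil.seabone.net (93.186.128.246)  85.084 ms  84.599 ms  86.881 ms
13  * * *
...
17  * * *
18  host203-6-dynamic.46-79-r.retail.telecomitalia.it (79.46.6.203)  115.381 ms  107.416 ms  114.875 ms
"""

HEADER_RE = re.compile(r"^traceroute to \S+ \((\d+(?:\.\d+){3})\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")          # "<hop>  <replies or * * *>"
IP_RE = re.compile(r"\((\d+(?:\.\d+){3})\)")        # every "(a.b.c.d)" on a hop line

def analyse(trace):
    """Summarise one traceroute run: did the target reply, which hops stayed silent."""
    target, hops = None, []          # hops: (number, set of IPs that replied)
    for line in trace.splitlines():
        m = HEADER_RE.match(line)
        if m:
            target = m.group(1)
            continue
        m = HOP_RE.match(line)
        if m:                        # "..." and blank lines are skipped
            hops.append((int(m.group(1)), set(IP_RE.findall(m.group(2)))))
    silent = [n for n, ips in hops if not ips]
    answering = [n for n, ips in hops if ips]
    return {"target": target, "silent_hops": silent,
            "reached": bool(hops) and target in hops[-1][1],
            "last_answering_hop": answering[-1] if answering else None}

def verdict(r):
    """Reply's reading: silence mid-path is routers ignoring probes; the destination's reply is what counts."""
    if r["reached"]:
        return "destination replied; silent hops %s just ignore probes" % r["silent_hops"]
    return "no reply past hop %s; retry with another probe type (e.g. tcptraceroute)" % r["last_answering_hop"]
```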