New Zealand ADSL Mailing List


Re: traceroute still

From: Brian Gibbons <brian_at_outersite.co.nz>
Date: Mon, 20 Nov 2000 16:47:56 +1300
Message-ID: <000f01c052a4$ab0157c0$0105a8c0@nserver>

>Thanks Glenn, I've enabled all UDP again, and now this happens:

>traceroute to mint.ts.co.nz (202.49.92.17), 30 hops max, 40 byte packets
> 1 10.254.254.254 1.366 ms 0.937 ms 0.968 ms
> 2 192.168.1.254 3.899 ms 2.096 ms 2.069 ms
> 3 * * *

>I wonder if this is something to do with the NAT in the DSL box. It's still weird
>cause I can traceroute OK from the firewall, but not hosts behind it.

This indicates a bug in the M11; I use two firewalls and tracert also broke
when we installed an M11.

In order to route the ICMP messages back, the NAT box must look at the first
64 bytes of the returning ICMP message to find the IP and UDP headers of the
outgoing packet (to which this ICMP message relates). The NAT table can then
be used to find the translation info which will contain the IP address of
the inside host that sent the packet out. Now the NAT box knows which inside
host to forward the ICMP message back to.

However, what the NAT box should also do is change those first 64 bytes of
the ICMP message to what the outgoing headers looked like before NAT was
applied - some NAT implementations do, some don't.

What appears to be happening in your case is the M11 is not updating the 64
byte payload of the ICMP message, thus when the Linux box gets the ICMP
message, that payload contains header information that is valid "outside"
the M11. Obviously the Linux box won't be able to match this header
information with any outgoing sockets, so it will drop the ICMP packet.

JUFM11Bug.

Received on Mon Nov 20 16:34:01 2000
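
The translation described in the message above, as an added example that is not part of the original post: a NAT box receives an ICMP time-exceeded error, finds the inside host from the quoted headers, and forwards it with or without restoring those headers. The inside address 192.168.1.1, the public address 203.0.113.5 and both source ports are constructed values, and checksums are left at zero for brevity.

```python
import socket
import struct

def ip_udp_header(src, sport, dst, dport):
    """Minimal 20-byte IPv4 header plus 8-byte UDP header (checksums left 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 1, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!HHHH", sport, dport, 8, 0)

def icmp_time_exceeded(quoted):
    """ICMP type 11, code 0, carrying the quoted headers of the expired packet."""
    return struct.pack("!BBHI", 11, 0, 0, 0) + quoted

def embedded_flow(icmp):
    """Return (src, sport, dst, dport) from the headers quoted in an ICMP error."""
    inner = icmp[8:]                       # skip the 8-byte ICMP header
    ihl = (inner[0] & 0x0F) * 4            # quoted IP header length in bytes
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return (socket.inet_ntoa(inner[12:16]), sport,
            socket.inet_ntoa(inner[16:20]), dport)

def nat_inbound_icmp(icmp, nat_table, rewrite_payload):
    """Find the inside host via the quoted headers; optionally restore them."""
    pub_ip, pub_port, dst, dport = embedded_flow(icmp)
    inside_ip, inside_port = nat_table[(pub_ip, pub_port)]
    if rewrite_payload:
        # Put back the pre-NAT source so the sender can recognise its own packet.
        icmp = icmp[:8] + ip_udp_header(inside_ip, inside_port, dst, dport)
    return inside_ip, icmp

def host_accepts(icmp, open_sockets):
    """The sending host only accepts errors that match one of its own sockets."""
    return embedded_flow(icmp) in open_sockets

def demo():
    inside = ("192.168.1.1", 40000)        # constructed inside host and port
    public = ("203.0.113.5", 61000)        # constructed post-NAT address and port
    dst = ("202.49.92.17", 33434)          # traceroute target from the thread
    nat_table = {public: inside}
    open_sockets = {(*inside, *dst)}
    # The router that expired the packet quotes it as seen outside the NAT.
    err = icmp_time_exceeded(ip_udp_header(*public, *dst))
    results = {}
    for rewrite in (False, True):
        host, forwarded = nat_inbound_icmp(err, nat_table, rewrite)
        results[rewrite] = (host, host_accepts(forwarded, open_sockets))
    return results

if __name__ == "__main__":
    print(demo())
```

In both cases the error is delivered to the right inside host; only the forwarded copy with restored headers matches the sender's socket, which is the difference between a hop appearing in traceroute and `* * *`.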


This archive was generated by hypermail 2.2.0 : Thu Nov 30 11:48:06 2006 EST