IPFW traceroute sendto: Permission denied

Hi all,

I've noticed that with IPFW enabled I'm not able to use traceroute; I see the following errors:

Code:
# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
traceroute: sendto: Permission denied
 1 traceroute: wrote 8.8.8.8 52 chars, ret=-1

I have ICMP allowed from any to any; the full rule set is as follows:

Code:
00001 unreach port ip from table(1) to me
00002 unreach port ip from table(3) to me
00003 unreach port ip from table(4) to me
00004 unreach port ip from table(2) to me
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01100 allow ip from 172.31.252.207 to 255.255.255.255
01200 allow ip from me to 172.31.252.207
01300 allow ip from 172.31.252.207 to me
01400 allow tcp from any to any established
01500 allow ip from any to any frag
65000 allow tcp from any to me dst-port 25 setup
65001 allow tcp from any to me dst-port 465 setup
65002 allow tcp from any to me dst-port 587 setup
65003 allow tcp from any to me dst-port 110 setup
65004 allow tcp from any to me dst-port 995 setup
65005 allow tcp from any to me dst-port 143 setup
65006 allow tcp from any to me dst-port 993 setup
65007 allow tcp from any to me dst-port 4190 setup
65107 allow tcp from any to me dst-port 22 setup
65207 allow tcp from me to any setup
65307 deny tcp from any to any setup
65407 allow udp from me to any dst-port 53 keep-state
65507 allow icmp from any to any keep-state
65535 deny ip from any to any

I guess I've done something wrong; any help gratefully received!

thanks, Andy.

PS ping works fine
 
traceroute(8) uses UDP packets with an increasing TTL. Use -I if you want to use ICMP echo.

Code:
     -I      Use ICMP ECHO instead of UDP datagrams.  (A synonym for "-P
             icmp").
 
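To see why the posted rule set gives exactly this behaviour, here is a toy first-match evaluator for the rule list quoted in the question. It is an added example, not ipfw(8) itself and not code from either poster; it understands only the syntax that occurs in that list. The environment is constructed and assumed: "me" expands to 192.0.2.10, the four tables are empty, and the probes leave via interface em0. The suggested extra rule (65408) and its port range are the example's own choice, based on traceroute(8)'s default UDP base port of 33434 (the -p option) and one port per probe.

```python
"""Toy first-match evaluator for the IPFW rule set from the post above (added
example, not ipfw(8); it knows only the syntax that occurs in that list)."""
import ipaddress

ME, TABLES = {"192.0.2.10"}, {}   # assumed: host address; table(1)..table(4) empty
RULESET = """\
00001 unreach port ip from table(1) to me
00002 unreach port ip from table(3) to me
00003 unreach port ip from table(4) to me
00004 unreach port ip from table(2) to me
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01100 allow ip from 172.31.252.207 to 255.255.255.255
01200 allow ip from me to 172.31.252.207
01300 allow ip from 172.31.252.207 to me
01400 allow tcp from any to any established
01500 allow ip from any to any frag
65000 allow tcp from any to me dst-port 25 setup
65001 allow tcp from any to me dst-port 465 setup
65002 allow tcp from any to me dst-port 587 setup
65003 allow tcp from any to me dst-port 110 setup
65004 allow tcp from any to me dst-port 995 setup
65005 allow tcp from any to me dst-port 143 setup
65006 allow tcp from any to me dst-port 993 setup
65007 allow tcp from any to me dst-port 4190 setup
65107 allow tcp from any to me dst-port 22 setup
65207 allow tcp from me to any setup
65307 deny tcp from any to any setup
65407 allow udp from me to any dst-port 53 keep-state
65507 allow icmp from any to any keep-state
65535 deny ip from any to any
"""

def parse_rule(line):
    """One 'ipfw list' line -> (num, action, proto, src, dst, opts)."""
    tok = line.split()
    num, unreach = int(tok[0]), tok[1] == "unreach"
    action = "unreach port" if unreach else tok[1]        # two-word deny action
    tok = tok[3:] if unreach else tok[2:]                 # PROTO from SRC to DST ...
    proto, src, dst, rest, opts, i = tok[0], tok[2], tok[4], tok[5:], {}, 0
    while i < len(rest):                  # dst-port / via / icmp6types take an argument
        arg = rest[i] in ("dst-port", "via", "icmp6types")
        opts[rest[i]] = rest[i + 1] if arg else True
        i += 2 if arg else 1
    return num, action, proto, src, dst, opts

def addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    if spec.startswith("table("):
        return addr in TABLES.get(spec, set())
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)  # v4 vs v6: False

def port_matches(spec, port):
    """'25', '2,135,136' or '33434-33634' style port lists."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def rule_matches(rule, pkt):
    _, _, proto, src, dst, opts = rule
    if proto != "ip" and proto != pkt["proto"]:   # 'ip' matches every protocol
        return False
    if not (addr_matches(src, pkt["src"]) and addr_matches(dst, pkt["dst"])):
        return False
    if opts.get("via", pkt["iface"]) != pkt["iface"]:
        return False
    if "dst-port" in opts and not port_matches(opts["dst-port"], pkt.get("dport", -1)):
        return False
    return all(pkt.get(f, False) for f in ("established", "setup", "frag") if f in opts)

def first_match(ruleset, pkt):
    """IPFW semantics: try rules in number order; the first match decides."""
    for line in ruleset.splitlines():
        rule = parse_rule(line)
        if rule_matches(rule, pkt):
            return rule[0], rule[1]
    return None

# Constructed outbound packets: a traceroute UDP probe and a traceroute -I echo.
OUT = {"src": "192.0.2.10", "dst": "8.8.8.8", "iface": "em0"}
TRACEROUTE_UDP = {**OUT, "proto": "udp", "dport": 33434}
TRACEROUTE_ICMP = {**OUT, "proto": "icmp"}
# Suggested extra rule (assumption: 33434 = traceroute's default base port, one port per probe)
FIX = "65408 allow udp from me to any dst-port 33434-33634 keep-state"
FIXED_RULESET = "\n".join(sorted(RULESET.splitlines() + [FIX], key=lambda l: int(l.split()[0])))
```

Running `first_match(RULESET, TRACEROUTE_UDP)` walks the whole list and lands on 65535 deny: nothing between 65407 (UDP to port 53 only) and the end matches an outbound UDP probe to port 33434. IPFW's deny on a locally generated packet makes the kernel fail the `sendto()` with EACCES, which traceroute prints as "Permission denied". The same probe sent as ICMP echo (`traceroute -I`) hits 65507 allow icmp, which is also why plain ping works. Adding a rule like 65408 next to the DNS rule lets the UDP probes out while keeping the default-deny at the end.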