[SOLVED] Need Help: tracert command


(Gabriel GHEORGHIU) #1

Hello everybody,

Please help me to add a rule for “tracert” in shorewall.
I wish to run “tracert” from GREEN, ORANGE and BLUE.

I’m not a programmer so please treat me like a “monkey” who wants to use NS!

Thank you in advance!

Gabriel


(Artem Fedai) #2

Hi, what do you mean? In Linux it is the traceroute command.
-i interface
Specifies the interface through which traceroute should send packets. By default, the interface is selected according to the routing table.


(Gabriel GHEORGHIU) #3

Hi Nas,

I cannot tracert from GREEN. Ping is allowed.

I just read here how, but …

http://shorewall.net/ping.html

http://shorewall.net/ports.htm#Traceroute


(Artem Fedai) #4

It is simple to implement: make a custom template in shorewall.


(Gabriel GHEORGHIU) #5

I know it is simple. For you.
I give :beers: & :pizza:


(Artem Fedai) #6

So make a trick:
mkdir -p /etc/e-smith/templates-custom/etc/shorewall/rules
touch /etc/e-smith/templates-custom/etc/shorewall/rules/90icmp_green
vi /etc/e-smith/templates-custom/etc/shorewall/rules/90icmp_green

90icmp_green

{
    # Emit the rule only when a green network is defined
    use esmith::NetworksDB;
    my $ndb = esmith::NetworksDB->open_ro();
    if ($ndb->green()) {
        $OUT .= "?COMMENT Allow ICMP from green\n";
        $OUT .= "Trcrt/ACCEPT loc net\n";
    }
}
Finally run
signal-event firewall-adjust


(Gabriel GHEORGHIU) #7

I think I did something wrong.
Not working.


(Gabriel GHEORGHIU) #8

Isn’t it e-smith instead of esmith?


(Artem Fedai) #9

Look at /etc/shorewall/rules; you should see the section 90icmp after you run signal-event firewall-adjust. Or you could run shorewall check and after that try the tracert command.
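
The check suggested in post #9, as an added example that is not part of the original thread: a shell function that reports whether a Shorewall rules file contains an accepting Trcrt macro rule for a given source and destination zone. The function names, the sample rules and the zone names blue and dmz are assumptions made for illustration; loc and net are the zones used in the template above.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a Trcrt rule reached the rules file.

# has_trcrt_rule FILE SRC DEST -> exit status 0 if an accepting Trcrt rule exists
has_trcrt_rule() {
    awk -v src="$2" -v dst="$3" '
        /^[ \t]*[#?]/ { next }          # skip comments and ?COMMENT-style directives
        NF < 3        { next }          # not a complete rule line
        {
            action = $1; s = $2; d = $3
            sub(/:.*/, "", action)      # drop a log level such as ":info"
            sub(/:.*/, "", s)           # drop a host qualifier such as ":10.0.0.5"
            sub(/:.*/, "", d)
            # both spellings of the macro invocation are recognised
            if ((action == "Trcrt/ACCEPT" || action == "Trcrt(ACCEPT)") &&
                s == src && d == dst) found = 1
        }
        END { exit !found }
    ' "$1"
}

# Constructed sample rules (hypothetical, not copied from a real system)
make_sample_rules() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
?COMMENT Allow ICMP from green
Trcrt/ACCEPT loc net
?COMMENT
Ping(ACCEPT) blue net
#Trcrt/ACCEPT blue net
Trcrt(ACCEPT) dmz:10.0.0.5 net
ACCEPT:info $FW net icmp
EOF
    echo "$f"
}

sample=$(make_sample_rules)
for zone in loc blue dmz; do
    if has_trcrt_rule "$sample" "$zone" net; then
        echo "$zone -> net: Trcrt rule present"
    else
        echo "$zone -> net: no Trcrt rule"
    fi
done
rm -f "$sample"
```

On a live system, pass /etc/shorewall/rules as the first argument after running signal-event firewall-adjust.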


(Gabriel GHEORGHIU) #10

Hi,

Still not working.


(Gabriel GHEORGHIU) #11

Hi Nas,

I think I did something wrong before asking for help, and maybe that is the cause.

I tried to create a service according to this doc: http://docs.nethserver.org/projects/nethserver-devel/en/latest/services.html#add-a-new-service

The service was created but I could not make it to run.

After that I saw ping under shorewall …

Now I disabled the service but I don’t know how I can remove it. How can I remove the service?


(Artem Fedai) #12

db configuration delete tracert
signal-event firewall-adjust

and put a TAB in the template between Accept loc net icmp; you see, you should have an entry like 90dns_blue


(Gabriel GHEORGHIU) #13
  1. db configuration delete tracert - OK!
  2. put a TAB in the template between Accept loc net icmp; you see, you should have an entry like 90dns_blue - OK!
  3. signal-event firewall-adjust - Done
  4. tracert - Fail


(Gabriel GHEORGHIU) #14

Hi Nas,

Stupid question: for tracert, doesn’t the UDP port 33434 need to be specified … somewhere?


(Artem Fedai) #15

First show what is in /var/log/messages while you are running tracert.
Try to add
ACCEPT:info $FW net icmp

I have no way to reproduce it; you could write to me on Skype.


(Gabriel GHEORGHIU) #16

Thank you Nas but I don’t want to waste your time with me!

I use this configuration of NethServer at my home for tests (I was on vacation till yesterday and I spent some time to learn NS better).
From Monday I will be at my office and I’ll test NS as e-mail server in DMZ to replace Zentyal.

Anyway, I think that tracert must be enabled by default, for all “inside” zones (GREEN, ORANGE, BLUE). I use it many times. It’s a very useful tool.

Thank you again!

PS
I found one contact “fedai” from Ukraine on Skype. Is that you?


(Artem Fedai) #17

my skype nassir_911
and we should investigate the issues and build Feature or fork on GIT


(Artem Fedai) #18

If U have zentyal could you pls export ldap user by phpldapadmin?


(Gabriel GHEORGHIU) #19

I will try.

My Zentyal (4.0.9 version) is a standalone multi-domain email server only, placed in DMZ.
The users and their email account are local (on Zentyal), not related to the windows PDC/AD server.
(nassir911 ?)


(Artem Fedai) #20

yep Brazil is mine :slight_smile: skype :slight_smile: