H3C firewall turns on route tracing

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Traceroute is sometimes needed to check network connectivity, but some devices do not enable route tracing by default; tracert is also used when troubleshooting to confirm that a route is correct.

In the computer room there is an H3C SecPath connected to a Tianrongxin firewall, plus several other routing devices. Routing is done on the Tianrongxin firewall, and access was failing. Because there are many routing devices, tracert was used when troubleshooting, but tracert toward the H3C did not get through. SecPath has no commands such as ip ttl-expires enable, ip unreachables enable and ip df-unreachables enable, so I looked at the access policy and wrote the following rules, applied in the inbound direction on the SecPath port connected to the hosts:

rule 1 permit icmp icmp-type echo # echo request

rule 2 permit icmp icmp-type echo-reply # echo reply

rule 3 permit icmp icmp-type ttl-exceeded # ICMP time-exceeded (TTL expired) message

rule 4 permit icmp icmp-type port-unreachable # ICMP port unreachable

After that I ran trace through the SecPath again, but it still didn't work. I looked for information on the official website, and the relevant configuration note said:

The firewall defend tracert command is used to enable the tracert packet protection function.

I was in a hurry at the time and did not grasp the meaning of that sentence. I typed the command and turned on debugging to investigate further:

terminal debugging

terminal monitor

debugging firewall packet-filter all

The relevant debug message was found:

The only thing that looks problematic is: rcvIfName (1023) = InLoopBack0

So a loopback interface is involved. Could the packet have been diverted to InLoopBack0? No configuration for the InLoopBack0 interface appears in the configuration file, so I guessed the relevant setting must be in the graphical interface. Under the most likely place, "firewall management" and "* prevention", there is a "route tracking *" item; I removed that item and tried again!

Comparing with the previous configuration file showed that the line firewall defend tracert was now missing, so it is clear that this command turns on the tracert packet protection function, not tracert itself! A moment of carelessness sent me on a big detour. Now trace can also pass through the Tianrongxin firewall. The protection function not only prevents the device's own route from being traced, it also discards tracert packets that merely pass through it.

At this point, the specific configuration can be as follows:

1. In the IN direction of the internal interface:

rule 0 permit icmp source X.X.X.X 0 # the IP that you want to allow

The following rules prohibit all other hosts from pinging the intranet:

rule 1 deny icmp destination 10.0.0.0 0.255.255.255 icmp-type echo

rule 2 deny icmp destination 172.16.0.0 0.15.255.255 icmp-type echo

rule 3 deny icmp destination 192.168.0.0 0.0.255.255 icmp-type echo

All hosts can ping the public network:

rule 4 permit icmp icmp-type echo

Other types of ICMP messages (tracert) are prohibited:

rule 10 deny icmp

2. In the IN direction of the external interface of the device:

The unrestricted IP:

rule 0 permit icmp source X.X.X.X 0

Allow all hosts to receive the echo replies from pinging the public network:

rule 1 permit icmp icmp-type echo-reply

Allow the TTL-exceeded replies that tracert relies on:

rule 2 permit icmp icmp-type ttl-exceeded

rule 3 permit icmp icmp-type port-unreachable # better to have this too, since traceroute variants that probe with UDP rely on the port-unreachable return packet

rule 10 deny icmp # everything else denied

Of course, the anti-route-tracing function must be turned off first: undo firewall defend tracert

With the above settings, only the allowed IP can use ICMP without restriction. Other hosts can only use ping, and can only ping public network addresses. Internet users cannot use ICMP to communicate with the public network devices, so the setup is relatively secure.
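To check what the two rule sets above actually let through before committing them to a device, it helps to run the cases from the closing paragraph through a first-match model of the ACLs. The following is an added example, not code from the original post or from H3C: it models H3C-style wildcard matching and in-order rule evaluation for ICMP only, and the addresses (the allowed IP standing in for X.X.X.X, an intranet host, an intranet router and a public host) are constructed placeholders.

```python
# Added example (not from the original post or H3C): a small first-match model of
# the post's two ICMP ACLs, using H3C-style wildcard masks, to check which
# packets each direction lets through. All IP addresses are constructed stand-ins.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ALLOWED_IP = "203.0.113.10"      # constructed stand-in for the post's X.X.X.X
INSIDE_HOST = "10.1.1.20"        # constructed ordinary intranet host
INSIDE_ROUTER = "10.1.1.1"       # constructed router sitting behind the SecPath
PUBLIC_HOST = "198.51.100.7"     # constructed public-network address


@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    source: Optional[str] = None        # "address wildcard", e.g. "10.0.0.0 0.255.255.255"
    destination: Optional[str] = None
    icmp_type: Optional[str] = None     # None means any ICMP type


def _addr(s: str) -> int:
    # The ACLs in the post write an all-zero wildcard as the shorthand "0".
    return 0 if s == "0" else int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, spec: Optional[str]) -> bool:
    """H3C wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is
    ignored (the inverse of a subnet mask), so 'X 0' matches exactly X and
    '10.0.0.0 0.255.255.255' matches all of 10/8."""
    if spec is None:
        return True
    base, wild = spec.split()
    care = ~_addr(wild) & 0xFFFFFFFF
    return (_addr(addr) & care) == (_addr(base) & care)


# 1. Inbound ACL on the internal (intranet-facing) interface, as in the post.
INTERNAL_IN = [
    Rule("permit", source=f"{ALLOWED_IP} 0"),                                   # rule 0
    Rule("deny", destination="10.0.0.0 0.255.255.255", icmp_type="echo"),       # rule 1
    Rule("deny", destination="172.16.0.0 0.15.255.255", icmp_type="echo"),      # rule 2
    Rule("deny", destination="192.168.0.0 0.0.255.255", icmp_type="echo"),      # rule 3
    Rule("permit", icmp_type="echo"),                                           # rule 4
    Rule("deny"),                                                               # rule 10
]

# 2. Inbound ACL on the external (Internet-facing) interface, as in the post.
EXTERNAL_IN = [
    Rule("permit", source=f"{ALLOWED_IP} 0"),        # rule 0
    Rule("permit", icmp_type="echo-reply"),          # rule 1
    Rule("permit", icmp_type="ttl-exceeded"),        # rule 2
    Rule("permit", icmp_type="port-unreachable"),    # rule 3
    Rule("deny"),                                    # rule 10
]


def evaluate(acl, src: str, dst: str, icmp_type: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of the first matching rule). Rules are checked in
    order and the first match wins; the post's catch-all 'rule 10 deny icmp'
    guarantees that every ICMP packet matches something."""
    for idx, rule in enumerate(acl):
        if (wildcard_match(src, rule.source)
                and wildcard_match(dst, rule.destination)
                and rule.icmp_type in (None, icmp_type)):
            return rule.action, idx
    return "no-match", None


def policy_outcomes() -> dict:
    """The cases the post's closing paragraph describes, run through the model."""
    return {
        # The one allowed IP may send any ICMP type anywhere.
        "allowed_ip_ttl_exceeded": evaluate(INTERNAL_IN, ALLOWED_IP, PUBLIC_HOST, "ttl-exceeded"),
        # Ordinary hosts cannot ping private ranges, but can ping the public network.
        "host_ping_intranet": evaluate(INTERNAL_IN, INSIDE_HOST, "192.168.5.9", "echo"),
        "host_ping_public": evaluate(INTERNAL_IN, INSIDE_HOST, PUBLIC_HOST, "echo"),
        # An intranet router answering an outsider's tracert probe is dropped,
        # so the intranet hops stay hidden.
        "router_ttl_exceeded_outbound": evaluate(INTERNAL_IN, INSIDE_ROUTER, PUBLIC_HOST, "ttl-exceeded"),
        # Replies that ping/tracert from inside depend on are let back in ...
        "echo_reply_from_public": evaluate(EXTERNAL_IN, PUBLIC_HOST, INSIDE_HOST, "echo-reply"),
        "port_unreachable_from_public": evaluate(EXTERNAL_IN, PUBLIC_HOST, INSIDE_HOST, "port-unreachable"),
        # ... while an outsider's own echo request is refused by the catch-all.
        "outsider_ping_inside": evaluate(EXTERNAL_IN, PUBLIC_HOST, INSIDE_HOST, "echo"),
    }


if __name__ == "__main__":
    for name, (action, idx) in policy_outcomes().items():
        print(f"{name:30s} -> {action:6s} (matched rule index {idx})")
```

Running the script prints one line per case with the action and the position of the rule that decided it, which is the quickest way to spot an ordering mistake: for instance, moving rule 4 (permit echo) above the three private-range denies would silently re-enable pinging the intranet, and the model shows that immediately as a different matched index.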
