Helping traceroute

traceroute is another command which is quite useful when your users claim that the Internet isn't working. By default, Unix traceroute uses UDP connections according to a set formula based on destination. The rule below works with the traceroute command on all unixes I've had access to, including GNU/Linux:

# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass out on $ext_if inet proto udp to port 33433 >< 33626

Experience so far indicates that traceroute implementations on other operating systems work roughly the same. Except, of course, Microsoft Windows. On that platform, TRACERT.EXE uses ICMP ECHO for this purpose. So if you want to let Windows traceroutes through, you only need the first rule. Unix traceroutes can be instructed to use other protocols as well, and will behave remarkably like its Microsoft counterpart if you use its -I command line option. You can check the traceroute man page (or its source code, for that matter) for all the details.

Under any circumstances, this solution was lifted from an openbsd-misc post. I've found that list, and the searchable list archives (accessible among other places from http://marc.info/), to be a very valuable resource whenever you need OpenBSD or PF related information.