Re: [fw-wiz] Traceroute
From: Paul Robertson (proberts_at_patriot.net)
Date: 10/21/03
- Previous message: Christopher L. Everett: "[fw-wiz] Recommendation needed for a firewall appliance"
- In reply to: Jim McAtee: "[fw-wiz] Traceroute"
- Next in thread: Luca Berra: "Re: [fw-wiz] Traceroute"
- Reply: Luca Berra: "Re: [fw-wiz] Traceroute"
To: Jim McAtee <jmcatee@mediaodyssey.com>
Date: Mon, 20 Oct 2003 18:39:48 -0400 (EDT)
On Sat, 18 Oct 2003, Jim McAtee wrote:
> Is it generally considered safe to permit incoming UDP ports 33434+ through the
> firewall to enable traceroute to reach destination machines? Or should it be
> limited to a finite range of ports, or not permitted at all?
I wouldn't permit it at all; UDP is too easy to spoof. In the past, I've
had luck with setting up a traceroute CGI externally for users who just
*had* to have the functionality. Reporting usage on that script got us
quickly past the next request ;)
Paul
-----------------------------------------------------------------------------
Paul D. Robertson          "My statements in this message are personal opinions
proberts@patriot.net        which may have no basis whatsoever in fact."
probertson@trusecure.com   Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards