Re: [fw-wiz] Traceroute
From: Michael C. Toren (mct_at_toren.net)
Date: 10/21/03
- Previous message: Mark Tinberg: "Re: [fw-wiz] Recommendation needed for a firewall appliance"
- In reply to: Jim McAtee: "[fw-wiz] Traceroute"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Jim McAtee <jmcatee@mediaodyssey.com>
Date: Mon, 20 Oct 2003 23:01:41 -0400
On Sat, Oct 18, 2003 at 04:51:56PM -0600, Jim McAtee wrote:
> Is it generally considered safe to permit incoming UDP ports 33434+
> through the firewall to enable traceroute to reach destination machines?
> Or should it be limited to a finite range of ports, or not permitted at
> all?
If you're not going to permit it, my recommendation would be to reject the
inbound packets with an ICMP port-unreachable response rather than simply
dropping them on the floor. This way, at least a traceroute will terminate
cleanly as opposed to timing out.
-mct
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
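Added example, not from the original post: the two iptables forms the reply contrasts, a silent DROP beside a REJECT that answers with ICMP port-unreachable. Classic UDP traceroute probes destination ports starting at 33434, one port per probe; the interface name and the 33434:33523 range (30 hops x 3 probes) are assumptions for illustration.

```shell
#!/bin/sh
# Assumed external interface and probe port range (not from the post).
IFACE="${IFACE:-eth0}"
TR_PORTS="${TR_PORTS:-33434:33523}"

# Silent drop: traceroute gets no reply, waits for each probe to time out
# and prints "* * *" for every hop from the firewall onward.
drop_rule() {
    printf 'iptables -A INPUT -i %s -p udp --dport %s -j DROP\n' \
        "$IFACE" "$TR_PORTS"
}

# Recommended form: answer with ICMP port-unreachable, the same reply the
# destination host's own stack would give, so the trace ends at the firewall
# instead of timing out.
reject_rule() {
    printf 'iptables -A INPUT -i %s -p udp --dport %s -j REJECT --reject-with icmp-port-unreachable\n' \
        "$IFACE" "$TR_PORTS"
}

# Print the recommended rule; apply it only when APPLY=1 (needs root).
main() {
    rule=$(reject_rule)
    echo "$rule"
    if [ "${APPLY:-0}" = "1" ]; then
        sh -c "$rule"
    fi
}

main "$@"
```

The kernel generates the ICMP reply itself, so no extra OUTPUT rule is needed for it unless your OUTPUT chain defaults to DROP.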