Re: [fw-wiz] Traceroute

From: Luca Berra (bluca_at_comedia.it)
Date: 10/21/03

    To: firewall-wizards@honor.icsalabs.com
    Date: Tue, 21 Oct 2003 09:03:39 +0200
    
    

    On Mon, Oct 20, 2003 at 06:39:48PM -0400, Paul Robertson wrote:
    >On Sat, 18 Oct 2003, Jim McAtee wrote:
    >
    >> Is it generally considered safe to permit incoming UDP ports 33434+ through the
    >> firewall to enable traceroute to reach destination machines? Or should it be
    do you mean traceroute to internal machines?
    >> limited to a finite range of ports, or not permitted at all?
    what do you mean finite: traceroute usually is 33434 - 33463 (due to
    most traceroute implementations stopping after 30 hosts)

    >I wouldn't permit it at all, UDP is too easy to spoof. In the past, I've
    >had luck with setting up a traceroute CGI externally for users who just
    >*had* to have the functionality. Reporting usage on that script got us
    >quickly past the next request ;)
    actually traceroute to outside destination only requires inbound ICMP
    (ttl-exceeded and port-unreachable). You just have to forget about state
    on traceroute :)))
    traceroute to inside should stop at the firewall with a reject.

    regards,
    L.

    -- 
    Luca Berra -- bluca@comedia.it
            Communication Media & Services S.r.l.
     /"\
     \ /     ASCII RIBBON CAMPAIGN
      X        AGAINST HTML MAIL
     / \
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
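The policy Luca describes (outbound UDP probes leave, only the ICMP errors they provoke are let back in without consulting any flow state, and probes aimed at internal hosts are rejected at the firewall so a remote traceroute ends there) can be written down as a small decision function. The model below is an added example, not code from the thread or from any firewall product; the Packet type, the verdict strings and the port range constant are my assumptions. It uses the 33434-33463 range quoted in the post; traceroute builds that use a distinct port per probe rather than per hop need a correspondingly wider range.

```python
"""Stateless traceroute policy for a perimeter firewall (example code).

Rules modelled from the thread:
  1. UDP probes from the LAN to the traceroute port range go out.
  2. ICMP time-exceeded / port-unreachable coming back in is accepted only
     if the quoted inner header is one of those probes (no conntrack used).
  3. UDP probes from the Internet to the same range are rejected with
     port-unreachable, so the remote traceroute stops at the firewall.
  4. Everything else is dropped.
"""
from dataclasses import dataclass
from typing import Optional

# Port range the post gives (33434-33463); hypothetical policy constant.
TRACEROUTE_PORTS = range(33434, 33464)

ICMP_TIME_EXCEEDED = (11, 0)    # TTL expired at an intermediate router
ICMP_PORT_UNREACHABLE = (3, 3)  # final host reached, nothing listening


@dataclass(frozen=True)
class Packet:
    direction: str                     # "in" = from the Internet, "out" = from the LAN
    proto: str                         # "udp", "tcp" or "icmp"
    dport: Optional[int] = None        # UDP/TCP destination port
    icmp: Optional[tuple] = None       # (type, code) for ICMP messages
    quoted: Optional["Packet"] = None  # original datagram echoed inside an ICMP error


def is_traceroute_probe(pkt: Packet) -> bool:
    return pkt.proto == "udp" and pkt.dport in TRACEROUTE_PORTS


def evaluate(pkt: Packet) -> str:
    """Return 'accept', 'reject' (firewall answers port-unreachable) or 'drop'."""
    # Rule 1: our own probes going out.
    if pkt.direction == "out" and is_traceroute_probe(pkt):
        return "accept"
    # Rule 2: replies to them. No flow table is consulted ("forget about
    # state"); the quoted inner header is the only evidence that the error
    # belongs to a probe, which is why the quoted datagram is inspected.
    if (pkt.direction == "in" and pkt.proto == "icmp"
            and pkt.icmp in (ICMP_TIME_EXCEEDED, ICMP_PORT_UNREACHABLE)
            and pkt.quoted is not None and is_traceroute_probe(pkt.quoted)):
        return "accept"
    # Rule 3: probes aimed at internal hosts are answered, not forwarded.
    if pkt.direction == "in" and is_traceroute_probe(pkt):
        return "reject"
    # Rule 4: default deny.
    return "drop"


def firewall_response(pkt: Packet) -> Optional[tuple]:
    """ICMP (type, code) the firewall itself emits for a packet, if any."""
    return ICMP_PORT_UNREACHABLE if evaluate(pkt) == "reject" else None


def outbound_trace(path_len: int) -> list:
    """Walk a LAN-originated traceroute through the policy.

    Each hop sends one probe (one port per hop, as in the post); routers
    before the destination answer time-exceeded, the destination answers
    port-unreachable. Returns (probe verdict, reply verdict) per hop.
    """
    if not 1 <= path_len <= len(TRACEROUTE_PORTS):
        raise ValueError("path length exceeds the modelled port range")
    verdicts = []
    for hop in range(1, path_len + 1):
        probe = Packet("out", "udp", dport=TRACEROUTE_PORTS[hop - 1])
        kind = ICMP_PORT_UNREACHABLE if hop == path_len else ICMP_TIME_EXCEEDED
        reply = Packet("in", "icmp", icmp=kind, quoted=probe)
        verdicts.append((evaluate(probe), evaluate(reply)))
    return verdicts


if __name__ == "__main__":
    # Constructed sample traffic: a LAN traceroute to a host five hops away,
    # then an Internet-side probe knocking on the firewall.
    print(outbound_trace(5))
    inbound_probe = Packet("in", "udp", dport=33434)
    print(evaluate(inbound_probe), firewall_response(inbound_probe))
```

Because rule 2 keys on the quoted inner header rather than on a connection entry, the firewall accepts the ICMP error even though it never recorded the UDP probe, which is the "forget about state" point in the post; the same structure is what a stateful firewall's RELATED match does internally, so the model can be swapped for a conntrack-based one without changing rules 1, 3 and 4.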
    
