Re: [fw-wiz] Traceroute
From: Luca Berra (bluca_at_comedia.it)
Date: 10/21/03
- Previous message: Christopher L. Everett: "Re: [fw-wiz] Recommendation needed for a firewall appliance"
- In reply to: Paul Robertson: "Re: [fw-wiz] Traceroute"
- Next in thread: Michael C. Toren: "Re: [fw-wiz] Traceroute"
To: firewall-wizards@honor.icsalabs.com
Date: Tue, 21 Oct 2003 09:03:39 +0200

On Mon, Oct 20, 2003 at 06:39:48PM -0400, Paul Robertson wrote:
>On Sat, 18 Oct 2003, Jim McAtee wrote:
>
>> Is it generally considered safe to permit incoming UDP ports 33434+ through the
>> firewall to enable traceroute to reach destination machines? Or should it be

do you mean traceroute to internal machines?

>> limited to a finite range of ports, or not permitted at all?

what do you mean finite: traceroute usually is 33434 - 33463 (due to
most traceroute implementations stopping after 30 hosts)

>I wouldn't permit it at all, UDP is too easy to spoof. In the past, I've
>had luck with setting up a traceroute CGI externally for users who just
>*had* to have the functionality. Reporting usage on that script got us
>quickly past the next request ;)

actually traceroute to outside destination only requires inbound icmp
(ttl-exceeded and port-unreachable). You just have to forget about state
on traceroute :)))
traceroute to inside should stop at the firewall with a reject.

regards,
L.
--
Luca Berra -- bluca@comedia.it
Communication Media & Services S.r.l.
/"\
\ / ASCII RIBBON CAMPAIGN
X AGAINST HTML MAIL
/ \
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
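
The policy described in the reply above, written out as Linux iptables rules. This is an added example, not part of the original message or thread. The interface names (eth1 inside, eth0 outside), the use of the FORWARD chain, and the reading of "forget about state" as matching on ICMP type without connection tracking are assumptions.

```sh
#!/bin/sh
# Added example, not from the original thread.
# Prints the rules instead of applying them; review the output, then pipe
# it to `sh` as root on the firewall to load it.

traceroute_rules() {
    int_if=$1    # inside interface (assumed name)
    ext_if=$2    # outside interface (assumed name)

    # Classic UDP traceroute starts at 33434 and uses one port per hop;
    # a 30-hop limit gives the 33434-33463 range quoted in the message.
    lo=33434
    hi=$((lo + 30 - 1))

    cat <<EOF
# 1. Probes from inside hosts to outside destinations.
iptables -A FORWARD -i ${int_if} -o ${ext_if} -p udp --dport ${lo}:${hi} -j ACCEPT
# 2. Replies to those probes, matched on ICMP type only (no state tracking):
#    routers along the path answer time-exceeded, the target answers
#    port-unreachable.
iptables -A FORWARD -i ${ext_if} -o ${int_if} -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A FORWARD -i ${ext_if} -o ${int_if} -p icmp --icmp-type port-unreachable -j ACCEPT
# 3. Probes from outside toward inside hosts stop here with a reject, so
#    the trace ends at the firewall and no inbound UDP range is opened.
iptables -A FORWARD -i ${ext_if} -o ${int_if} -p udp --dport ${lo}:${hi} -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Stand-alone run: INT_IF and EXT_IF override the assumed interface names.
traceroute_rules "${INT_IF:-eth1}" "${EXT_IF:-eth0}"
```

Rule 3 uses REJECT rather than DROP so that an outside traceroute terminates at the firewall hop instead of timing out, which matches "should stop at the firewall with a reject".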