Firewall Wizards mailing list archives

Re: Traceroute


From: "Michael C. Toren" <mct () toren net>
Date: Mon, 20 Oct 2003 23:01:41 -0400

On Sat, Oct 18, 2003 at 04:51:56PM -0600, Jim McAtee wrote:
> Is it generally considered safe to permit incoming UDP ports 33434+
> through the firewall to enable traceroute to reach destination machines?
> Or should it be limited to a finite range of ports, or not permitted at
> all?

If you're not going to permit it, my recommendation would be to reject the
inbound packets with an ICMP port-unreachable response rather than simply
dropping them on the floor.  This way, at least a traceroute will terminate
cleanly as opposed to timing out.

-mct
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
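The two policies discussed in the reply, written out as iptables rules. This is an added example, not code from the thread or from either poster. The port range 33434:33534 (30 hops x 3 probes, plus slack) and the reject rate limit are assumptions chosen for illustration; the thread only says "33434+". The script prints the commands unless APPLY=1 is set, so it can be read and checked without touching a live firewall.

```sh
#!/bin/sh
# Added example (not from the original thread): iptables rules for inbound
# UDP traceroute probes, in "drop" and "reject with port-unreachable" form.
#
# Classic UDP traceroute sends each probe to a fresh destination port starting
# at 33434. The range below (30 hops x 3 probes, plus slack) is an assumption
# for illustration; the thread itself only says "33434+".
#
# With APPLY=1 (as root) the rules are installed; otherwise each command is
# printed so the ruleset can be inspected or tested safely.

TRACEROUTE_PORTS="${TRACEROUTE_PORTS:-33434:33534}"
REJECT_RATE="${REJECT_RATE:-10/second}"   # assumed limit, tune to taste

run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Variant A: the "drop on the floor" policy the reply argues against.
# Probes vanish, so the remote traceroute prints "* * *" for every remaining
# hop until it hits its hop limit and gives up.
drop_rules() {
    run iptables -A INPUT -p udp --dport "$TRACEROUTE_PORTS" -j DROP
}

# Variant B: the reply's recommendation. The kernel answers each probe with
# ICMP type 3 code 3 (port unreachable), which is exactly the reply traceroute
# waits for from the final hop, so the trace terminates cleanly here.
# The limit match keeps a probe flood from turning the host into an ICMP
# error generator; probes above the rate fall through to the trailing DROP.
reject_rules() {
    run iptables -A INPUT -p udp --dport "$TRACEROUTE_PORTS" \
        -m limit --limit "$REJECT_RATE" --limit-burst 20 \
        -j REJECT --reject-with icmp-port-unreachable
    run iptables -A INPUT -p udp --dport "$TRACEROUTE_PORTS" -j DROP
}

# Succeeds if the given rule text answers probes with port-unreachable.
uses_port_unreachable() {
    printf '%s\n' "$1" | grep -q -- '--reject-with icmp-port-unreachable'
}

case "${1:-reject}" in
    drop)   drop_rules ;;
    reject) reject_rules ;;
    *)      echo "usage: $0 [drop|reject]" >&2; exit 2 ;;
esac
```

Two caveats a practitioner would want alongside this. First, the ICMP error is sourced from whichever box generates it: on the destination host's INPUT chain the trace ends at the destination, but the same REJECT in a FORWARD chain on a border firewall makes every trace end at the firewall's address instead. Second, these rules only cover UDP traceroute; Windows tracert uses ICMP echo and the -I/-T variants of traceroute use ICMP or TCP, none of which touch this port range.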

