Firewall Wizards mailing list archives

RE: ICMP and Traceroute


From: "Frank W. Keeney" <FKeeney () hsa com>
Date: Tue, 18 May 1999 08:51:04 -0700

My view of the Internet is the content and services that it provides.
ICMP and traceroute are only tools to verify network connectivity. Day
to day testing of connectivity to the Internet should be done with the
applications.

Users and technicians often want to ping and traceroute in/out of the
internal network. Let them ping and traceroute internally but not
outside the firewall(s). If they can browse the web then they can be
assured that the Internet connection is working. If they really want to
traceroute let them use a traceroute server. 



+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Frank Keeney, Network Services, Home Savings of America
+1 626-814-5080 mailto:fkeeney () hsa com
+++++++++++++++++++++++++++++++++++++++++++++++++++++++


        ----------
        From:  Deepak Vaidya [SMTP:dvaidya () clark net]
        Sent:  Monday, May 17, 1999 10:27 AM
        To:  firewall-wizards () nfr net
        Subject:  ICMP and Traceroute


        Two more questions that came from the same group who need access to dns
        outbound.  They would like to be able to ping and traceroute external
        hosts from all the clients.

        We currently do not allow icmp and traceroute packets in or out bound.  We
        block all those at the router level.  The group is responsible for
        client network and security design and they would like ping and
        traceroute for troubleshooting networks.

        Thanks
        - Deepak


