Firewall Wizards mailing list archives
Re: Traceroute
From: Paul Robertson <proberts () patriot net>
Date: Mon, 20 Oct 2003 18:39:48 -0400 (EDT)
On Sat, 18 Oct 2003, Jim McAtee wrote:
> Is it generally considered safe to permit incoming UDP ports 33434+ through
> the firewall to enable traceroute to reach destination machines? Or should
> it be limited to a finite range of ports, or not permitted at all?

I wouldn't permit it at all, UDP is too easy to spoof.

In the past, I've had luck with setting up a traceroute CGI externally for users who just *had* to have the functionality. Reporting usage on that script got us quickly past the next request ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
proberts () patriot net
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards