Firewall Wizards mailing list archives

Re: Traceroute


From: Paul Robertson <proberts () patriot net>
Date: Mon, 20 Oct 2003 18:39:48 -0400 (EDT)

On Sat, 18 Oct 2003, Jim McAtee wrote:

> Is it generally considered safe to permit incoming UDP ports 33434+ through the
> firewall to enable traceroute to reach destination machines?  Or should it be
> limited to a finite range of ports, or not permitted at all?

I wouldn't permit it at all, UDP is too easy to spoof.  In the past, I've
had luck with setting up a traceroute CGI externally for users who just
*had* to have the functionality.  Reporting usage on that script got us
quickly past the next request ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
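The "traceroute CGI outside the firewall" approach in Paul's reply has one obvious foot-gun: a script that hands a user-supplied hostname to a traceroute binary is a command-injection target unless the input is validated and no shell is involved. The following is an added example, not code from the list or from Paul, of such a wrapper with strict target validation, an argv-only subprocess call, and per-user usage logging so the "reporting usage on that script" step is possible. The traceroute path, the log file location, the `target` query parameter and the use of `REMOTE_USER` (set by the web server's own authentication) are all assumptions.

```python
"""Self-service traceroute CGI: validate the target, never use a shell, log use.

Added example; the traceroute path, log path, form field and REMOTE_USER are
assumptions, not details from the original post.
"""
import ipaddress
import os
import re
import subprocess
import sys
import time
from collections import Counter
from typing import Iterable, List, Optional
from urllib.parse import parse_qs

TRACEROUTE = "/usr/sbin/traceroute"        # assumed binary location
USAGE_LOG = "/var/log/traceroute-cgi.log"  # assumed log location
MAX_HOPS = 30                              # classic traceroute default

# One RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_target(target: str) -> bool:
    """Accept only a literal IPv4/IPv6 address or a syntactically valid hostname.

    Shell metacharacters, whitespace and option-looking strings such as "-g"
    all fail the label regex, so they never reach the command line.
    """
    if not target or len(target) > 253:
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    labels = target.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def build_argv(target: str) -> List[str]:
    """Argument vector for traceroute. The target is one argv element and no
    shell parses it; validation guarantees it cannot start with '-'."""
    if not validate_target(target):
        raise ValueError("invalid target")
    return [TRACEROUTE, "-n", "-m", str(MAX_HOPS), "-w", "2", target]


def format_usage_line(user: str, target: str, ts: int) -> str:
    """Tab-separated log record: epoch seconds, authenticated user, target."""
    return f"{ts}\t{user}\t{target}\n"


def record_usage(user: str, target: str, log_path: str = USAGE_LOG) -> None:
    with open(log_path, "a") as fh:
        fh.write(format_usage_line(user, target, int(time.time())))


def usage_report(lines: Iterable[str]) -> Counter:
    """Requests per user from usage-log lines; this is the report that showed
    management how much the 'must have traceroute' demand really was."""
    counts: Counter = Counter()
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) == 3:
            counts[parts[1]] += 1
    return counts


def run_traceroute(user: str, target: str, timeout: float = 90.0) -> str:
    """Validate, log, then run traceroute with a hard timeout; returns its output."""
    argv = build_argv(target)            # raises ValueError on bad input
    record_usage(user, target)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.stdout or proc.stderr


def main() -> None:
    # CGI entry point: REMOTE_USER is assumed to be set by the web server's auth.
    user = os.environ.get("REMOTE_USER", "anonymous")
    params = parse_qs(os.environ.get("QUERY_STRING", ""))
    target = params.get("target", [""])[0]
    sys.stdout.write("Content-Type: text/plain\r\n\r\n")
    try:
        sys.stdout.write(run_traceroute(user, target))
    except ValueError:
        sys.stdout.write("Rejected: target must be a hostname or IP address\n")
    except subprocess.TimeoutExpired:
        sys.stdout.write("Traceroute timed out\n")


if __name__ == "__main__":
    main()
```

Only the validation and argv construction stop injection; the logging exists so the cost of the service is visible, which is what made the usage report effective in the reply above.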

