Firewall Wizards mailing list archives

Re: Traceroute


From: Luca Berra <bluca () comedia it>
Date: Tue, 21 Oct 2003 09:03:39 +0200

On Mon, Oct 20, 2003 at 06:39:48PM -0400, Paul Robertson wrote:
> On Sat, 18 Oct 2003, Jim McAtee wrote:
>
> > Is it generally considered safe to permit incoming UDP ports 33434+ through the
> > firewall to enable traceroute to reach destination machines?  Or should it be
do you mean traceroute to internal machines?
> > limited to a finite range of ports, or not permitted at all?
what do you mean finite: traceroute usually is 33434 - 33463 (due to
most traceroute implementations stopping after 30 hosts)

> I wouldn't permit it at all, UDP is too easy to spoof.  In the past, I've
> had luck with setting up a traceroute CGI externally for users who just
> *had* to have the functionality.  Reporting usage on that script got us
> quickly past the next request ;)
actually traceroute to an outside destination only requires inbound icmp
(ttl-exceeded and port-unreachable). You just have to forget about state
on traceroute :)))
traceroute to inside should stop at the firewall with a reject.

regards,
L.

--
Luca Berra -- bluca () comedia it
       Communication Media & Services S.r.l.
/"\
\ /     ASCII RIBBON CAMPAIGN
 X        AGAINST HTML MAIL
/ \
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
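The stateless policy described in the reply above (admit inbound ICMP ttl-exceeded and port-unreachable so outbound traceroute works; answer inbound UDP in the traceroute range with a reject at the firewall) can be tightened without connection tracking, because every ICMP error quotes the IP header and first 8 bytes of the datagram that triggered it. A filter can therefore check that the quoted packet was a UDP probe from our own address space to a traceroute port before letting the error in. The code below is an added example written for this page, not code from the thread or from any firewall product; the addresses and packets are constructed (RFC 5737 documentation ranges), the port range is the one the post cites, and the default action for other inbound UDP is an assumption.

```python
"""Stateless admission of traceroute-related ICMP errors (added example)."""
import ipaddress
import struct

# Port range the thread cites: 33434-33463 (one port per hop, 30 hops).
TRACEROUTE_PORTS = range(33434, 33464)
# Constructed internal address space for the example (RFC 5737).
OUR_NET = ipaddress.IPv4Network("192.0.2.0/24")
UDP = 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a correctly checksummed buffer."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, ttl: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_probe(src: str, dst: str, sport: int, dport: int, ttl: int, payload: bytes = bytes(12)) -> bytes:
    """A UDP traceroute probe: IPv4 header + UDP header (checksum 0 = none) + payload."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return build_ipv4_header(src, dst, UDP, ttl, len(udp)) + udp


def build_icmp_error(icmp_type: int, code: int, original: bytes) -> bytes:
    """ICMP error message quoting the offending datagram's IP header + 8 bytes (RFC 792)."""
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + original[:28]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_icmp_error(icmp: bytes) -> dict:
    """Validate an ICMP error and extract the quoted datagram's addresses, protocol and ports."""
    if len(icmp) < 8 + 28:
        raise ValueError("too short to carry the quoted IP header plus 8 bytes")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]
    version, ihl = inner[0] >> 4, (inner[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("quoted datagram is not a parseable IPv4 header plus 8 bytes")
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {
        "type": icmp[0], "code": icmp[1], "inner_proto": inner[9],
        "inner_src": ipaddress.IPv4Address(inner[12:16]),
        "inner_dst": ipaddress.IPv4Address(inner[16:20]),
        "inner_sport": sport, "inner_dport": dport,
    }


def admit_inbound_icmp(icmp: bytes, our_net: ipaddress.IPv4Network) -> tuple:
    """Stateless decision: only the two error types the post names, and only when the
    quoted datagram is a UDP probe from our own address space to a traceroute port."""
    try:
        err = parse_icmp_error(icmp)
    except ValueError as exc:
        return False, "malformed: %s" % exc
    if (err["type"], err["code"]) not in {(11, 0), (3, 3)}:
        return False, "not ttl-exceeded or port-unreachable"
    if err["inner_src"] not in our_net:
        return False, "quoted datagram was not sent by us"
    if err["inner_proto"] != UDP:
        return False, "quoted datagram is not UDP"
    if err["inner_dport"] not in TRACEROUTE_PORTS:
        return False, "quoted destination port outside traceroute range"
    return True, "ok"


def inbound_udp_action(dport: int) -> str:
    """Inbound UDP toward the traceroute range is answered with a reject (ICMP port
    unreachable) so an outside traceroute terminates at the firewall instead of timing
    out hop after hop; other inbound UDP gets the assumed default of DROP."""
    return "REJECT" if dport in TRACEROUTE_PORTS else "DROP"


def demo() -> dict:
    """Run the policy over constructed packets; returns {case: (allowed, reason)}."""
    probe = build_probe("192.0.2.10", "198.51.100.7", sport=40000, dport=33434, ttl=1)
    foreign = build_probe("10.0.0.5", "198.51.100.7", sport=40000, dport=33434, ttl=1)
    cases = {
        "ttl-exceeded from hop": build_icmp_error(11, 0, probe),
        "port-unreachable from target": build_icmp_error(3, 3, probe),
        "host-unreachable (not in policy)": build_icmp_error(3, 1, probe),
        "ttl-exceeded quoting a foreign source": build_icmp_error(11, 0, foreign),
        "truncated": build_icmp_error(11, 0, probe)[:20],
    }
    return {name: admit_inbound_icmp(pkt, OUR_NET) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-40s %s (%s)" % (name, "ALLOW" if ok else "DENY", why))
```

The check on the quoted datagram is what stands in for state: a spoofed ICMP message still has to name one of our addresses as the original sender and a port in the traceroute range, which limits the "UDP is too easy to spoof" concern to the two error types the post allows.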

