Firewall Wizards mailing list archives

Re: traceroute


From: Kevin Steves <stevesk () pobox com>
Date: Sun, 1 Jul 2001 09:36:44 -0700 (PDT)

On Mon, 25 Jun 2001 Bill_Royds () pch gc ca wrote:
:Traceroute doesn't just use one port but many so a simple port allowed rule
:won't work.
:There are 2 major flavours to traceroute.
:  The Unix one uses a series of UDP packets with increasing port numbers to
:trace. You would need to allow these ports out, although you should only get
:Time Exceeded/Port Not Available ICMP messages in reply.
:   The Windows one uses ICMP echo packets with unique IDs for tracing. This is
:more of a problem because you are letting ICMP echo out and both ICMP echo
:reply and Time Exceeded back in.

Note that modern Unix traceroutes (LBL version from 1998 or so) have an -I
option to generate ICMP echo request probes vs. the default UDP probes.
In fact, the first traceroute used ICMP echo.  See:
        http://www.kohala.com/start/papers.others/vanj.99feb08.txt
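A stateful matcher for the two traceroute flavours discussed in the thread, as an added example (not code from the post or from any firewall product): it decides whether an inbound ICMP message is a legitimate answer to an outbound probe, which is the check a firewall needs in order to let Time Exceeded, Port Unreachable and Echo Reply back in without opening ICMP wholesale. Addresses, ports and echo identifiers below are constructed sample values.

```python
# Stateful matching of traceroute replies to the probes that caused them.
# Constructed example; the type/code numbers are the standard ICMP values.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TIME_EXCEEDED, DEST_UNREACH, ECHO_REPLY = 11, 3, 0   # ICMP types
PORT_UNREACH = 3                                     # code under type 3

@dataclass(frozen=True)
class Probe:
    flavour: str        # "udp" (Unix default) or "icmp" (Windows / traceroute -I)
    dst: str            # trace target
    ttl: int
    ident: int          # UDP destination port, or ICMP echo identifier

@dataclass(frozen=True)
class Reply:
    src: str            # router or host that sent the ICMP message
    icmp_type: int
    icmp_code: int
    inner_dst: str = "" # fields quoted from the offending datagram (types 11 and 3)
    inner_ident: int = 0
    echo_id: int = 0    # identifier carried in an Echo Reply (type 0)

def reply_matches(probe: Probe, reply: Reply) -> Optional[str]:
    """Return "hop" or "destination" if reply answers probe, else None."""
    quoted_ok = reply.inner_dst == probe.dst and reply.inner_ident == probe.ident
    if reply.icmp_type == TIME_EXCEEDED and reply.icmp_code == 0 and quoted_ok:
        return "hop"                      # any router on the path may send this
    if (probe.flavour == "udp" and reply.icmp_type == DEST_UNREACH
            and reply.icmp_code == PORT_UNREACH and quoted_ok
            and reply.src == probe.dst):
        return "destination"              # UDP probe hit a closed port on the target
    if (probe.flavour == "icmp" and reply.icmp_type == ECHO_REPLY
            and reply.echo_id == probe.ident and reply.src == probe.dst):
        return "destination"              # echo probe answered by the target itself
    return None                           # unsolicited: a stateful rule drops it

def match_trace(probes: List[Probe], replies: List[Reply]) -> Dict[int, Optional[Tuple[str, str]]]:
    """Pair each probe (by TTL) with the first unmatched reply that answers it."""
    pending = list(replies)
    result: Dict[int, Optional[Tuple[str, str]]] = {}
    for p in probes:
        result[p.ttl] = None
        for r in pending:
            kind = reply_matches(p, r)
            if kind:
                result[p.ttl] = (r.src, kind)
                pending.remove(r)          # each reply answers at most one probe
                break
    return result
```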

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards