Re: Allowing outgoing traceroutes through NAT
On Fri, May 02, 2003 at 02:47:23PM -0700, Talon wrote:
> Blocking traceroute
> Traceroute typically uses UDP ports 33435 to 33524 for the first 30 hops (for
> additional hops beyond that add 3 ports per hop). You need to allow these
> through firewalls or packet filters. Do not allow any vulnerable servers to use
> this port range inside your net.
> (Taken from http://www.freelabs.com/~whitis/isp_mistakes.html)
traceroute can also use ICMP ECHO instead of UDP datagrams (-I option
in Debian's traceroute).
You can also specify the UDP port used by traceroute (-p option).
See man traceroute for more info.