Re: Allowing outgoing traceroutes through NAT

To: debian-firewall@lists.debian.org
Subject: Re: Allowing outgoing traceroutes through NAT
From: Nicolas François <nicolas.francois@centraliens.net>
Date: Mon, 12 May 2003 01:38:35 +0200
Message-id: <[🔎] 20030511233835.GB2792@nekral.homelinux.net>
In-reply-to: <[🔎] 1051912043.3eb2e76b0cb9b@www.heritage.sd57.bc.ca>
References: <[🔎] 20030502210446.GC10427@hank.org> <[🔎] 1051912043.3eb2e76b0cb9b@www.heritage.sd57.bc.ca>

On Fri, May 02, 2003 at 02:47:23PM -0700, Talon wrote:
> Hi,
> 
> Blocking traceroute
> Traceroute typically uses udp ports 33435 to 33524 for the first 30 hops (for 
> additional hops beyond that add 3 ports per hop). You need to allow these 
> through firewalls or packet filters. Do not allow any vulnerable servers to use 
> this port range inside your net. 
> 
> (Taken from http://www.freelabs.com/~whitis/isp_mistakes.html)

traceroute can also use ICMP ECHO instead of UDP datagrams ( -I option
in debian's traceoute).

You can also specify the UDP port used by traceroute (-p option).

see man traceroute for more info.

hth
-- 
Nekral

Reply to:

References:
- Allowing outgoing traceroutes through NAT
  - From: Bill Moseley <moseley@hank.org>
- Re: Allowing outgoing traceroutes through NAT
  - From: Talon <megglestone@heritage.sd57.bc.ca>

Prev by Date: Re: Gnomemeeting+firewall
Next by Date: i need some basic help...
Previous by thread: Re: Allowing outgoing traceroutes through NAT
Next by thread: What is a good firewall tool?
Index(es):
- Date
- Thread