Fwd: [Techtalk] Firewall blocking traceroute

Terri Oda terri at zone12.com
Wed Aug 4 14:15:39 EST 2004


Whoops.  I did indeed mean to send my original to techtalk.  Here's 
Devdas' reply, which includes my post:

Begin forwarded message:

> From: Devdas Bhagat <devdas at dvb.homelinux.org>
> Date: August 4, 2004 10:04:04 AM EDT
> To: Terri Oda <terri at zone12.com>
> Subject: Re: [Techtalk] Firewall blocking traceroute
> Reply-To: Devdas Bhagat <devdas at dvb.homelinux.org>
>
> On 03/08/04 21:22 -0400, Terri Oda wrote:
>
> Please bounce this to techtalk if you really meant to send this to the
> list.
>
>> On Aug 2, 2004, at 5:51 AM, Devdas Bhagat wrote:
>>> Unix traceroute uses UDP by default. Windows traceroute uses ICMP both
>>> ways.
>>
>> I'm on Mac OS X, which would be BSD traceroute, which would be unixy.
>> The man page claims that when I traceroute, outgoing is UDP, but
>> incoming will be ICMP.
>
> Which is correct.
> Traceroute works by sending out packets with low TTLs. When the TTL
> expires, an ICMP error message packet is returned from the router where the
> packet reached a TTL of 0.
> Unix systems use UDP packets on the outbound route, while Windows
> systems use ICMP on the outbound route.
>
>>> You can use the -I option to traceroute(8) to have it use ICMP instead
>>> of UDP.
>>
>> This option doesn't exist in the Mac version of traceroute.  However,
>> it *does* work when I try it with the linux box, and traceroute then
>> works.
>>
>> So now the question is, what is actually incoming as UDP?  And how safe
>> would it be to unblock that?  I don't really need traceroute regularly,
>> so I'll probably leave it blocked except on those days when I need it,
>> but I'm curious now!
>
> There should be no incoming UDP traffic. You will have outgoing packets
> with a source port of 33434 by default, and incrementing by one for each
> hop. Return traffic is ICMP port unreachable errors.
>
> Does your router block UDP on high ports?
>
>>> If Linux, the iptables tutorial at
>>> http://iptables-tutorial.frozentux.net/ is recommended if a packet
>>> filter makes you feel safe enough.
>>
>> This does beg the question -- what do you do if a packet filter doesn't
>> make you feel safe enough?  Do you have something firewall-related in
>> mind, or are you implying other security precautions?
>
> I usually recommend an application level gateway (aka proxy).
> A packet filter blocks a lot of noise, but it doesn't protect a
> vulnerable application exposed to the Internet.
> A proxy removes this exposure.
>
> For example, Squid as a reverse proxy in front of IIS, Postfix as an SMTP
> gateway in front of Exchange/Lotus Notes, etc.
>
> For a lot of noise about this, see the archives of the firewall-wizards
> mailing list from May onwards.
>
>> But actually, I'd prefer a tutorial unlinked to particular software.  I
>> can figure out the software on my own, but I'm curious as to what
>> rulesets are usually used, what ports are needed by common bits of
>> software, etc.
>
> This reminds me again that I have a course to finish :).
>
> Devdas Bhagat
>
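
The exchange above describes what leaves the host and what comes back when a UDP traceroute runs. The following is an added example, not code from the thread or from any traceroute implementation: it builds, in memory, the UDP probe traceroute sends for each hop (TTL = hop number, destination port starting at 33434) and the ICMP error a router or the destination host returns, then parses that error the way a traceroute or a stateful firewall has to, by reading the original IP header and first 8 bytes of UDP header that RFC 792 requires the error to quote. Addresses are constructed from the RFC 5737 documentation ranges, and the example sends one probe per hop (real traceroute sends three per hop and keeps incrementing the port, so the port window in classify_reply is an assumption made generous for that).

```python
"""Traceroute probe/reply mechanics, built and parsed offline (constructed example)."""
import socket
import struct

TRACEROUTE_BASE_PORT = 33434   # first UDP destination port used by BSD/Linux traceroute
PORT_WINDOW = 255              # assumption: how many ports above the base we treat as ours
IPPROTO_ICMP, IPPROTO_UDP = 1, 17
ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED = 3, 11
ICMP_PORT_UNREACH, ICMP_TTL_EXPIRED = 3, 0


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; returns 0 when data already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, ttl: int, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def udp_probe(src: str, dst: str, hop: int, src_port: int = 40000) -> bytes:
    """The outbound probe for hop N: IP TTL = N, UDP destination port BASE + N - 1."""
    payload = b"\x00" * 12                      # traceroute's small payload; contents irrelevant here
    udp_len = 8 + len(payload)
    # UDP checksum 0 means "none", which IPv4 permits; keeps the example short.
    udp = struct.pack("!HHHH", src_port, TRACEROUTE_BASE_PORT + hop - 1, udp_len, 0) + payload
    return ipv4_header(src, dst, hop, IPPROTO_UDP, udp_len) + udp


def icmp_error(replier: str, probe: bytes, icmp_type: int, code: int) -> bytes:
    """What a router (TTL expired) or the destination (port unreachable) sends back:
    ICMP header + the probe's IP header + the first 8 bytes of its payload (RFC 792)."""
    quoted = probe[:20 + 8]
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    probe_src = socket.inet_ntoa(probe[12:16])  # the error goes back to whoever sent the probe
    return ipv4_header(replier, probe_src, 64, IPPROTO_ICMP, len(icmp)) + icmp


def classify_reply(packet: bytes):
    """Parse an inbound IPv4 packet. Returns (hop, replier, kind) when it is an ICMP error
    quoting one of our UDP probes, else None (so a stray inbound UDP datagram is rejected)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ICMP or inet_checksum(packet[:ihl]) != 0:
        return None
    icmp = packet[ihl:]
    if len(icmp) < 8 + 28 or inet_checksum(icmp) != 0:
        return None
    itype, code = icmp[0], icmp[1]
    if (itype, code) == (ICMP_TIME_EXCEEDED, ICMP_TTL_EXPIRED):
        kind = "ttl-expired"
    elif (itype, code) == (ICMP_DEST_UNREACH, ICMP_PORT_UNREACH):
        kind = "port-unreachable"
    else:
        return None
    inner = icmp[8:]                            # the quoted original datagram
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != IPPROTO_UDP or len(inner) < inner_ihl + 8:
        return None
    _src_port, dst_port = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    if not TRACEROUTE_BASE_PORT <= dst_port < TRACEROUTE_BASE_PORT + PORT_WINDOW:
        return None
    hop = dst_port - TRACEROUTE_BASE_PORT + 1
    return hop, socket.inet_ntoa(packet[12:16]), kind


def simulate_trace(src="192.0.2.10", dst="198.51.100.7", path=("192.0.2.1", "203.0.113.1")):
    """Walk a constructed path: each router answers with TTL-expired, the destination with port-unreachable."""
    results = []
    for hop in range(1, len(path) + 2):
        probe = udp_probe(src, dst, hop)
        if hop <= len(path):
            reply = icmp_error(path[hop - 1], probe, ICMP_TIME_EXCEEDED, ICMP_TTL_EXPIRED)
        else:
            reply = icmp_error(dst, probe, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH)
        results.append(classify_reply(reply))
    return results


if __name__ == "__main__":
    for hop, replier, kind in simulate_trace():
        print(hop, replier, kind)
```

Nothing inbound here is UDP: every reply is ICMP, and the only way the receiver ties it to a probe is the quoted header. That is also why a stateful Linux filter can admit these replies without opening any inbound UDP port: netfilter's connection tracking reads the same quoted header to mark the ICMP error RELATED to the outbound UDP flow, so an INPUT rule of the form `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` is enough, and a filter that drops all inbound ICMP (or a stateless one that only allows reply UDP) is what makes traceroute show nothing but asterisks.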
