Solved

for The--Captain

Posted on 2002-06-03
Last Modified: 2010-04-11
Jon,
could you please post the comments about traceroute/trcroute.
I'm learning ...
Question by:ahoffmann

Accepted Solution

by:
The--Captain earned 50 total points
ID: 7084231
No prob - took me a sec to remember what you were talking about.  The following is a re-post, nearly verbatim

ahoffmann - you are a bit off, methinks

1.  Most unices allow you to specify options to traceroute which can select UDP or ICMP - then again, you can get tcptraceroute and do whatever you want...  Also, it is not ICMP-unreachable (type 3), but ICMP-TTL-expired (type 11) packets that are returned.  What exactly did you think was unreachable? (sorry, cheap shot).

2.  Solaris has a configurable number of tries (as do most unices) - I've seen Solaris wanna do infinite tries by default, like many unices.  And BTW, I think M$ is 4, not 3, by default, but it may vary by OS.

(deleted) - you say:

>Can I filter tracert service on xxx
>firewall brand ? If so , which port or how?

Easy - only allow connections to public services (filter everything else), and forward nothing that does not correspond to client requested traffic or public services.  I guess what I'm saying is to respect the age-old firewall wisdom - only allow/accept traffic that you recognize as legitimate traffic to legitimate destinations from legitimate sources - drop everything else.  Since, given this wisdom, you will not have a rule to specifically allow traceroute (OK, well ICMP TTL-expireds), your firewall should, by default, drop such traffic.

If you're talking about restricting your clients that are behind your firewall from tracerouting in general, forget it - there are way too many public traceroute web gateways to block them all, unless you just want to block all web traffic.

Cheers,
-Jon

Author Comment

by:ahoffmann
ID: 7086193
1. ok, I found the -I option to toggle UDP vs. ICMP (RTFM is now taped to my screen:)
  about tcptraceroute: where can I get it (I'm just too lazy to search google, when there is someone who knows)

2. didn't find something about the retries in Solaris' man-pages

About the firewall:
  nowadays most firewalls are configured to discard/drop ICMP packets, ICMP is no longer essential for internet access
  This, unfortunately, results in a strange behaviour about traceroute, 'cause it might not get the expected ICMP-TTL-expired message (yes, I was wrong with the ICMP unreachable).
  When I use iptables on Linux, a simple "ACCEPT related" does the trick, even when UDP packets are sent and ICMP comes back (they did a good job here, but you need to know it).
  And tunneling a firewall is as easy as switching your computer on, at least for those people who need to do it.
  It's the firewall admin's nightmare, but some people really need it: http://www.htthost.com/, or if you have access to an outside server: DeleGate (sorry, don't have a link handy)

> .. forget it .. unless you just want to block all web traffic.

hmm, see comment above: you need to block any traffic ;-)
or force clients to use an adaptive proxy

Thanks for comments, hints and discussion ..

Achim (ah  at   secure-net.de)
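
Added example (not part of either post, and not netfilter's own code): a simplified Python model of the stateful matching discussed above, where an inbound ICMP error is accepted only if the datagram it quotes belongs to a flow the firewall saw leave. It separates the TTL-expired (type 11) replies sent by intermediate hops from the type 3 port-unreachable that ends a UDP trace; the addresses, ports and function names are constructed for illustration.

```python
import socket
import struct

DEST_UNREACHABLE, TIME_EXCEEDED = 3, 11   # ICMP types (RFC 792)
UDP = 17                                  # IP protocol number

def build_icmp_error(icmp_type, code, src, dst, sport, dport):
    """Constructed sample: ICMP error quoting a UDP probe (checksums left 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 1, UDP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + ip + udp

def quoted_flow(icmp):
    """Return (type, code, flow) for an ICMP error quoting UDP, else None."""
    if len(icmp) < 8 + 20 + 8 or icmp[0] not in (DEST_UNREACHABLE, TIME_EXCEEDED):
        return None
    inner = icmp[8:]                      # quoted IP header + first 8 payload bytes
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8 or inner[9] != UDP:
        return None
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    flow = (socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20]),
            sport, dport)
    return icmp[0], icmp[1], flow

def verdict(icmp, tracked):
    """Accept an inbound ICMP error only if it quotes a flow we originated."""
    parsed = quoted_flow(icmp)
    if parsed is None:
        return ("DROP", "not an ICMP error quoting UDP")
    icmp_type, code, flow = parsed
    if flow not in tracked:
        return ("DROP", "quotes a flow we never sent")
    if icmp_type == TIME_EXCEEDED:
        return ("ACCEPT", "ttl-expired from intermediate hop")
    if code == 3:
        return ("ACCEPT", "port-unreachable from destination")
    return ("ACCEPT", "other unreachable for tracked flow")

# Constructed state table: one outbound traceroute probe (documentation addresses).
TRACKED = {("192.0.2.10", "198.51.100.7", 40000, 33434)}

if __name__ == "__main__":
    for t, c, sp in [(11, 0, 40000), (3, 3, 40000), (11, 0, 40001)]:
        pkt = build_icmp_error(t, c, "192.0.2.10", "198.51.100.7", sp, 33434)
        print(t, c, sp, verdict(pkt, TRACKED))
```
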

Expert Comment

by:The--Captain
ID: 7090864
I saw that reference to htthost in one of your other posts - yikes.  I'm guessing snort or one of the other tools like it could filter this stuff, though.

Cheers,
-Jon