Solved

for The--Captain

Posted on 2002-06-03
233 Views
Last Modified: 2010-04-11
Jon,
could you please post the comments about traceroute/trcroute.
I'm learning ...
Question by:ahoffmann
3 Comments
LVL 16

Accepted Solution

by:
The--Captain earned 50 total points
ID: 7084231
No prob - took me a sec to remember what you were talking about.  The following is a re-post, nearly verbatim

ahoffmann - you are a bit off, methinks

1.  Most unices allow you to specify options to traceroute which can select UDP or ICMP - then again, you can get tcptraceroute and do whatever you want...  Also, it is not ICMP-unreachable (type 3), but ICMP-TTL-expired (type 11) packets that are returned.  What exactly did you think was unreachable? (sorry, cheap shot).

2.  Solaris has a configurable number of tries (As do most unices) - I've seen Solaris wanna do infinite tries by default, like many unices.  And BTW, I think M$ is 4, not 3, by default, but it may vary by OS.

(deleted) - you say:

>Can I filter tracert service on xxx
>firewall brand ? If so , which port or how?

Easy - only allow connections to public services (filter everything else), and forward nothing that does not correspond to client requested traffic or public services.  I guess what I'm saying is to respect the age-old firewall wisdom - only allow/accept traffic that you recognize as legitimate traffic to legitimate destinations from legitimate sources - drop everything else.  Since, given this wisdom, you will not have a rule to specifically allow traceroute (OK, well ICMP TTL-expireds), your firewall should by default, drop such traffic.

If you're talking about restricting your clients that are behind your firewall from tracerouting in general, forget it - there are way too many public traceroute web gateways to block them all, unless you just want to block all web traffic.

Cheers,
-Jon
LVL 51

Author Comment

by:ahoffmann
ID: 7086193
1. ok, I found the -I option to toggle UDP vs. ICMP (RTFM is now taped on my screen :)
  about tcptraceroute: where can I get it (I'm just too lazy to search google, when there is someone who knows)

2. didn't find something about the retries in Solaris' man-pages

About the firewall:
  nowadays most firewalls are configured to discard/drop ICMP packets, ICMP is no longer essential for internet access
  This, unfortunately, results in a strange behaviour about traceroute, 'cause it might not get the expected ICMP-TTL-expired message (yes, I was wrong with the ICMP unreachable).
  When I use iptables on Linux, a simple "ACCEPT related" does the trick, even when UDP packets are sent and ICMP comes back (they did a good job here, but you need to know it).
  And tunneling a firewall is as easy as switching your computer on, at least for those people who need to do it.
  It's the firewall admin's nightmare, but some people really need it: http://www.htthost.com/, or if you have access to an outside server: DeleGate (sorry, don't have a link handy)

> .. forget it .. unless you just want to block all web traffic.

hmm, see comment above: you need to block any traffic ;-)
or force clients to use an adaptive proxy

Thanks for comments, hints and discussion ..

Achim (ah  at   secure-net.de)
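The ICMP replies discussed in both posts above (Jon's ICMP-TTL-expired, type 11, and the "ACCEPT related" matching in the iptables comment) work because an ICMP error message quotes the original probe's IP header plus the first 8 bytes of its payload, which is what traceroute and a stateful firewall use to tie the reply back to the outgoing UDP probe. The following is an added Python example, not code from either poster: it builds constructed sample messages and classifies them the way a UDP traceroute (or a conntrack RELATED rule) would. All addresses and ports are made-up sample values.

```python
import struct
from ipaddress import IPv4Address

ICMP_DEST_UNREACH = 3     # code 3 (port unreachable): the UDP probe reached its target
ICMP_TIME_EXCEEDED = 11   # code 0 (TTL expired in transit): an intermediate hop answered
UDP = 17

def _ipv4_header(src, dst, proto, ttl, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero (constructed sample only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def build_icmp_error(icmp_type, code, probe_src, probe_dst, sport, dport, ttl=1):
    """Constructed ICMP error: 8-byte ICMP header, then the offending IPv4 header
    and the first 8 bytes of its payload (RFC 792), here a UDP probe header."""
    quoted_udp = struct.pack("!HHHH", sport, dport, 8 + 32, 0)  # 32-byte probe body
    quoted_ip = _ipv4_header(probe_src, probe_dst, UDP, ttl, 8 + 32)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted_ip + quoted_udp

def parse_icmp_error(data):
    """Return (type, code, quoted_src, quoted_dst, quoted_udp_dport), or None if
    the message is not an error type quoting a UDP datagram."""
    if len(data) < 8 + 20 + 8 or data[0] not in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        return None
    quoted = data[8:]
    ihl = (quoted[0] & 0x0F) * 4          # the quoted header may carry IP options
    if quoted[9] != UDP or len(quoted) < ihl + 8:
        return None
    src = str(IPv4Address(quoted[12:16]))
    dst = str(IPv4Address(quoted[16:20]))
    _sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return data[0], data[1], src, dst, dport

def classify_reply(data, probe_dst, probe_dport):
    """What a UDP traceroute (or a conntrack RELATED rule) makes of this ICMP
    message: 'hop', 'reached', or 'unrelated' (quotes a datagram we never sent)."""
    parsed = parse_icmp_error(data)
    if parsed is None:
        return "unrelated"
    icmp_type, code, _src, dst, dport = parsed
    if dst != probe_dst or dport != probe_dport:
        return "unrelated"
    if icmp_type == ICMP_TIME_EXCEEDED and code == 0:
        return "hop"
    if icmp_type == ICMP_DEST_UNREACH and code == 3:
        return "reached"
    return "unrelated"
```

A firewall that drops all ICMP discards both the 'hop' and the 'reached' messages, which is exactly the "strange behaviour" described in the comment above; a RELATED rule admits only those whose quoted datagram matches an outgoing probe.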
LVL 16

Expert Comment

by:The--Captain
ID: 7090864
I saw that reference to htthost in one of your other posts - yikes.  I'm guessing snort or one of the other tools like it could filter this stuff, though.

Cheers,
-Jon