Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

for The--Captain

Posted on 2002-06-03
3
Medium Priority
?
248 Views
Last Modified: 2010-04-11
Jon,
could you please post the comments about traceroute/trcroute.
I'm learning ...
0
Comment
Question by:ahoffmann
  • 2
3 Comments
 
LVL 16

Accepted Solution

by:
The--Captain earned 200 total points
ID: 7084231
No prob - took me a sec to remember what you were talking about.  The following is a re-post, nearly verbatim

ahoffman - you are a bit off, methinks

1.  Most unices allow you to specify options to traceroute which can select UDP or ICMP - then again, you can get tcptraceroute and do whatever you want...  Also, it is not ICMP-unreachable (type 3), but ICMP-TTL-expired (type 11) packets that are returned.  What exactly did you think was unreachable? (sorry, cheap shot).

2.  Solaris has a configurable number of tries (As do most unices) - I've seen Solaris wanna do infinite tries by default, like many unices.  And BTW, I think M$ is 4, not 3, by default, but it may vary by OS.

(deleted) - you say:

>Can I filter tracert service on xxx
>firewall brand ? If so , which port or how?

Easy - only allow connections to public services (filter everything else), and forward nothing that does not correspond to client requested traffic or public services.  I guess what I'm saying is to respect the age-old firewall wisdom - only allow/accept traffic that you recognize as legitimate traffic to legitamate destinations from legitmate sources - drop everything else.  Since, given this wisdom, you will not have a rule to specifically allow traceroute (OK, well ICMP TTL-expireds), your firewall should by default, drop such traffic.

If you're talking about restricting your clients that are behind your firewall from tracerouting in general, forget it - there are way too many public traceroute web gateways to block them all, unless you just want to block all web traffic.

Cheers,
-Jon
0
 
LVL 51

Author Comment

by:ahoffmann
ID: 7086193
1. ok, I found the -I option to toggle UDV vs. ICMP (RTFM is now tapped on my screen:)
  about tcptraceroute: where can I get it (I'm just to lazy to search google, when there is someone who knows)

2. didn't find something about the retries in Solaris' man-pages

About the firewall:
  nowerdays most firewalls are configured to discard/drop ICMP packets, ICMP is no longer essential for internet access
  This, unfortunately, results in a strange behaviour about traceroute, 'cause it might not get the expected ICMP-TTL-expired message (yes, I was wrong with the ICMP unreachable).
  When I use iptables on Linux, a simple "ACCEPT related" does the trick, even when UDP packets are send and ICMP comes back (they did a well job here, but you need to know it).
  And tunneling a firewall is as easy as switching your computer on, at least for those people who need to do it.
  It's the firewall admin's nightmare, but some people really nead it: http://www.htthost.com/, or if you have access to a outside server: DeleGate (sorry, don't have a link handy)

> .. forget it .. unless you just want to block all web traffic.

hmm, see comment above: you need to block any traffic ;-)
or force clients to use an adaptive proxy

Thanks for comments, hints and discussion ..

Achim (ah  at   secure-net.de)
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 7090864
I saw that reference to htthost in one of your other posts - yikes.  I guessing snort or one of the other tools like it could filter this stuff, though.

Cheers,
-Jon
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Tech spooks aren't just for those who are tech savvy, it also happens to those of us running a business. Check out the top tech spooks for business owners.
It’s a season to be thankful, and we’re thankful for users like you who engage on site, solve technology problems, and network with others in the industry. What tech are we most thankful for? Keep reading.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

886 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question