[THIN] Re: Tracert

  • From: Henry Sieff <hsieff@xxxxxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>,windows2000@xxxxxxxxxxxxx
  • Date: Fri, 27 Jun 2003 11:15:04 -0500

traceroute (tracert in the Windows world) uses ICMP, but the message types are
different.

Ping uses ICMP 8 outgoing and 0 incoming. ICMP 8 requests the response,
ICMP 0 is the response. So on a firewall, you would

permit $int_add $ext_add icmp 8 outgoing
permit $ext_add $int_add icmp 0 incoming.

Traceroute is different. It actually uses UDP and ICMP: packets are sent out
via UDP with a TTL of 1. Thus, when it gets to the next hop, an ICMP 11
(Time exceeded) is sent back, allowing the program to identify the IP
address of the hop. It is then sent again, with a TTL of 2, etc. etc. etc.
until the destination is reached.

Thus you would want

permit $int_add $ext_add udp > 1023 outgoing
permit $ext_add $int_add icmp 11 incoming
permit $ext_add $int_add icmp 3 incoming (the last is dest. unreachable,
which improves performance).

This prevents outsiders from tracing you or pinging you, provided default
deny all is in effect (which it really should be).


HTH

Henry

> -----Original Message-----
> From: bbeckett2000@xxxxxxxxx [mailto:bbeckett2000@xxxxxxxxx]
> Sent: Friday, June 27, 2003 10:55 AM
> To: windows2000@xxxxxxxxxxxxx; thin@xxxxxxxxxxxxx
> Subject: [THIN] Tracert
> 
> 
> Stupid question but when you want to prevent anyone pinging your boxes from the
> outside world, you block ICMP packets. Does tracert also use ICMP packets or
> something else? In other words, if you block ICMP, you block the ability for
> others to ping you, does this also block a tracert?
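To see how the permit list in Henry's reply behaves under default deny, here is a small stateless filter model. It is an added example, not code from the post or the list; the Packet/Rule fields and the 33434 probe port (the usual Unix traceroute base port) are my own choices.

```python
# Added example: a stateless filter modelling the permit rules from the reply.
# $int_add / $ext_add are replaced by a direction: "out" = inside -> outside,
# "in" = outside -> inside. Anything not matched is dropped (default deny).
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" or "out"
    proto: str                      # "icmp" or "udp"
    icmp_type: Optional[int] = None  # set when proto == "icmp"
    dport: Optional[int] = None      # UDP destination port


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    icmp_type: Optional[int] = None                 # exact ICMP type
    dport_range: Optional[Tuple[int, int]] = None   # inclusive UDP port range

    def matches(self, p: Packet) -> bool:
        if p.direction != self.direction or p.proto != self.proto:
            return False
        if self.proto == "icmp":
            return p.icmp_type == self.icmp_type
        lo, hi = self.dport_range
        return p.dport is not None and lo <= p.dport <= hi


# The five permits from the reply, in order.
RULES = [
    Rule("out", "icmp", icmp_type=8),                # echo request going out
    Rule("in",  "icmp", icmp_type=0),                # echo reply coming back
    Rule("out", "udp",  dport_range=(1024, 65535)),  # traceroute probes, > 1023
    Rule("in",  "icmp", icmp_type=11),               # time exceeded from each hop
    Rule("in",  "icmp", icmp_type=3),                # destination unreachable
]


def permitted(p: Packet, rules=RULES) -> bool:
    """Permit on the first matching rule; no match means deny."""
    return any(r.matches(p) for r in rules)


def scenarios():
    """Constructed sample traffic: what gets through and what is dropped."""
    return {
        "inside ping request":       permitted(Packet("out", "icmp", icmp_type=8)),
        "inside traceroute probe":   permitted(Packet("out", "udp", dport=33434)),
        "hop time-exceeded reply":   permitted(Packet("in", "icmp", icmp_type=11)),
        "outsider pings us":         permitted(Packet("in", "icmp", icmp_type=8)),
        "outsider traceroute probe": permitted(Packet("in", "udp", dport=33434)),
    }
```

The model is stateless, like the rules in the post; a stateful firewall would admit the ICMP 0/11/3 replies automatically for an outbound flow it has seen. Note also that Windows tracert sends ICMP echo requests rather than UDP probes, so outbound ICMP 8 is the rule that matters for it.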
