traceroute ICMP/UDP (was RE: ... going slightly mad... tun0, ppp, ipfw, life and everything...)

From: Henrik Kramshøj (none@henrik.kramshoj--vigilante.com.lh.bsd-dk.dk)
Date: Thu 19 Apr 2001 - 17:01:07 CEST


To: "'bsd-dk@BSD-Dk.dk'" <none@bsd-dk--BSD-Dk.dk.lh.bsd-dk.dk>

Hi All

Traceroute is funny !

On Linux the default is to use UDP packets
        traceroute www.bsd-dk.dk
but you can just specify -I to use ICMP
        traceroute -I www.bsd-dk.dk

On Wirus NT and friends it uses only ICMP (I think, try sniffing it)

Don't know about BSD (will check when I need it)

At work I often see one or the other blocked by firewalls, but most times
I get lucky using the other :-)

BTW my opinion is that UDP should NOT go through a firewall, except perhaps
for DNS queries :-) (UDP port 53)

Best regards

Henrik Lund Kramshøj
henrik.kramshoj@vigilante.com
Security Engineer
___________________
VIGILANTe - Assuring Internet Security
www.vigilante.com

Company Phone +45 7020 6565
Direct Phone +45 7731 6584
Mobile Phone +45 2026 6000

-----Original Message-----
From: Jimi Jørgensen [mailto:jj@syntax.dk]
Sent: 19 April 2001 14:37
To: 'bsd-dk@BSD-Dk.dk'
Subject: SV: ... going slightly mad... tun0, ppp, ipfw, life and everything...

Hmm..

> but I don't understand it when the zillions of HOWTOs I have read say that
> '$fwcmd add allow icmp from any to any' should be enough to
> get ping and
> traceroute to work.

Isn't traceroute UDP??

>
> A simple problem with a simple solution (are there any
> problems with
> letting all UDP packets through? Or is there a more
> elegant solution?)
> that still gives me a headache.

I don't think ICMP is the same as UDP.

Normally there is nothing wrong with letting UDP through, but
you should possibly limit it to ports 7 (echo), 37 (time), 500 (isakmp) and
525 (timed) for traffic coming in from the Internet.

- unless you are running NAT, in which case there is probably no
problem in most cases (FJ??)

 /Jimi

  - I do not fear computers, I fear the lack of them..
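
Added example, not part of the original posts: an ipfw fragment for the case discussed in the thread, where traceroute sends UDP probes but the answers come back as ICMP, so an ICMP-only allow rule passes the replies and drops the probes. The interface name `tun0` as the outside interface, the upper end of the UDP port range and the `traceroute_rules` function are assumptions; `fwcmd` defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example: let traceroute work without opening all UDP.
# Dry run by default: fwcmd only prints the ipfw commands.
# Set fwcmd=/sbin/ipfw (as root, on a FreeBSD host) to install them.
fwcmd="${fwcmd:-echo ipfw}"
oif="${oif:-tun0}"          # assumption: outside interface
tr_ports="33434-33534"      # assumption: traceroute's default base port
                            # 33434 and the ports its later probes use

traceroute_rules() {
    # Outbound probes, UDP flavour (traceroute without -I).
    $fwcmd add allow udp from any to any $tr_ports out via "$oif"
    # Outbound probes, ICMP flavour (traceroute -I, ping): echo request.
    $fwcmd add allow icmp from any to any out via "$oif" icmptypes 8
    # Inbound answers only:
    #   0  echo reply (ping, final hop of traceroute -I)
    #   3  destination unreachable (final hop of a UDP traceroute
    #      answers "port unreachable")
    #   11 time exceeded (every intermediate hop)
    $fwcmd add allow icmp from any to any in via "$oif" icmptypes 0,3,11
}

traceroute_rules
```

No inbound UDP rule is needed for either flavour, because every traceroute answer arrives as ICMP.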
