Can traceout command work across the firewall? If No then why? If Yes then why?


bdragomir

  • Dec 9th, 2007
 

Short question... long answer...
Traceroute is using ICMP (type 30) under Windows and UDP under *NIX. To be able to use traceroute via a firewall, the firewall needs to allow echo replies/requests. The way traceroute works is by sending packets toward the final destination and incrementing the TTL with each packet sent. As such, the first packet will have a TTL set to 1 and will target the final destination; the first device in the path (the gateway) will send back an echo reply. Packet 2 will target the same final destination but will have a TTL set to 2, and so on. When a firewall is hit in the path to the final destination, if properly configured it should drop the packet and not answer back. Going further, the source will send an ICMP-type-30 traceroute packet to the final destination with a TTL equal to the previous TTL (the one dropped by the firewall) + 1; the device behind the firewall will answer IF the firewall is allowing ICMP (type 30) to pass through, and similarly the source will receive the reply IF the firewall is allowing echo reply to pass through.

bdragomir

  • Dec 9th, 2007
 

Traceroute is based on ICMP type 30 under Windows and UDP under *NIX; traceroute packets that would hit the firewall should be dropped, and similarly any echo reply coming from inside the firewall should be restricted outbound. The answer: traceroute can work via a firewall if the firewall is allowing inbound ICMP type 30 and outbound echo reply. !! This should be allowed via internal firewalls ONLY !!
A second case is allowing traceroute via the firewall outbound; with this I do not see any real problem, as it cannot be used for any device discovery or facilitate any malicious activity, unless being used for an attack coming from inside...
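Both answers above describe the same mechanism: probes leave with TTL 1, 2, 3, ..., each router decrements the TTL, and whichever hop sees it reach zero answers, so a firewall's policy on probes and on the replies behind it decides what the source gets to see. The following offline model is an added example, not code from the post or its author. The hop names, the 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and 10.0.0.0/8 addresses and the three firewall policies are constructed; the `forward_probes` / `answer_expired` / `forward_replies` knobs are the model's own simplification of a rule set, not any product's syntax. One point of fact the model keeps that the post glosses over: an intermediate router whose TTL decrement reaches zero answers with an ICMP Time Exceeded (type 11), while only the final host answers the probe itself.

```python
"""Offline model of traceroute probes crossing a firewall.

Added example, not code from the original post. Hop names, addresses and the
three firewall policies below are constructed for illustration. The model keeps
the real mechanism: probes go out with TTL 1, 2, 3, ..., every router
decrements the TTL, the router where it reaches zero answers with an ICMP
Time Exceeded (type 11), and the destination host answers the probe it receives.
"""
from dataclasses import dataclass
from typing import List, Optional

MAX_HOPS = 8  # kept small for the demo; real tools default to 30


@dataclass
class Hop:
    name: str
    addr: str
    # Policy knobs (the model's own assumptions, not a real firewall's rule syntax):
    forward_probes: bool = True    # pass inbound probes on toward the destination
    answer_expired: bool = True    # reply for a probe that ends at this hop
    forward_replies: bool = True   # pass replies from hops behind it back to the source


def send_probe(path: List[Hop], ttl: int) -> Optional[str]:
    """Send one probe with the given TTL; return the replying hop's address or None."""
    for index, hop in enumerate(path):
        is_destination = index == len(path) - 1
        # A reply has to travel back through every hop in front of the replying one
        return_path_open = all(h.forward_replies for h in path[:index])
        if is_destination:
            # The host itself answers (Echo Reply for ICMP probes, Port Unreachable for UDP)
            return hop.addr if hop.answer_expired and return_path_open else None
        ttl -= 1
        if ttl == 0:
            # TTL expired at a router: it replies with ICMP Time Exceeded, if allowed
            return hop.addr if hop.answer_expired and return_path_open else None
        if not hop.forward_probes:
            return None  # a filtering hop silently drops a transiting probe
    return None


def traceroute(path: List[Hop], max_hops: int = MAX_HOPS) -> List[str]:
    """Return one entry per TTL: the replying address, or '*' for a timeout."""
    trace = []
    for ttl in range(1, max_hops + 1):
        reply = send_probe(path, ttl)
        trace.append(reply if reply is not None else "*")
        if reply == path[-1].addr:
            break  # destination answered; stop probing
    return trace


def build_path(firewall: Hop) -> List[Hop]:
    """Constructed sample path: two routers, the firewall, one inside router, the host."""
    return [
        Hop("gateway", "192.0.2.1"),
        Hop("isp-edge", "198.51.100.7"),
        firewall,
        Hop("inside-router", "10.0.0.1"),
        Hop("web-server", "10.0.0.50"),
    ]


# Policy 1: the firewall drops traceroute probes entirely (what the post recommends
# for an external firewall): everything from the firewall onward is a timeout.
DROP_ALL = Hop("fw", "203.0.113.1", forward_probes=False, answer_expired=False)
# Policy 2: probes and the replies they trigger are allowed through; the firewall
# itself stays silent, so it shows as a single '*' while hosts behind it appear.
PASS_SILENT = Hop("fw", "203.0.113.1", forward_probes=True, answer_expired=False)
# Policy 3: probes get in but replies are blocked outbound: the inside stays dark,
# which is the "restrict echo reply outbound" half of the post's answer.
NO_REPLIES_OUT = Hop("fw", "203.0.113.1", answer_expired=False, forward_replies=False)

if __name__ == "__main__":
    for label, policy in [("drop all", DROP_ALL), ("pass, silent", PASS_SILENT),
                          ("no replies out", NO_REPLIES_OUT)]:
        print(f"{label:15s}", " -> ".join(traceroute(build_path(policy))))
```

Running the block prints one line per policy. Only `PASS_SILENT` lets the trace reach `10.0.0.50`; the other two produce the two public hops followed by a run of `*` up to `MAX_HOPS`, which is the familiar sign that a filtering device sits in the path and is not answering.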
