bdragomir

 Profile Answers by bdragomir 

• Dec 9th, 2007

 

Short question ...long answer...
Traceroute is using ICMP(type 30) under Windows and UDP under *NIX. To be able to use traceroute via a firewall the firewall needs to allow echo replies/requests. The way traceroute works is by sending packets toward the final destination and incrementing ttl with each packet sent. As such, the first packet will have a ttl set to 1 and will target the final destination, the first device in the path (the gateway) will send back an echo replay, packet 2 will target the same final destination but will have ttl set to 2 ... when a firewall will be hit in the path to final destination if properly configured this should drop the packet and not answer back. Going further, the source will send a ICMP-type-30-traceroute packet to the final destination with a ttl = with previous ttl (the one dropped by the firewall) + 1; the device behind the firewall will answer IF the firewall is allowing ICMP(type 30) to pass-though and similarly the source will receive  the reply IF  the firewall is allowing echo reply to pass-through.

bdragomir

 Profile Answers by bdragomir 

• Dec 9th, 2007

 

Traceroute is based on ICMP type 30 under Windows and UDP under *NIX; traceroute pacjets that would hit the firewall should be dropped similarly any echo replay coming from inside the firewall should be restricted outbound. The answer: traceroute can work via a firewall is firewall is allowing inbound ICMP type 30 and outbound echo reply.  !! this should be allowed via internal firewalls ONLY!!
a seconde case is allowing traceroute via firewall outbound with this I do not see any real problem as it can not be used for any device discovery or facilitate any malicious activity, unless being used for an attack coming from inside...