From: Tony Rall (trall@almaden.ibm.com)
Date: Thu Oct 04 2001 - 16:05:43 CDT

    On Thursday, 2001/10/04 at 16:20 AST, "Bilotti, Matthew"
    <mbilotti@lucent.com> wrote:
    > Does anyone know what the correct response a Firewall should have when
    > blocking a traceroute?
    > I assume it should not reply with a port unreachable.

    You're right - it shouldn't respond with "port unreachable".

    A firewall doesn't really know when a traceroute is being done - it only
    sees the individual packets involved in the traceroute sequence.

    There are 2 types of traceroute probes commonly used:

    UDP packets to high ports (the original traceroute implementations did
    this) - A firewall blocking this can either send back nothing or "ICMP
    destination unreachable, administratively prohibited".

    ICMP echo request packets - Normally nothing would be sent back (in the
    spirit of "don't send ICMP packets in response to ICMP packets"), but
    since this is an echo request I think it would also be ok to send back
    "ICMP destination unreachable, administratively prohibited".

    Responses (by other systems) to traceroute probes are ICMP packets ("dest.
    unreachable") - if blocking these, nothing should be sent back to the
    responder.

    Tony Rall
    _______________________________________________
    Firewalls mailing list
    Firewalls@lists.gnac.net
    http://lists.gnac.net/mailman/listinfo/firewalls
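The policy Tony lays out above, as an added example that is not part of the original post and not the code of any firewall product: a small Python simulation that parses constructed IPv4/UDP and ICMP packets and decides what, if anything, a blocking firewall sends back. The packet builders, the `firewall_response` function and its `reject_udp` / `reject_echo` switches are assumptions made for illustration; the ICMP type and code numbers (3/13 "administratively prohibited", 3/3 "port unreachable", 8 "echo request") are the standard RFC 792 / RFC 1812 values. Both probe types get either silence or an administratively-prohibited message, inbound ICMP unreachables (other hosts' answers to probes) are dropped silently, and a port-unreachable reply is never generated, which is the behaviour the post says a firewall should have.

```python
"""Simulate a firewall's reply policy for blocked traceroute probes (illustration only)."""
import struct

PROTO_ICMP, PROTO_UDP = 1, 17
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
CODE_PORT_UNREACH = 3        # the reply a blocking firewall must NOT send
CODE_ADMIN_PROHIBITED = 13   # "destination unreachable, administratively prohibited"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum as used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 1) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) in front of payload; constructed input."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def udp_probe(src: str, dst: str, dport: int, ttl: int = 1) -> bytes:
    """Classic traceroute probe: UDP to a high port with a small payload (constructed)."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + 12, 0) + b"traceroute!!"
    return ipv4_packet(src, dst, PROTO_UDP, udp, ttl)


def icmp_packet(src: str, dst: str, icmp_type: int, code: int, body: bytes = b"", ttl: int = 1) -> bytes:
    """ICMP message (8-byte header + body) inside IPv4; used for echo requests and unreachables."""
    msg = struct.pack("!BBHL", icmp_type, code, 0, 0) + body
    msg = msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]
    return ipv4_packet(src, dst, PROTO_ICMP, msg, ttl)


def admin_prohibited(original: bytes, ihl: int) -> bytes:
    """ICMP type 3 code 13 quoting the original IP header plus its first 8 payload bytes (RFC 792)."""
    msg = struct.pack("!BBHL", ICMP_DEST_UNREACH, CODE_ADMIN_PROHIBITED, 0, 0) + original[: ihl + 8]
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def firewall_response(packet: bytes, reject_udp: bool = True, reject_echo: bool = False):
    """Decide what the firewall sends for one blocked packet (hypothetical policy function).

    Returns ("drop", None) for silence or ("reject", icmp_bytes) for an ICMP reply.
    reject_udp / reject_echo choose between the two acceptable behaviours from the post.
    """
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    transport = packet[ihl:]
    if proto == PROTO_UDP:
        # UDP probe: nothing, or admin-prohibited; never a port-unreachable
        return ("reject", admin_prohibited(packet, ihl)) if reject_udp else ("drop", None)
    if proto == PROTO_ICMP:
        if transport[0] == ICMP_ECHO_REQUEST and reject_echo:
            # echo request: normally silence, admin-prohibited also acceptable
            return "reject", admin_prohibited(packet, ihl)
        # everything else that is ICMP (including dest-unreachable answers from
        # other hosts to someone's traceroute): never answer ICMP with ICMP
        return "drop", None
    return "drop", None


def reply_type_code(reply: bytes):
    """Return (type, code) of an ICMP reply produced by firewall_response."""
    return reply[0], reply[1]


if __name__ == "__main__":
    probe = udp_probe("192.0.2.10", "198.51.100.5", 33435)
    action, reply = firewall_response(probe)
    print(action, reply_type_code(reply))
    echo = icmp_packet("192.0.2.10", "198.51.100.5", ICMP_ECHO_REQUEST, 0, b"\x00" * 8)
    print(firewall_response(echo)[0])
```

The reply built by `admin_prohibited` carries a valid checksum and quotes the probe's IP header, which is what lets the sender's traceroute attribute the "!X" to the right hop; `inet_checksum(reply) == 0` is the usual self-check that the checksum field was filled in correctly.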