From: Tony Rall (trallalmaden.ibm.com)
Date: Thu Oct 04 2001 - 16:05:43 CDT
On Thursday, 2001/10/04 at 16:20 AST, "Bilotti, Matthew"
> Does anyone know what the correct response a Firewall should have when
> blocking a traceroute?
> I assume it should not reply with a port unreachable.
You're right - it shouldn't respond with "port unreachable".
A firewall doesn't really know when a traceroute is being done - it only
sees the individual packets involved in the traceroute sequence.
There are 2 types of traceroute probes commonly used:

1. UDP packets to high ports (the original traceroute implementations did
   this) - A firewall blocking this can either send back nothing or "ICMP
   destination unreachable, administratively prohibited".

2. ICMP echo request packets - Normally nothing would be sent back (in the
   spirit of "don't send ICMP packets in response to ICMP packets"), but
   since this is an echo request I think it would also be ok to send back
   "ICMP destination unreachable, administratively prohibited".
Responses (by other systems) to traceroute probes are ICMP packets ("dest.
unreachable") - if blocking these, nothing should be sent back to the
Firewalls mailing list
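As an added illustration, not part of the thread above or of any firewall product, here is a small Python model of the response policy Tony describes: it classifies a raw IPv4 packet as a UDP high-port probe, an ICMP echo probe, or an ICMP unreachable response, then either drops it silently or builds a well-formed "destination unreachable, administratively prohibited" (type 3, code 13) reply, and never a port unreachable. The high-port threshold of 33434 (classic traceroute's starting port) and the sample packets are assumptions constructed for the example.

```python
import struct

# ICMP type/code numbers (RFC 792 and RFC 1812 assignments)
DEST_UNREACH, ECHO_REQUEST = 3, 8
PORT_UNREACH, ADMIN_PROHIBITED = 3, 13   # the firewall must never send code 3
TRACEROUTE_BASE_PORT = 33434             # assumption: classic UDP traceroute base port

def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4(proto: int, ttl: int, payload: bytes) -> bytes:
    """Constructed minimal IPv4 header (no options) 10.0.0.1 -> 10.0.0.2."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload

def classify(pkt: bytes) -> str:
    """Map a packet onto the three traceroute-related kinds from the post."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, body = pkt[9], pkt[ihl:]
    if proto == 17 and struct.unpack("!H", body[2:4])[0] >= TRACEROUTE_BASE_PORT:
        return "udp-probe"
    if proto == 1 and body[0] == ECHO_REQUEST:
        return "icmp-echo-probe"
    if proto == 1 and body[0] == DEST_UNREACH:
        return "unreachable-response"
    return "other"

def firewall_reply(pkt: bytes, reject: bool):
    """Return the ICMP reply the firewall emits, or None for a silent drop.
    Probes may be dropped or answered with admin-prohibited (reject=True);
    unreachable responses are always dropped; port-unreachable is never built."""
    kind = classify(pkt)
    if kind in ("udp-probe", "icmp-echo-probe") and reject:
        ihl = (pkt[0] & 0x0F) * 4
        quoted = pkt[:ihl + 8]   # original IP header + first 8 bytes of its payload
        icmp = struct.pack("!BBHI", DEST_UNREACH, ADMIN_PROHIBITED, 0, 0) + quoted
        icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
        return ipv4(1, 64, icmp)
    return None
```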