On 10/10/2012 11:29 AM, Jens Weibler wrote:
Hi,
how is the development of traceroute via ICMP going? My central firewall team doesn't like opening many udp-ports for traceroute :(
As far as I know you can make traceroute work by sending ICMP Rejects on the correct ports. So you don't have to open any firewall to make this work. I have the following rules in my ruleset to make traceroute and tracepath work:

iptables -A INPUT -p udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p udp --dport 44450:44500 -j REJECT --reject-with icmp-port-unreachable

--
Best regards,

Jan Hugo Prins
Infra consultant

E: jprins@betterbe.com
T: +31-53-4800694
M: +31-6-26358951
S: jhaprins
W: www.betterbe.com
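
Added example, not part of the original mail: a shell check that reads `iptables -S INPUT` output and reports which rule decides a given UDP port first, to confirm that REJECT rules like the ones above are not shadowed by an earlier DROP. The function name and both sample rulesets are constructed for illustration, and the parser reads only `-p`, `--dport`, `-j` and `--reject-with`.

```shell
#!/bin/sh
# Added example: first-match verdict for a UDP port over `iptables -S INPUT` output.
# Assumption/simplification: only -p, --dport, -j and --reject-with are read;
# other match options (-s, -i, -m state, ...) are ignored.
verdict_for_udp_port() {   # usage: verdict_for_udp_port PORT < rules
    awk -v port="$1" '
        $1 == "-P" && $2 == "INPUT" { policy = $3; next }
        $1 != "-A" || $2 != "INPUT" { next }
        {
            proto = "all"; lo = 0; hi = 65535; target = ""; rw = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
                else if ($i == "--reject-with") rw = $(i + 1)
                else if ($i == "--dport") {
                    n = split($(i + 1), r, ":")
                    lo = r[1] + 0; hi = (n > 1 ? r[2] : r[1]) + 0
                }
            }
            if (proto != "udp" && proto != "all") next
            if (port + 0 < lo || port + 0 > hi) next
            if (target != "ACCEPT" && target != "DROP" && target != "REJECT") next
            # REJECT with no --reject-with defaults to icmp-port-unreachable
            if (target == "REJECT" && rw == "") rw = "icmp-port-unreachable"
            print (rw != "" ? target ":" rw : target)
            found = 1; exit
        }
        END { if (!found) print "POLICY:" (policy != "" ? policy : "unknown") }
    '
}

# Constructed sample: the two REJECT rules from the mail ahead of a catch-all DROP.
RULES_OK='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 44450:44500 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j DROP'
# Constructed sample: the catch-all DROP comes first and shadows the REJECT rule.
RULES_SHADOWED='-P INPUT DROP
-A INPUT -j DROP
-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable'

printf '%s\n' "$RULES_OK" | verdict_for_udp_port 33434        # REJECT:icmp-port-unreachable
printf '%s\n' "$RULES_SHADOWED" | verdict_for_udp_port 33434  # DROP
```

On a live host the input would come from `iptables -S INPUT | verdict_for_udp_port 33434`. A verdict of DROP or POLICY:DROP means probes to that port are discarded silently, so no port-unreachable reply goes back to the traceroute client.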