traceroute via ICMP? - ripe-atlas - mailman.ripe.net

newer
Atlas main database maintenance

traceroute via ICMP?

older
Ping does no longer visualize?

Jens Weibler

10 Oct 2012 10 Oct '12

11:29 a.m.

Hi, how is the development of traceroute via ICMP going? My central firewall team doesn't like opening many udp-ports for traceroute :( -- Jens Weibler IT-Services Hochschule Darmstadt www.h-da.de University of Applied Sciences Fachbereich Informatik www.fbi.h-da.de Schöfferstr. 8b D-64295 Darmstadt Tel +49 6151 16-8425 Fax +49 6151 16-8935 jens.weibler@h-da.de

Attachments:

smime.p7s (application/pkcs7-signature — 4.6 KB)

Show replies by date

Jan Hugo Prins

10 Oct 10 Oct

11:39 a.m.

On 10/10/2012 11:29 AM, Jens Weibler wrote:

Hi,

how is the development of traceroute via ICMP going? My central firewall team doesn't like opening many udp-ports for traceroute :(

As far as I know you can make traceroute work by sending ICMP Rejects on the corrent ports. So you don't have to open any firewall to make this work. I have the following rules in my ruleset to make traceroute and tracepath work: iptables -A INPUT -p udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable iptables -A INPUT -p udp --dport 44450:44500 -j REJECT --reject-with icmp-port-unreachable -- Met vriendelijke groet / Best regards, Jan Hugo Prins Infra consultant E: jprins@betterbe.com T: +31-53-4800694 M: +31-6-26358951 S: jhaprins W: www.betterbe.com

Jens Weibler

6:20 p.m.

On 10/10/2012 11:39 AM, Jan Hugo Prins wrote:

As far as I know you can make traceroute work by sending ICMP Rejects on the corrent ports. So you don't have to open any firewall to make this work. I have the following rules in my ruleset to make traceroute and tracepath work:

this only works if you're the target of the traceroute but not the source if I'm right... -- Jens Weibler IT-Services Hochschule Darmstadt www.h-da.de University of Applied Sciences Fachbereich Informatik www.fbi.h-da.de Schöfferstr. 8b D-64295 Darmstadt Tel +49 6151 16-8425 Fax +49 6151 16-8935 jens.weibler@h-da.de

Jan Hugo Prins

10:11 p.m.

this only works if you're the target of the traceroute but not the source if I'm right...

True, this only works until the edge of your secure zone, and you have to open up the ports to be able to traceroute behind this edge. -- Met vriendelijke groet / Best regards, Jan Hugo Prins Infra consultant E: jprins@betterbe.com T: +31-53-4800694 M: +31-6-26358951 S: jhaprins W: www.betterbe.com

4456

Age (days ago)

4456

Last active (days ago)

Download

3 comments

2 participants

tags

participants (2)

Jan Hugo Prins
Jens Weibler