Um, define "safe and reliable"...

AFAIK for traceroute to work you need to allow ICMP time exceeded and port
unreachable messages back to the host that's running the traceroute. The
outgoing traffic is normally actually UDP, which you can control with packet
filters.

If it is against your policy to allow ICMP in to your internal network, then
this is unsafe. 
Personally, I don't tend to stress too much about incoming ICMP. Sure people
can do Ping of Discomfort attacks etc - but NAT actually takes care of a lot
of that. My normal approach is to allow most reasonable ICMP messages to
come back into the network. Outgoing ICMP is another matter.

I haven't really thought too hard about this, but surely it would be trivial
to write a traceroute proxy that would run on an application level firewall?
Has anyone seen / done this?

OT: I'd love to get a definitive answer on this damn MTU discovery thing. I
don't let 'em in, and I've never seen problems - I've seen lots of posts
from people warning of the dangers, and a few from people who claim that, in
the real world, they've never had problems... Could someone give me a moron's
version of The Wonderful World of Fragmentation?

--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520 

> -----Original Message-----
> From: Matthew G. Harrigan [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 1 September 1999 3:41 AM
> To: Sweeney, Patrick; 'Sujeet Nayak'; [EMAIL PROTECTED]
> Subject: Re: ICMP filtering
> 
> 
> 
> > I believe Axent Raptor firewall blocks ICMP.
> 
> By default, this is true. On Raptor 5.0, there aren't really any provisions
> to allow usage of inbound ping or outbound traceroute, aside from creating
> a GSP for the various icmp types. 6.0 has a "ping daemon" which enables
> directionally controlled ping, but still no traceroute. My question is: has
> anyone found a way to safely and reliably allow traceroute sessions for the
> protected portion of the network?
> 
> Matt
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 
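The exchange Ben describes above (UDP probes leaving the network, ICMP Time Exceeded and Port Unreachable messages coming back) is exactly what a stateful "traceroute-aware" filter needs to track. The following is an added Python example, not code from this thread or from any firewall product mentioned in it. It records outbound UDP probes by 4-tuple and admits an inbound ICMP error only when it is type 11/code 0 or type 3/code 3 and the datagram quoted inside it (IP header plus the first 8 bytes of the UDP header, as RFC 792 requires) matches a recently seen probe. Class and function names, the 5-second window, and the sample addresses are all constructed for the illustration; checksums are zeroed in the constructed packets and are not verified.

```python
import socket
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3       # ICMP type 3
ICMP_PORT_UNREACH = 3       # code 3 of type 3: the final hop answers a UDP probe this way
ICMP_TIME_EXCEEDED = 11     # ICMP type 11, code 0: intermediate hops answer this way
IPPROTO_UDP = 17


@dataclass(frozen=True)
class Probe:
    """Identity of an outbound UDP traceroute probe (the 4-tuple)."""
    src: str
    sport: int
    dst: str
    dport: int


class TracerouteReturnFilter:
    """Hypothetical stateful admission check for ICMP errors answering UDP probes.

    Outbound UDP probes are remembered for max_age seconds. An inbound ICMP
    message is admitted only if it is Time Exceeded or Port Unreachable AND the
    datagram it quotes matches one of the remembered probes. Unsolicited ICMP,
    echo requests, and stale replies are all refused.
    """

    def __init__(self, max_age=5.0):
        self.max_age = max_age
        self._pending = {}  # Probe -> time the probe left the network

    def note_outbound_udp(self, src, sport, dst, dport, now):
        """Called by the packet filter for every outbound UDP datagram."""
        self._pending[Probe(src, sport, dst, dport)] = now

    def inbound_icmp_allowed(self, icmp, now):
        """icmp is the ICMP message (header + quoted datagram), without the outer IP header."""
        # 8-byte ICMP header + 20-byte minimal IPv4 header + 8 bytes of UDP header
        if len(icmp) < 8 + 20 + 8:
            return False
        itype, code = icmp[0], icmp[1]
        wanted = (itype == ICMP_TIME_EXCEEDED and code == 0) or \
                 (itype == ICMP_DEST_UNREACH and code == ICMP_PORT_UNREACH)
        if not wanted:
            return False
        inner = icmp[8:]                       # the quoted offending datagram
        if inner[0] >> 4 != 4:                 # only IPv4 is handled here
            return False
        ihl = (inner[0] & 0x0F) * 4
        if ihl < 20 or len(inner) < ihl + 8:
            return False
        if inner[9] != IPPROTO_UDP:            # traceroute probes are UDP
            return False
        src = socket.inet_ntoa(inner[12:16])   # our internal host
        dst = socket.inet_ntoa(inner[16:20])   # the traceroute target
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
        sent = self._pending.get(Probe(src, sport, dst, dport))
        if sent is None or now - sent > self.max_age:
            return False
        return True


def build_probe_datagram(src, sport, dst, dport, ttl, payload=b""):
    """Constructed IPv4+UDP probe as traceroute would send it (checksums left at zero)."""
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, ttl,
                     IPPROTO_UDP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip + udp + payload


def build_icmp_error(itype, code, offending):
    """Constructed ICMP error: 8-byte header, then the quoted IP header + first 8 bytes (RFC 792)."""
    return struct.pack("!BBHI", itype, code, 0, 0) + offending[:28]


if __name__ == "__main__":
    f = TracerouteReturnFilter()
    # Internal host 10.0.0.5 probes 198.51.100.7 the way UDP traceroute does.
    f.note_outbound_udp("10.0.0.5", 40000, "198.51.100.7", 33434, now=0.0)
    probe = build_probe_datagram("10.0.0.5", 40000, "198.51.100.7", 33434, ttl=1)
    print("hop reply:", f.inbound_icmp_allowed(build_icmp_error(ICMP_TIME_EXCEEDED, 0, probe), now=0.2))
    print("target reply:", f.inbound_icmp_allowed(
        build_icmp_error(ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, probe), now=1.0))
    unsolicited = build_probe_datagram("10.0.0.5", 40001, "198.51.100.7", 33434, ttl=1)
    print("unsolicited:", f.inbound_icmp_allowed(build_icmp_error(ICMP_TIME_EXCEEDED, 0, unsolicited), now=0.2))
```

The point of matching on the quoted datagram rather than just on the ICMP type is that it turns "allow ICMP in" into "allow the specific replies our own probes provoked", which is the property the original question is really after. A real implementation would also expire entries, validate checksums, and handle the IPv6 equivalents.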
