Ping uses an ICMP echo request and echo reply.

On Windows NT, tracert uses echo requests and time exceeded, whereas Unix
(most flavors) uses a UDP response for traceroute.

Thus you could shut off ICMP in properties and create a rule to let ping
through by allowing ICMP echo-request out and echo-replies in. This would
not, however, let any traceroute through, as you would need ICMP time
exceeded for Windows and the service traceroute (UDP port 33000 for Unix).

In Stevens or Comer's coverage of TCP/IP there is an explanation of ping
and traceroute.



Rob Cryan
Solutions Integration Manager
infinitespace.com
Two Westborough Business Park
Westborough, MA 01581
Office: 508.870.4714


        -----Original Message-----
        From:   David Wong [SMTP:[EMAIL PROTECTED]]
        Sent:   Friday, July 21, 2000 12:02 PM
        To:     'Simon Guo'; [EMAIL PROTECTED]
        Subject:        RE: [FW1] Ping vs traceroute


        It depends on which traceroute client you use. Most Unix clients
        use UDP packets to traceroute, and thus it doesn't "work". You can
        use traceroute -I for it to use ICMP packets, and it'll probably
        go through.

        On Windows, it uses ICMP by default (I think) but you'll have to
        check.

        Dave

        -----Original Message-----
        From: Simon Guo [mailto:[EMAIL PROTECTED]]
        Sent: Friday, July 21, 2000 11:47 AM
        To: [EMAIL PROTECTED]
        Subject: [FW1] Ping vs traceroute



        Hi, Firewallers:

        I have a Firewall-1 that allows "ping" but not "traceroute". Is this a
        normal expected behavior? Is the rule accepting "icmp" supposed to allow
        both "ping" and "traceroute"?
        I am a little confused. I appreciate all your help to understand this
        phenomenon.

        Simon 


        
        ================================================================================
             To unsubscribe from this mailing list, please see the instructions at
                       http://www.checkpoint.com/services/mailing.html
        ================================================================================
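
The behaviour discussed in this thread, as an added example that is not from any of the posters and is not FireWall-1 rule syntax: a small Python simulation of a stateless filter in front of a constructed three-hop path, showing what each tool would report under each rule set. The rule tuples, hop names and the `trace` function are assumptions for illustration, and the UDP probe is modelled without a port number.

```python
# Added example: a constructed model, not FireWall-1 rule syntax.
# A rule is (direction, protocol, type); "out" leaves the protected network.
PING_ONLY = {("out", "icmp", "echo-request"), ("in", "icmp", "echo-reply")}
TIME_EXCEEDED_IN = ("in", "icmp", "time-exceeded")
UDP_TRACE = {("out", "udp", "probe"), ("in", "icmp", "port-unreachable")}

# tool -> (probe sent, reply returned by the final destination)
TOOLS = {
    "ping": (("icmp", "echo-request"), "echo-reply"),
    "tracert": (("icmp", "echo-request"), "echo-reply"),        # Windows NT
    "traceroute -I": (("icmp", "echo-request"), "echo-reply"),  # Unix, ICMP mode
    # Unix default: UDP probe; the destination answers with ICMP port unreachable
    "traceroute": (("udp", "probe"), "port-unreachable"),
}

PATH = ["router1", "router2", "target"]  # constructed hops beyond the firewall


def trace(tool, policy, path=PATH):
    """Return one entry per probe: the hop that answered, or '*' if filtered."""
    (proto, kind), final_reply = TOOLS[tool]
    # ping sends one probe with a TTL large enough to reach the target
    ttls = [len(path)] if tool == "ping" else range(1, len(path) + 1)
    rows = []
    for ttl in ttls:
        if ("out", proto, kind) not in policy:
            rows.append("*")  # probe never leaves the protected network
            continue
        # routers short of the destination answer with ICMP time exceeded
        reply = final_reply if ttl == len(path) else "time-exceeded"
        rows.append(path[ttl - 1] if ("in", "icmp", reply) in policy else "*")
    return rows


if __name__ == "__main__":
    policies = {
        "ping only": PING_ONLY,
        "+ time exceeded in": PING_ONLY | {TIME_EXCEEDED_IN},
        "+ UDP traceroute": PING_ONLY | {TIME_EXCEEDED_IN} | UDP_TRACE,
    }
    for name, policy in policies.items():
        for tool in TOOLS:
            print(f"{name:20} {tool:14} {' '.join(trace(tool, policy))}")
```

Under the ping-only rule set the ICMP-based tracers still get an answer from the final hop, because that answer is an echo reply, while every intermediate hop shows as filtered.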


        
