Actually, Windows uses destination unreachables; the Unix traceroute uses
several methods, one of which is "time-exceeded" or UDP port 33000 and above
to reply to the UDP messages. Take a look at www.phoneboy.com and search for
traceroute.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Larry Pingree
Sr. Security Engineer/Check Point Instructor
CCSA, CCSE, CCSI, ICE, ICI, NSA
Website: http://www.SiegeWorks.com <http://www.siegeworks.com/>
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Larry Pingree
Sent: Tuesday, August 21, 2001 11:55 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [FW1] Unable to tracert

Windows Traceroute uses destination Unreachable messages coming back from
each router hop. You'd need to allow this back into your network for
Traceroute to work.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Larry Pingree
Sr. Security Engineer/Check Point Instructor
CCSA, CCSE, CCSI, ICE, ICI, NSA
Website: http://www.SiegeWorks.com <http://www.siegeworks.com/>
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rusdyanto Tardjono
Sent: Friday, August 17, 2001 9:25 PM
To: [EMAIL PROTECTED]
Subject: [FW1] Unable to tracert

Dear lists,
I am using Checkpoint FW-1 4.1, still SP1, under Windows NT 4.0 Server SP 6.
I'm wondering why I can't do a traceroute from the FW module itself to any,
but I can ping to any with no problem from the FW module.
In my rule base, I have the following rule:
Source    Destination    Service            Action
Any       FW             ICMP Echo Reply    Accept
I have also tried to open built-in Traceroute service, but still unable to
do so.
From ANY, I purposely block any ICMP so outsiders can't ping and traceroute
to my FW and DMZ.
Under Policy menu -> Properties -> Security Policy tab, I deselect Accept
ICMP. Only if I select Accept ICMP can I traceroute from the FW, but then
outsiders can also ping and traceroute to my FW, which I don't want.
I remember the traceroute used to work. My rulebase is about the same when
it used to work. Any help will be appreciated.
Thanks.
Rusdy
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
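
Added example (not part of the original thread and not Check Point code): a small Python model of why ping can succeed while traceroute fails when only ICMP Echo Reply is accepted inbound, as in the rule quoted in the original post. It assumes the standard probe behaviour (Windows tracert sends ICMP echo requests, Unix traceroute sends UDP to high ports, and both rely on Time Exceeded from intermediate hops) and treats the firewall as a plain allow-list of inbound ICMP types, which is a simplification of FW-1's inspection.

```python
"""Which ICMP replies a traceroute needs back through an inbound ICMP allow-list."""

# ICMP (type, code) values from RFC 792.
ECHO_REPLY = (0, 0)
PORT_UNREACHABLE = (3, 3)
TIME_EXCEEDED = (11, 0)

# Reply each tool expects: (from intermediate hops, from the final destination).
TOOLS = {
    "ping": (None, ECHO_REPLY),
    "windows_tracert": (TIME_EXCEEDED, ECHO_REPLY),        # ICMP echo probes
    "unix_traceroute": (TIME_EXCEEDED, PORT_UNREACHABLE),  # UDP probes to high ports
}


def trace(tool, hops, allowed_inbound):
    """Return per-hop results ('reply' or '*') as seen on the probing host.

    hops is the number of routers before the destination (a constructed path);
    allowed_inbound is the set of ICMP (type, code) pairs the filter accepts.
    """
    hop_reply, dest_reply = TOOLS[tool]
    if hop_reply is None:  # ping sends a single probe with a full TTL
        return ["reply" if dest_reply in allowed_inbound else "*"]
    result = ["reply" if hop_reply in allowed_inbound else "*" for _ in range(hops)]
    result.append("reply" if dest_reply in allowed_inbound else "*")
    return result


def missing_types(tool, allowed_inbound):
    """ICMP replies the tool needs that the filter currently drops."""
    return sorted(r for r in TOOLS[tool] if r is not None and r not in allowed_inbound)


if __name__ == "__main__":
    # Rule from the original post: only ICMP Echo Reply is accepted toward the FW.
    rulebase = {ECHO_REPLY}
    for tool in TOOLS:
        print(tool, trace(tool, 3, rulebase), "missing:", missing_types(tool, rulebase))
```

The `missing_types` result is the narrow set of reply types to accept toward the firewall, rather than enabling Accept ICMP for everything.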