This will block some types of traceroute, but a client can always use
different ports.
Why do you want to block traceroute?
On 29/09/2009, at 8:42 PM, Iftikhar Ahmed wrote:
Atif,
Try to apply a filter to the loopback interface with something like

    term traceroute {
        /* match traceroute udp packets */
        from {
            protocol udp;
            destination-port 33434-33678;
        }
        then {
            count traceroute;
            discard;
        }
    }
    term default {
        then {
            accept;
        }
    }
Regards,
Iftikhar Ahmed
On Tue, Sep 29, 2009 at 3:23 PM, Pekka Savola <pek...@netcore.fi>
wrote:
On Tue, 29 Sep 2009, Muhammad Atif Jauahar wrote:
I want to block traceroute transit traffic on the router but I want to
allow ping transit traffic. Kindly let me know the ICMP Type and Code for
traceroute, and kindly let me know the procedure to block traceroute but
allow ping.
You can't if you want to support all flavours of traceroute, as some of
those use the equivalent of ping. Maybe you could match by both TTL and
ICMP type/code, but that would be hackish. To learn more about how
traceroute works, see:
http://en.wikipedia.org/wiki/Traceroute
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
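As an added example (not code from the thread or from Junos), a small Python model of the two approaches discussed above: the UDP port-range filter Iftikhar posted, and the TTL-plus-ICMP-type heuristic Pekka calls hackish. The sample packets and the TTL threshold are constructed assumptions, chosen to show which traceroute flavours each approach catches and what it costs in dropped pings.

```python
# Added illustration, not the thread's filter: model two "block traceroute,
# allow ping" policies over constructed packet headers (no real captures).
from dataclasses import dataclass

UDP_TRACEROUTE_PORTS = range(33434, 33679)  # range from the posted filter
ICMP_ECHO_REQUEST = 8                        # ping and "traceroute -I" probes


@dataclass(frozen=True)
class Packet:
    proto: str            # "udp", "icmp" or "tcp"
    ttl: int              # TTL as seen at the transit router
    dst_port: int = 0     # udp/tcp only
    icmp_type: int = -1   # icmp only


def action_port_only(p: Packet) -> str:
    """The posted filter: discard UDP to the classic traceroute port range.
    ICMP-based (Windows tracert, traceroute -I) and TCP-based probes pass."""
    if p.proto == "udp" and p.dst_port in UDP_TRACEROUTE_PORTS:
        return "discard"
    return "accept"


def action_ttl_heuristic(p: Packet, max_probe_ttl: int = 30) -> str:
    """Pekka's 'hackish' idea: additionally drop ICMP echo requests that
    arrive with a low TTL. Traceroute probes start at TTL 1 and count up,
    while ordinary pings leave the host at the OS default (64 or 128).
    The threshold is an assumption; any ping from far enough away is
    dropped too, which is the false-positive cost of this approach."""
    if action_port_only(p) == "discard":
        return "discard"
    if p.proto == "icmp" and p.icmp_type == ICMP_ECHO_REQUEST and p.ttl <= max_probe_ttl:
        return "discard"
    return "accept"


# Constructed samples: (description, packet)
SAMPLES = [
    ("classic UDP traceroute probe", Packet("udp", 1, dst_port=33434)),
    ("ICMP traceroute probe, hop 3", Packet("icmp", 3, icmp_type=ICMP_ECHO_REQUEST)),
    ("ping from 6 hops away (TTL 64 at source)", Packet("icmp", 58, icmp_type=ICMP_ECHO_REQUEST)),
    ("ping from 40 hops away (TTL 64 at source)", Packet("icmp", 24, icmp_type=ICMP_ECHO_REQUEST)),
    ("TCP traceroute probe to port 80", Packet("tcp", 2, dst_port=80)),
    ("ordinary DNS query", Packet("udp", 57, dst_port=53)),
]


def compare_policies() -> list[tuple[str, str, str]]:
    """Return (description, port-only action, TTL-heuristic action) per sample."""
    return [(d, action_port_only(p), action_ttl_heuristic(p)) for d, p in SAMPLES]


if __name__ == "__main__":
    for desc, a, b in compare_policies():
        print(f"{desc:45} port-only={a:8} ttl-heuristic={b}")
```

The table the script prints makes Pekka's point concrete: the port filter misses ICMP and TCP flavours, and the TTL heuristic catches ICMP probes only by also dropping distant pings, while TCP probes still pass.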