Re: [j-nsp] Block traceroute and Allow Ping

2009-09-30 Thread Masood Shah
This will block some types of traceroute, but a client can always use different ports. Why do you want to block traceroute? On 29/09/2009, at 8:42 PM, Iftikhar Ahmed wrote: Atif, Try to apply a filter to loop-back

Re: [j-nsp] Block traceroute and Allow Ping

2009-09-30 Thread Stefan Fouant
On Wed, Sep 30, 2009 at 5:09 AM, Masood Shah masoods...@juniper.net wrote: If you are REALLY paranoid, you can DROP all UDP traffic and then only open the ports that you have services running on. Sometimes this is easier said than done though. I wouldn't call this paranoia. I would call

Re: [j-nsp] Block traceroute and Allow Ping

2009-09-30 Thread Jared Mauch
Any blind filtering will have side-effects. Setting the bar correctly can be difficult. It is important to regularly review filtering policies, remove the ones that are not of value and place new ones in. If it's just something where people pile on block-more, MORE,

Re: [j-nsp] Block traceroute and Allow Ping

2009-09-30 Thread Stefan Fouant
On Wed, Sep 30, 2009 at 11:44 AM, David Ball davidtb...@gmail.com wrote: If I'm not mistaken, this year's migration to DNS servers supporting randomized source UDP ports (based on the Kaminsky thing) may throw a wrench into some notions of filtering UDP traffic across their network. I know

[j-nsp] Block traceroute and Allow Ping

2009-09-29 Thread Muhammad Atif Jauahar
Hi, I want to block traceroute transit traffic on router but I want to allow ping transit traffic. Kindly let me know ICMP Type and Code for traceroute and kindly let me know procedure to block traceroute but allow ping.

Re: [j-nsp] Block traceroute and Allow Ping

2009-09-29 Thread Pekka Savola
On Tue, 29 Sep 2009, Muhammad Atif Jauahar wrote: I want to block traceroute transit traffic on router but I want to allow ping transit traffic. Kindly let me know ICMP Type and Code for traceroute and kindly let me know procedure to block traceroute but allow ping. You can't if you want to

Re: [j-nsp] Block traceroute and Allow Ping

2009-09-29 Thread Iftikhar Ahmed
Atif, Try to apply a filter to loop-back interface with something like term traceroute { /* permit traceroute udp packets */ from { protocol udp; destination-port 33434-33678; } then { count

Re: [j-nsp] Block traceroute and Allow Ping

2009-09-29 Thread Truman Boyes
This will block some types of traceroute, but a client can always use different ports. Why do you want to block traceroute? On 29/09/2009, at 8:42 PM, Iftikhar Ahmed wrote: Atif, Try to apply a filter to loop-back interface with something like term traceroute { /* permit