designetwork(EN)

IT technical memo of networking

Allow the Cisco and Linux traceroute in Firewall

When traceroute is used to confirm network connectivity across a firewall (FW), the FW has to be configured to pass the traceroute traffic. Here is a memo of what is needed.
Traceroute: a command that checks the network path by sending packets with increasing TTL and collecting the ICMP "TTL exceeded" replies returned by each hop.

Specification of traceroute

In short, traceroute comes in the following patterns.

Windows tracert

On Windows, the network route is checked with tracert.
This command uses ICMP as its protocol.
Therefore, as long as ICMP is allowed in the FW (as it is for ping), there is no problem.

UNIX/Linux traceroute

UNIX-like systems, with Linux as the representative, use UDP for traceroute.
ICMP can be used instead with the -I option.
Much NW equipment, such as Cisco and F5, falls into this UDP category.
The probes are sent to UDP destination ports starting at 33434 and incrementing by one for each packet.

In a FW connection log it looks like this (the port on the 8.8.8.8 side increments with each probe).

UDP connection 4392765 for outside:8.8.8.8/33434 (8.8.8.8/33434) to management:192.168.1.xx/47503 (x.x.x.x/47503)
UDP connection 4392766 for outside:8.8.8.8/33435 (8.8.8.8/33435) to management:192.168.1.xx/37236 (x.x.x.x/37236)
UDP connection 4392767 for outside:8.8.8.8/33436 (8.8.8.8/33436) to management:192.168.1.xx/33682 (x.x.x.x/33682)
UDP connection 4392768 for outside:8.8.8.8/33437 (8.8.8.8/33437) to management:192.168.1.xx/43481 (x.x.x.x/43481)
UDP connection 4392769 for outside:8.8.8.8/33438 (8.8.8.8/33438) to management:192.168.1.xx/44631 (x.x.x.x/44631)
UDP connection 4392770 for outside:8.8.8.8/33439 (8.8.8.8/33439) to management:192.168.1.xx/40003 (x.x.x.x/40003)
UDP connection 4392771 for outside:8.8.8.8/33440 (8.8.8.8/33440) to management:192.168.1.xx/47200 (x.x.x.x/47200)
<snip>

Allow traceroute in FW

As described above, the UDP destination port increments with every probe, which is cumbersome to permit exactly, so for clarity of the permit rule it is considered good to allow roughly the range 33434-33499.
That range covers 66 port numbers, so with the default options (3 probes per hop) 22 hops can be traced.
Further, since these are high ports outside the well-known range, the rule does no harm unless your own system explicitly uses them.
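As an added example (not from the original post), here is a Python script that parses connection log lines in the format shown above and reports which probes the proposed 33434-33499 rule would pass and which it would drop. It assumes the default traceroute behaviour of 3 probes per hop and 30 hops; the extra sample lines for port 33500 and port 53 are constructed.

```python
import re

# Constructed sample in the format of the FW connection log quoted above; the
# 33500 and 53 lines are added to show a probe beyond hop 22 and a non-probe.
SAMPLE_LOG = """\
UDP connection 4392765 for outside:8.8.8.8/33434 (8.8.8.8/33434) to management:192.168.1.xx/47503 (x.x.x.x/47503)
UDP connection 4392768 for outside:8.8.8.8/33437 (8.8.8.8/33437) to management:192.168.1.xx/43481 (x.x.x.x/43481)
UDP connection 4392831 for outside:8.8.8.8/33500 (8.8.8.8/33500) to management:192.168.1.xx/40003 (x.x.x.x/40003)
UDP connection 4392832 for outside:8.8.8.8/53 (8.8.8.8/53) to management:192.168.1.xx/51000 (x.x.x.x/51000)
"""

# "<proto> connection <id> for <dst-if>:<dst>/<dport> (...) to <src-if>:<src>/<sport> (...)"
LOG_RE = re.compile(
    r"^(?P<proto>\w+) connection \d+ for \w+:(?P<dst>[\w.]+)/(?P<dport>\d+) "
    r"\([^)]*\) to \w+:[\w.]+/\d+ \([^)]*\)$"
)

BASE_PORT, PROBES_PER_HOP = 33434, 3           # traceroute's first UDP port, probes per TTL
RULE_LO, RULE_HI = 33434, 33499                 # the allow range proposed in the post
PROBE_HI = BASE_PORT + 30 * PROBES_PER_HOP - 1  # assumption: default 30-hop run

def parse_line(line):
    """Parse one connection log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"proto": m["proto"], "dst": m["dst"], "dport": int(m["dport"])}

def is_probe(conn):
    """UDP to a destination port that a default traceroute run walks through."""
    return conn["proto"] == "UDP" and BASE_PORT <= conn["dport"] <= PROBE_HI

def hop_number(dport):
    """Hop a probe belongs to: 33434-33436 is hop 1, 33437-33439 is hop 2, ..."""
    return (dport - BASE_PORT) // PROBES_PER_HOP + 1

def max_hops(lo=RULE_LO, hi=RULE_HI):
    """Complete hops the rule lets through: 66 ports / 3 probes per hop = 22."""
    return (hi - lo + 1) // PROBES_PER_HOP

def summarize(log_text):
    """Return (hops seen per destination, probe ports the rule would drop)."""
    hops, dropped = {}, []
    for conn in filter(None, map(parse_line, log_text.splitlines())):
        if not is_probe(conn):
            continue                       # e.g. DNS to 8.8.8.8/53: not traceroute
        if RULE_LO <= conn["dport"] <= RULE_HI:
            hops.setdefault(conn["dst"], set()).add(hop_number(conn["dport"]))
        else:
            dropped.append(conn["dport"])  # beyond hop 22: would need a wider range
    return hops, dropped
```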

※ Since opening holes in the FW can be a security risk, please consider it carefully in advance.


This blog is the English version of my Japanese one.

Sorry if my English sentences are incorrect.