RE: [FW1] Unable to tracert
Actually, Windows uses destination unreachables; the Unix traceroute uses several methods, one of which is "time-exceeded" or UDP port 33000 and above to reply to the UDP messages. Take a look at www.phoneboy.com and search for traceroute.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Larry Pingree
Sr. Security Engineer/Check Point Instructor
CCSA, CCSE, CCSI, ICE, ICI, NSA
Website: http://www.SiegeWorks.com <http://www.siegeworks.com/>
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

-----Original Message-----
From: [email protected] [mailto:[email protected]]On Behalf Of Larry Pingree
Sent: Tuesday, August 21, 2001 11:55 AM
To: [email protected]; [email protected]
Subject: RE: [FW1] Unable to tracert

Windows Traceroute uses destination Unreachable messages coming back from each router hop. You'd need to allow this back into your network for Traceroute to work.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Larry Pingree
Sr. Security Engineer/Check Point Instructor
CCSA, CCSE, CCSI, ICE, ICI, NSA
Website: http://www.SiegeWorks.com <http://www.siegeworks.com/>
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

-----Original Message-----
From: [email protected] [mailto:[email protected]]On Behalf Of Rusdyanto Tardjono
Sent: Friday, August 17, 2001 9:25 PM
To: [email protected]
Subject: [FW1] Unable to tracert

Dear lists,

I am using Checkpoint FW-1 4.1 still SP1 under Windows NT 4.0 Server SP 6. I'm wondering why I can't do traceroute from the FW module itself to any, but I can ping to any with no problem from the FW module.

In my rule base, I have the following rule:

Source    Destination    Service            Action
Any       FW             ICMP Echo Reply    Accept

I have also tried to open the built-in Traceroute service, but I am still unable to do so.

From ANY, I purposely block any ICMP so outsiders can't ping and traceroute to my FW and DMZ. Under Policy menu -> Properties -> Security Policy tab, I deselect Accept ICMP. Only if I select Accept ICMP can I traceroute from the FW, and then outsiders can also ping and traceroute to my FW, which I don't want.

I remember the traceroute used to work. My rulebase is about the same as when it used to work.

Any help will be appreciated.

Thanks.
Rusdy

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
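A simplified model of the inbound ICMP filtering discussed in this thread, added as an example; it is not part of the original messages and is not Check Point rule syntax. It assumes Windows tracert sends ICMP echo probes and Unix traceroute sends UDP probes; the path addresses, policy names and function names are constructed.

```python
# Added example: stateless model of which ICMP replies a firewall must accept
# inbound for traceroute to display hops. Not Check Point FW-1 syntax.
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11

# Constructed sample path (documentation addresses); last entry is the target.
PATH = ["192.0.2.1", "198.51.100.1", "203.0.113.10"]

POLICIES = {  # ICMP types accepted inbound to the firewall (assumed names)
    "echo-reply only": {ECHO_REPLY},
    "accept all ICMP": {ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED},
    "replies only": {ECHO_REPLY, DEST_UNREACH, TIME_EXCEEDED},
}

def reply_for(probe, ttl, hops):
    """ICMP (type, source) sent back for one probe launched with this TTL."""
    if ttl < len(hops):
        # TTL reaches zero at an intermediate router: Time Exceeded (type 11).
        return TIME_EXCEEDED, hops[ttl - 1]
    # Probe reached the target: echo probes get Echo Reply (type 0), UDP
    # probes to a closed high port get Destination Unreachable (type 3).
    return (ECHO_REPLY if probe == "icmp" else DEST_UNREACH), hops[-1]

def trace(probe, hops, allowed_inbound):
    """What the tool shows per TTL; '*' means the reply was dropped inbound."""
    shown = []
    for ttl in range(1, len(hops) + 1):
        icmp_type, src = reply_for(probe, ttl, hops)
        shown.append(src if icmp_type in allowed_inbound else "*")
    return shown

def outside_can_ping(allowed_inbound):
    """Outsiders can ping the firewall only if Echo Request (8) is accepted."""
    return ECHO_REQUEST in allowed_inbound

if __name__ == "__main__":
    for name, allowed in POLICIES.items():
        print(name)
        print("  tracert (ICMP):  ", trace("icmp", PATH, allowed))
        print("  traceroute (UDP):", trace("udp", PATH, allowed))
        print("  outside can ping:", outside_can_ping(allowed))
```

In this model the "replies only" policy lets both traceroute styles complete from the firewall while inbound Echo Request stays blocked.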