Operating System - HP-UX

Re: traceroute and firewall

Michael_33
Regular Advisor

traceroute and firewall

Hi all,

There are 2 servers: A in the US, B in Singapore. We can use ssh2 to log in to A from B,
but we cannot traceroute from A to B, or from B to A.
Is this normal?

Can traceroute get across a firewall or not?
Which tool can do it?
Thanks!
CHRIS_ANORUO
Honored Contributor

Re: traceroute and firewall

1. First question is, do you have a VPN?
2. Is the IP address routable?
3. Are the addresses of the servers NATed on the firewall?
4. You have to check the rules on the firewall.
5. Do you have ssh2 properly configured?
These are the answers you have to look into and eliminate to help you resolve the issues.
When We Seek To Discover The Best In Others, We Somehow Bring Out The Best In Ourselves.
Michael_33
Regular Advisor

Re: traceroute and firewall

ssh2 is set up correctly.
The others I am not sure about, but I can traceroute to some nodes; it stops at an ISP.
For sure, the B server is behind a firewall.
U.SivaKumar_2
Honored Contributor

Re: traceroute and firewall

Hi,

Unix traceroute is done with high-port UDP packets (incrementing port numbers) with a short TTL.

Windows traceroute depends on ICMP echo requests and replies. In order to run traceroute tests across a firewall, ICMP echo requests and replies must be opened at the firewall.

If your firewall is configured not to let ICMP echo requests into your network, you will have to open up ICMP echo and ICMP reply in your firewall to allow traceroute with Windows, or UDP ports over a high range in your firewall to traceroute in Unix.

Both are dangerous to security in my opinion.

regards,
U.SivaKumar
Innovations are made when conventions are broken
Michael_33
Regular Advisor

Re: traceroute and firewall

A and B are Unix boxes.
Any other idea?
U.SivaKumar_2
Honored Contributor

Re: traceroute and firewall

Hi,
All firewalls will block UDP ports as a security measure by default.

The only solution for you is to open UDP port traffic in the firewall for Unix traceroute to work.

I strongly recommend not to do that...

regards,
U.SivaKumar
Innovations are made when conventions are broken
Christopher Caldwell
Honored Contributor

Re: traceroute and firewall

Many firewalls block ping and traceroute through the firewall by default.

It is possible to selectively allow ping and traceroute on many firewalls. For example, you could craft a rule that said "allow traceroute for inside hosts, allow replies from outside hosts".

Post the make & model of your firewall. Maybe we can help with appropriate configs.
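The UDP/TTL mechanism U.SivaKumar describes and the selective "allow traceroute out, allow replies back in" rule Christopher suggests can be seen together in this added simulation. It is not code from the thread or from any firewall product; the hop names, the 90-port window and the three policies are constructed assumptions, and no real packets are sent.

```python
"""Constructed model of Unix traceroute crossing a firewall (no real packets are sent)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

BASE_PORT = 33434                       # first UDP destination port classic traceroute uses
TRACE_PORTS = range(BASE_PORT, BASE_PORT + 90)  # 30 hops x 3 probes: the window usually opened

@dataclass
class Hop:
    name: str
    is_firewall: bool = False
    allow_udp: Optional[range] = None   # UDP dst ports a firewall forwards (None = drop all)
    allow_icmp_errors: bool = True      # passes ICMP time-exceeded / port-unreachable back in

    def forwards_udp(self, dst_port: int) -> bool:
        # plain routers forward anything; a firewall needs an explicit UDP allow range
        return not self.is_firewall or (self.allow_udp is not None and dst_port in self.allow_udp)

def probe(path: List[Hop], ttl: int, dst_port: int) -> Optional[str]:
    """Send one UDP probe with `ttl`; return the name of the hop that answers, or None."""
    for i, hop in enumerate(path):
        if not hop.forwards_udp(dst_port):
            return None                 # silently dropped at the firewall: nothing answers
        if i == ttl - 1:
            # TTL expires here (ICMP time-exceeded) or this is the destination (ICMP
            # port-unreachable); the reply must travel back through every earlier hop
            return hop.name if all(h.allow_icmp_errors for h in path[:i]) else None
    return None

def traceroute(path: List[Hop], max_ttl: int = 8) -> List[Tuple[int, str]]:
    """Hop-by-hop output like the real tool: '*' where no reply arrived."""
    lines = []
    for ttl in range(1, max_ttl + 1):
        who = probe(path, ttl, BASE_PORT + ttl - 1)   # destination port increments per probe
        lines.append((ttl, who or "*"))
        if who == path[-1].name:        # destination reached, stop probing
            break
    return lines

def trace_a_to_b(policy: str) -> List[Tuple[int, str]]:
    """'default': UDP dropped; 'udp': UDP opened only; 'udp+icmp': UDP out and ICMP errors back in."""
    fw = Hop("fw-B", is_firewall=True,
             allow_udp=TRACE_PORTS if policy != "default" else None,
             allow_icmp_errors=(policy == "udp+icmp"))
    path = [Hop("gw-A"), Hop("isp-US"), Hop("isp-SG"), fw, Hop("B")]   # constructed path
    return traceroute(path)

if __name__ == "__main__":
    for policy in ("default", "udp", "udp+icmp"):
        print(policy, trace_a_to_b(policy))
```

With the default policy the trace shows the last ISP hop and then only `*`, which is the symptom in the thread; opening the UDP window alone still leaves `*` after the firewall, because the destination's ICMP port-unreachable reply is dropped on the way back, so both directions of the selective rule are needed.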
Anthony deRito
Respected Contributor

Re: traceroute and firewall

My guess is that somewhere along the path there is a device, probably a firewall, blocking ICMP. ICMP is a messaging protocol.