[j-nsp] Difficulty with traceroute and stateful-firewall services...
Erik Haagsman
erik at we-dare.net
Mon Apr 11 12:34:39 EDT 2005
On Mon, 2005-04-11 at 10:26 -0600, Michael Loftis wrote:
> I have a final 'then reject' in the rules in the service set....I didn't
> want to include the rules because they get so long-winded but here goes...
Have you tried explicitly allowing UDP ports >30000 (officially UDP
ports 33434 - 33523, but there appear to be a few slightly broken
traceroute implementations out there that use UDP ports higher than
30000) and ICMP types 0 (echo reply) and 11 (time exceeded)...? AFAIK,
those are the only ports and protocols traceroute uses which could be
blocked by your default "then reject" rule.
Cheers,
--
---
Erik Haagsman
Network Architect
We Dare BV
Tel: +31(0)10-7507008
Fax: +31(0)10-7507005
http://www.we-dare.nl
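A quick way to sanity-check a rule list of the kind discussed above, as an added example (Python, not from this thread and not Junos configuration): a first-match rule evaluator fed with the packets a classic UDP traceroute generates. The rule names, the two policies and the packet list are constructed for illustration; the model is stateless and ignores direction, so it only shows which packet types fall through to a final "then reject" rule. It also adds ICMP type 3 (destination unreachable, code 3 port unreachable), which is what the final hop answers a UDP probe with, so that the last line of a UDP traceroute can be compared against a policy that permits only types 0 and 11.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    note: str                 # label used in the results
    proto: str                # "udp" or "icmp"
    dport: int = 0            # UDP destination port (0 if not UDP)
    icmp_type: int = -1       # ICMP type (-1 if not ICMP)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                     # "accept" or "reject"
    proto: str = "any"                              # "udp", "icmp" or "any"
    dport_range: Optional[Tuple[int, int]] = None   # inclusive UDP port range
    icmp_types: Optional[frozenset] = None          # ICMP types this rule covers

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.dport_range is not None:
            lo, hi = self.dport_range
            if not lo <= p.dport <= hi:
                return False
        if self.icmp_types is not None and p.icmp_type not in self.icmp_types:
            return False
        return True


def first_match(rules: List[Rule], p: Packet) -> Rule:
    """First-match semantics, like a rule list that ends in 'then reject'."""
    for r in rules:
        if r.matches(p):
            return r
    raise ValueError("rule list has no default rule")


def rejected(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Labels of the packets that fall through to a reject action."""
    return [p.note for p in packets if first_match(rules, p).action == "reject"]


# Classic UNIX traceroute: base port 33434, one port per probe, default
# 30 hops x 3 probes, which gives the 33434 .. 33523 range quoted in the mail.
TRACEROUTE_BASE_PORT = 33434
TRACEROUTE_LAST_PORT = TRACEROUTE_BASE_PORT + 30 * 3 - 1   # 33523

DEFAULT_REJECT = Rule("default-reject", "reject")

# Hypothetical policy modelled on the mail: UDP above 30000, ICMP types 0 and 11.
POLICY_MAIL = [
    Rule("allow-traceroute-udp", "accept", proto="udp", dport_range=(30001, 65535)),
    Rule("allow-icmp-0-11", "accept", proto="icmp", icmp_types=frozenset({0, 11})),
    DEFAULT_REJECT,
]

# Same policy plus ICMP type 3 (destination unreachable), which the final hop
# sends back (code 3, port unreachable) in answer to a UDP probe.
POLICY_WITH_UNREACH = [
    POLICY_MAIL[0],
    Rule("allow-icmp-0-3-11", "accept", proto="icmp", icmp_types=frozenset({0, 3, 11})),
    DEFAULT_REJECT,
]

# Constructed traffic: a 3-hop UDP traceroute, plus the echo reply an
# ICMP-based traceroute (traceroute -I / Windows tracert) would get back.
TRACEROUTE_RUN = [
    Packet("udp probe ttl=1 dport=33434", "udp", dport=33434),
    Packet("icmp time-exceeded from hop 1", "icmp", icmp_type=11),
    Packet("udp probe ttl=2 dport=33435", "udp", dport=33435),
    Packet("icmp time-exceeded from hop 2", "icmp", icmp_type=11),
    Packet("udp probe ttl=3 dport=33436", "udp", dport=33436),
    Packet("icmp port-unreachable from destination", "icmp", icmp_type=3),
    Packet("icmp echo reply", "icmp", icmp_type=0),
]

if __name__ == "__main__":
    for name, policy in (("mail", POLICY_MAIL), ("with-unreach", POLICY_WITH_UNREACH)):
        print(f"{name}: rejected = {rejected(policy, TRACEROUTE_RUN)}")
```

Under the first policy every intermediate hop answers, but the destination's port-unreachable is the one packet that hits the default reject, so the trace shows the last hop as timing out; the second policy lets all of it through. A stateful firewall may additionally need ICMP errors to be tied to the UDP flow that triggered them, which this stateless model does not attempt to show.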