[j-nsp] Block traceroute and Allow Ping

Iftikhar Ahmed iftikhar.khan at gmail.com
Tue Sep 29 06:42:19 EDT 2009


Atif,

Try to apply a filter to the loopback interface with something like


term traceroute {           /* discard traceroute UDP probes */
    from {
        protocol udp;
        destination-port 33434-33678;
    }
    then {
        count traceroute;   /* counter visible in "show firewall" */
        discard;
    }
}
term default {              /* without this, everything else hits the implicit discard */
    then {
        accept;
    }
}



Regards,
iftikhar Ahmed

On Tue, Sep 29, 2009 at 3:23 PM, Pekka Savola <pekkas at netcore.fi> wrote:

> On Tue, 29 Sep 2009, Muhammad Atif Jauahar wrote:
>
>> I want to block traceroute transit traffic on the router but I want to allow
>> ping transit traffic. Kindly let me know the ICMP type and code for traceroute
>> and kindly let me know the procedure to block traceroute but allow ping.
>>
>
> You can't if you want to support all flavours of traceroute as some of
> those use the equivalent of ping.  Maybe you could match by both TTL and
> ICMP type/code but that would be hackish.  To learn more about how
> traceroute works, see:
>
> http://en.wikipedia.org/wiki/Traceroute
>
> --
> Pekka Savola                 "You each name yourselves king, yet the
> Netcore Oy                    kingdom bleeds."
> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
>
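As an added illustration (not code from the thread), a small Python model of Junos first-match term evaluation, run over a few constructed packets, shows what the posted filter does: the UDP probes are discarded, but an ICMP-echo-based traceroute looks identical to ping apart from its TTL, which is Pekka's point, and leaving out the final accept term sends every other packet aimed at the loopback into the implicit discard.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    protocol: str                     # "udp", "tcp" or "icmp"
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None
    ttl: int = 64

@dataclass(frozen=True)
class Term:
    name: str
    match: Callable[[Packet], bool]   # the term's "from" clause
    action: str                       # "accept" or "discard"

# Port range exactly as given in the post.
TRACEROUTE_PORTS = range(33434, 33678 + 1)

# The posted filter: discard UDP traceroute probes, accept everything else.
POSTED_FILTER = [
    Term("traceroute",
         lambda p: p.protocol == "udp" and p.dst_port in TRACEROUTE_PORTS,
         "discard"),
    Term("default", lambda p: True, "accept"),
]

def evaluate(terms: List[Term], pkt: Packet) -> Tuple[str, str]:
    """First matching term decides; no match falls into Junos's implicit final discard."""
    for term in terms:
        if term.match(pkt):
            return term.name, term.action
    return "(implicit)", "discard"

# Constructed sample traffic addressed to the router's loopback.
SAMPLES = {
    "udp_probe": Packet("udp", dst_port=33434, ttl=1),   # classic UNIX traceroute
    "icmp_probe": Packet("icmp", icmp_type=8, ttl=1),    # traceroute -I / Windows tracert
    "ping": Packet("icmp", icmp_type=8),                 # ordinary ping, TTL 64
    "bgp": Packet("tcp", dst_port=179),                  # a control-plane session
}

def posted_filter_results() -> Dict[str, str]:
    return {name: evaluate(POSTED_FILTER, pkt)[1] for name, pkt in SAMPLES.items()}

def without_default_term() -> Dict[str, str]:
    # Same filter with the catch-all term omitted: unmatched traffic is dropped.
    return {name: evaluate(POSTED_FILTER[:1], pkt)[1] for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    print("as posted:      ", posted_filter_results())
    print("no default term:", without_default_term())
```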