[j-nsp] Block traceroute and Allow Ping
Truman Boyes
truman at suspicious.org
Wed Sep 30 01:34:26 EDT 2009
This will block some types of traceroute, but a client can always use
different ports.
Why do you want to block traceroute?
On 29/09/2009, at 8:42 PM, Iftikhar Ahmed wrote:
> Atif,
>
> Try to apply a filter to the loopback interface with something like
>
>     term traceroute {
>         /* drop traceroute udp probes */
>         from {
>             protocol udp;
>             destination-port 33434-33678;
>         }
>         then {
>             count traceroute;
>             discard;
>         }
>     }
>     term default {
>         then {
>             accept;
>         }
>     }
>
> Regards,
> iftikhar Ahmed
>
> On Tue, Sep 29, 2009 at 3:23 PM, Pekka Savola <pekkas at netcore.fi>
> wrote:
>
>> On Tue, 29 Sep 2009, Muhammad Atif Jauahar wrote:
>>
>>> I want to block traceroute transit traffic on the router but I want to allow
>>> ping transit traffic. Kindly let me know the ICMP type and code for traceroute
>>> and kindly let me know the procedure to block traceroute but allow ping.
>>>
>>
>> You can't if you want to support all flavours of traceroute, as some of
>> those use the equivalent of ping. Maybe you could match by both TTL and
>> ICMP type/code, but that would be hackish. To learn more about how
>> traceroute works, see:
>>
>> http://en.wikipedia.org/wiki/Traceroute
>>
>> --
>> Pekka Savola
>> Netcore Oy
>> Systems. Networks. Security.
>>
>> "You each name yourselves king, yet the kingdom bleeds."
>> -- George R.R. Martin: A Clash of Kings
>>
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
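The thread makes two points about the posted filter: the UDP destination-port term only catches classic UDP traceroute, and ICMP-mode traceroute looks exactly like ping at the type/code level, so it cannot be blocked without also blocking ping (or resorting to TTL matching). The following is an added example, not code from the list or from Juniper: a small Python model of Junos term evaluation (ordered terms, first match decides, implicit discard at the end) run over constructed sample probes. The explicit "ping" accept term, the packet labels and all packet values are assumptions made here; the "traceroute" and "default" terms mirror the posted filter.

```python
"""Added example (not from the juniper-nsp thread): a small model of how the
Junos filter terms in the thread classify traffic, run over constructed sample
packets. It shows what the UDP-port term catches and what it cannot."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Packet:
    """Constructed packet summary; only the header fields the filter inspects."""
    label: str
    protocol: str                    # "udp", "tcp" or "icmp"
    dst_port: Optional[int] = None   # UDP/TCP destination port
    icmp_type: Optional[int] = None  # 8 = echo request
    ttl: int = 64                    # not inspected by the filter; shown for context


@dataclass
class Term:
    """One filter term: a match predicate and a terminating action."""
    name: str
    match: Callable[[Packet], bool]
    action: str                      # "accept" or "discard"
    counter: Optional[str] = None    # name of a 'count' counter, if any


# Port range from the posted filter: destination-port 33434-33678 (inclusive).
TRACEROUTE_PORTS = range(33434, 33679)


def is_udp_traceroute(p: Packet) -> bool:
    return p.protocol == "udp" and p.dst_port in TRACEROUTE_PORTS


def is_icmp_echo_request(p: Packet) -> bool:
    return p.protocol == "icmp" and p.icmp_type == 8


# Terms in evaluation order. The explicit 'ping' term is an assumption added
# here so that echo requests are accepted before anything else is considered;
# the 'traceroute' and 'default' terms mirror the posted filter.
FILTER: List[Term] = [
    Term("ping", is_icmp_echo_request, "accept"),
    Term("traceroute", is_udp_traceroute, "discard", counter="traceroute"),
    Term("default", lambda p: True, "accept"),
]


def apply_filter(packet: Packet, terms: List[Term],
                 counters: Dict[str, int]) -> Tuple[str, str]:
    """Junos semantics: terms are tried in order, the first match decides,
    and a filter with no matching term discards the packet."""
    for term in terms:
        if term.match(packet):
            if term.counter:
                counters[term.counter] = counters.get(term.counter, 0) + 1
            return term.name, term.action
    return "(implicit)", "discard"


# Constructed probes: the classic UDP traceroute, ping, ICMP-mode traceroute
# ("traceroute -I"), TCP traceroute to port 80 and UDP traceroute on port 53.
SAMPLE_PACKETS: List[Packet] = [
    Packet("udp-traceroute-33434", "udp", dst_port=33434, ttl=1),
    Packet("udp-traceroute-33500", "udp", dst_port=33500, ttl=7),
    Packet("ping", "icmp", icmp_type=8, ttl=64),
    Packet("icmp-traceroute", "icmp", icmp_type=8, ttl=1),
    Packet("tcp-traceroute-80", "tcp", dst_port=80, ttl=1),
    Packet("udp-traceroute-53", "udp", dst_port=53, ttl=1),
]


def evaluate(packets: List[Packet] = SAMPLE_PACKETS) -> Tuple[Dict[str, str], Dict[str, int]]:
    """Return each packet's resulting action and the counter values after the run."""
    counters: Dict[str, int] = {}
    actions = {p.label: apply_filter(p, FILTER, counters)[1] for p in packets}
    return actions, counters


if __name__ == "__main__":
    actions, counters = evaluate()
    for label, action in actions.items():
        print(f"{label:24} -> {action}")
    print("counters:", counters)
```

Only the two probes inside the 33434-33678 range are discarded (and counted). The ICMP-mode probe differs from the ping only in its TTL, which the filter never looks at, so it is accepted by the same term as ping; the TCP probe and the UDP probe on port 53 fall through to the default accept, which is the "client can always use different ports" case. The model evaluates terms the same way whether the filter is applied to lo0 (traffic to the router) or to a transit interface; which traffic it sees depends on where it is attached.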