743 Views 4 Replies Latest reply: Mar 28, 2013 9:43 AM by russel
russel Newcomer 20 posts since
Mar 18, 2013

Mar 26, 2013 10:26 AM

Trace Route

Hello all, I am having trouble getting the firewall to respond to Trace Route. Could someone help me figure out how to get this to work?

  • PhilM Champion 528 posts since
    Jan 7, 2010
    1. Mar 26, 2013 11:34 AM (in response to russel)
    Re: Trace Route

    One of the McAfee guys on this forum may well correct me if I am wrong. But, going back 14 years to my first exposure to the Sidewinder Firewall product that eventually became McAfee Firewall Enterprise, it has never responded to traceroute requests - or never allowed these requests to pass through.

     

    You can traceroute from the Firewall command line, however.

     

    There is a setting in the Network --> Zone Configuration (or Burb Configuration if you are pre-v8) on each zone to "Respond to ICMP Echo and Timestamp", but I have always associated this with being able to ping the Firewall.

     

    -Phil.

  • packetmonkey Newcomer 22 posts since
    Mar 1, 2013
    3. Mar 27, 2013 3:06 PM (in response to PhilM)
    Re: Trace Route

    Hello,

     

    Yes, traceroute is just ICMP with a gradually increasing TTL.

     

    That's interesting that you can't traceroute by default. Unless I'm mistaken, I think this is just not enabled out of the box for security, but could be made to work with the right rules. I do remember something in the distant past (5.2) where the Sidewinder had a bug that caused issues if ICMP was used past a certain date (yes, really!). Think this was an issue with the underlying BSDOS that was used. I don't think you can ping through the Sidewinder by default either, but again I think it might be possible with the right rules.

     

    I always ensure that "Respond to ICMP Echo and Timestamp" is disabled on WAN interfaces, as nobody needs to know you are there! I let internal users ping the LAN IP though.

     

    All the best,

     

    on 27/03/13 15:06:58 CDT
