Traceroute

Traceroute is a service used for examining the routing from a client computer to a server. It is an excellent tool for tracing errors in a computer network, since it finds failures and loops in the network. As traceroute is often used to examine the structure of a network, it is not advisable to allow this service into an internal network.

To explore the route to a server, traceroute first sends a packet to the first router or other network equipment in the network. The router sends a reply packet to the client computer. Then traceroute sends a packet to the second router, which also replies to the client. This is repeated until traceroute reaches the server, which also sends a reply packet to the client.

For traceroute to be able to query names in a DNS, services and rules for DNS traffic are required; see the DNS section. The name queries are made by the client.

Traceroute sends data using the UDP protocol. Client and server ports differ between versions of traceroute, but usually both are high ports (a number higher than 32768), and the server port, with few exceptions, is in the interval 33434 to 33523, inclusive.

Routers and other network equipment reply by sending an ICMP packet of type 11.

The destination server replies with an ICMP packet of type 3.

This corresponds to the following service definition for UDP traffic:

Services
Name               Protocol   Firewall type   Client ports   Server ports
traceroute         UDP        Packet filter   1024-65535     33434-33523

The reply traffic will need this service definition:

Services
Name               Protocol   Firewall type   ICMP type
traceroute-reply   ICMP       Packet filter   3, 11

Traceroute in Windows

In Microsoft Windows and some other operating systems, traceroute works differently: the client computer sends ICMP packets of type 8, echo-request, instead of UDP packets. Routers reply with ICMP packets of type 11 as before.

The destination server replies with an ICMP packet of type 0, echo-reply, the same type as ping uses.

This corresponds to the following service definitions:

Services
Name               Protocol   Firewall type   ICMP type
traceroute         ICMP       Packet filter   8
traceroute-reply   ICMP       Packet filter   0, 11

The traceroute service defined above is usually called echo-request, but to keep things simple we use the name traceroute for this service.

Outgoing traceroute configuration

Using Rules (no NAT)

Allow the traceroute service from the computers which should be able to run traceroute (e.g., the Inside) to the computers whose route you want to examine (e.g., the Internet). A firewall rule allowing traceroute-reply in the opposite direction is needed for the replies to reach the client computers.

Rules
Client     Server     Service            Action
Inside     Internet   traceroute         Allow
Internet   Inside     traceroute-reply   Allow

Using Rules (NAT)

Allow the traceroute service from the computers which should be able to run traceroute (e.g., the Inside) to the computers whose route you want to examine (e.g., the Internet). The replies need no rules, as the NAT system handles this automatically.

Rules
Client     Server     Service      Action
Inside     Internet   traceroute   Allow

Incoming traceroute configuration

Using Rules (no NAT)

Allow the traceroute service from the computers which should be able to run traceroute (e.g., the Internet) to the computers whose route you want to examine (e.g., the Inside). A firewall rule allowing traceroute-reply in the opposite direction is needed for the replies to reach the client computers.

As traceroute is often used to examine the structure of a network, it is not advisable to allow this service into an internal network.

Rules
Client     Server     Service            Action
Internet   Inside     traceroute         Allow
Inside     Internet   traceroute-reply   Allow

There is no alternative for incoming traceroute to a NATed network, as such a network is supposed to be hidden from the outside network.
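To check that the service definitions and rule tables above fit together, here is a small stateless packet-filter model, written as an added example for this page and not part of the firewall product's own software. It encodes the UDP and Windows traceroute services with the port ranges and ICMP types given above and evaluates the outgoing (no NAT) rule tables against sample packets; the zone names Inside and Internet, the Packet class and the "-win" suffix on the Windows service names are assumptions made here.

```python
from dataclasses import dataclass
from typing import Optional

# Service definitions from the page. The page reuses the name "traceroute"
# for the Windows ICMP variant; the "-win" suffix is this example's own.
SERVICES = {
    "traceroute":           dict(proto="udp", client=(1024, 65535), server=(33434, 33523)),
    "traceroute-reply":     dict(proto="icmp", types={3, 11}),
    "traceroute-win":       dict(proto="icmp", types={8}),
    "traceroute-win-reply": dict(proto="icmp", types={0, 11}),
}

# Outgoing traceroute without NAT, as in the page's rule tables.
# Each rule is (client zone, server zone, service, action).
RULES_UNIX = [("Inside", "Internet", "traceroute", "Allow"),
              ("Internet", "Inside", "traceroute-reply", "Allow")]
RULES_WIN = [("Inside", "Internet", "traceroute-win", "Allow"),
             ("Internet", "Inside", "traceroute-win-reply", "Allow")]

@dataclass
class Packet:
    src_zone: str                 # zone the packet comes from ("Inside"/"Internet")
    dst_zone: str                 # zone the packet is going to
    proto: str                    # "udp" or "icmp"
    sport: int = 0                # UDP source (client) port
    dport: int = 0                # UDP destination (server) port
    icmp_type: Optional[int] = None

def _in_range(lo_hi, value):
    lo, hi = lo_hi
    return lo <= value <= hi

def matching_services(pkt):
    """Names of every service definition this packet falls under."""
    names = set()
    for name, svc in SERVICES.items():
        if svc["proto"] != pkt.proto:
            continue
        if pkt.proto == "udp":
            if _in_range(svc["client"], pkt.sport) and _in_range(svc["server"], pkt.dport):
                names.add(name)
        elif pkt.icmp_type in svc["types"]:
            names.add(name)
    return names

def decide(pkt, rules):
    """First matching rule wins; a packet filter with no matching rule denies."""
    services = matching_services(pkt)
    for client, server, service, action in rules:
        if (client, server) == (pkt.src_zone, pkt.dst_zone) and service in services:
            return action
    return "Deny"
```

Note that because the reply service matches on ICMP type alone, a stateless filter cannot tell a type 11 reply to a real probe from any other type 11 packet; the NAT variant of the configuration avoids opening that direction at all.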