Michael C. Toren on Wed, 15 Aug 2001 14:41:03 -0400



[tcptra-dev] tracing through stateless firewalls


Two quick examples of using tcptraceroute-1.3beta1 to trace through
stateless firewalls, with the new -S and -A flags.  The targets are
both hosts which are sitting behind firewalls that permit outgoing
TCP connections, but are not permitting inbound connections.

The first example is a Linux 2.2 ipchains firewall:

    # ./tcptraceroute -q1 argo.starforce.com
    Selected device eth0, address 207.8.132.210, port 3738 for outgoing packets
    Tracing the path to argo.starforce.com (216.158.56.82) on TCP port 80 (www), 30 hops max
    [..]
     7  voicenet-gw.core-1-hssi-6-0-0-50.oldcity.dca.net (207.103.28.30)  69.252 ms
     8  node-150-eth3-0-local.oldcity.dca.net (207.245.82.150)  16.216 ms
     9  *
    10  *
    11  *

    # ./tcptraceroute -q1 -A argo.starforce.com
    Selected device eth0, address 207.8.132.210, port 3747 for outgoing packets
    Tracing the path to argo.starforce.com (216.158.56.82) on TCP port 80 (www), 30 hops max
    [..]
     7  voicenet-gw.core-1-hssi-6-0-0-50.oldcity.dca.net (207.103.28.30)  11.030 ms
     8  node-150-eth3-0-local.oldcity.dca.net (207.245.82.150)  24.488 ms
     9  argo.starforce.com (216.158.56.82) [closed]  1514.142 ms

The second example consists of the following Cisco access-list:

    access-list 100 permit tcp any any established
    access-list 100 deny   ip any any

applied to outbound packets on the interface used to reach the host falkland:

    # ./tcptraceroute -q1 falkland
    Selected device eth0, address 207.8.132.210, port 3771 for outgoing packets
    Tracing the path to falkland (207.106.130.86) on TCP port 80 (www), 30 hops max
     1  jumpgate.townhouse.blue-bell.pa.us (207.106.130.81) 2.111 ms
     2  *
     3  *
     4  *

    # ./tcptraceroute -q1 -A falkland
    Selected device eth0, address 207.8.132.210, port 3773 for outgoing packets
    Tracing the path to falkland (207.106.130.86) on TCP port 80 (www), 30 hops max
     1  jumpgate.townhouse.blue-bell.pa.us (207.106.130.81) 2.044 ms
     2  falkland.townhouse.blue-bell.pa.us (207.106.130.86) [closed]  4.635 ms

When the TCP ACK flag is set, stateless firewalls assume that the probe packet
is part of an established TCP stream, and let it pass right through.  :-)

-mct
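The mechanism behind both runs above, as an added example that is not part of the original post and not tcptraceroute's own code: it builds the IPv4+TCP probe that a tcptraceroute hop would emit with and without -A (valid IP and TCP checksums included), then passes the probes through two emulated stateless filters, one equivalent to the Cisco `established` access-list quoted above, and one for the ipchains case, where the post gives no rules and a typical "deny inbound -y (SYN-only)" rule is assumed. The end-host reply follows RFC 793 (a bare ACK with no matching connection always draws a RST, which tcptraceroute prints as `[closed]`; a SYN draws SYN/ACK or RST, printed as `[open]` or `[closed]`). Addresses, ports and hop positions are constructed for the demonstration and the filter placement is a simplification: the filter is evaluated only once a probe's TTL is large enough to reach the firewall.

```python
"""Emulated stateless-firewall traversal for tcptraceroute-style probes.

Added example: not from the original post or tcptraceroute.  Packet
layouts are real (RFC 791/793); the ipchains rule, the hop layout and the
addresses/ports are constructed assumptions for the demonstration.
"""
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
IPPROTO_TCP = 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (returns 0 on a valid header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip4(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_probe(src, dst, sport, dport, ttl, flags, seq=0, ack=0) -> bytes:
    """Minimal IPv4 + TCP header (no options, no payload) with the given TTL and flags."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = _ip4(src) + _ip4(dst) + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl,
                     IPPROTO_TCP, 0, _ip4(src), _ip4(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def parse_probe(pkt: bytes) -> dict:
    """Pull the fields a stateless filter can look at: header fields of this one packet."""
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, _, _, _, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    return {"ttl": ttl, "proto": proto, "sport": sport, "dport": dport, "flags": flags,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}


def checksums_ok(pkt: bytes) -> bool:
    """Both the IP header and the TCP segment (with pseudo-header) must sum to zero."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    return inet_checksum(pkt[:ihl]) == 0 and inet_checksum(pseudo + tcp) == 0


def cisco_established_acl(pkt: bytes) -> bool:
    """access-list 100 permit tcp any any established / access-list 100 deny ip any any.
    'established' matches a TCP segment with ACK or RST set; it keeps no connection state."""
    p = parse_probe(pkt)
    return p["proto"] == IPPROTO_TCP and bool(p["flags"] & (ACK | RST))


def ipchains_block_syn(pkt: bytes) -> bool:
    """Assumed ipchains rule: deny inbound TCP matching -y (SYN set, ACK and FIN clear).
    Anything that is not a bare SYN is allowed through."""
    p = parse_probe(pkt)
    is_syn_only = bool(p["flags"] & SYN) and not p["flags"] & (ACK | FIN)
    return not (p["proto"] == IPPROTO_TCP and is_syn_only)


def host_reply(pkt: bytes, listening_ports=()) -> str:
    """RFC 793 reply when no connection matches: SYN -> SYN/ACK (listening) or RST;
    a bare ACK -> RST regardless of port state.  tcptraceroute prints SYN/ACK as
    '[open]' and RST as '[closed]', which is why both -A runs above show [closed]."""
    p = parse_probe(pkt)
    if p["flags"] & RST:
        return "none"
    if p["flags"] & ACK:
        return "RST"
    return "SYN/ACK" if p["dport"] in listening_ports else "RST"


def trace(src, dst, dport, flags, max_hops, filter_fn, target_hop, listening_ports=()):
    """One emulated run: routers before the target answer with ICMP time exceeded;
    once a probe's TTL reaches the target it must pass the stateless filter, otherwise
    it is silently dropped ('*') for every remaining TTL, as in the post's output."""
    results = []
    for ttl in range(1, max_hops + 1):
        probe = build_probe(src, dst, 3738, dport, ttl, flags)
        if ttl < target_hop:
            results.append("ICMP time exceeded")
        elif not filter_fn(probe):
            results.append("*")
        else:
            results.append(host_reply(probe, listening_ports))
            break
    return results


if __name__ == "__main__":
    for name, f in (("cisco established", cisco_established_acl), ("ipchains", ipchains_block_syn)):
        print(name, "SYN:", trace("207.8.132.210", "207.106.130.86", 80, SYN, 5, f, 3))
        print(name, "ACK:", trace("207.8.132.210", "207.106.130.86", 80, ACK, 5, f, 3))
```

The filters decide on the flags of the single packet in front of them, so the ACK probe is indistinguishable from a mid-stream segment; a stateful filter that tracks the three-way handshake would drop it because no matching connection exists.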

_______________________________________________
tcptraceroute-dev mailing list
tcptraceroute-dev@lists.netisland.net
http://lists.netisland.net/mailman/listinfo/tcptraceroute-dev