> I know of no ping proxy (please enlighten me if you know of any), so
> traceroute probably needs to be done from the bastion. It ought to be
> an infrequent enough of a need to not make that such a burden.

There is a pseudo-ping application that uses TCP instead of ICMP to probe
the reachability of a remote host, by trying to connect to its time port.
It's called newping.c, and can be found in the SOCKS area on ftp.nec.com
(home of SOCKS.CSTC).

Since it uses TCP instead of ICMP, newping will fail in some cases where a
real ping would have succeeded, since ICMP responses can be generated by a
network interface card without the OS or higher layers of the TCP protocol
stack, but that distinction is probably moot for hosts across the firewall.

Traceroute (Van Jacobson's BSD version, anyway) needs ICMP, raw IP and root
privileges on the originating host; I'd not consider this a good candidate
for a firewall proxy application. Our network diagnosticians have access
to it, on both sides of our firewall, but no one else has expressed a need
for it here.
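
A TCP connect probe of the kind the message describes, added here as an illustration; it is not the source of newping.c, and `tcp_probe`, `classify` and the result names are this example's own. It assumes a literal IPv4 address and separates a refused connection (the host answered with a reset, so it is up) from no answer at all, which a bare connect-or-fail check would lump together.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Outcome classes for the probe (names are this example's own). */
enum probe_result { PROBE_OPEN, PROBE_REFUSED, PROBE_NO_ANSWER, PROBE_ERROR };

/* Map a connect() error code to an outcome. A reset (ECONNREFUSED) still proves
 * the remote TCP stack is alive; the next three mean the host never answered. */
static enum probe_result classify(int err) {
    if (err == 0) return PROBE_OPEN;
    if (err == ECONNREFUSED) return PROBE_REFUSED;
    if (err == ETIMEDOUT || err == EHOSTUNREACH || err == ENETUNREACH) return PROBE_NO_ANSWER;
    return PROBE_ERROR;
}

/* Attempt a TCP connect to ip:port, waiting at most timeout_ms for a reply. */
enum probe_result tcp_probe(const char *ip, unsigned short port, int timeout_ms) {
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) return PROBE_ERROR;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return PROBE_ERROR;
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK); /* connect() must not hang */
    int rc = connect(fd, (struct sockaddr *)&sa, sizeof sa);
    enum probe_result res = PROBE_ERROR;
    if (rc == 0 || errno != EINPROGRESS) {
        res = classify(rc == 0 ? 0 : errno);     /* answered (or failed) immediately */
    } else {
        struct pollfd p = { .fd = fd, .events = POLLOUT };
        int err = 0, n = poll(&p, 1, timeout_ms);
        socklen_t len = sizeof err;
        if (n == 0) res = PROBE_NO_ANSWER;       /* SYN dropped or host down */
        else if (n > 0 && getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) == 0)
            res = classify(err);                 /* handshake finished or was rejected */
    }
    close(fd);
    return res;
}

int main(int argc, char **argv) {
    static const char *names[] = { "open", "refused (host up)", "no answer", "error" };
    const char *ip = argc > 1 ? argv[1] : "127.0.0.1";   /* literal IPv4 address only */
    printf("%s 37/tcp (time): %s\n", ip, names[tcp_probe(ip, 37, 2000)]);
    return 0;
}
```

Through a packet filter, "no answer" does not distinguish a dead host from a dropped SYN, which is the same ambiguity the message notes for TCP-based probing in general.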