Great Circle Associates Firewalls
(November 1994)

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: ping/traceroute over proxy?
From: dmurphy @ cwa . com (Dan Murphy)
Date: Mon, 7 Nov 94 12:03:20 PST
To: ken @ bridge . com
Cc: firewalls @ greatcircle . com

ken @
 bridge .
 com wrote:

> I know of no ping proxy (please enlighten me if you know of any), so
> traceroute probably needs to be done from the bastion.  It ought to be
> an infrequent enough of a need to not make that such a burden.

There is a pseudo-ping application that uses TCP instead of ICMP to probe
the reachability of a remote host, by trying to connect to its time port.
It's called newping.c, and can be found in the SOCKS area on 
(home of SOCKS.CSTC).

Since it uses TCP instead of ICMP, newping will fail in some cases where a
real ping would have succeeded, since ICMP responses can be generated by a
network interface card without the OS or higher layers of the TCP protocol 
stack, but that distinction is probably moot for hosts across the firewall.

Traceroute (Van Jacobsen's BSD version, anyway) needs ICMP, raw IP and root 
privileges on the originating host; I'd not consider this a good candidate
for a firewall proxy application.  Our network diagnosticians have access
to it, on both sides of our firewall, but no one else has expressed a need
for it here.

Dan Murphy

Indexed By Date Previous: Re: assurance for firewalls
From: ks @ netcom . com (Kurt F. Sauer)
Next: Request for performance Information on IPX
From: "Glassey, Todd @ ITD Ma" <TGLASSEY @ MSM . EPRI . COM>
Indexed By Thread Previous: FW: assurance for firewalls
From: "Johnson-Bryden, Ian" <IJB @ saicuk . co . uk>
Next: Re: ping/traceroute over proxy?
From: "J. Adams" <jna @ concorde . com>

Search Internet Search