Making Traceroutes Work with a Firewall (Windows)
Hi!
Even though I've had software firewalls in action for years now, I haven't really come across too many instances where I'd need traceroutes. The few times I did, however, I noticed that I only got output like the following:
>tracert example.com Tracing route to example.com [123.123.123.123] over a maximum of 30 hops: 1 * * * Request timed out. 2 * * * Request timed out. 3 * * * Request timed out. 4 * * * Request timed out. 5 * * * Request timed out. 6 * * * Request timed out. 7 * * * Request timed out. 8 * * * Request timed out. 9 * * * Request timed out. 10 * * * Request timed out. 11 50 ms 50 ms 50 ms example.com [123.123.123.123] Trace complete.
The number of hops would of course vary for the specific host / IP address.
Today I had to use traceroute in order to analyze a couple of networking problems. That was the incentive I needed to look up why it didn't work.
The fact that not even my router was showing up was a big indicator that something was wrong with my local firewall settings.
After searching the web for a couple of minutes, I found out what I was looking for at this page: http://www.phildev.net/ipf/IPFques.html#ques34
Traceroute is using ICMP packets (plus UDP on Linux systems, but that's outside the scope of this blog entry. You can read more about it on the page I linked above). But even for an outgoing traceroute you need to accept incoming ICMP packets.
Which ones? These:
- ICMP TTL Expired (Type 11, Code 0)
- ICMP Port Unreachable (Type 3, Code 3)
Once you've enabled these types of packets for incoming traffic in your firewall(s), you'll see that your traceroute will now function as it should.
If your firewall does not allow you to configure accepting specific types of ICMP packets, try allowing incoming ICMP packets altogether (if that's not too much of a compromise for you).
Anyway, long-ish story short: It's working now 🙂
Thanks to the webmaster of the page I linked above! And thanks to you for reading.