Subject: Re: How do I traceroute through ipf?
To: None <tech-net@netbsd.org>
From: Alan Barrett <apb@cequrux.com>
List: tech-net
Date: 01/17/2002 14:01:01
On Thu, 17 Jan 2002, David Laight wrote:
> > How about a udp keep state rule? e.g.
> > 
> > pass out quick on ppp0 proto udp all keep state
> 
> But that lets out ALL udp, I don't want my firewall that open.

By default, traceroute sends the first packet to UDP destination port
33434, and increments the port number for each packet sent (and there
are typically 3 packets per hop).  If you open a range of 60 UDP
ports (from 33434 to 33493 inclusive) then your users will be able to
traceroute up to 20 hops with 3 probes per hop.

--apb (Alan Barrett)
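
Added example, not part of the original message: the port arithmetic above worked through in Python, ending in an ipf rule limited to that range. The function names are hypothetical, ppp0 is taken from the quoted rule, and the rule assumes ipf's "><" operator matches ports strictly between its two values, so the bounds are widened by one on each side.

```python
BASE_PORT = 33434  # traceroute's default first UDP destination port (per the post)

def probe_port(ttl, probe, probes_per_hop=3, base=BASE_PORT):
    """Destination port of the probe-th packet (0-based) sent for hop ttl (1-based)."""
    if ttl < 1 or not 0 <= probe < probes_per_hop:
        raise ValueError("ttl is 1-based; probe must be in [0, probes_per_hop)")
    return base + (ttl - 1) * probes_per_hop + probe

def port_range(max_hops, probes_per_hop=3, base=BASE_PORT):
    """Inclusive (first, last) ports needed to probe every hop up to max_hops."""
    if max_hops < 1 or probes_per_hop < 1:
        raise ValueError("max_hops and probes_per_hop must be positive")
    last = base + max_hops * probes_per_hop - 1
    if last > 65535:
        raise ValueError("range runs past the last UDP port")
    return base, last

def ipf_rule(max_hops, iface="ppp0", probes_per_hop=3, base=BASE_PORT):
    """Outbound ipf rule covering exactly the traceroute range.

    Assumption: "a >< b" in ipf means a < port < b (exclusive), so the
    inclusive range first..last is written as (first - 1) >< (last + 1).
    """
    first, last = port_range(max_hops, probes_per_hop, base)
    return (f"pass out quick on {iface} proto udp from any to any "
            f"port {first - 1} >< {last + 1} keep state")

def hop_allowed(ttl, max_hops, probes_per_hop=3, base=BASE_PORT):
    """True if every probe for hop ttl falls inside the opened range."""
    first, last = port_range(max_hops, probes_per_hop, base)
    ports = [probe_port(ttl, p, probes_per_hop, base) for p in range(probes_per_hop)]
    return all(first <= port <= last for port in ports)

if __name__ == "__main__":
    print(port_range(20))        # the 60-port range from the post
    print(ipf_rule(20))          # rule restricted to that range
    print(hop_allowed(20, 20))   # last hop still inside the range
    print(hop_allowed(21, 20))   # hop 21 would be blocked
```
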