Why is traceroute so unique when dealing with firewalls?
So, I understand the dynamic port changes that happen for TFTP and Traceroute, but why does CBAC have a specific inspect rule for TFTP, but not for Traceroute? This means we have to use a combination of CBAC and applying an ACL statically allowing Traceroute time-exceeded and port-unreachable. Why isn't there a Traceroute inspection rule so there can be some consistency in the configuration?
The same applies to Zone Based Firewalls.
When defining the class-map:
class-map type inspect INSPECT
match protocol tftp
(Why is there no "match protocol traceroute"?)
This means you have to go outside the Zone Based Firewall configuration and statically allow traceroute by applying an ACL on the interface.
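As an added example (not part of the original post), here is the combination described above written out as a Cisco IOS Zone-Based Firewall configuration: TFTP is handled by a stateful inspect rule, while the two ICMP message types traceroute depends on are allowed statically through an ACL. The interface names, the zone and policy names, and the choice to reference the ACL from a class-map with the `pass` action (rather than applying it directly to the interface with `ip access-group`) are assumptions made for this example.

```cisco
! Constructed example: ZBF with stateful TFTP inspection plus a static allowance
! for the ICMP replies traceroute needs. Names other than INSPECT are assumed.

! ACL describing the ICMP messages returned toward the traceroute sender.
! Narrow the destination to inside networks in production; "pass" is stateless.
ip access-list extended TRACEROUTE-REPLIES
 remark Intermediate hops answer with time-exceeded, the final hop with port-unreachable
 permit icmp any 10.0.0.0 0.255.255.255 time-exceeded
 permit icmp any 10.0.0.0 0.255.255.255 port-unreachable

! Stateful inspection for protocols ZBF understands (TFTP opens a new UDP port).
class-map type inspect match-any INSPECT
 match protocol tftp
 match protocol icmp

! No "match protocol traceroute" exists, so match the ACL instead.
class-map type inspect match-all TRACEROUTE-REPLIES-CLASS
 match access-group name TRACEROUTE-REPLIES

policy-map type inspect IN-TO-OUT
 class type inspect INSPECT
  inspect
 class class-default
  drop log

! Return direction: "pass" lets the ICMP errors through without a session.
policy-map type inspect OUT-TO-IN
 class type inspect TRACEROUTE-REPLIES-CLASS
  pass
 class class-default
  drop log

zone security INSIDE
zone security OUTSIDE

zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-TO-IN

interface GigabitEthernet0/0
 description inside (assumed)
 zone-member security INSIDE
interface GigabitEthernet0/1
 description outside (assumed)
 zone-member security OUTSIDE
```

The point the example makes is the asymmetry the question raises: TFTP gets a single `match protocol tftp` line and the firewall tracks the dynamic port itself, whereas the traceroute replies arrive from hops that never appear in any inspected session, so they have to be admitted by a stateless `pass` rule. Because `pass` creates no session state, keep the ACL's destination scope as tight as possible and leave `drop log` on `class-default` so anything else arriving from the outside zone is visible in the logs.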