allow traceroute in SRX or not

If you enforce a restrictive policy on your internal clients but want to allow traceroute requests from them towards another network, you can do it as follows, I suppose: create the following application and apply it in your security policy.

I took the port range for traceroute from Wikipedia. When you test from a Linux client (I think Windows uses ICMP instead), you will see UDP requests whose destination ports start from 33434. So far so good. Once you set this application inside the policy, clients are allowed to use traceroute from their Linux clients, but should we really allow this? I think not. Look what happens in the session flow if you allow this traceroute:

On my Linux client, I saw 13 hops in my traceroute, which itself created 27 flow sessions in my SRX. As it is UDP, the session timeout is 60 seconds, but anyway. It is better not to allow traceroute even from internal clients! Or you can reduce the inactivity-timeout of this custom traceroute application.
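A sketch of the custom application and policy described above, with the reduced inactivity-timeout applied. This is an added example, not the configuration from the original post. The application name, policy name, zone names, the upper port bound 33534 and the 10-second timeout are all assumptions.

```junos
# Added example: every name and value below except UDP, the 33434 start
# port and the inactivity-timeout knob is an assumption.

# Custom application matching Linux-style UDP traceroute probes.
# 33434 is the first destination port seen in the test above;
# 33534 is an assumed upper bound for the range.
set applications application custom-traceroute protocol udp
set applications application custom-traceroute destination-port 33434-33534

# Without this line every probe leaves a flow session behind for the
# UDP timeout of 60 seconds mentioned above. A short timeout ages the
# sessions out quickly. 10 seconds is a constructed value.
set applications application custom-traceroute inactivity-timeout 10

# Policy permitting only this application. The zone names (trust,
# untrust) and the policy name are assumed; narrow source-address to
# the client subnet rather than "any" where an address-book entry exists.
set security policies from-zone trust to-zone untrust policy allow-traceroute match source-address any
set security policies from-zone trust to-zone untrust policy allow-traceroute match destination-address any
set security policies from-zone trust to-zone untrust policy allow-traceroute match application custom-traceroute
set security policies from-zone trust to-zone untrust policy allow-traceroute then permit
```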

Do you have any feedback?