Can the traceroute command work across a firewall? If no, then why? If yes, then why?

Traceroute uses ICMP (type 30) under Windows and UDP under UNIX. To be able to use traceroute through a firewall, the firewall needs to allow echo replies/requests. Traceroute works by sending packets toward the final destination and incrementing the ttl with each packet sent. As such, the first packet will have a ttl set to 1 and will target the final destination; the first device in the path (the gateway) will send back an echo reply. Packet 2 will target the same final destination but will have its ttl set to 2. When a firewall is hit in the path to the final destination, most firewalls are configured to drop the packet by default. Going further, the source will send an ICMP-type-30-traceroute packet to the final destination with a ttl equal to the previous ttl (the one dropped by the firewall) + 1; the device behind the firewall will answer IF the firewall is allowing ICMP (type 30) to pass through, and similarly the source will receive the reply IF the firewall is allowing echo replies to pass through.
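
The TTL walk described above can be modelled as a small simulation (an added example, not part of the original answer). It uses the standard reply types, ICMP Time Exceeded (type 11) from intermediate hops and Echo Reply (type 0) or Destination Unreachable (type 3) from the destination; the hop names, the `Firewall` fields and the three policies are constructed for illustration.

```python
from dataclasses import dataclass

# ICMP types carried by traceroute replies
ECHO_REPLY, DEST_UNREACH, TIME_EXCEEDED = 0, 3, 11

@dataclass
class Firewall:  # hypothetical policy model, not a real firewall API
    allow_probe: bool                  # forwards the probe (UDP or ICMP echo request) inward
    allow_icmp_back: bool              # forwards ICMP replies from inside back to the source
    sends_time_exceeded: bool = False  # answers itself when a probe's TTL expires on it

def traceroute(path, fw_index, fw, probe="udp"):
    """Simulate one probe per TTL; return (hop, icmp_type) or "*" for each TTL."""
    results = []
    for ttl in range(1, len(path) + 1):
        idx = ttl - 1                        # hop where this probe's TTL reaches zero
        is_dest = idx == len(path) - 1
        if is_dest:                          # the destination answers the probe itself
            icmp_type = ECHO_REPLY if probe == "icmp" else DEST_UNREACH
        else:                                # routers report the expired TTL
            icmp_type = TIME_EXCEEDED
        if idx < fw_index:
            visible = True                   # hop sits in front of the firewall
        elif idx == fw_index:
            visible = fw.sends_time_exceeded
        else:                                # probe and reply must both cross the firewall
            visible = fw.allow_probe and fw.allow_icmp_back
        results.append((path[idx], icmp_type) if visible else "*")
    return results

# Constructed sample path; the firewall is the third hop (index 2).
PATH = ["gateway", "isp-router", "firewall", "inner-router", "server"]

if __name__ == "__main__":
    policies = {
        "default drop": Firewall(False, False),
        "probe in, replies blocked": Firewall(True, False),
        "probe and replies allowed": Firewall(True, True, True),
    }
    for name, fw in policies.items():
        print(f"{name}: {traceroute(PATH, 2, fw)}")
```

A `*` entry corresponds to the timeout line a real traceroute prints when no reply arrives for that TTL.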