Traceroute uses ICMP (type 30) under Windows and UDP under UNIX. To use traceroute through a firewall, the firewall needs to allow echo requests and echo replies. Traceroute works by sending packets toward the final destination and incrementing the TTL with each packet sent. The first packet has its TTL set to 1 and targets the final destination; the first device in the path (the gateway) sends back an echo reply. Packet 2 targets the same final destination but has its TTL set to 2.

When a packet hits a firewall on the path to the final destination, it is usually dropped, because most firewalls are configured to drop such packets by default. Going further, the source sends an ICMP type 30 traceroute packet to the final destination with a TTL equal to the previous TTL (the one dropped by the firewall) + 1. The device behind the firewall will answer IF the firewall allows ICMP (type 30) to pass through, and the source will receive the reply IF the firewall allows echo replies to pass through.
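The following offline simulation is an added example, not code from the original page. It walks a constructed five-hop path with increasing TTL and shows which hops a sender sees under different firewall rule sets. It assumes the behaviour of standard traceroute implementations: intermediate hops answer with ICMP Time Exceeded, and the destination answers with Echo Reply (ICMP probe) or Port Unreachable (UDP probe). Hop names, message labels and rule sets are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Hop:
    name: str
    allow: Optional[frozenset] = None  # None = plain router/host, forwards everything

    def passes(self, kind):
        return self.allow is None or kind in self.allow

def send_probe(path, ttl, kind):
    """Return (responder, reply_kind) seen by the sender, or None on timeout."""
    for i, hop in enumerate(path):
        if not hop.passes(kind):
            return None                      # filtered silently, sender sees "*"
        ttl -= 1
        at_target = i == len(path) - 1
        if at_target:
            reply = "echo-reply" if kind == "echo-request" else "port-unreachable"
        elif ttl == 0:
            reply = "time-exceeded"          # TTL expired at an intermediate device
        else:
            continue                         # forwarded to the next hop
        # The reply has to cross every device between the responder and the sender.
        return (hop.name, reply) if all(h.passes(reply) for h in path[:i]) else None
    return None

def traceroute(path, kind, max_ttl=5):
    rows = []
    for ttl in range(1, max_ttl + 1):
        seen = send_probe(path, ttl, kind)
        rows.append(seen[0] if seen else "*")
        if seen and seen[1] != "time-exceeded":
            break                            # final destination answered
    return rows

def build_path(fw_allow):
    # Constructed topology: names are illustrative only.
    return [Hop("gateway"), Hop("isp-router"), Hop("edge-fw", frozenset(fw_allow)),
            Hop("inner-router"), Hop("server")]

ICMP_RULES = {"echo-request", "time-exceeded", "echo-reply"}

if __name__ == "__main__":
    for label, allow, kind in [
        ("default drop", set(), "echo-request"),
        ("probe in, no replies out", {"echo-request"}, "echo-request"),
        ("ICMP rules, ICMP probe", ICMP_RULES, "echo-request"),
        ("ICMP rules, UDP probe", ICMP_RULES, "udp-probe"),
    ]:
        print(f"{label:26} {traceroute(build_path(allow), kind)}")
```

The last case shows why a rule set written for ICMP-based probes still leaves UDP-based traces blank behind the firewall.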