From owner-freebsd-hackers@FreeBSD.ORG Tue Jul 8 22:52:35 2003
Return-Path:
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DC8E737B401 for ; Tue, 8 Jul 2003 22:52:35 -0700 (PDT)
Received: from stork.mail.pas.earthlink.net (stork.mail.pas.earthlink.net [207.217.120.188]) by mx1.FreeBSD.org (Postfix) with ESMTP id 349B843F3F for ; Tue, 8 Jul 2003 22:52:35 -0700 (PDT) (envelope-from tlambert2@mindspring.com)
Received: from user-38ldtos.dialup.mindspring.com ([209.86.247.28] helo=mindspring.com) by stork.mail.pas.earthlink.net with asmtp (SSLv3:RC4-MD5:128) (Exim 3.33 #1) id 19a7sU-0004F7-00; Tue, 08 Jul 2003 22:52:31 -0700
Message-ID: <3F0BAD5C.65895290@mindspring.com>
Date: Tue, 08 Jul 2003 22:51:24 -0700
From: Terry Lambert
X-Mailer: Mozilla 4.79 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Socketd
References: <20030707012205.3103dfc8.db@traceroute.dk> <20030707153314.GA1695@webboy.soth.at> <20030707180252.44036c61.db@traceroute.dk> <3F0A9A1C.25E6EB35@mindspring.com> <20030708131339.16da151f.db@traceroute.dk> <20030708140012.0fd685c8.db@traceroute.dk>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-ELNK-Trace: b1a02af9316fbb217a47c185c03b154d40683398e744b8a427eef195cc1545f3125410b109b1a6842601a10902912494350badd9bab72f9c350badd9bab72f9c
cc: hackers@freebsd.org
Subject: Re: 5 "Advanced" networking questions
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 09 Jul 2003 05:52:36 -0000

Socketd wrote:
> On Tue, 08 Jul 2003 04:17:04 -0700
> Terry Lambert wrote:
>
> > > I don't want to disable ICMP, just don't want to respond when ttl=0,
> > > meaning when my firewall/gateway is on a "traceroute path".
> >
> > You should specifically modify the ICMP code to not respond
> > to echo datagrams, or when ttl == 0, then, and work it that
> > way. In other words, it's time to hack your network stack
> > to specifically add that "feature".
>
> Hmm, why not just use a firewall?

Because most firewalls, even commercial ones, don't block the ICMP
messages you appear to be interested in blocking.

You appeared to want to turn your FreeBSD box into what's normally
called a "stealth" system: one that doesn't respond at all to
external probe attempts. So it looked like you were trying to
*write* a firewall, or at least find a set of rules that would let
your FreeBSD box act as a "stealth" one.

The current FreeBSD doesn't support "stealth"; it's generally
something you do to stop network finger-printing and/or to use as
a base for launching your own attacks and/or in an attempt to
protect a Windows box that can't protect itself very well.

If you want the feature in FreeBSD, you are going to need to hack
some code.

If you are willing to go out and spend money on a "stealth" firewall
box, well, you should feel free to do that, too; if you do, I
recommend "SunScreen" from Sun Microsystems, though in general, I
don't recommend using "stealth" firewalls, since they break a number
of end-to-end guarantees:

http://wwws.sun.com/software/securenet/index.html

If you want a real firewall, I recommend the Cisco PIX:

http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/

I also recommend reading about the drawbacks of using "stealth"
firewalls, to help decide whether you want to avoid attackers by
hiding from them, or avoid attackers by having working firewall
software which has been usefully audited, instead. 8-).

http://web.proetus.com/reference/stealthfw/

If you just want to avoid ICMP echo datagrams, I'd change my filter
criteria from what you are asking (TTL==0) to ICMP type, and filter
packets of type 11 and 0 using the ipfw "icmptypes" option on your
filter type.

It's not the same thing as a "stealth" firewall, but it is good
enough to handle your initial complaint, which was the ability to
traceroute. Then you wouldn't need to buy another machine.

-- Terry
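As an added example, not part of Terry's message or of any FreeBSD script, here is the ipfw rule his last suggestion corresponds to, written as a shell function that prints the rule for review rather than loading it; the rule number 1000 is an assumption, and the guard against silencing ICMP type 3 encodes his warning that dropping too much ICMP breaks end-to-end behaviour.

```shell
#!/bin/sh
# Added example, not from the original message.
# ICMP type 0 = echo reply, type 11 = time exceeded; traceroute works
# by collecting a type 11 from every hop, so a gateway that never
# emits one no longer appears in the path.
# "from me" matches only packets this host originates itself, so ICMP
# it forwards on behalf of hosts behind it is not touched.
# Rule number 1000 is an assumption: use one that sorts before any
# permissive rule already in the ruleset.

# Print the rule instead of applying it, so it can be reviewed first;
# to load it:  icmp_quiet_rules | ipfw -q /dev/stdin
icmp_quiet_rules() {
    types=${1:-0,11}
    # Refuse to drop type 3 (destination unreachable): code 4 of that
    # type carries "fragmentation needed", which Path MTU discovery
    # depends on, so dropping it breaks connections rather than hiding
    # the host.
    case ",$types," in
        *,3,*) echo "refusing to drop ICMP type 3 (breaks PMTU discovery)" >&2
               return 1 ;;
    esac
    echo "add 1000 deny icmp from me to any out icmptypes $types"
}
```

Note that inbound echo requests (type 8) still reach the host; they simply get no reply once type 0 is dropped on the way out.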