From owner-freebsd-security Sun Jun 24 23:39:32 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13])
	by hub.freebsd.org (Postfix) with SMTP id 6808E37B401
	for ; Sun, 24 Jun 2001 23:39:18 -0700 (PDT)
	(envelope-from roam@orbitel.bg)
Received: (qmail 7865 invoked by uid 1000); 25 Jun 2001 06:37:31 -0000
Date: Mon, 25 Jun 2001 09:37:31 +0300
From: Peter Pentchev
To: Simon Rakovec
Cc: freebsd-security@freebsd.org
Subject: Re: disable traceroute to my host
Message-ID: <20010625093731.A934@ringworld.oblivion.bg>
Mail-Followup-To: Simon Rakovec , freebsd-security@freebsd.org
References: <006a01c0fb6b$2d64d830$9865fea9@book> <3B36267B.5B5FDBE@inforta.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3B36267B.5B5FDBE@inforta.com>; from simon@inforta.com on Sun, Jun 24, 2001 at 07:42:19PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Jun 24, 2001 at 07:42:19PM +0200, Simon Rakovec wrote:
> Try this:
>
> ipfw add deny udp from any 32769-65535 to 33434-33523

As Karsten noted in a followup, this is not proper network practice.
There might be a LOT of things listening on those UDP ports, including
ephemeral outgoing UDP connections.

As many other people noted, this does not stop Windows traceroute,
which goes via ICMP.

As the traceroute(8) manpage notes, this does not stop people who
know how to use the traceroute '-p port' option to select a starting
port != 32768.

As Dag-Erling Smoerdgrav noted, in general it is impossible to disable
a person determined to traceroute you, and in practice, there is
no need to.

G'luck,
Peter

PS. How was that now... one source: plagiarism, two sources: comparative
study, three sources: an academic thesis.. I did even better than that! ;)

--
Thit sentence is not self-referential because "thit" is not a word.

> alexus wrote:
> >
> > is it possible to disable using ipfw so people won't be able to traceroute
> > me?
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
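
The objections raised in the message above, as an added example that is not part of the original thread: a small model of the quoted rule's port match, run over constructed sample packets, showing which traceroute probes it misses and which unrelated traffic it drops. The packet labels, port values and the `Packet`/`denied`/`evaluate` names are assumptions made for this illustration, and addresses are ignored.

```python
# Added example: models only the port/protocol match of the quoted ipfw rule.
from dataclasses import dataclass

# Ranges taken from the quoted rule: deny udp, source port 32769-65535,
# destination port 33434-33523.
SRC_PORTS = range(32769, 65536)
DST_PORTS = range(33434, 33524)


@dataclass
class Packet:
    label: str
    proto: str                  # "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    is_traceroute: bool = False


def denied(pkt):
    """True if the modelled rule would drop this inbound packet."""
    return (pkt.proto == "udp"
            and pkt.sport in SRC_PORTS
            and pkt.dport in DST_PORTS)


# Constructed sample traffic (not captured data).
SAMPLES = [
    Packet("UDP traceroute, default base port", "udp", 40112, 33435, True),
    Packet("UDP traceroute with -p 40000", "udp", 40112, 40001, True),
    Packet("ICMP traceroute (Windows)", "icmp", is_traceroute=True),
    Packet("reply to local ephemeral UDP socket", "udp", 49152, 33500),
    Packet("DNS reply from port 53", "udp", 53, 33500),
]


def evaluate(packets):
    """Return (traceroute probes not blocked, non-traceroute packets blocked)."""
    missed = [p.label for p in packets if p.is_traceroute and not denied(p)]
    collateral = [p.label for p in packets if denied(p) and not p.is_traceroute]
    return missed, collateral


if __name__ == "__main__":
    missed, collateral = evaluate(SAMPLES)
    print("traceroute probes that still pass:", missed)
    print("legitimate traffic dropped:", collateral)
```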