From: Dag-Erling Smorgrav
To: freebsd-security@FreeBSD.ORG
Subject: Re: disable traceroute to my host
Date: 24 Jun 2001 17:10:31 +0200
In-Reply-To: <20010622230217.JKT10107.mta05.onebox.com@onebox.com>
X-URL: http://www.ofug.org/~des/

"Kris Anderson" writes:
> You can put in a rule like
>
> ipfw add 3 deny icmp from any to FF.FF.FF.FF via F0
> [...]

AUUUUGH!

First - the only one who got it right is Brooks Davis: no, it can't be done. The best you can hope for is to prevent your own box (and anything behind it, if it's a gateway) from responding to certain specific types of traces, but the tracer will still be able to see most of the route between you and him, and there are ways of tracing a route that you can't block without also blocking a lot of legitimate traffic.
Second - traceroute is pretty harmless, and not really the cornerstone of 3v1l h4ckd0m you people seem to think it is, so even if you could prevent anyone from tracerouting you it wouldn't make much (or even any) difference to an attacker's ability to harm you.

Third - if you set up ipfw to unconditionally block ICMP (whether in the mistaken belief that it will prevent route tracing or for some other lameass reason), I will personally buy a very heavy baseball bat, hop on a plane, and pay you a visit you'll remember for the rest of your very short lives. Although some ICMP types are admittedly not very useful, that doesn't mean none of them are, and you should at the very least let types 3 and 11 through or you'll be very sorry. I usually set up my filters to let 0, 3, 8 and 11 through and block everything else.

Fourth - this subject has been discussed to death on this very list several times in the past. We keep searchable archives for a reason.

Fifth - someone mentioned stealth routing. There's no such thing in FreeBSD, but there's something called stealth forwarding, which I wrote*, and which makes the TCP/IP stack neither decrement nor even inspect the TTL on forwarded packets, so if someone traceroutes a host behind you you won't show up in the trace, but if someone traceroutes you it'll be business as usual. You need to add the IPSTEALTH option to your kernel to enable support for this (and toggle a sysctl variable to actually turn stealth forwarding on).

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

* It went a bit like this:
Friend: "Sun have this new firewall product that's really cool, it can do blah blah blah"
Me: "Oh, FreeBSD can do that"
Friend: "No, it can't"
Me: "Yes, it can"
Friend: "No it can't, because blah blah blah"
Me: "Oh, I see" "Now FreeBSD can do that too"
Friend:
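The selective ICMP policy (allow types 0, 3, 8 and 11, drop the rest) and the stealth-forwarding toggle described in the message above, as an added ipfw script that is not part of the original post or of FreeBSD's own rc scripts. The interface name em0 and the sysctl name net.inet.ip.stealth are assumptions; set IPFW=echo and SYSCTL=echo to dry-run without touching the live firewall.

```shell
#!/bin/sh
# Added example (not DES's code): ipfw fragment implementing the ICMP policy
# from the message, plus the stealth-forwarding switch. Override IPFW/SYSCTL
# with "echo" to print the rules instead of applying them.
IPFW=${IPFW:-/sbin/ipfw}
SYSCTL=${SYSCTL:-/sbin/sysctl}
OIF=${OIF:-em0}        # assumed external interface; adjust for your box

# The approach the message warns against: a blanket ICMP deny also drops
# type 3 (destination unreachable, needed for path-MTU discovery) and
# type 11 (time exceeded), so things break in ways that are hard to debug.
bad_icmp_rules() {
    "$IPFW" add 3 deny icmp from any to any via "$OIF"
}

# Selective policy: echo reply (0), destination unreachable (3),
# echo request (8) and time exceeded (11) pass; every other ICMP type is dropped.
good_icmp_rules() {
    "$IPFW" add 100 allow icmp from any to any icmptypes 0,3,8,11 via "$OIF"
    "$IPFW" add 110 deny icmp from any to any via "$OIF"
}

# Stealth forwarding: the kernel must be built with 'options IPSTEALTH';
# the sysctl below turns it on at runtime (name assumed from FreeBSD, not
# quoted in the message). Forwarded packets then keep their TTL untouched.
stealth_forwarding_on() {
    "$SYSCTL" net.inet.ip.stealth=1
}

# Only touch the system when explicitly asked: ./icmp-policy.sh apply
if [ "${1:-}" = "apply" ]; then
    good_icmp_rules
    stealth_forwarding_on
fi
```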