From owner-freebsd-security Mon Jun 25 12:21:40 2001
From: "alexus"
Subject: Re: disable traceroute to my host
Date: Mon, 25 Jun 2001 15:21:49 -0400
Message-ID: <005f01c0fdac$15221010$9865fea9@book>
References: <20010622230217.JKT10107.mta05.onebox.com@onebox.com>
Sender: owner-freebsd-security@FreeBSD.ORG

The thing is that Windows-based machines use ICMP for traceroute and Unix uses UDP. What I'd like to know is: which ICMP type does traceroute use? (For example, by denying incoming icmptype 8 I was able to deny any pinging of my box from outside, *but* I can ping everyone myself from my box.) Also, I'd like to know which standard range of UDP ports Unix's traceroute uses.

----- Original Message -----
From: "Kris Anderson"
Sent: Friday, June 22, 2001 7:02 PM
Subject: Re: disable traceroute to my host

> You can put in a rule like
>
> ipfw add 3 deny icmp from any to FF.FF.FF.FF via F0
>
> Change FF.FF.FF.FF to your outside IP address.
> Change F0 to the interface name of said outside interface.
>
> Now I don't know about directly blocking traceroutes only, but traceroute
> does an ICMP thing somewhat like ping.
>
> Problem is that this will stop all ICMP from coming into the interface
> from the outside, even ICMP responses.
>
> For example, you can traceroute out, but traceroute responses now get
> blocked (this includes anything that uses ICMP) and do not get back in
> because they are being blocked by the above rule. Think of it as a one-way
> mirror.
>
> Now, if anybody knows of a subtler way to allow ICMP out and back
> in, but keep any externals from coming in, I certainly am one who would
> like to know.
> --
> Kris Anderson
> ohshutup@zdnetonebox.com - email
> (408) 514-2611 ext. 1178 - voicemail/fax
>
> ---- "alexus" wrote:
> > Is it possible to disable using ipfw so people won't be able to traceroute
> > me?
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
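An added example, not part of the thread, of the "subtler" ruleset Kris asks for and of the ICMP type and UDP port range alexus asks about: an ipfw script that refuses the inbound probes ping and traceroute rely on while still admitting the reply and error ICMP the host's own ping and traceroute need. The interface name fxp0 and address 192.0.2.10 are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the list thread): host ipfw rules that stop
# outsiders tracing/pinging this box without blinding our own ping and
# traceroute.  Background for the two questions asked in the thread:
#   - Windows tracert and ping send ICMP echo request (type 8) and expect
#     echo reply (type 0) or time-exceeded (type 11) back.
#   - Unix traceroute sends UDP probes to high ports, by default starting at
#     33434 and stepping one port per probe (30 hops x 3 probes = 33434-33523),
#     and reads the ICMP time-exceeded (11) / port-unreachable (3) replies.
# Dropping only those inbound probes, and admitting only reply/error ICMP,
# keeps our outbound diagnostics working.
OIF="${OIF:-fxp0}"          # assumed outside interface name
MYIP="${MYIP:-192.0.2.10}"  # assumed outside address (RFC 5737 test range)
IPFW="${IPFW:-ipfw}"        # set IPFW="echo ipfw" to preview without applying

# Emit the rules, one per line: "<rule number> <rule body>".
rules() {
    # Admit the ICMP our own ping/traceroute wait for: echo reply,
    # destination unreachable (incl. port unreachable), time exceeded.
    echo "100 allow icmp from any to $MYIP in via $OIF icmptypes 0,3,11"
    # Refuse inbound echo requests (Windows tracert / ping probes).
    echo "110 deny icmp from any to $MYIP in via $OIF icmptypes 8"
    # Refuse any other inbound ICMP (redirects, router advertisements, ...).
    echo "120 deny icmp from any to $MYIP in via $OIF"
    # Silently drop UDP traceroute probes so the host never answers them
    # with the port-unreachable that would complete a trace.
    echo "130 deny udp from any to $MYIP 33434-33523 in via $OIF"
    # Let ICMP we originate (echo requests, errors) leave normally.
    echo "140 allow icmp from $MYIP to any out via $OIF"
}

# Feed each rule to ipfw (or to echo when previewing).
apply_rules() {
    rules | while read -r num body; do
        $IPFW add "$num" $body
    done
}

case "${1:-}" in
    apply)   apply_rules ;;
    preview) ( IPFW="echo ipfw"; apply_rules ) ;;
    *)       echo "usage: $0 apply|preview" >&2 ;;
esac
```

Run it with `preview` first to see the exact ipfw commands before `apply` touches the live ruleset.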