From owner-freebsd-security  Mon Jun 25 12:49:17 2001
Message-ID: <016a01c0fdaf$f0aeb720$9865fea9@book>
From: "alexus" <ml@db.nexgen.com>
To: <freebsd-security@FreeBSD.ORG>,
	"Dag-Erling Smorgrav" <des@ofug.org>
References: <20010622230217.JKT10107.mta05.onebox.com@onebox.com> <xzpr8w97w2g.fsf@flood.ping.uio.no>
Subject: Re: disable traceroute to my host
Date: Mon, 25 Jun 2001 15:49:26 -0400

I'm thinking of disabling ttl=1 .. would that be ok with you?

----- Original Message ----- 
From: "Dag-Erling Smorgrav" <des@ofug.org>
To: <freebsd-security@FreeBSD.ORG>
Sent: Sunday, June 24, 2001 11:10 AM
Subject: Re: disable traceroute to my host


> "Kris Anderson" <ohshutup@zdnetmail.com> writes:
> > You can put in a rule like
> > 
> > ipfw add 3 deny icmp from any to FF.FF.FF.FF via F0
> > [...]
> 
> AUUUUGH!
> 
> First - the only one who got it right is Brooks Davis: no, it can't be
> done.  The best you can hope for is to prevent your own box (and
> anything behind it, if it's a gateway) from responding to certain
> specific types of traces, but the tracer will still be able to see
> most of the route between you and him, and there are ways of tracing a
> route that you can't block without also blocking a lot of legitimate
> traffic.
> 
> Second - traceroute is pretty harmless, and not really the
> cornerstone of 3v1l h4ckd0m you people seem to think it is, so even if you
> could prevent anyone from tracerouting you it wouldn't make much (or
> even any) difference to an attacker's ability to harm you.
> 
> Third - if you set up ipfw to unconditionally block ICMP (whether in
> the mistaken belief that it will prevent route tracing or for some
> other lameass reason), I will personally buy a very heavy baseball
> bat, hop on a plane, and pay you a visit you'll remember for the rest
> of your very short lives.  Although some ICMP types are admittedly not
> very useful, that doesn't mean none of them are, and you should at the
> very least let types 3 and 11 through or you'll be very sorry.  I
> usually set up my filters to let 0, 3, 8 and 11 through and block
> everything else.
> 
> Fourth - this subject has been discussed to death on this very list
> several times in the past.  We keep searchable archives for a reason.
> 
> Fifth - someone mentioned stealth routing.  There's no such thing in
> FreeBSD, but there's something called stealth forwarding, which I
> wrote*, and which makes the TCP/IP stack neither decrement nor even
> inspect the TTL on forwarded packets, so if someone traceroutes a host
> behind you, you won't show up in the trace, but if someone traceroutes
> you it'll be business as usual.  You need to add the IPSTEALTH option
> to your kernel to enable support for this (and toggle a sysctl
> variable to actually turn stealth forwarding on).
> 
> DES
> -- 
> Dag-Erling Smorgrav - des@ofug.org
> 
> * It went a bit like this: Friend: "Sun have this new firewall product
>   that's really cool, it can do blah blah blah" - Me: "Oh, FreeBSD can
>   do that" - Friend: "No, it can't" - Me: "Yes, it can" - Friend: "No
>   it can't, because blah blah blah" - Me: "Oh, I see" <clicketyclick>
>   "Now FreeBSD can do that too" - Friend: <boggle>
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 
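The ICMP policy DES describes above (let types 0, 3, 8 and 11 through, block the rest), written out as an ipfw ruleset. This is an added example, not code from the thread or from FreeBSD; the rule numbers and the IPFW variable are my own choices, and icmp_type_allowed only mirrors the policy so it can be checked without a kernel.

```shell
#!/bin/sh
# ICMP filtering policy from the thread: allow
#   0  echo reply           (replies to your own pings)
#   3  destination unreachable (needed for PMTU discovery; traceroute's
#      final "port unreachable" also arrives as this type)
#   8  echo request         (lets others ping you)
#   11 time exceeded        (what traceroute hops are built from)
# and deny every other ICMP type.
ALLOWED_ICMP_TYPES="0,3,8,11"

# Assumed: real ipfw on a FreeBSD box. Set IPFW="echo ipfw" to preview
# the rules on any system instead of loading them.
IPFW=${IPFW:-ipfw}

# Emit the two rules; numbers 1000/1010 are arbitrary and assumed to
# sit before any broader allow rules in your set.
icmp_rules() {
    echo "add 1000 allow icmp from any to any icmptypes $ALLOWED_ICMP_TYPES"
    echo "add 1010 deny icmp from any to any"
}

# Load the rules through ipfw (word splitting of $r is intentional).
apply_icmp_rules() {
    icmp_rules | while read -r r; do
        $IPFW $r
    done
}

# Return 0 if the numeric ICMP type $1 would pass the policy, 1 otherwise.
icmp_type_allowed() {
    case ",$ALLOWED_ICMP_TYPES," in
        *,"$1",*) return 0 ;;
        *)        return 1 ;;
    esac
}
```

Note that with this set a UDP traceroute to the host still completes, because the host's own "port unreachable" (type 3) is allowed out; the point of the ruleset is not to hide from traceroute but to avoid breaking PMTU discovery and error reporting while dropping the noise.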