From owner-freebsd-security Mon Jun 25 12:52:45 2001 Delivered-To: freebsd-security@freebsd.org Received: from db.nexgen.com (db.nexgen.com [64.81.208.78]) by hub.freebsd.org (Postfix) with SMTP id 27C1C37B401 for ; Mon, 25 Jun 2001 12:52:39 -0700 (PDT) (envelope-from ml@db.nexgen.com) Received: (qmail 14186 invoked from network); 25 Jun 2001 19:53:27 -0000 Received: from localhost.nexgen.com (HELO book) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 25 Jun 2001 19:53:27 -0000 Message-ID: <018601c0fdb0$6c00b130$9865fea9@book> From: "alexus" To: "Peter Pentchev" , "Fernando Gleiser" Cc: References: <006a01c0fb6b$2d64d830$9865fea9@book> <20010622221554.K5703-100000@cactus.fi.uba.ar> <20010623143419.A29940@ringworld.oblivion.bg> Subject: Re: disable traceroute to my host Date: Mon, 25 Jun 2001 15:52:53 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org i can't just block whole icmp .. or udp.. i just can't.. i only wanted to block certain range,type whatever was that just for traceroute .. but i was thinking .. and yes I won't gain much (infact nothing) so ... the max thing i'll do is disable ttl=1.. this should cover the trick.. ----- Original Message ----- From: "Peter Pentchev" To: "Fernando Gleiser" Cc: "alexus" ; Sent: Saturday, June 23, 2001 7:34 AM Subject: Re: disable traceroute to my host > On Fri, Jun 22, 2001 at 10:23:30PM -0300, Fernando Gleiser wrote: > > On Fri, 22 Jun 2001, alexus wrote: > > > > > is it possible to disable using ipfw so people won't be able to traceroute > > > me? > > > > I don't know if it is posible with ipfw, but with ip filter you can add > > a rule to block any packets with ttl=1: > > > > block in log quick on xl0 ttl 1 proto ip all > > > > That will stop windows traceroute (icmp based) as well as unix traceroute > > (udp based). > > > > Unix traceroute uses udp packets with destination port > 33434, but this can > > be changed. As far as I know, the only way to stop traceroute is to drop > > any packet with ttl=1. This might block legitimate trafic, but I haven't > > seen any packet in the wild with ttl=1 wich was not a traceroute. > > This shall only stop traceroutes destined for this particular machine. > If you tried this on a firewall/gateway machine, it would block the response > from the gateway itself, but the internal machines would still respond. > > The response from Igor Podlesny in the thread contains a much more > effective approach, which might block a bit too much, but it would > certainly block traceroutes. > > Oh and BTW, blocking all packets with ttl=1 could block some legitimate > packets that have simply gone down the long and winding road, and stopped > at too many auberges to rest along the way :) > > G'luck, > Peter > > -- > If wishes were fishes, the antecedent of this conditional would be true. > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message