Date:      Mon, 25 Jun 2001 15:56:21 -0400
From:      "alexus" <ml@db.nexgen.com>
To:        "Brian" <bri@sonicboom.org>, "Jewfish" <jewfish@jewfish.net>, "Igor Podlesny" <poige@morning.ru>
Cc:        <freebsd-security@FreeBSD.ORG>, <freebsd-isp@FreeBSD.ORG>
Subject:   Re: disable traceroute to my host
Message-ID:  <01ae01c0fdb0$e7eb8fe0$9865fea9@book>
References:  <006a01c0fb6b$2d64d830$9865fea9@book> <13760134158.20010623111308@morning.ru> <3B34EEC8.9010606@jewfish.net> <003d01c0fc30$053716a0$3324200a@sonicboom.org>

well basically i wanted to block all traceroute .. whether it's windows or unix
  ----- Original Message ----- 
  From: Brian 
  To: Jewfish ; Igor Podlesny 
  Cc: alexus ; freebsd-security@FreeBSD.ORG ; freebsd-isp@FreeBSD.ORG 
  Sent: Saturday, June 23, 2001 6:01 PM
  Subject: Re: disable traceroute to my host


  Aren't you leaving out some details, like for example windows tracert is icmp based, whereas unix traces are udp..

      Bri
    ----- Original Message ----- 
    From: Jewfish 
    To: Igor Podlesny 
    Cc: alexus ; freebsd-security@FreeBSD.ORG ; freebsd-isp@FreeBSD.ORG 
    Sent: Saturday, June 23, 2001 12:32 PM
    Subject: Re: disable traceroute to my host


    These are the rules I have come up with on my own firewall to disable tracerouting and pinging (something which might not be for everybody), but allows me to traceroute and ping from the host and receive all the responses:

    allow icmp from any to any in recv ep0 icmptype 0,3,11,14,16,18
    allow icmp from any to any out xmit ep0 icmptype 8

    ep0 being, of course, my external interface.  This seems to work quite well for me.  Some other ideas were brought up about denying the "time-to-live-exceeded" icmptype (11) because of packets that may take a long time to reach the host.  However, this is the easiest method I could come up with using firewall rules.

    Obviously, these rules also deny ping traffic, which is not recommended for everyone.  However, I have recently gotten a lot of ping floods, so I enacted this (possibly on a temporary basis) to deal with this, while still allowing me to ping out (icmptype 8) and receive the replies (icmptype 0).

    James

    Igor Podlesny wrote:

is it possible to disable using ipfw so people won't be able to traceroute me?

Yes, of course.

You should know how do traceroute-like utilities work.

The knowledge can be easily extracted from a lot of sources, e.g. from the Internet, cause you seem to be connected ;) but it also should be mentioned that man pages coming with FreeBSD (I guess as well as with other *NIX-like OSes) also describe the algo.

so man traceroute says that it uses udp ports starting with 33434 and goes up with every new hop. but this could be easily changed with the -p option. Besides, windows' tracert works using icmp proto, so the decision isn't here. It lies in what the box does when answering to them. It does send 'time exceeded in-transit' icmp message cause TTL value is set too low to let the packet jump forward. So it is the answer -- you should disallow it with your ipfw, e.g. using such syntax:

deny icmp from any to any icmptype 11

(yeah, you should carefully think about whether or not to use ANY cause if your box is a gateway other people will notice your cutting-edge knowledge cause it will hide not only your host ;)

This is not the end, alas. unix traceroute will wait for port unreach icmp so after meeting it, it stops and displays the end-point of your trace. Windows' tracert will wait for normal icmp-echo-reply for the same purpose. So if you also wish to hide the end point, you need to disallow this also. I bet you can figure out the way how by yourself, now.

P.S. there are also other ways (even more elegant) of doing that in practice... they're called 'stealth routing' and can be implemented via FreeBSD kernel mechanism (sysctl + built-in kernel support) or with ipf (ipfilter)

read the man pages, man, they are freely available...
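Added example (not from this thread, from any of its posters, or from FreeBSD): a toy first-match evaluator for the ipfw rule subset James posted, run over constructed ICMP packets to show which of the host's traceroute and ping responses his two rules suppress and which of its own outbound probes and returning replies they still admit. It also evaluates Igor's single `deny icmp from any to any icmptype 11` rule on an otherwise open firewall, which hides the hop but not the end point. Assumptions: a final deny-everything rule sits below James's two rules (his post does not show the rest of the ruleset); the interface name ep0 is taken from his post; only protocol, direction, interface and ICMP type are modelled, since every rule in the thread is "from any to any"; UDP/TCP rules and packet forwarding on a gateway are not modelled.

```python
"""Toy first-match evaluator for the ipfw(8) rule subset used in the thread.

Constructed example, not code from the FreeBSD project or from any poster.
It models only protocol, direction, interface and ICMP type; addresses are
ignored because every rule in the thread is 'from any to any'.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                      # "icmp", "udp", ...
    direction: str                  # "in" (received) or "out" (transmitted)
    iface: str                      # interface the packet arrives on / leaves by
    icmptype: Optional[int] = None  # ICMP type, None for non-ICMP packets


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: str                      # "icmp", "udp", ... or "ip" (matches everything)
    direction: Optional[str]        # None = either direction
    iface: Optional[str]            # None = any interface
    icmptypes: Optional[frozenset]  # None = any ICMP type


def parse_rule(text: str) -> Rule:
    """Parse 'allow|deny PROTO from any to any [in|out] [recv|xmit|via IF] [icmptype a,b,c]'."""
    tok = text.split()
    if tok[2:6] != ["from", "any", "to", "any"]:
        raise ValueError("only 'from any to any' rules are modelled: %r" % text)
    direction = iface = icmptypes = None
    i = 6
    while i < len(tok):
        if tok[i] in ("in", "out"):
            direction = tok[i]
        elif tok[i] in ("recv", "xmit", "via"):
            iface = tok[i + 1]
            i += 1
        elif tok[i] == "icmptype":
            icmptypes = frozenset(int(t) for t in tok[i + 1].split(","))
            i += 1
        else:
            raise ValueError("unsupported keyword %r in %r" % (tok[i], text))
        i += 1
    return Rule(tok[0], tok[1], direction, iface, icmptypes)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.icmptypes is not None and pkt.icmptype not in rule.icmptypes:
        return False
    return True


def verdict(rules, pkt: Packet) -> str:
    """ipfw is first-match: the first rule that matches decides the packet."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"  # assumed default-to-deny final rule


# James's two rules from the thread, followed by an ASSUMED deny-all rule
# (the post does not show the rest of his ruleset).
RULESET_TEXT = [
    "allow icmp from any to any in recv ep0 icmptype 0,3,11,14,16,18",
    "allow icmp from any to any out xmit ep0 icmptype 8",
    "deny ip from any to any",
]
RULES = [parse_rule(r) for r in RULESET_TEXT]

# Constructed packets on ep0: the ICMP messages that traceroute and ping depend on.
SCENARIOS = {
    # what the host would send back to someone tracing or pinging it
    "reply time-exceeded (type 11) to expiring probe":    Packet("icmp", "out", "ep0", 11),
    "reply port-unreachable (type 3) to unix traceroute": Packet("icmp", "out", "ep0", 3),
    "reply echo-reply (type 0) to tracert / ping":        Packet("icmp", "out", "ep0", 0),
    "incoming echo-request (type 8)":                     Packet("icmp", "in", "ep0", 8),
    # what the host itself needs when tracing or pinging out
    "own echo-request (type 8) going out":                Packet("icmp", "out", "ep0", 8),
    "time-exceeded (type 11) coming back to us":          Packet("icmp", "in", "ep0", 11),
    "port-unreachable (type 3) coming back to us":        Packet("icmp", "in", "ep0", 3),
    "echo-reply (type 0) coming back to us":              Packet("icmp", "in", "ep0", 0),
}


def evaluate_all(rules=RULES) -> dict:
    """Verdict for every scenario under James's ruleset."""
    return {name: verdict(rules, pkt) for name, pkt in SCENARIOS.items()}


def compare_igor_rule() -> dict:
    """Igor's single rule on an otherwise open firewall: the hop (type 11) is
    hidden, but the end point still answers with type 3 / type 0, as he notes."""
    rules = [parse_rule("deny icmp from any to any icmptype 11"),
             parse_rule("allow ip from any to any")]
    return {t: verdict(rules, Packet("icmp", "out", "ep0", t)) for t in (11, 3, 0)}


if __name__ == "__main__":
    for name, v in evaluate_all().items():
        print(f"{v:5}  {name}")
    print("Igor's rule alone, outbound ICMP types 11/3/0:", compare_igor_rule())
```

Running it prints the verdict table: the three response types (11, 3, 0) and the incoming echo request are dropped, while the host's own outbound echo requests and every returning reply type are admitted. The design keeps the evaluator strictly first-match and default-deny so that the order of rules, which is what ipfw actually enforces, is the only thing that decides each packet.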




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?01ae01c0fdb0$e7eb8fe0$9865fea9>