From: "alexus"
To: "Brian", "Jewfish", "Igor Podlesny"
Cc: freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
Subject: Re: disable traceroute to my host
Date: Mon, 25 Jun 2001 15:56:21 -0400

Well, basically I wanted to block all traceroute, whether it's Windows or Unix.

----- Original Message -----
From: Brian
To: Jewfish ; Igor Podlesny
Cc: alexus ; freebsd-security@FreeBSD.ORG ; freebsd-isp@FreeBSD.ORG
Sent: Saturday, June 23, 2001 6:01 PM
Subject: Re: disable traceroute to my host

Aren't you leaving out some details, like for example that Windows tracert is ICMP based, whereas Unix traces are UDP?

    Bri

----- Original Message -----
From: Jewfish
To: Igor Podlesny
Cc: alexus ; freebsd-security@FreeBSD.ORG ; freebsd-isp@FreeBSD.ORG
Sent: Saturday, June 23, 2001 12:32 PM
Subject: Re: disable traceroute to my host

These are the rules I have come up with on my own firewall to disable tracerouting and pinging (something which might not be for everybody), but which allow me to traceroute and ping from the host and receive all the responses:

allow icmp from any to any in recv ep0 icmptype 0,3,11,14,16,18
allow icmp from any to any out xmit ep0 icmptype 8

ep0 being, of course, my external interface. This seems to work quite well for me. Some other ideas were brought up about denying the "time-to-live-exceeded" icmptype (11) because of packets that may take a long time to reach the host. However, this is the easiest method I could come up with using firewall rules.

Obviously, these rules also deny ping traffic, which is not recommended for everyone. However, I have recently gotten a lot of ping floods, so I enacted this (possibly on a temporary basis) to deal with this, while still allowing me to ping out (icmptype 8) and receive the replies (icmptype 0).

James

Igor Podlesny wrote:

  is it possible to disable using ipfw so people won't be able to traceroute me?

Yes, of course.

You should know how traceroute-like utilities work.

The knowledge can be easily extracted from a lot of sources, e.g. from the Internet, since you seem to be connected ;) but it also should be mentioned that the man pages coming with FreeBSD (I guess as well as with other *NIX-like OSes) also describe the algorithm.

So man traceroute says that it uses UDP ports starting with 33434 and goes up with every new hop. But this could be easily changed with the -p option. Besides, Windows' tracert works using the ICMP protocol, so the decision isn't here. It lies in what the box does when answering them. It sends a 'time exceeded in-transit' ICMP message because the TTL value is set too low to let the packet jump forward. So that is the answer -- you should disallow it with your ipfw, e.g. using such syntax:

deny icmp from any to any icmptype 11

(yeah, you should carefully think about whether or not to use ANY, because if your box is a gateway other people will notice your cutting-edge knowledge, since it will hide not only your host ;)

This is not the end, alas. Unix traceroute will wait for a port unreach ICMP, so after meeting it, it stops and displays the end-point of your trace. Windows' tracert will wait for a normal ICMP echo-reply for the same purpose. So if you also wish to hide the end point, you need to disallow this also. I bet you can figure out the way how by yourself now.

P.S. There are also other ways (even more elegant) of doing that in practice... they are called 'stealth routing' and can be implemented via a FreeBSD kernel mechanism (sysctl + built-in kernel support) or with ipf (ipfilter).

Read the man pages, man, they are freely available...
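As an added example (not code from any of the posts above), the following Python script models what each rule set in this thread does to an incoming trace: Igor's single `deny icmp ... icmptype 11`, Jewfish's two allow rules, and, for contrast, a port-based UDP filter that Igor's `-p` remark argues against. It is a reduced ipfw: first match wins, `in`/`out` stand in for `in recv ep0`/`out xmit ep0`, the default policy is a parameter because ipfw's depends on how the kernel was built, and the trailing `deny icmp` after Jewfish's allows is an assumption (the allows only do something if the rest of ICMP is denied after them). The `UDP_PORTS` rule is hypothetical, and the probes and replies are constructed here, not captured.

```python
"""Simulate what the ipfw rules from this thread do to an incoming traceroute.

Added example, not code from the original posts.  A probe arrives at the
firewalled box, which is either the trace's endpoint or a gateway on which
the probe's TTL expires; the ICMP the box generates then has to leave
through the same rules.  Rules are a reduced ipfw: first match wins,
'in'/'out' stand for 'in recv ep0'/'out xmit ep0', and the default policy
is a parameter (ipfw's depends on the kernel configuration).
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

ECHO_REPLY, UNREACH, ECHO, TIME_EXCEEDED = 0, 3, 8, 11


@dataclass(frozen=True)
class Pkt:
    proto: str                       # "udp" or "icmp"
    direction: str                   # "in" or "out"
    icmptype: Optional[int] = None   # ICMP type, for proto == "icmp"
    dport: Optional[int] = None      # UDP destination port


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: str = "ip"                # "ip" matches any protocol
    direction: Optional[str] = None  # None matches both directions
    icmptypes: FrozenSet[int] = frozenset()   # empty set: any ICMP type
    dports: Optional[range] = None   # UDP destination ports to match

    def matches(self, p: Pkt) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.icmptypes and p.icmptype not in self.icmptypes:
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        return True


def verdict(rules, pkt: Pkt, default: str = "allow") -> str:
    """ipfw semantics: the first matching rule decides, else the default policy."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return default


def probe_for(flavor: str, hop: int, port_base: int = 33434) -> Pkt:
    """What each traceroute flavour sends for a given hop number."""
    if flavor == "unix":      # UDP to an unused high port; the port climbs per hop
        return Pkt("udp", "in", dport=port_base + hop - 1)
    if flavor == "windows":   # ICMP echo request
        return Pkt("icmp", "in", icmptype=ECHO)
    raise ValueError(flavor)


def reply_for(probe: Pkt, role: str) -> Pkt:
    """The ICMP the box generates once the probe has been accepted."""
    if role == "gateway":      # TTL reaches zero while forwarding
        return Pkt("icmp", "out", icmptype=TIME_EXCEEDED)
    if probe.proto == "udp":   # endpoint: nothing listens on that port
        return Pkt("icmp", "out", icmptype=UNREACH)
    return Pkt("icmp", "out", icmptype=ECHO_REPLY)   # endpoint: echo request


def trace_sees(rules, flavor, role, hop=3, port_base=33434, default="allow"):
    """ICMP type the tracing host gets back for this hop, or None for a '*'."""
    probe = probe_for(flavor, hop, port_base)
    if verdict(rules, probe, default) != "allow":
        return None
    reply = reply_for(probe, role)
    if verdict(rules, reply, default) != "allow":
        return None
    return reply.icmptype


# Igor's suggestion: drop only 'time exceeded'.
IGOR = [Rule("deny", "icmp", icmptypes=frozenset({TIME_EXCEEDED}))]

# Jewfish's two allow rules; the trailing 'deny icmp' is an assumption
# (the allows only do something if the rest of ICMP is denied after them).
JEWFISH = [
    Rule("allow", "icmp", "in", frozenset({0, 3, 11, 14, 16, 18})),
    Rule("allow", "icmp", "out", frozenset({ECHO})),
    Rule("deny", "icmp"),
]

# Hypothetical alternative (not from the thread): filter the default probe ports.
UDP_PORTS = [Rule("deny", "udp", "in", dports=range(33434, 33534))]


if __name__ == "__main__":
    for name, rules in (("igor", IGOR), ("jewfish", JEWFISH), ("udp-ports", UDP_PORTS)):
        for flavor in ("unix", "windows"):
            for role in ("gateway", "endpoint"):
                seen = trace_sees(rules, flavor, role)
                print(f"{name:9} {flavor:7} {role:8} -> "
                      f"{'*' if seen is None else 'icmp type %d' % seen}")
    # traceroute -p 40000 sidesteps the port-based filter entirely
    print("udp-ports unix endpoint with -p 40000 ->",
          trace_sees(UDP_PORTS, "unix", "endpoint", port_base=40000))
```

Running it reproduces the point Igor makes: denying type 11 hides the box as an intermediate hop, but as the endpoint it still answers with port-unreachable (3) to Unix traceroute and echo-reply (0) to Windows tracert. Jewfish's set hides both, at the cost of dropping every ICMP the box itself would send except echo requests, which is why his rules also need type 3 and 11 allowed inbound so his own traces and pings keep working. A filter on the default UDP port range stops nothing once the tracer passes `-p 40000`.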