Message-ID: <3B53D5AF.8D004696@home.com>
Date: Mon, 16 Jul 2001 23:05:35 -0700
From: Bruce Dang
Organization: Boys & Girls Clubs
To: freebsd-net@FreeBSD.ORG
Subject: Re: traceroute filter.
References: <20010717082431.N47897-100000@blade.elitsat.net>

Alex,

The last 'traceroute blocking' thread went on for a few weeks, so I think you should look into that. In addition to that, I think blocking ICMP packets, especially type 3 and 11, would allow you to traceroute. traceroute(8) works by sending UDP datagrams to the destination, incrementing TTLs after every hop. If you block all ICMP packets, the intermediate routers will not be able to send back ICMP packets, which makes traceroute(8) almost useless ;(.

Bruce Dang
www.tbug.org
I wonder how long this thread will go on...

Alexander wrote:
>
> Hello.
> I was wondering if anyone knows how can I set ipfw rules to allow myself
> to traceroute anywhere but no one to be able to ping or traceroute me.
>
> I saw few examples in the ipfw tutorial on www.defcon1.org for filtering
> external pings but these examples don't allow me to traceroute somewhere.
>
> thanks.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
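
An ipfw ruleset for the filtering asked about in this thread, as an added example that is not part of the original messages. It relies on traceroute(8) sending UDP probes and getting ICMP type 11 (time exceeded) from intermediate routers and type 3 (destination unreachable) from the target. The host address argument, the rule numbers 500-550 and the port range 33434-33523 (traceroute's default base port, 30 hops x 3 probes) are assumptions.

```sh
#!/bin/sh
# Added example, not from the original thread.
# Prints ipfw commands for: outbound traceroute and ping allowed,
# inbound ping and default-port traceroute probes dropped.
# Assumptions: host address given as $1, rule numbers 500-550,
# traceroute's default UDP destination ports 33434-33523.

TR_PORTS="33434-33523"

traceroute_rules() {
    ip="$1"
    [ -n "$ip" ] || { echo "usage: traceroute_rules <host-ip>" >&2; return 1; }
    cat <<EOF
ipfw -q add 500 allow udp from ${ip} to any ${TR_PORTS} out
ipfw -q add 510 allow icmp from any to ${ip} in icmptypes 3,11
ipfw -q add 520 allow icmp from ${ip} to any out icmptypes 8
ipfw -q add 530 allow icmp from any to ${ip} in icmptypes 0
ipfw -q add 540 deny icmp from any to ${ip} in icmptypes 8
ipfw -q add 550 deny udp from any to ${ip} ${TR_PORTS} in
EOF
}
# 500: our own traceroute probes may leave.
# 510: time exceeded (11) and unreachable (3) answers may come back;
#      type 3 inbound also keeps path MTU discovery working.
# 520/530: our own pings out, echo replies back in.
# 540: echo requests aimed at this host are dropped.
# 550: UDP probes to the default traceroute ports are dropped, so no
#      port-unreachable answer is generated for them.

# Print the rules when run with an address; pipe the output to sh to load them.
[ "$#" -eq 0 ] || traceroute_rules "$1"
```

ipfw stops at the first matching rule, so these numbers must sit below any broader allow or deny rule for UDP or ICMP that is already in the ruleset.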