Date: Fri, 24 Nov 2000 14:08:47 +0100
From: Massimo Fubini <supermax@aexis-telecom.it>
To: Dag-Erling Smorgrav <des@ofug.org>
Cc: security@FreeBSD.ORG
Subject: Re[2]: ipf - icmp
Message-ID: <18813810961.20001124140847@aexis-telecom.it>
In-Reply-To: <xzpvgtdsi35.fsf@flood.ping.uio.no>
References: <Pine.BSF.4.21.0011231431360.18361-100000@tmd.df.ru> <xzp66ldtz6k.fsf@flood.ping.uio.no> <20001124134218.A17181@nevermind.kiev.ua> <xzpvgtdsi35.fsf@flood.ping.uio.no>
Hello Dag-Erling and all the group,

Friday, November 24, 2000, 12:52:14 PM, you wrote:

DES> Nevermind <never@nevermind.kiev.ua> writes:
>> > No. There is no way to completely prevent someone from tracerouting
>> > you. You can make it slightly harder by blocking incoming UDP (which
>> > your ruleset does not), but that's about it.

Traceroute is based on TTL expiration. What you can do is block all the packets with a small TTL, so you will never have a TTL == 0 in your internal network. If you have no more than 3 hops in your internal network and you discard all the packets with a TTL < 4, you will never have TTL expiration, and this will make it very hard for programs like traceroute or firewalk to map your internal network.

Something can be done to find out whether a port is closed at the firewall or at the host... but that is another topic.

Best regards,
Massimo

PS: This is my first post on *@freebsd.org. I'm a beginner with FreeBSD and hope I will learn a lot from these lists.
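The low-TTL filtering idea in the message above, worked through as an added example (this is not code from the thread or from ipf): a small simulation of TTL decrement along a path, with one hop acting as a firewall that silently drops packets arriving with TTL below a threshold. It runs a traceroute-style sweep and a firewalk-style probe against the same path with and without the filter, and additionally checks, for any starting TTL, which hops behind the firewall could ever send ICMP time exceeded, which makes the "no more than 3 hops" condition concrete. The hop names, the path layout and the threshold of 4 are assumptions made up for the illustration.

```python
# Added example, not from the original message or from the ipf project.
# Hop names, path layout and the threshold (4) are illustrative assumptions.
from typing import List, Optional, Set, Tuple


class Hop:
    """One forwarding device.  If min_ttl is set, the hop also acts as a
    firewall that silently discards packets *arriving* with TTL < min_ttl,
    i.e. the "block everything with a small TTL" rule from the message."""

    def __init__(self, name: str, min_ttl: Optional[int] = None) -> None:
        self.name = name
        self.min_ttl = min_ttl


def send_probe(path: List[Hop], dest: str, ttl: int) -> Tuple[str, str]:
    """Walk one probe with initial TTL `ttl` through `path` towards `dest`.

    ("time-exceeded", hop): a router decremented TTL to 0 and answered with
                            ICMP time exceeded, so that router became visible
    ("dropped", hop):       a firewall discarded the packet silently; the
                            sender only sees a timeout ("*")
    ("reply", dest):        the probe reached the destination host
    """
    for hop in path:
        # The filter is evaluated on the TTL the packet arrives with.
        if hop.min_ttl is not None and ttl < hop.min_ttl:
            return ("dropped", hop.name)
        ttl -= 1  # normal forwarding decrement (RFC 1812 behaviour)
        if ttl == 0:
            return ("time-exceeded", hop.name)
    return ("reply", dest)


def traceroute(path: List[Hop], dest: str, max_ttl: int = 16) -> List[str]:
    """Classic traceroute: one probe per TTL value, stop when `dest` answers."""
    seen: List[str] = []
    for ttl in range(1, max_ttl + 1):
        outcome, who = send_probe(path, dest, ttl)
        seen.append("*" if outcome == "dropped" else who)
        if outcome == "reply":
            break
    return seen


def firewalk(path: List[Hop], dest: str, fw_index: int) -> str:
    """Firewalk's trick: TTL = (hop count to the firewall) + 1, so a probe the
    firewall forwards expires at the very next hop, which then reveals itself.
    fw_index is the 0-based position of the firewall in `path`."""
    outcome, who = send_probe(path, dest, fw_index + 2)
    return f"{outcome} by {who}"


def visible_internal_hops(path: List[Hop], dest: str, fw_index: int,
                          max_ttl: int = 255) -> Set[str]:
    """Hops behind the firewall that answer with time exceeded for *any*
    initial TTL.  Empty set == no TTL expiration inside the network."""
    inside = {h.name for h in path[fw_index + 1:]}
    found: Set[str] = set()
    for ttl in range(1, max_ttl + 1):
        outcome, who = send_probe(path, dest, ttl)
        if outcome == "time-exceeded" and who in inside:
            found.add(who)
    return found


# Constructed sample topology: ISP router, the firewall, two internal routers,
# then the target host.  Two paths: filtering firewall vs. plain firewall.
UPSTREAM = Hop("isp-router")
FIREWALL_FILTERING = Hop("firewall", min_ttl=4)
FIREWALL_OPEN = Hop("firewall")
INTERNAL = [Hop("core-router"), Hop("dmz-router")]
HOST = "internal-host"
PATH_FILTERED = [UPSTREAM, FIREWALL_FILTERING] + INTERNAL
PATH_OPEN = [UPSTREAM, FIREWALL_OPEN] + INTERNAL


def demo() -> Tuple[List[str], List[str]]:
    """Traceroute output with and without the low-TTL filter."""
    return traceroute(PATH_FILTERED, HOST), traceroute(PATH_OPEN, HOST)


if __name__ == "__main__":
    filtered, plain = demo()
    print("with  ttl<4 filter:", filtered)
    print("without filter:    ", plain)
    print("firewalk, filtered:", firewalk(PATH_FILTERED, HOST, fw_index=1))
    print("firewalk, open:    ", firewalk(PATH_OPEN, HOST, fw_index=1))
    print("internal hops ever visible:",
          visible_internal_hops(PATH_FILTERED, HOST, fw_index=1))
```

Two things the simulation makes visible that are worth keeping in mind: the drop at the firewall has to be silent (an ICMP error from the firewall would itself reveal a hop), and the filter hides only the hops, not the destination, since a probe with a large enough TTL still reaches the host and gets an answer, so traceroute shows a run of `*` entries followed by the target. The threshold also has to exceed the number of decrementing hops behind the firewall: with three internal routers behind a `ttl < 4` rule, the third one still expires the packet and shows up.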