From owner-freebsd-security Mon Jun 25 22:53:27 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 484C737B405 for ; Mon, 25 Jun 2001 22:53:18 -0700 (PDT) (envelope-from roam@orbitel.bg)
Received: (qmail 18862 invoked by uid 1000); 26 Jun 2001 05:58:04 -0000
Date: Tue, 26 Jun 2001 08:58:04 +0300
From: Peter Pentchev
To: alexus
Cc: Simon Rakovec, freebsd-security@freebsd.org
Subject: Re: disable traceroute to my host
Message-ID: <20010626085804.E780@ringworld.oblivion.bg>
Mail-Followup-To: alexus, Simon Rakovec, freebsd-security@freebsd.org
References: <006a01c0fb6b$2d64d830$9865fea9@book> <3B36267B.5B5FDBE@inforta.com> <20010625093731.A934@ringworld.oblivion.bg> <01ec01c0fdb1$6c9cada0$9865fea9@book>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <01ec01c0fdb1$6c9cada0$9865fea9@book>; from ml@db.nexgen.com on Mon, Jun 25, 2001 at 04:00:03PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Mon, Jun 25, 2001 at 04:00:03PM -0400, alexus wrote:
> i agree this is not a solution.. looks like tty=1 is best solution so far

TTL=1 is not a general solution, because it only blocks traceroutes to this particular host, not to any machines that it is acting as a gateway for.

Moreover, TTL=1 is not a real-world solution, because some *legitimate* packets might arrive with TTL=1 (yes, there are some OSes that set too low a TTL on outgoing packets, and there are some global backbone ISPs which have a *lot* of routers, so it is possible that a normal packet destined for your host should reach you with TTL=1).

And just btw.. Really, why do you want to block traceroutes?

G'luck,
Peter

--
because I didn't think of a good beginning of it.
> ----- Original Message -----
> From: "Peter Pentchev"
> To: "Simon Rakovec"
> Cc:
> Sent: Monday, June 25, 2001 2:37 AM
> Subject: Re: disable traceroute to my host
>
>
> > On Sun, Jun 24, 2001 at 07:42:19PM +0200, Simon Rakovec wrote:
> > > Try this:
> > >
> > > ipfw add deny udp from any 32769-65535 to 33434-33523
> >
> > As Karsten noted in a followup, this is not proper network practice.
> > There might be a LOT of things listening on those UDP ports, including
> > ephemeral outgoing UDP connections.
> >
> > As many other people noted, this does not stop Windows traceroute,
> > which goes via ICMP.
> >
> > As the traceroute(8) manpage notes, this does not stop people who
> > know how to use the traceroute '-p port' option to select a starting
> > port != 32768.
> >
> > As Dag-Erling Smoergrav noted, in general it is impossible to disable
> > a person determined to traceroute you, and in practice, there is
> > no need to.
> >
> > G'luck,
> > Peter
> >
> > PS. How was that now... one source: plagiarism, two sources: comparative
> > study, three sources: an academic thesis.. I did even better than that!
> ;)
> >
> > --
> > Thit sentence is not self-referential because "thit" is not a word.
> >
> > > alexus wrote:
> > > >
> > > > is it possible to disable using ipfw so people won't be able to
> traceroute
> > > > me?

To Unsubscribe: send mail to majordomo@FreeBSD.org with
"unsubscribe freebsd-security" in the body of the message
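The thread makes three separate points about why the proposed ipfw rule and the "drop TTL=1" idea do not work: the port range only covers the default probe ports of a classic UDP traceroute, ICMP-based tracert never touches those ports at all, and a legitimate packet can arrive with TTL=1 after enough router hops. The small model below is an added illustration written for this archive page, not code from the original message or from FreeBSD; it assumes the textbook behaviour of LBL/BSD traceroute (UDP destination port incremented by one per probe, starting at the -p base port, 30 hops times 3 queries by default) and uses constructed example values for the sender's source port and initial TTL.

```python
# Added illustration for the thread above; not code from the original message.
# Models (1) where classic UDP traceroute probes land, (2) what the proposed
# ipfw port-range rule does and does not match, and (3) the TTL=1 arithmetic.

BASE_PORT = 33434                   # traceroute(8) default start port, changed with -p
RULE_SPORTS = range(32769, 65536)   # proposed rule: "from any 32769-65535 ..."
RULE_DPORTS = range(33434, 33524)   # "... to 33434-33523" (90 ports)


def probe_ports(base=BASE_PORT, max_ttl=30, nqueries=3):
    """(ttl, udp_dst_port) for each probe of one traceroute run.

    Assumption (simplified model of LBL/BSD traceroute): the destination port
    is incremented by one for every probe sent, starting at `base`, so a
    default run of 30 hops x 3 queries uses 90 consecutive ports."""
    ports = []
    seq = 0
    for ttl in range(1, max_ttl + 1):
        for _ in range(nqueries):
            ports.append((ttl, base + seq))
            seq += 1
    return ports


def rule_matches(proto, sport, dport):
    """True if the proposed ipfw rule would drop a packet with these fields.

    ICMP has no ports, so Windows tracert (ICMP echo) is never matched."""
    if proto != "udp":
        return False
    return sport in RULE_SPORTS and dport in RULE_DPORTS


def blocked_fraction(probes, sport=40000):
    """Share of a run's probes that the rule drops.

    `sport` is a constructed, typical high ephemeral source port on the
    host running traceroute."""
    hits = sum(1 for _, dport in probes if rule_matches("udp", sport, dport))
    return hits / len(probes)


def arriving_ttl(initial_ttl, router_hops):
    """TTL left when a packet reaches its destination: every router on the
    path decrements it by one."""
    return initial_ttl - router_hops


if __name__ == "__main__":
    # Default run: every probe lands inside the rule's port range.
    print("default run blocked:", blocked_fraction(probe_ports()))              # 1.0
    # 'traceroute -p 40000' moves the whole run outside the range.
    print("traceroute -p 40000 blocked:", blocked_fraction(probe_ports(40000)))  # 0.0
    # Windows tracert uses ICMP echo; the UDP rule never sees it.
    print("ICMP tracert blocked:", rule_matches("icmp", None, None))            # False
    # A legitimate UDP reply from a peer on port 40000 to a local socket that
    # happens to sit on 33450 is indistinguishable from a probe to this rule.
    print("legit reply dropped:", rule_matches("udp", 40000, 33450))            # True
    # A stack that starts packets at TTL 32 (constructed example value) reaches
    # a host 31 routers away with TTL 1, so a "drop TTL=1" rule eats it too.
    print("TTL on arrival:", arriving_ttl(32, 31))                              # 1
```

The model deliberately does not touch a real firewall; it only makes the rule's coverage concrete: the 90-port range is exactly one default-length run, one `-p` argument steps around it, ICMP probes are outside its scope entirely, and the same five-tuple can belong to ordinary UDP traffic.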