From: "alexus"
To: "Jewfish", "Igor Podlesny"
Subject: Re: disable traceroute to my host
Date: Mon, 25 Jun 2001 15:55:53 -0400

Is there any place on the internet where all protocols are described, like ICMP and all the types of ICMP? I'd love to read about that.

----- Original Message -----
From: Jewfish
To: Igor Podlesny
Cc: alexus; freebsd-security@FreeBSD.ORG; freebsd-isp@FreeBSD.ORG
Sent: Saturday, June 23, 2001 3:32 PM
Subject: Re: disable traceroute to my host

These are the rules I have come up with on my own firewall to disable tracerouting and pinging (something which might not be for everybody), but which allow me to traceroute and ping from the host and receive all the responses:

allow icmp from any to any in recv ep0 icmptype 0,3,11,14,16,18
allow icmp from any to any out xmit ep0 icmptype 8

ep0 being, of course, my external interface. This seems to work quite well for me. Some other ideas were brought up about denying the "time-to-live-exceeded" icmptype (11) because of packets that may take a long time to reach the host. However, this is the easiest method I could come up with using firewall rules.

Obviously, these rules also deny ping traffic, which is not recommended for everyone. However, I have recently gotten a lot of ping floods, so I enacted this (possibly on a temporary basis) to deal with this, while still allowing me to ping out (icmptype 8) and receive the replies (icmptype 0).

James

Igor Podlesny wrote:

is it possible to disable using ipfw so people won't be able to traceroute me?

Yes, of course.

You should know how traceroute-like utilities work. The knowledge can be easily extracted from a lot of sources, e.g. from the Internet, cause you seem to be connected ;) But it should also be mentioned that the man pages coming with FreeBSD (I guess as well as with other *NIX-like OSes) also describe the algorithm.

So man traceroute says that it uses UDP ports starting with 33434 and goes up with every new hop. But this could be easily changed with the -p option. Besides, Windows' tracert works using the ICMP protocol, so the decision isn't here. It lies in what the box does when answering them. It sends a 'time exceeded in-transit' ICMP message cause the TTL value is set too low to let the packet jump forward. So this is the answer: you should disallow it with your ipfw, e.g. using such syntax:

deny icmp from any to any icmptype 11

(Yeah, you should carefully think about whether or not to use ANY, cause if your box is a gateway other people will notice your cutting-edge knowledge, cause it will hide not only your host ;)

This is not the end, alas. Unix traceroute will wait for a port unreachable ICMP, so after meeting it, it stops and displays the end point of your trace. Windows' tracert will wait for a normal ICMP echo reply for the same purpose. So if you also wish to hide the end point, you need to disallow this also. I bet you can figure out how by yourself now.

P.S. There are also other ways (even more elegant) of doing that in practice... they are called 'stealth routing' and can be implemented via a FreeBSD kernel mechanism (sysctl + built-in kernel support) or with ipf (ipfilter).

Read the man pages, man, they are freely available...
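As an added check (example code written for this page, not from the thread or from FreeBSD), the Python below models the ipfw rules quoted above against the ICMP messages that traceroute and ping rely on, so you can see which ones the host would still emit. It assumes ipfw's default deny stands behind the two allow rules and models only "any" addresses.

```python
# Constructed: the thread's two allow rules plus a catch-all deny standing in for ipfw's default deny (assumption).
RULES = [
    "allow icmp from any to any in recv ep0 icmptype 0,3,11,14,16,18",
    "allow icmp from any to any out xmit ep0 icmptype 8",
    "deny icmp from any to any",
]

def parse_rule(text):
    """Parse the subset of ipfw syntax used above; None in a field means 'any'."""
    tok = text.split()
    rule = {"action": tok[0], "proto": tok[1], "dir": None, "iface": None, "icmptype": None}
    i = 2
    while i < len(tok):
        t = tok[i]
        if t in ("from", "to"):
            i += 1                      # only 'any' addresses are modelled
        elif t in ("in", "out"):
            rule["dir"] = t
        elif t in ("recv", "xmit"):
            i += 1
            rule["iface"] = tok[i]
        elif t == "icmptype":
            i += 1
            rule["icmptype"] = {int(x) for x in tok[i].split(",")}
        else:
            raise ValueError("unsupported keyword: " + t)
        i += 1
    return rule

def decide(rules, pkt):
    """First matching rule wins, as in ipfw; None if no rule matches."""
    for r in map(parse_rule, rules):
        if (r["proto"] == pkt["proto"] and r["dir"] in (None, pkt["dir"])
                and r["iface"] in (None, pkt["iface"])
                and (r["icmptype"] is None or pkt["icmptype"] in r["icmptype"])):
            return r["action"]
    return None

def traceroute_exposure(rules, iface="ep0"):
    """Verdict for each ICMP message a remote ping/traceroute relies on."""
    probes = {  # (direction, ICMP type) as seen on the external interface
        "echo-request in (ping / tracert probe)": ("in", 8),
        "echo-reply out (tracert end point)": ("out", 0),
        "time-exceeded out (hop answer)": ("out", 11),
        "port-unreachable out (traceroute end point)": ("out", 3),
        "time-exceeded in (replies to own traceroute)": ("in", 11),
    }
    return {name: decide(rules, {"proto": "icmp", "dir": d, "iface": iface, "icmptype": t})
            for name, (d, t) in probes.items()}
```

With these rules every outbound answer a prober needs (types 0, 3 and 11) is denied while the inbound replies to the host's own traceroute and ping (types 11 and 0) are still allowed, which is exactly the behaviour James describes.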