From: "Ryan Masse" <mail@max-info.net>
To: "alexus"
Delivered-To: freebsd-security@freebsd.org
Subject: Re: disable traceroute to my host
Date: Tue, 26 Jun 2001 18:59:20 -0400
Sender: owner-freebsd-security@FreeBSD.ORG

Did you get my post about blackhole?

man blackhole

     In the UDP instance, enabling blackhole behaviour turns off the
     sending of an ICMP port unreachable message in response to a UDP
     datagram which arrives on a port where there is no socket listening.
     It must be noted that this behaviour will prevent remote systems
     from running traceroute(8) to your system.

The following would enable the use of blackhole on your system:

sysctl -w net.inet.tcp.blackhole=2
sysctl -w net.inet.udp.blackhole=1

The above would block *nix traceroutes using the UDP method. Simply use
ipfw icmptype to block all MS attempts.

Ryan

> someone else using ttl=1? that's sux.. oh well I guess it's impossible to
> disable it.. cuz I don't want to block something that should work..
>
> thanks everyone
>
> ----- Original Message -----
> From: "Peter Pentchev"
> To: "alexus"
> Cc: "Simon Rakovec" ;
> Sent: Tuesday, June 26, 2001 1:58 AM
> Subject: Re: disable traceroute to my host
>
>
> > On Mon, Jun 25, 2001 at 04:00:03PM -0400, alexus wrote:
> > > I agree this is not a solution.. looks like ttl=1 is the best solution
> > > so far
> >
> > TTL=1 is not a general solution, because it only blocks traceroutes to
> > this particular host, not to any machines that it is acting as a
> > gateway for.
> >
> > Moreover, TTL=1 is not a real-world solution, because some *legitimate*
> > packets might arrive with TTL=1 (yes, there are some OS's that set too
> > low TTL's on outgoing packets, and there are some global backbone ISP's
> > which have a *lot* of routers, so it is possible that a normal packet
> > destined for your host should reach you with TTL=1).
> >
> > And just btw.. Really, why do you want to block traceroutes?
> >
> > G'luck,
> > Peter
> >
> > --
> > because I didn't think of a good beginning of it.
> >
> > > ----- Original Message -----
> > > From: "Peter Pentchev"
> > > To: "Simon Rakovec"
> > > Cc:
> > > Sent: Monday, June 25, 2001 2:37 AM
> > > Subject: Re: disable traceroute to my host
> > >
> > >
> > > > On Sun, Jun 24, 2001 at 07:42:19PM +0200, Simon Rakovec wrote:
> > > > > Try this:
> > > > >
> > > > > ipfw add deny udp from any 32769-65535 to 33434-33523
> > > >
> > > > As Karsten noted in a followup, this is not proper network practice.
> > > > There might be a LOT of things listening on those UDP ports, including
> > > > ephemeral outgoing UDP connections.
> > > >
> > > > As many other people noted, this does not stop Windows traceroute,
> > > > which goes via ICMP.
> > > >
> > > > As the traceroute(8) manpage notes, this does not stop people who
> > > > know how to use the traceroute '-p port' option to select a starting
> > > > port != 32768.
> > > >
> > > > As Dag-Erling Smørgrav noted, in general it is impossible to disable
> > > > a person determined to traceroute you, and in practice, there is
> > > > no need to.
> > > >
> > > > G'luck,
> > > > Peter
> > > >
> > > > PS. How was that now... one source: plagiarism, two sources:
> > > > comparative study, three sources: an academic thesis.. I did even
> > > > better than that! ;)
> > > >
> > > > --
> > > > Thit sentence is not self-referential because "thit" is not a word.
> > > >
> > > > > alexus wrote:
> > > > > >
> > > > > > is it possible to disable using ipfw so people won't be able to
> > > > > > traceroute me?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
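To make the thread's claims checkable, here is an added simulation (not code from the list, FreeBSD or ipfw) of one traceroute sweep against the countermeasures discussed: the udp blackhole sysctl, the UDP port-range deny, an ICMP echo deny for Windows tracert, and dropping TTL=1 packets. The HostPolicy flags, the router count and the hop model are assumptions of this example.

```python
"""Constructed model of a traceroute sweep against host-side countermeasures.
Not FreeBSD, ipfw or list code; HostPolicy and the hop model are assumptions."""
from dataclasses import dataclass

TRACEROUTE_PORTS = range(33434, 33524)  # UDP range from the ipfw rule above


@dataclass
class HostPolicy:
    udp_blackhole: bool = False   # net.inet.udp.blackhole=1 (no port unreachable)
    deny_udp_range: bool = False  # ipfw deny udp ... to 33434-33523
    deny_icmp_echo: bool = False  # ipfw deny on ICMP echo requests (MS tracert)
    drop_ttl1: bool = False       # "drop anything arriving with TTL=1"


def host_reply(policy, proto, dst_port, ttl):
    """Reply the destination host sends to one probe, or None if it stays silent."""
    if policy.drop_ttl1 and ttl <= 1:
        return None
    if proto == "icmp-echo":
        return None if policy.deny_icmp_echo else "echo-reply"
    # UDP probe: blackhole and the port-range deny both remove the
    # port-unreachable that traceroute(8) relies on to recognise the last hop.
    if policy.deny_udp_range and dst_port in TRACEROUTE_PORTS:
        return None
    return None if policy.udp_blackhole else "port-unreachable"


def traceroute(routers, policy, proto="udp", start_port=33434):
    """Return what the prober sees per hop: the routers in front of the host
    still answer ICMP time-exceeded, because the host's policy cannot affect
    them; only the final entry depends on the policy ('*' means no answer)."""
    seen = ["time-exceeded"] * routers
    dst_port = start_port + routers  # traceroute bumps the UDP port per probe
    seen.append(host_reply(policy, proto, dst_port, ttl=1) or "*")
    return seen


def inbound_udp_delivered(policy, dst_port, ttl):
    """Peter's objection: does the policy also drop an ordinary datagram
    (e.g. a DNS reply) to an ephemeral port the host is actually listening on?"""
    if policy.drop_ttl1 and ttl <= 1:
        return False
    return not (policy.deny_udp_range and dst_port in TRACEROUTE_PORTS)


if __name__ == "__main__":
    print(traceroute(3, HostPolicy(udp_blackhole=True)))               # last hop hidden
    print(traceroute(3, HostPolicy(udp_blackhole=True), "icmp-echo"))  # still answers
```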