From owner-freebsd-security  Wed Jun 27  0:55:10 2001
Delivered-To: freebsd-security@freebsd.org
Received: from adm.sci-nnov.ru (adm.sci-nnov.ru [195.122.226.2])
	by hub.freebsd.org (Postfix) with ESMTP id AD59E37B405
	for <freebsd-security@FreeBSD.ORG>; Wed, 27 Jun 2001 00:55:04 -0700 (PDT)
	(envelope-from 3APA3A@SECURITY.NNOV.RU)
Received: from anonymous.sandy.ru (anonymous.sandy.ru [195.122.226.40]) by adm.sci-nnov.ru (8.9.3/Dmiter-4.1-AGK-0.5) with ESMTP id LAA25626; Wed, 27 Jun 2001 11:43:25 +0400 (MSD)
Date: Wed, 27 Jun 2001 11:43:24 +0400
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
X-Mailer: The Bat! (v1.51)
Reply-To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Organization: http://www.security.nnov.ru
X-Priority: 3 (Normal)
Message-ID: <79255173079.20010627114324@SECURITY.NNOV.RU>
To: Peter Jeremy <peter.jeremy@alcatel.com.au>
Cc: alexus <ml@db.nexgen.com>, freebsd-security@FreeBSD.ORG
Subject: Re[2]: disable traceroute to my host
In-Reply-To: <20010627071504.P95583@gsmx07.alcatel.com.au>
References: <006a01c0fb6b$2d64d830$9865fea9@book>
 <771487721300.20010623150519@SECURITY.NNOV.RU>
 <009201c0fdad$57c2af00$9865fea9@book>
 <3181060651.20010626150813@SECURITY.NNOV.RU>
 <20010627071504.P95583@gsmx07.alcatel.com.au>
MIME-Version: 1.0
Content-Type: text/plain; charset=Windows-1251
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Hello Peter,



--Wednesday, June 27, 2001, 1:15:04 AM, you wrote to 3APA3A@SECURITY.NNOV.RU:

PJ> On 2001-Jun-26 15:08:13 +0400, 3APA3A <3APA3A@SECURITY.NNOV.RU> wrote:
>>deny ICMP from (YOURNETWORK) to any icmptypes 0,3,11 out
>>
>>0 - to stop windows traceroute and ping
>>3 - to stop BSD-style traceroute
>>11 - to prevent intermediate router to reply traceroute

PJ> Blocking ICMP type 3 will break Path-MTU discovery (which relies on
PJ> type 3 code 4).

It's  possible  to combine - deny incoming UDP and outgoing ICMP types
0, 11.

In  any  case  - there are thousand ways to discover route. Use NAT to
hide internal network.

PJ> Peter

PJ> To Unsubscribe: send mail to majordomo@FreeBSD.org
PJ> with "unsubscribe freebsd-security" in the body of the message


-- 
~/3APA3A
Всегда будем рады послушать ваше чириканье (Твен)



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message