From owner-freebsd-security Wed Jun 27 8:23:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from kcmgwp01.corp.sprint.com (parker1.sprint.com [208.18.122.165]) by hub.freebsd.org (Postfix) with ESMTP id A5B5937B401 for ; Wed, 27 Jun 2001 08:23:06 -0700 (PDT) (envelope-from steve.d.meacham@mail.sprint.com) Received: from kcmgwp02.corp.sprint.com (kcmgwp02 [10.185.6.93]) by kcmgwp01.corp.sprint.com (Switch-2.0.2/Switch-2.0.2) with ESMTP id f5RFMaV17189; Wed, 27 Jun 2001 10:22:38 -0500 (CDT) Received: from kcopmp01.corp.sprint.com (kcopmp01m.corp.sprint.com [10.74.2.72]) by kcmgwp02.corp.sprint.com (Switch-2.0.2/Switch-2.0.2) with ESMTP id f5RFMaW03514; Wed, 27 Jun 2001 10:22:36 -0500 (CDT) Received: from localhost (root@localhost) by kcopmp01.corp.sprint.com (8.8.6 (PHNE_17190)/8.8.6) with ESMTP id KAA15908; Wed, 27 Jun 2001 10:22:35 -0500 (CDT) From: steve.d.meacham@mail.sprint.com X-OpenMail-Hops: 1 Date: Wed, 27 Jun 2001 10:22:35 -0500 Message-Id: Subject: RE: disable traceroute to my host MIME-Version: 1.0 To: peter.jeremy@alcatel.com.au, peter@sysadmin-inc.com Cc: freebsd-security@FreeBSD.ORG Content-Type: multipart/mixed; boundary="openmail-part-484610c8-00000001" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --openmail-part-484610c8-00000001 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline ;Creation-Date="Wed, 27 Jun 2001 10:22:35 -0500" Content-Transfer-Encoding: 7bit Check out the book "Building Internet Firewalls" by Zwicky, Cooper & Chapman from O'Reilly. It describes ICMP types and how to filter and deal with them. It also covers most of the other protocols you're likely to encounter as a firewall administrator. Oh... ISBN 1-56592-871-7 Steven -----Original Message----- From: peter [mailto:peter@sysadmin-inc.com] Sent: Wednesday, June 27, 2001 10:14 AM To: peter.jeremy Cc: peter; freebsd-security Subject: RE: disable traceroute to my host Peter, What is a good document to get more info on ICMP types? Thanks. Peter Brezny SysAdmin Services Inc. -----Original Message----- From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Peter Jeremy Sent: Tuesday, June 26, 2001 5:15 PM To: 3APA3A Cc: alexus; freebsd-security@FreeBSD.ORG Subject: Re: disable traceroute to my host On 2001-Jun-26 15:08:13 +0400, 3APA3A <3APA3A@SECURITY.NNOV.RU> wrote: >deny ICMP from (YOURNETWORK) to any icmptypes 0,3,11 out > >0 - to stop windows traceroute and ping >3 - to stop BSD-style traceroute >11 - to prevent intermediate router to reply traceroute Blocking ICMP type 3 will break Path-MTU discovery (which relies on type 3 code 4). Peter To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message --openmail-part-484610c8-00000001-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message