Date: Wed, 27 Jun 2001 19:05:15 GMT
From: "Peter C. Lai" <sirmoo@cowbert.2y.net>
To: "alexus" <ml@db.nexgen.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: disable traceroute to my host
Message-ID: <20010627190515.40295.qmail@d170h113.resnet.uconn.edu>
In-Reply-To: <003701c0ff37$e229faa0$01000001@book>
References: <006a01c0fb6b$2d64d830$9865fea9@book> <771487721300.20010623150519@SECURITY.NNOV.RU> <009201c0fdad$57c2af00$9865fea9@book> <3181060651.20010626150813@SECURITY.NNOV.RU> <20010627071504.P95583@gsmx07.alcatel.com.au> <79255173079.20010627114324@SECURITY.NNOV.RU> <003701c0ff37$e229faa0$01000001@book>

alexus writes:

> from someone earlier post.. i suggest to check this out
>
> http://www.isi.edu/in-notes/iana/assignments/icmp-parameters
>
> ----- Original Message -----
> From: "3APA3A" <3APA3A@SECURITY.NNOV.RU>
> To: "Peter Jeremy" <peter.jeremy@alcatel.com.au>
> Cc: "alexus" <ml@db.nexgen.com>; <freebsd-security@FreeBSD.ORG>
> Sent: Wednesday, June 27, 2001 3:43 AM
> Subject: Re[2]: disable traceroute to my host
>
>> Hello Peter,
>>
>> --Wednesday, June 27, 2001, 1:15:04 AM, you wrote to 3APA3A@SECURITY.NNOV.RU:
>>
>> PJ> On 2001-Jun-26 15:08:13 +0400, 3APA3A <3APA3A@SECURITY.NNOV.RU> wrote:
>> >>deny ICMP from (YOURNETWORK) to any icmptypes 0,3,11 out
>> >>
>> >>0 - to stop windows traceroute and ping
>> >>3 - to stop BSD-style traceroute
>> >>11 - to prevent intermediate router to reply traceroute
>>
>> PJ> Blocking ICMP type 3 will break Path-MTU discovery (which relies on
>> PJ> type 3 code 4).
>>
>> It's possible to combine - deny incoming UDP and outgoing ICMP types
>> 0, 11.
>>
>> In any case - there are thousand ways to discover route. Use NAT to
>> hide internal network.
>>
>> PJ> Peter
>>
>> PJ> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> PJ> with "unsubscribe freebsd-security" in the body of the message
>>
>> --
>> ~/3APA3A
>> We will always be glad to listen to your chirping (Twain)

There's no significant reason to block traceroute (and ICMP types).
First, it doesn't improve your "security" (well maybe your false sense of security).
Second, blocking ICMP types breaks the RFC(s), which means that in some cases,
routing breaks etc. This has been discussed at length on the list before; you can
read it yourself.
Third, please try to read all the mail in a thread before posting 11 times to
11 messages in a row.

-----------
Peter C. Lai
University of Connecticut
Dept. of Residential Life | Programmer
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant/Honors Program
http://cowbert.2y.net/