From owner-freebsd-security Wed Jun 27 12: 2:37 2001
Delivered-To: freebsd-security@freebsd.org
Received: from d170h113.resnet.uconn.edu (d170h113.resnet.uconn.edu [137.99.170.113]) by hub.freebsd.org (Postfix) with SMTP id 2BC0437B405 for ; Wed, 27 Jun 2001 12:02:31 -0700 (PDT) (envelope-from sirmoo@cowbert.2y.net)
Received: (qmail 40296 invoked by uid 1001); 27 Jun 2001 19:05:15 -0000
Message-ID: <20010627190515.40295.qmail@d170h113.resnet.uconn.edu>
References: <006a01c0fb6b$2d64d830$9865fea9@book> <771487721300.20010623150519@SECURITY.NNOV.RU> <009201c0fdad$57c2af00$9865fea9@book> <3181060651.20010626150813@SECURITY.NNOV.RU> <20010627071504.P95583@gsmx07.alcatel.com.au> <79255173079.20010627114324@SECURITY.NNOV.RU> <003701c0ff37$e229faa0$01000001@book>
In-Reply-To: <003701c0ff37$e229faa0$01000001@book>
From: "Peter C. Lai"
To: "alexus"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: disable traceroute to my host
Date: Wed, 27 Jun 2001 19:05:15 GMT
Mime-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

alexus writes:

> From someone's earlier post.. I suggest checking this out:
>
> http://www.isi.edu/in-notes/iana/assignments/icmp-parameters
>
> ----- Original Message -----
> From: "3APA3A" <3APA3A@SECURITY.NNOV.RU>
> To: "Peter Jeremy"
> Cc: "alexus" ;
> Sent: Wednesday, June 27, 2001 3:43 AM
> Subject: Re[2]: disable traceroute to my host
>
>
>> Hello Peter,
>>
>> --Wednesday, June 27, 2001, 1:15:04 AM, you wrote to 3APA3A@SECURITY.NNOV.RU:
>>
>> PJ> On 2001-Jun-26 15:08:13 +0400, 3APA3A <3APA3A@SECURITY.NNOV.RU> wrote:
>> >>deny ICMP from (YOURNETWORK) to any icmptypes 0,3,11 out
>> >>
>> >>0 - to stop Windows traceroute and ping
>> >>3 - to stop BSD-style traceroute
>> >>11 - to prevent intermediate routers from replying to traceroute
>>
>> PJ> Blocking ICMP type 3 will break Path-MTU discovery (which relies on
>> PJ> type 3 code 4).
>>
>> It's possible to combine - deny incoming UDP and outgoing ICMP types
>> 0, 11.
>>
>> In any case - there are a thousand ways to discover a route. Use NAT to
>> hide the internal network.
>>
>> PJ> Peter
>>
>> PJ> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> PJ> with "unsubscribe freebsd-security" in the body of the message
>>
>>
>> --
>> ~/3APA3A
>> We will always be glad to listen to your chirping (Twain)
>>
>

There's no significant reason to block traceroute (and ICMP types). First, it doesn't improve your "security" (well, maybe your false sense of security). Second, blocking ICMP types breaks the RFC(s), which means that in some cases routing breaks, etc. This has been discussed at length on the list before; you can read it yourself. Third, please try to read all the mail in a thread before posting 11 times to 11 messages in a row.

-----------
Peter C. Lai
University of Connecticut
Dept. of Residential Life | Programmer
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant/Honors Program
http://cowbert.2y.net/
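The two ipfw policies quoted above (3APA3A's original `icmptypes 0,3,11 out` rule and the "deny incoming UDP plus outgoing ICMP 0, 11" variant) can be checked against the packets that ping, Windows tracert, BSD traceroute and Path-MTU discovery actually generate. The model below is an added example, not code from the thread or from FreeBSD; the `Packet` records, their labels and the port numbers are constructed for illustration, and the policies are transcribed from the quoted mail as plain functions. It shows Peter Jeremy's point (the first rule drops type 3 code 4, so PMTUD breaks) and one further caveat of my own: a stateless "deny incoming UDP" also drops the answers to our own UDP queries, DNS included, unless an exception or state tracking is added.

```python
"""Toy model of the two ipfw policies from the thread (added example).

Packet records below are constructed; the policy functions transcribe the
quoted rules. Nothing here touches a real firewall."""

from dataclasses import dataclass

# ICMP types (RFC 792) and the codes the thread cares about.
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
PORT_UNREACH, FRAG_NEEDED = 3, 4          # codes under type 3


@dataclass(frozen=True)
class Packet:
    direction: str        # "in": arriving from outside, "out": leaving our network
    proto: str            # "icmp" or "udp"
    icmp_type: int = -1
    icmp_code: int = -1
    dport: int = -1       # UDP destination port, where relevant
    note: str = ""        # constructed label describing the packet


def policy_deny_icmp_0_3_11(pkt: Packet) -> str:
    """'deny ICMP from (YOURNETWORK) to any icmptypes 0,3,11 out'.
    icmptypes matches on type only, so code 4 goes down with the rest of type 3."""
    if (pkt.direction == "out" and pkt.proto == "icmp"
            and pkt.icmp_type in (ECHO_REPLY, DEST_UNREACH, TIME_EXCEEDED)):
        return "deny"
    return "allow"


def policy_deny_udp_in_icmp_0_11(pkt: Packet) -> str:
    """The second variant: deny incoming UDP and outgoing ICMP types 0 and 11."""
    if pkt.direction == "in" and pkt.proto == "udp":
        return "deny"
    if (pkt.direction == "out" and pkt.proto == "icmp"
            and pkt.icmp_type in (ECHO_REPLY, TIME_EXCEEDED)):
        return "deny"
    return "allow"


# Constructed traffic sample: what each tool really puts on the wire.
TRAFFIC = [
    Packet("in", "icmp", ECHO_REQUEST, 0, note="echo request (ping / Windows tracert probe)"),
    Packet("out", "icmp", ECHO_REPLY, 0, note="our echo reply (what ping and tracert wait for)"),
    Packet("in", "udp", dport=33434, note="BSD traceroute UDP probe to a high port"),
    Packet("out", "icmp", DEST_UNREACH, PORT_UNREACH, note="our port unreachable (final hop of BSD traceroute)"),
    Packet("out", "icmp", TIME_EXCEEDED, 0, note="time exceeded from a router inside our network"),
    Packet("out", "icmp", DEST_UNREACH, FRAG_NEEDED, note="fragmentation needed (Path-MTU discovery, RFC 1191)"),
    Packet("in", "udp", dport=1025, note="DNS answer coming back to our resolver's query port"),
]


def evaluate(policy, traffic=TRAFFIC) -> dict:
    """Map each packet's label to the policy's verdict."""
    return {p.note: policy(p) for p in traffic}


def breaks_pmtud(policy) -> bool:
    """True when the policy drops the outgoing 'fragmentation needed' message."""
    probe = Packet("out", "icmp", DEST_UNREACH, FRAG_NEEDED)
    return policy(probe) == "deny"


def collateral_damage(policy, traffic=TRAFFIC) -> list:
    """Labels of denied packets that have nothing to do with traceroute."""
    unrelated = ("Path-MTU", "DNS")
    return [n for n, v in evaluate(policy, traffic).items()
            if v == "deny" and any(u in n for u in unrelated)]


if __name__ == "__main__":
    for policy in (policy_deny_icmp_0_3_11, policy_deny_udp_in_icmp_0_11):
        print(f"== {policy.__name__}  (breaks PMTUD: {breaks_pmtud(policy)})")
        for note, verdict in evaluate(policy).items():
            print(f"  {verdict:5}  {note}")
        print(f"  collateral: {collateral_damage(policy)}")
```

Running it prints both verdict tables: the first policy stops every traceroute reply but also the PMTUD message, the second keeps PMTUD alive but silently drops the DNS answer (and any other reply to a UDP query our hosts send), which is the kind of breakage the reply above refers to.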