From owner-freebsd-security Wed Jun 27 12:17:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from db.nexgen.com (db.nexgen.com [64.81.208.78]) by hub.freebsd.org (Postfix) with SMTP id A408637B401 for ; Wed, 27 Jun 2001 12:17:08 -0700 (PDT) (envelope-from ml@db.nexgen.com)
Received: (qmail 82049 invoked from network); 27 Jun 2001 19:18:03 -0000
Received: from localhost.nexgen.com (HELO book) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 27 Jun 2001 19:18:03 -0000
Message-ID: <001101c0ff3d$ca013aa0$01000001@book>
From: "alexus"
To: "Ryan Masse"
Cc:
References: <006a01c0fb6b$2d64d830$9865fea9@book> <3B36267B.5B5FDBE@inforta.com> <20010625093731.A934@ringworld.oblivion.bg> <01ec01c0fdb1$6c9cada0$9865fea9@book> <20010626085804.E780@ringworld.oblivion.bg> <002701c0fe76$7530eab0$01000001@book> <003401c0fe93$a3f405e0$3200a8c0@Home>
Subject: Re: disable traceroute to my host
Date: Wed, 27 Jun 2001 15:17:21 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Sounds good... although what is TCP there for?

----- Original Message -----
From: "Ryan Masse"
To: "alexus"
Cc:
Sent: Tuesday, June 26, 2001 6:59 PM
Subject: Re: disable traceroute to my host


> Did you get my post about blackhole?
>
> man blackhole
>
> In the UDP instance, enabling blackhole behaviour turns off the sending
> of an ICMP port unreachable message in response to a UDP datagram which
> arrives on a port where there is no socket listening. It must be noted
> that this behaviour will prevent remote systems from running
> traceroute(8) to your system.
>
> The following would enable the use of blackhole on your system;
> sysctl -w net.inet.tcp.blackhole=2
> sysctl -w net.inet.udp.blackhole=1
>
> The above would block *nix traceroutes using the UDP method. Simply use ipfw
> icmptype to block all MS attempts.
>
> Ryan
>
>
> > Someone else using TTL=1? That sucks... oh well, I guess it's impossible to
> > disable it, because I don't want to block something that should work.
> >
> > Thanks everyone
> >
> > ----- Original Message -----
> > From: "Peter Pentchev"
> > To: "alexus"
> > Cc: "Simon Rakovec" ;
> > Sent: Tuesday, June 26, 2001 1:58 AM
> > Subject: Re: disable traceroute to my host
> >
> >
> > > On Mon, Jun 25, 2001 at 04:00:03PM -0400, alexus wrote:
> > > > I agree this is not a solution. Looks like TTL=1 is the best solution so
> > > > far.
> > >
> > > TTL=1 is not a general solution, because it only blocks traceroutes to
> > > this particular host, not to any machines that it is acting as a gateway for.
> > >
> > > Moreover, TTL=1 is not a real-world solution, because some *legitimate*
> > > packets might arrive with TTL=1 (yes, there are some OS's that set too
> > > low TTL's on outgoing packets, and there are some global backbone ISP's
> > > which have a *lot* of routers, so it is possible that a normal packet
> > > destined for your host should reach you with TTL=1).
> > >
> > > And just btw.. Really, why do you want to block traceroutes?
> > >
> > > G'luck,
> > > Peter
> > >
> > > --
> > > because I didn't think of a good beginning of it.
> > >
> > > > ----- Original Message -----
> > > > From: "Peter Pentchev"
> > > > To: "Simon Rakovec"
> > > > Cc:
> > > > Sent: Monday, June 25, 2001 2:37 AM
> > > > Subject: Re: disable traceroute to my host
> > > >
> > > >
> > > > > On Sun, Jun 24, 2001 at 07:42:19PM +0200, Simon Rakovec wrote:
> > > > > > Try this:
> > > > > >
> > > > > > ipfw add deny udp from any 32769-65535 to 33434-33523
> > > > >
> > > > > As Karsten noted in a followup, this is not proper network practice.
> > > > > There might be a LOT of things listening on those UDP ports, including
> > > > > ephemeral outgoing UDP connections.
> > > > >
> > > > > As many other people noted, this does not stop Windows traceroute,
> > > > > which goes via ICMP.
> > > > >
> > > > > As the traceroute(8) manpage notes, this does not stop people who
> > > > > know how to use the traceroute '-p port' option to select a starting
> > > > > port != 32768.
> > > > >
> > > > > As Dag-Erling Smoerdgrav noted, in general it is impossible to disable
> > > > > a person determined to traceroute you, and in practice, there is
> > > > > no need to.
> > > > >
> > > > > G'luck,
> > > > > Peter
> > > > >
> > > > > PS. How was that now... one source: plagiarism, two sources: comparative
> > > > > study, three sources: an academic thesis.. I did even better than that!
> > > > > ;)
> > > > >
> > > > > --
> > > > > Thit sentence is not self-referential because "thit" is not a word.
> > > > >
> > > > > > alexus wrote:
> > > > > > >
> > > > > > > Is it possible to disable using ipfw so people won't be able to
> > > > > > > traceroute me?
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
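As an added illustration (not part of this thread or of FreeBSD's own code): a small Python model of how a host would answer the probe types the thread mentions (Unix UDP traceroute on its default port and with `-p`, Windows tracert via ICMP echo, a TCP probe) under the two proposals discussed, Simon's ipfw UDP port-range rule versus Ryan's `net.inet.udp.blackhole` / `net.inet.tcp.blackhole` sysctls plus an ipfw `icmptype` deny. `Probe`, `Host`, `respond` and `evaluate` are invented for the model; it does not touch sysctl(8) or ipfw(8), it ignores source ports, and the reply names are simplified labels rather than real packets.

```python
"""Toy model (added example, not from the thread) of how a FreeBSD host replies
to traceroute-style probes under the settings discussed on the list.  The
classes and functions here are invented for illustration; they do not call
sysctl(8) or ipfw(8)."""
from dataclasses import dataclass, field

TRACEROUTE_UDP_BASE = 33434  # default first destination port of traceroute(8)
ICMP_ECHO_REQUEST = 8        # probe type used by Windows tracert


@dataclass
class Probe:
    proto: str              # "udp", "tcp" or "icmp"
    dport: int = 0          # destination port for udp/tcp probes
    icmp_type: int = ICMP_ECHO_REQUEST


@dataclass
class Host:
    listening_udp: set = field(default_factory=set)
    listening_tcp: set = field(default_factory=set)
    udp_blackhole: int = 0  # net.inet.udp.blackhole: 1 = no ICMP port unreachable
    tcp_blackhole: int = 0  # net.inet.tcp.blackhole: 1 = no RST to SYN, 2 = no RST at all
    ipfw: list = field(default_factory=list)  # deny rules built by the helpers below


def deny_udp_ports(lo, hi):
    """Models 'ipfw add deny udp from any to any lo-hi' (destination ports only)."""
    return {"proto": "udp", "dports": (lo, hi)}


def deny_icmp_types(*types):
    """Models 'ipfw add deny icmp from any to any icmptypes t1,t2,...'."""
    return {"proto": "icmp", "icmptypes": set(types)}


def ipfw_denies(host, probe):
    for rule in host.ipfw:
        if rule["proto"] != probe.proto:
            continue
        if probe.proto == "icmp":
            if probe.icmp_type in rule["icmptypes"]:
                return True
        else:
            lo, hi = rule["dports"]
            if lo <= probe.dport <= hi:
                return True
    return False


def respond(host, probe):
    """Return what the host sends back.  Any reply other than 'silence' lets a
    traceroute mark this host as the final hop."""
    if ipfw_denies(host, probe):
        return "silence"              # dropped by the firewall, nothing sent
    if probe.proto == "udp":
        if probe.dport in host.listening_udp:
            return "delivered"        # a listening socket gets the datagram
        return "silence" if host.udp_blackhole else "icmp-port-unreachable"
    if probe.proto == "tcp":
        if probe.dport in host.listening_tcp:
            return "syn-ack"          # an open port always reveals the host
        return "silence" if host.tcp_blackhole >= 1 else "rst"
    if probe.proto == "icmp":
        return "echo-reply" if probe.icmp_type == ICMP_ECHO_REQUEST else "silence"
    raise ValueError(f"unknown protocol {probe.proto!r}")


def traceroute_sees_host(host, probe):
    return respond(host, probe) != "silence"


def evaluate(host):
    """Run the probe types discussed in the thread against one configuration."""
    probes = {
        "unix udp traceroute (default port)": Probe("udp", TRACEROUTE_UDP_BASE),
        "unix udp traceroute -p 1000":        Probe("udp", 1000),
        "windows tracert (icmp echo)":        Probe("icmp"),
        "tcp probe to closed port 80":        Probe("tcp", 80),
        "tcp probe to open port 22":          Probe("tcp", 22),
    }
    return {name: traceroute_sees_host(host, p) for name, p in probes.items()}


# Constructed configurations for the comparison:
# 1) only the ipfw port-range rule posted by Simon
PORT_RULE_ONLY = Host(listening_tcp={22}, ipfw=[deny_udp_ports(33434, 33523)])
# 2) Ryan's blackhole sysctls plus an ipfw deny on ICMP echo requests
BLACKHOLE = Host(listening_tcp={22}, udp_blackhole=1, tcp_blackhole=2,
                 ipfw=[deny_icmp_types(ICMP_ECHO_REQUEST)])

if __name__ == "__main__":
    for label, host in (("port-range rule", PORT_RULE_ONLY), ("blackhole", BLACKHOLE)):
        print(label)
        for name, seen in evaluate(host).items():
            print(f"  {name:38s} {'host revealed' if seen else 'silent'}")
```

The model reproduces the thread's points: the port-range rule is bypassed by `traceroute -p` and by ICMP-based tracert, while the blackhole sysctls silence every closed UDP and TCP port regardless of port number. It also shows the two caveats a practitioner should keep in mind: denying ICMP echo requests silences ping as well as tracert, and any genuinely open port (the SSH port in the model) still answers, so a determined prober can always find the host, as Peter says.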