From owner-freebsd-isp Sat Jun 23 12:33:17 2001
Date: Sat, 23 Jun 2001 15:32:24 -0400
From: Jewfish
To: Igor Podlesny
Cc: alexus, freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
Subject: Re: disable traceroute to my host
Message-ID: <3B34EEC8.9010606@jewfish.net>
References: <006a01c0fb6b$2d64d830$9865fea9@book> <13760134158.20010623111308@morning.ru>

These are the rules I have come up with on my own firewall to disable tracerouting and pinging (something which might not be for everybody), but allows me to traceroute and ping from the host and receive all the responses:

allow icmp from any to any in recv ep0 icmptype 0,3,11,14,16,18
allow icmp from any to any out xmit ep0 icmptype 8

ep0 being, of course, my external interface. This seems to work quite well for me. Some other ideas were brought up about denying the "time-to-live-exceeded" icmptype (11) because of packets that may take a long time to reach the host. However, this is the easiest method I could come up with using firewall rules.

Obviously, these rules also deny ping traffic, which is not recommended for everyone. However, I have recently gotten a lot of ping floods, so I enacted this (possibly on a temporary basis) to deal with this, while still allowing me to ping out (icmptype 8) and receive the replies (icmptype 0).

James

Igor Podlesny wrote:
>>is it possible to disable using ipfw so people won't be able to traceroute
>>me?
>>
>
>Yes, of course.
>
>You should know how traceroute-like utilities work.
>
>The knowledge can be easily extracted from a lot of sources, e.g.
>from the Internet, cause you seem to be connected ;) but it also should
>be mentioned that the man pages coming with FreeBSD (I guess as well as
>with other *NIX-like OSes) also describe the algo.
>
>so man traceroute says that it uses udp ports starting with 33434 and
>goes up with every new hop. but this could be easily changed with the -p
>option. Besides, windows' tracert works using the icmp proto, so the
>decision isn't here. It lies in what the box does when answering
>them. It does send a 'time exceeded in-transit' icmp message cause the TTL
>value is set too low to let the packet jump forward. So that is the
>answer -- you should disallow it with your ipfw, e.g. using such
>syntax:
>
>deny icmp from any to any icmptype 11
>
>(yeah, you should carefully think about whether or not to use ANY
>cause if your box is a gateway other people will notice your
>cutting-edge knowledge cause it will hide not only your host ;)
>
>This is not the end, alas. unix traceroute will wait for a port unreach
>icmp so after meeting it, it stops and displays the end-point of your
>trace. Windows' tracert will wait for a normal icmp-echo-reply for the
>same purpose. So if you also wish to hide the end point, you need to
>disallow this also. I bet you can figure out the way how by yourself,
>now.
>
>P.S. there are also other ways (even more elegant) of doing that in
>practice... they are called 'stealth routing' and can be implemented via
>a FreeBSD kernel mechanism (sysctl + built-in kernel support) or with
>ipf (ipfilter)
>
>read the man pages, man, they are freely available...
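A small model of what the two rule sets discussed in this thread do to a traceroute or ping aimed at the filtering box, added here as an example and not code from the thread. The hop names, the simplified rule parser and the assumption that an ipfw `from any to any` rule on a gateway also filters replies it forwards from hosts behind it are constructions for the illustration.

```python
"""Model of what host-side ICMP filtering does to a traceroute or ping aimed
at the filtering box. Reply types follow the thread: an expiring TTL draws
ICMP type 11, a UDP probe reaching the end host draws type 3 (port
unreachable) and an ICMP echo probe draws type 0 (echo reply)."""
TIME_EXCEEDED, PORT_UNREACH, ECHO_REPLY = 11, 3, 0

def egress_policy(rules, default_allow):
    """Reduce ipfw-style ICMP rules to a predicate on the ICMP type the box may
    emit. Simplified parser: action, optional in/out, optional icmptype list."""
    parsed = []
    for rule in rules:
        tok = rule.split()
        direction = 'in' if 'in' in tok else 'out' if 'out' in tok else 'any'
        types = None  # None matches every ICMP type
        if 'icmptype' in tok:
            types = {int(t) for t in tok[tok.index('icmptype') + 1].split(',')}
        parsed.append((tok[0] == 'allow', direction, types))

    def may_send(icmp_type):
        for allow, direction, types in parsed:  # first matching rule wins
            if direction != 'in' and (types is None or icmp_type in types):
                return allow
        return default_allow  # nothing matched: the box's default policy
    return may_send

def traceroute(path, box, may_send, probe='udp', max_hops=8):
    """path: hop names outward from the tracing client; box: index of the ipfw
    host. Replies from the box and every hop behind it must pass may_send
    (assumed: 'from any to any' also matches forwarded replies)."""
    shown = []
    for ttl in range(1, max_hops + 1):
        if ttl > len(path):
            shown.append('*')  # ran past the end; traceroute keeps probing
            continue
        final = ttl == len(path)
        reply = (PORT_UNREACH if probe == 'udp' else ECHO_REPLY) if final else TIME_EXCEEDED
        answered = ttl - 1 < box or may_send(reply)
        shown.append(path[ttl - 1] if answered else '*')  # '*' = no answer
        if final and answered:
            break
    return shown

# Constructed sample paths: ep0-host runs ipfw; in GW_PATH it also gateways lan-box.
PATH = ['isp-gw', 'core-rtr', 'ep0-host']
GW_PATH = ['isp-gw', 'ep0-host', 'lan-box']
JAMES = ['allow icmp from any to any in recv ep0 icmptype 0,3,11,14,16,18',
         'allow icmp from any to any out xmit ep0 icmptype 8']  # with default deny
IGOR = ['deny icmp from any to any icmptype 11']  # with default allow
```

With James's allow-list and a default-deny policy, a UDP traceroute shows the box and everything behind it as `*` and never terminates before max hops, and a ping gets no reply; with Igor's single deny, an end host still answers the final UDP probe with port unreachable, exactly the point his reply makes about also hiding the end point.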