Date: Fri, 22 Jun 2001 16:02:17 -0700
From: "Kris Anderson" <ohshutup@zdnetmail.com>
To: freebsd-security@freebsd.org
Subject: Re: disable traceroute to my host
Message-ID: <20010622230217.JKT10107.mta05.onebox.com@onebox.com>

You can put in a rule like

    ipfw add 3 deny icmp from any to FF.FF.FF.FF via F0

Change FF.FF.FF.FF to the IP address of your outside IP address.
Change F0 to the interface name of said outside interface.

Now, I don't know about directly blocking traceroutes only, but traceroute does an ICMP thing somewhat like ping.

Problem is that this will stop all ICMP from coming into the interface from the outside, even ICMP responses. For example, you can traceroute out, but traceroute responses now get blocked (this includes anything that uses ICMP); they do not get back in because they are being blocked by the above rule. Think of it as a one-way mirror.

Now, if anybody knows of a subtler way to allow ICMP out and back in, but keep any externals from coming in, I certainly am one who would like to know.

--
Kris Anderson
ohshutup@zdnetonebox.com - email
(408) 514-2611 ext. 1178 - voicemail/fax

---- "alexus" <ml@db.nexgen.com> wrote:
> is it possible to disable using ipfw so people won't be able to traceroute
> me?
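
One answer to the question the message ends on, as an added example that is not part of the original post: ipfw's `icmptypes` option can let the replies to your own probes (echo reply, destination unreachable, time exceeded) back in while still dropping other inbound ICMP such as echo requests. The function names, the APPLY variable, rule numbers 300 to 320, interface fxp0 and address 192.0.2.10 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. Prints (or, with APPLY=1,
# installs) ipfw rules that keep ICMP usable outbound and let the answers
# back in, while dropping other ICMP aimed at the outside address.
# Assumed/hypothetical: function names, APPLY, rule numbers, fxp0, 192.0.2.10.

# icmp_rules IFACE ADDR [BASE] -> three "add ..." rule bodies on stdout.
icmp_rules() {
    oif=$1; oip=$2; base=${3:-300}
    # Refuse anything that is not a plain interface name, IPv4 address or number,
    # because the values end up on an ipfw command line.
    case $oif in ''|*[!A-Za-z0-9_]*) echo "bad interface: $oif" >&2; return 1 ;; esac
    case $oip in ''|*[!0-9.]*) echo "bad address: $oip" >&2; return 1 ;; esac
    case $base in ''|*[!0-9]*) echo "bad rule number: $base" >&2; return 1 ;; esac

    # ipfw is first-match, so the allows must carry lower numbers than the deny.
    # 1. Our own ICMP (ping, ICMP-based traceroute) may leave.
    echo "add $base allow icmp from $oip to any out via $oif"
    # 2. Answers may return: 0 echo reply, 3 destination unreachable
    #    (also needed for path MTU discovery), 11 time exceeded.
    echo "add $((base + 10)) allow icmp from any to $oip in via $oif icmptypes 0,3,11"
    # 3. Everything else inbound, including echo request (type 8), is dropped.
    echo "add $((base + 20)) deny icmp from any to $oip in via $oif"
}

# apply_icmp_rules IFACE ADDR [BASE]: dry run unless APPLY=1 (needs root).
apply_icmp_rules() {
    rules=$(icmp_rules "$@") || return 1
    echo "$rules" | while read -r rule; do
        if [ "${APPLY:-0}" = 1 ]; then
            ipfw -q $rule          # unquoted on purpose: split into arguments
        else
            echo "ipfw -q $rule"
        fi
    done
}

apply_icmp_rules fxp0 192.0.2.10
```

Run as-is, the script only prints the commands; with APPLY=1 and root on the FreeBSD host it installs them. Unix traceroute probes with UDP by default, so these rules cover ICMP-based probes only.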