From owner-freebsd-security Fri Jun 22 16: 2:20 2001
Date: Fri, 22 Jun 2001 16:02:17 -0700
Subject: Re: disable traceroute to my host
Reply-To: ohshutup@zdnetonebox.com
From: "Kris Anderson"
To: freebsd-security@freebsd.org

You can put in a rule like

    ipfw add 3 deny icmp from any to FF.FF.FF.FF via F0

Change FF.FF.FF.FF to your outside IP address.
Change F0 to the interface name of said outside interface.

Now, I don't know about directly blocking traceroutes only, but traceroute
does an ICMP thing somewhat like ping.

Problem is that this will stop all ICMP from coming into the interface from
the outside, even ICMP responses. For example, you can traceroute out, but
the traceroute responses (this includes anything that uses ICMP) do not get
back in because they are being blocked by the above rule. Think of it as a
one-way mirror.

Now, if anybody knows of a subtler way to allow ICMP out and back in, but
keep any externals from coming in, I certainly am one who would like to know.

--
Kris Anderson
ohshutup@zdnetonebox.com - email
(408) 514-2611 ext. 1178 - voicemail/fax

---- "alexus" wrote:

> is it possible to disable using ipfw so people won't be able to traceroute
> me?
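
Added example, not part of the original message: one way to get the "ICMP out and back in, nothing unsolicited in" behaviour asked about above, using ipfw's icmptypes option so that only reply-type ICMP is accepted. The rule numbers 300-330, the sample interface fxp0, the address 192.0.2.10 and the UDP range 33434-33534 (the conventional default probe ports of traceroute) are assumptions.

```shell
#!/bin/sh
# Prints ipfw commands; review them, then pipe to sh as root to load them.
# ipfw stops at the first matching allow/deny rule, so order matters.
#
# ICMP types used below:
#   0   echo reply              (answers to our own pings)
#   3   destination unreachable (includes the last-hop answer to our traceroute)
#   8   echo request            (ping and ICMP-based traceroute probes)
#   11  time exceeded           (intermediate-hop answers to our traceroute)

icmp_rules() {
    oif="$1"   # outside interface name
    oip="$2"   # outside IP address

    # The output is meant for a root shell, so refuse anything that is
    # not a plain interface name or a dotted-quad address.
    case "$oif" in ''|*[!A-Za-z0-9_]*) echo "bad interface: $oif" >&2; return 1 ;; esac
    case "$oip" in ''|*[!0-9.]*)       echo "bad address: $oip"   >&2; return 1 ;; esac

    # 300: our own ICMP may leave.
    # 310: only reply-type ICMP may come back in.
    # 320: everything else ICMP inbound (type 8 included) is dropped.
    # 330: UDP traceroute probes are not ICMP, so they need their own rule.
    cat <<EOF
ipfw add 300 allow icmp from $oip to any out via $oif
ipfw add 310 allow icmp from any to $oip in via $oif icmptypes 0,3,11
ipfw add 320 deny icmp from any to $oip in via $oif
ipfw add 330 deny udp from any to $oip 33434-33534 in via $oif
EOF
}

# Constructed sample call (192.0.2.10 is a documentation address):
icmp_rules fxp0 192.0.2.10
```

Rule 330 only covers probes sent to the default port range; a traceroute run with a different base port or protocol is not matched by it.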