From: Igor Podlesny
Date: Thu, 28 Jun 2001 14:30:21 +0700
To: "Crist J. Clark"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re[2]: disable traceroute to my host

> On Wed, Jun 27, 2001 at 03:17:21PM -0400, alexus wrote:
>> sounds good.. although what is tcp there for?
> You can traceroute with any protocol. TCP is just as easy as UDP.
> As people keep saying over and over, there really is no way to stop
> traceroutes without severely breaking things.

I disagree, because I don't see any real harm in disallowing icmp-echo-reply (0), icmp-unreach.icmp-unreach-port (3.3) and icmp-timxceed (11).

The first is already in relatively common practice. The second is similar to BSD's blackhole feature (yeah... it doesn't fit the RFC, but the cruel world ;). The third is just an informative message (like the second, it isn't RFC-compliant, but only partially).

In sum, we can just complain about non-RFC behaviour.... but on the other side we have to understand that playing according to the rules is too expensive while others don't bother with them. The already mentioned stealth routing (ok, forwarding, if the difference kicks you in the eye ;) isn't RFC-compliant, and what? "...Who ever promised anybody equal share?..."

> If you really want to stop traceroutes, pull the plug.

Extreme? ;)

> Can this thread
> die now?

18 * * *
19 * * *
20 * * *
21 * * *
^C

p.s. ;)))

--
Igor
mailto:poige@morning.ru
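To make the proposed filter concrete, here is an added example (not code from the thread or from FreeBSD) that parses a raw ICMP message, verifies its RFC 1071 checksum, and reports whether it is one of the three message kinds the post would suppress: echo reply (0), port unreachable (3.3) and time exceeded (11). The sample packets are constructed inline; note that fragmentation-needed (3.4), which path MTU discovery relies on, is deliberately not in the list and passes.

```python
import struct

# ICMP type/code values named in the post (RFC 792).
ICMP_ECHO_REPLY = 0
ICMP_UNREACH = 3
ICMP_UNREACH_PORT = 3      # code under type 3
ICMP_UNREACH_NEEDFRAG = 4  # code under type 3, needed for PMTU discovery
ICMP_TIME_EXCEEDED = 11
ICMP_ECHO_REQUEST = 8

# Outbound messages the post proposes to drop: (type, code) with None = any code.
SUPPRESSED = {(ICMP_ECHO_REPLY, None), (ICMP_UNREACH, ICMP_UNREACH_PORT),
              (ICMP_TIME_EXCEEDED, None)}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(itype: int, code: int, rest: int = 0, payload: bytes = b"") -> bytes:
    """Construct a sample ICMP message: type, code, checksum, 4-byte rest-of-header."""
    body = struct.pack("!BBHI", itype, code, 0, rest) + payload
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def parse_icmp(msg: bytes):
    """Return (type, code); reject short messages and bad checksums."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    itype, code, cksum = struct.unpack("!BBH", msg[:4])
    if icmp_checksum(msg[:2] + b"\x00\x00" + msg[4:]) != cksum:
        raise ValueError("bad ICMP checksum")
    return itype, code


def is_suppressed(msg: bytes) -> bool:
    """True if the outbound message is one the post's filter would drop."""
    itype, code = parse_icmp(msg)
    return (itype, None) in SUPPRESSED or (itype, code) in SUPPRESSED


# Constructed samples: a dropped time-exceeded reply and a passing frag-needed.
TIME_EXCEEDED = build_icmp(ICMP_TIME_EXCEEDED, 0, payload=b"\x45" * 28)
NEED_FRAG = build_icmp(ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, rest=1280, payload=b"\x45" * 28)
```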