Date:      Sat, 23 Jun 2001 15:01:07 -0700
From:      "Brian" <bri@sonicboom.org>
To:        "Jewfish" <jewfish@jewfish.net>, "Igor Podlesny" <poige@morning.ru>
Cc:        "alexus" <ml@db.nexgen.com>, <freebsd-security@FreeBSD.ORG>, <freebsd-isp@FreeBSD.ORG>
Subject:   Re: disable traceroute to my host
Message-ID:  <003d01c0fc30$053716a0$3324200a@sonicboom.org>
References:  <006a01c0fb6b$2d64d830$9865fea9@book> <13760134158.20010623111308@morning.ru> <3B34EEC8.9010606@jewfish.net>

Aren't you leaving out some details, like for example Windows tracert is
ICMP based, whereas UNIX traces are UDP..

    Bri
  ----- Original Message -----
  From: Jewfish
  To: Igor Podlesny
  Cc: alexus ; freebsd-security@FreeBSD.ORG ; freebsd-isp@FreeBSD.ORG
  Sent: Saturday, June 23, 2001 12:32 PM
  Subject: Re: disable traceroute to my host


  These are the rules I have come up with on my own firewall to disable
  tracerouting and pinging (something which might not be for everybody),
  but allows me to traceroute and ping from the host and receive all the
  responses:

  allow icmp from any to any in recv ep0 icmptype 0,3,11,14,16,18
  allow icmp from any to any out xmit ep0 icmptype 8

  ep0 being, of course, my external interface.  This seems to work quite
  well for me.  Some other ideas were brought up about denying the
  "time-to-live-exceeded" icmptype (11) because of packets that may take a
  long time to reach the host.  However, this is the easiest method I
  could come up with using firewall rules.

  Obviously, these rules also deny ping traffic, which is not
  recommended for everyone.  However, I have recently gotten a lot of ping
  floods, so I enacted this (possibly on a temporary basis) to deal with
  this, while still allowing me to ping out (icmptype 8) and receive the
  replies (icmptype 0).

  James

  Igor Podlesny wrote:

  > is it possible to disable using ipfw so people won't be able to
  > traceroute me?

  Yes, of course.

  You should know how traceroute-like utilities work.

  The knowledge can be easily extracted from a lot of sources, e.g. from
  the Internet, 'cause you seem to be connected ;) but it also should be
  mentioned that the man pages coming with FreeBSD (I guess as well as
  with other *NIX-like OSes) also describe the algorithm.

  So man traceroute says that it uses UDP ports starting with 33434 and
  goes up with every new hop, but this could be easily changed with the -p
  option.  Besides, Windows' tracert works using the ICMP protocol, so the
  decision isn't here.  It lies in what the box does when answering to
  them.  It does send a 'time exceeded in-transit' ICMP message 'cause the
  TTL value is set too low to let the packet jump forward.  So that is the
  answer -- you should disallow it with your ipfw, e.g. using such syntax:

  deny icmp from any to any icmptype 11

  (yeah, you should carefully think about whether or not to use ANY,
  'cause if your box is a gateway other people will notice your
  cutting-edge knowledge, 'cause it will hide not only your host ;)

  This is not the end, alas.  UNIX traceroute will wait for a port
  unreachable ICMP, so after meeting it, it stops and displays the
  end-point of your trace.  Windows' tracert will wait for a normal
  ICMP echo reply for the same purpose.  So if you also wish to hide the
  end point, you need to disallow this also.  I bet you can figure out
  the way how by yourself now.

  P.S. there are also other ways (even more elegant) of doing that in
  practice... they are called 'stealth routing' and can be implemented via
  a FreeBSD kernel mechanism (sysctl + built-in kernel support) or with
  ipf (ipfilter)

  read the man pages, man, they are freely available...
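
The thread argues from the ICMP messages a traceroute target emits: type 11 for probes whose TTL expires in transit, type 3 (port unreachable) for the UDP probes of UNIX traceroute, and type 0 (echo reply) for the ICMP probes of Windows tracert. The following is an added example, not code posted by anyone in the thread: a small Python model of ipfw first-match semantics that runs James's two allow rules and Igor's single deny rule through each probe flavour and reports who can still see the host. Its assumptions, not stated in the thread, are that James runs a deny-by-default policy (he lists only allow rules), that Igor's box runs allow-by-default, and that the UDP probes themselves are not filtered; the function names `parse_rule`, `permitted` and `evaluate` are the example's own.

```python
"""Added example (not from the thread): model how the ipfw ICMP rules quoted
above interact with UDP-based UNIX traceroute, ICMP-based Windows tracert,
and the filtered host's own outbound ping/traceroute.  Nothing here touches
the network.  ipfw semantics modelled: first matching rule wins, a rule
without "in"/"out" matches both directions, unmatched packets fall through
to the default policy supplied by the caller (assumed, see lead-in)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# ICMP message types referred to in the thread
ECHO_REPLY = 0
DEST_UNREACH = 3      # code 3 (port unreachable) is what UNIX traceroute waits for
ECHO_REQUEST = 8
TIME_EXCEEDED = 11    # "time exceeded in-transit", sent when a probe's TTL runs out


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: Optional[str]     # "in", "out", or None (matches both)
    icmptypes: FrozenSet[int]    # empty = any ICMP type


def parse_rule(text: str) -> Rule:
    """Parse the subset of ipfw syntax that appears in the thread:
    <allow|deny> icmp from any to any [in|out] [recv IF|xmit IF] [icmptype T,T,...]
    Interface names are accepted but ignored (one external interface assumed)."""
    tok = text.split()
    if len(tok) < 6 or tok[1] != "icmp" or tok[2] != "from" or tok[4] != "to":
        raise ValueError("unsupported rule: %r" % text)
    action = tok[0]
    if action not in ("allow", "deny"):
        raise ValueError("unsupported action: %r" % action)
    direction: Optional[str] = None
    icmptypes: FrozenSet[int] = frozenset()
    i = 6
    while i < len(tok):
        if tok[i] in ("in", "out"):
            direction = tok[i]
        elif tok[i] in ("recv", "xmit", "via"):
            i += 1                                   # skip the interface name
        elif tok[i] == "icmptype":
            i += 1
            icmptypes = frozenset(int(t) for t in tok[i].split(","))
        else:
            raise ValueError("unsupported keyword: %r" % tok[i])
        i += 1
    return Rule(action, direction, icmptypes)


def permitted(rules: List[Rule], direction: str, icmptype: int, default_allow: bool) -> bool:
    """Walk the rule set in order; the first match decides, else the default policy."""
    for r in rules:
        if r.direction is not None and r.direction != direction:
            continue
        if r.icmptypes and icmptype not in r.icmptypes:
            continue
        return r.action == "allow"
    return default_allow


def evaluate(rule_texts: List[str], default_allow: bool) -> Dict[str, bool]:
    """What each party can still learn or do once the rules are in place.
    Assumed: the UDP probes themselves are not filtered, so the only
    question is which ICMP replies get through the firewall."""
    rules = [parse_rule(t) for t in rule_texts]

    def out(t: int) -> bool:
        return permitted(rules, "out", t, default_allow)

    def inbound(t: int) -> bool:
        return permitted(rules, "in", t, default_allow)

    return {
        # box acting as a gateway: a probe whose TTL expires here gets a type 11 back
        "seen_as_transit_hop": out(TIME_EXCEEDED),
        # UNIX traceroute: UDP probe to a high port, waits for ICMP port unreachable
        "unix_traceroute_sees_endpoint": out(DEST_UNREACH),
        # Windows tracert: ICMP echo request in, echo reply out
        "windows_tracert_sees_endpoint": inbound(ECHO_REQUEST) and out(ECHO_REPLY),
        # the host's own UNIX traceroute needs the replies to come back in
        "own_unix_traceroute_works": inbound(TIME_EXCEEDED) and inbound(DEST_UNREACH),
        # the host's own ping needs echo request out and echo reply in
        "own_ping_works": out(ECHO_REQUEST) and inbound(ECHO_REPLY),
    }


# James's rules as quoted above; deny-by-default policy is assumed (allow-only rules)
JAMES_RULES = [
    "allow icmp from any to any in recv ep0 icmptype 0,3,11,14,16,18",
    "allow icmp from any to any out xmit ep0 icmptype 8",
]

# Igor's single rule as quoted above; allow-by-default policy is assumed
IGOR_RULES = ["deny icmp from any to any icmptype 11"]

if __name__ == "__main__":
    for name, rules, dflt in (("James", JAMES_RULES, False), ("Igor", IGOR_RULES, True)):
        print(name)
        for key, value in evaluate(rules, dflt).items():
            print("  %-32s %s" % (key, "yes" if value else "no"))
```

Under these assumptions the model reproduces both halves of the discussion: James's allow-list hides the host from transit probes, from UNIX traceroute and from Windows tracert while his own outbound ping and traceroute keep working, whereas Igor's lone `deny ... icmptype 11` hides the box only as a transit hop and leaves the endpoint visible to both traceroute flavours, exactly the "this is not the end, alas" point. It also surfaces a side effect of writing that rule without an `in`/`out` keyword: it matches inbound type 11 as well, so the filtering box can no longer run a UDP traceroute of its own.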


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?003d01c0fc30$053716a0$3324200a>