Date: Thu, 28 Jun 2001 11:11:20 +0300
From: Peter Pentchev
To: Igor Podlesny
Cc: "Crist J. Clark", freebsd-security@FreeBSD.ORG
Subject: Re: disable traceroute to my host
Message-ID: <20010628111119.C80342@ringworld.oblivion.bg>
In-Reply-To: <198504028264.20010628143021@morning.ru>

On Thu, Jun 28, 2001 at 02:30:21PM +0700, Igor Podlesny wrote:
> > > On Wed, Jun 27, 2001 at 03:17:21PM -0400, alexus wrote:
> > > > sounds good.. although what is tcp there for?
> >
> > You can traceroute with any protocol. TCP is just as easy as UDP.
> >
> > As people keep saying over and over, there really is no way to stop
> > traceroutes without severely breaking things.
>
> I disagree, 'cause I don't see any real hurt in disallowing
> icmp-echo-reply (0), icmp-unreach.icmp-unreach-port (3.3) and
> icmp-timxceed (11).
>
> the first is already in relatively common practice

This is acceptable, although it might confuse somebody who's new to
the hostile world of today's Internet :)

> the second is similar to BSD's blackhole feature (yeah... it doesn't
> fit the RFC, but the cruel world ;)

..and if you are running a UDP service, it would confuse the hell out
of people unable to connect to it when the server is down.

> the third is just an informative message (like the second, it isn't
> RFC-compliant, but only partially)

..an informative message that can tell somebody exactly why they can't
connect to your system, instead of having their connections just hang.
As I mentioned before, there *are* OS's which will set stupidly low
TTL's on outgoing packets.

G'luck,
Peter

-- 
This sentence would be seven words long if it were six words shorter.
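As an added illustration of the three ICMP messages under discussion (this is not code from Peter or anyone else in the thread), the Python model below plays out what a traceroute and an ordinary client see when a host's packet filter drops echo-reply (type 0), port-unreachable (type 3, code 3) and time-exceeded (type 11). The path, the addresses (10.0.0.0/8 and 192.0.2.0/24 documentation space) and the filter settings are constructed for the example; the "tcp_blackhole" flag stands in for a blackhole-style behaviour like the one mentioned above and is an assumption about that host, not a real sysctl.

```python
"""Toy model of traceroute and client behaviour when ICMP 0, 3/3 and 11 are filtered.

Constructed example for illustration; nodes, addresses and filters are made up.
"""
from dataclasses import dataclass, field

ECHO_REPLY = 0          # ICMP type 0
PORT_UNREACH = (3, 3)   # ICMP type 3, code 3
TIME_EXCEEDED = 11      # ICMP type 11
ALL_THREE = {ECHO_REPLY, PORT_UNREACH, TIME_EXCEEDED}


@dataclass
class Node:
    addr: str
    blocked: set = field(default_factory=set)  # ICMP messages this node's filter drops on egress
    tcp_listen: bool = False                   # target only: is the probed TCP port open?
    tcp_blackhole: bool = False                # target only: assumed "blackhole" style, no RST for closed ports


def probe(path, ttl, proto):
    """One traceroute probe with the given TTL. Returns the answering address, or None."""
    if ttl < 1:
        raise ValueError("ttl must be >= 1")
    idx = min(ttl, len(path)) - 1
    node = path[idx]
    if idx < len(path) - 1:
        # TTL expired at an intermediate router: it answers with ICMP 11 unless filtered
        return None if TIME_EXCEEDED in node.blocked else node.addr
    # The probe reached the target host; what comes back depends on the probe protocol
    if proto == "udp":    # classic traceroute: high UDP port, expects ICMP 3/3
        return None if PORT_UNREACH in node.blocked else node.addr
    if proto == "icmp":   # ping-style traceroute: expects ICMP echo reply
        return None if ECHO_REPLY in node.blocked else node.addr
    if proto == "tcp":    # TCP SYN probe: answered by TCP itself, the ICMP filter is irrelevant
        if node.tcp_listen:
            return node.addr                                  # SYN-ACK identifies the host
        return None if node.tcp_blackhole else node.addr      # RST unless blackholed
    raise ValueError(f"unknown probe protocol {proto!r}")


def traceroute(path, proto="udp"):
    """One entry per TTL up to the target; '*' where nothing answered."""
    return [probe(path, ttl, proto) or "*" for ttl in range(1, len(path) + 1)]


def connect(path, client_ttl):
    """What a client whose OS uses a low default TTL experiences when connecting."""
    if client_ttl >= len(path):
        return "connected"
    router = path[client_ttl - 1]
    if TIME_EXCEEDED in router.blocked:
        return "hang"                      # no ICMP 11, so the client just times out
    return f"ttl exceeded from {router.addr}"   # at least the client learns why


# Constructed three-hop path: two routers, then the target host.
OPEN_PATH = [Node("10.0.0.1"), Node("10.0.1.1"), Node("192.0.2.10", tcp_listen=True)]
FILTERED_PATH = [
    Node("10.0.0.1"),
    Node("10.0.1.1", blocked={TIME_EXCEEDED}),
    Node("192.0.2.10", blocked=set(ALL_THREE), tcp_listen=True),
]

if __name__ == "__main__":
    for name, path in (("open", OPEN_PATH), ("filtered", FILTERED_PATH)):
        for proto in ("udp", "icmp", "tcp"):
            print(f"{name:8} {proto:4} {traceroute(path, proto)}")
        for ttl in (1, 2, 3):
            print(f"{name:8} client ttl={ttl}: {connect(path, ttl)}")
```

Running it shows the point made in the thread from both sides: with all three ICMP types dropped, UDP and ICMP traceroutes lose the last hop, yet a TCP probe to an open port still names the host, because the answer is a SYN-ACK rather than an ICMP message. The same filter on the second router turns a low-TTL client's clear "ttl exceeded" into a silent hang.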