Date:      Thu, 28 Jun 2001 11:11:20 +0300
From:      Peter Pentchev <roam@orbitel.bg>
To:        Igor Podlesny <poige@morning.ru>
Cc:        "Crist J. Clark" <cjclark@alum.mit.edu>, freebsd-security@FreeBSD.ORG
Subject:   Re: disable traceroute to my host
Message-ID:  <20010628111119.C80342@ringworld.oblivion.bg>
In-Reply-To: <198504028264.20010628143021@morning.ru>; from poige@morning.ru on Thu, Jun 28, 2001 at 02:30:21PM +0700
References:  <006a01c0fb6b$2d64d830$9865fea9@book> <3B36267B.5B5FDBE@inforta.com> <20010625093731.A934@ringworld.oblivion.bg> <01ec01c0fdb1$6c9cada0$9865fea9@book> <20010626085804.E780@ringworld.oblivion.bg> <002701c0fe76$7530eab0$01000001@book> <003401c0fe93$a3f405e0$3200a8c0@Home> <001101c0ff3d$ca013aa0$01000001@book> <20010627221543.A346@blossom.cjclark.org> <198504028264.20010628143021@morning.ru>

On Thu, Jun 28, 2001 at 02:30:21PM +0700, Igor Podlesny wrote:
> 
> > On Wed, Jun 27, 2001 at 03:17:21PM -0400, alexus wrote:
> >> sounds good.. although what is tcp there for?
> 
> > You can traceroute with any protocol. TCP is just as easy as UDP.
> 
> > As people keep saying over and over, there really is no way to stop
> > traceroutes without severely breaking things.
> 
> I disagree. cause don't see any real hurt of disallowing
> icmp-echo-reply (0), icmp-unreach.icmp-unreach-port (3.3) and
> icmp-timxceed (11).
> 
> the first is already in relatively common practice

This is acceptable, although it might confuse somebody who's new
to the hostile world of today's Internet :)

> the second is similar to blackhole BSD's feature (yeah... it doesn't
> fit RFC, but the cruel world ;)

..and if you are running a UDP service, it would confuse the hell
out of people unable to connect to it when the server is down.

> the third is just an informative message (like the second isn't
> RFC-compliant but partially)

..an informative message that can tell somebody exactly why they
can't connect to your system, instead of having their connections
just hang.  As I mentioned before, there *are* OSes which will set
stupidly low TTLs on outgoing packets.

G'luck,
Peter

-- 
This sentence would be seven words long if it were six words shorter.
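The points traded above (that a host filtering ICMP echo-reply, port-unreachable and time-exceeded does not really stop traceroute, and that dropping 3/3 leaves UDP clients unable to tell a dead service from a lost packet) can be made concrete with a small model. The following is an added illustration written for this archive page; it is not code from either poster. It simulates UDP traceroute probes crossing a short path and a host-side filter policy; the hop names and the policy are constructed, and the model also shows what a UDP client can conclude from one datagram, which the thread only states in words.

```python
# Added illustration (not code from the original posts): a toy model of how
# traceroute depends on ICMP time-exceeded (type 11) and port-unreachable
# (type 3, code 3) replies, and what a host filter that drops those types
# actually hides.  Hop names and the filter policy are constructed.

from dataclasses import dataclass, field

ICMP_ECHO_REPLY = 0        # "icmp-echo-reply (0)" in the thread
ICMP_UNREACH = 3           # port unreachable is type 3, code 3
ICMP_UNREACH_PORT = 3
ICMP_TIME_EXCEEDED = 11    # "icmp-timxceed (11)" in the thread


@dataclass
class Hop:
    name: str
    # ICMP types this hop refuses to emit (constructed filtering policy)
    drop_icmp_types: set = field(default_factory=set)


def probe(path, ttl, service_listening=False):
    """Send one UDP datagram toward the last hop of `path` with the given TTL.

    Returns (replying_hop, icmp_type, icmp_code), or None when no ICMP reply
    comes back and the sender simply times out.
    """
    if ttl < len(path):
        # TTL runs out on an intermediate router, which answers with type 11
        router = path[ttl - 1]
        if ICMP_TIME_EXCEEDED in router.drop_icmp_types:
            return None
        return (router.name, ICMP_TIME_EXCEEDED, 0)
    target = path[-1]
    if service_listening:
        return None  # datagram delivered to a socket; no ICMP is generated
    # Nothing listens on the port: the host normally answers with 3/3
    if ICMP_UNREACH in target.drop_icmp_types:
        return None
    return (target.name, ICMP_UNREACH, ICMP_UNREACH_PORT)


def traceroute(path):
    """Classic traceroute: raise the TTL one hop at a time and record who answers.

    A hop that suppresses its reply shows up as "*", as it does in real output.
    """
    seen = []
    for ttl in range(1, len(path) + 1):
        reply = probe(path, ttl)
        seen.append(reply[0] if reply else "*")
    return seen


def udp_client_view(path, service_listening):
    """What a UDP client can conclude about the target from a single datagram."""
    reply = probe(path, len(path), service_listening)
    if reply is not None and reply[1:] == (ICMP_UNREACH, ICMP_UNREACH_PORT):
        return "port unreachable: service is down"
    return "timeout: service down, datagram lost, or ICMP filtered"


if __name__ == "__main__":
    open_host = Hop("target")
    filtered_host = Hop("target", drop_icmp_types={ICMP_ECHO_REPLY,
                                                   ICMP_UNREACH,
                                                   ICMP_TIME_EXCEEDED})
    for host in (open_host, filtered_host):
        path = [Hop("router-a"), Hop("router-b"), host]
        print(host.drop_icmp_types or "no filter", traceroute(path))
        print("  service down:", udp_client_view(path, service_listening=False))
        print("  service up:  ", udp_client_view(path, service_listening=True))
```

Running it shows the filtered host hiding only the final line of the traceroute (every router before it still answers with type 11), while its UDP clients get an identical timeout whether the service is up or down.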

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message