Date: Sat, 23 Jun 2001 11:13:08 +0700
From: Igor Podlesny <poige@morning.ru>
To: "alexus"
Cc: freebsd-security@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
Subject: Re: disable traceroute to my host

> is it possible to disable using ipfw so people won't be able to traceroute
> me?

Yes, of course. You should know how traceroute-like utilities work. The knowledge can be easily extracted from a lot of sources, e.g. from the Internet, 'cause you seem to be connected ;) but it also should be mentioned that the man pages coming with FreeBSD (I guess as well as with other *NIX-like OSes) also describe the algo.

So man traceroute says that it uses UDP ports starting with 33434 and goes up with every new hop, but this could be easily changed with the -p option. Besides, Windows' tracert works using the ICMP proto, so the decision isn't here. It lies in what the box does when answering to them. It does send a 'time exceeded in-transit' ICMP message 'cause the TTL value is set too low to let the packet jump forward.
So this is the answer -- you should disallow it with your ipfw, e.g. using such syntax:

deny icmp from any to any icmptype 11

(yeah, you should carefully think about whether or not to use ANY, 'cause if your box is a gateway other people will notice your cutting-edge knowledge, 'cause it will hide not only your host ;)

This is not the end, alas. Unix traceroute will wait for a port unreach ICMP, so after meeting it, it stops and displays the end-point of your trace. Windows' tracert will wait for a normal icmp-echo-reply for the same purpose. So if you also wish to hide the end point, you need to disallow this also. I bet you can figure out the way how by yourself, now.

P.S. There are also other ways (even more elegant) of doing that in practice... they're called 'stealth routing' and can be implemented via a FreeBSD kernel mechanism (sysctl + built-in kernel support) or with ipf (ipfilter). Read the man pages, man, they are freely available...

-- 
Igor
mailto:poige@morning.ru
http://poige.nm.ru
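The mechanism the reply describes, as an added illustration that is not part of the original mail: a small model of which ICMP replies (type 11 time-exceeded, type 3 port-unreachable, type 0 echo-reply) make a box visible to a UDP traceroute or an ICMP tracert, and of simplified ipfw-style deny rules applied to them. The addresses, the two-hop path, and the rule tuples are constructed for the example; `me` stands for ipfw's keyword for the box's own addresses, and real ipfw spells the option `icmptypes`.

```python
from dataclasses import dataclass

MY_HOST = "10.0.0.1"     # constructed: the box running the firewall (also a gateway)
INNER_HOST = "10.0.1.5"  # constructed: a host behind that gateway
ICMP_TYPES = {"time-exceeded": 11, "port-unreach": 3, "echo-reply": 0}

@dataclass(frozen=True)
class Reply:
    kind: str   # key of ICMP_TYPES
    src: str    # host that generated the ICMP message

def reply_for(proto, ttl, target):
    """ICMP reply a probe with this TTL gets with no firewall at all.
    proto is 'udp' (unix traceroute) or 'icmp-echo' (Windows tracert)."""
    path = [MY_HOST] if target == MY_HOST else [MY_HOST, INNER_HOST]
    if ttl > len(path):
        return None                                  # nothing further to answer
    hop = path[ttl - 1]
    if hop != target:
        return Reply("time-exceeded", hop)           # type 11: TTL ran out in transit
    return Reply("echo-reply" if proto == "icmp-echo" else "port-unreach", hop)

def passes_firewall(rules, reply):
    """rules: deny rules as (icmp_type, src_spec), src_spec 'any' or 'me'.
    'me' matches only ICMP that MY_HOST itself generated; 'any' also matches
    INNER_HOST's replies that merely transit the gateway (the mail's caveat)."""
    for icmp_type, src_spec in rules:
        if icmp_type == ICMP_TYPES[reply.kind] and (src_spec == "any" or reply.src == MY_HOST):
            return False
    return True

def traceroute_view(rules, proto, target, max_ttl=3):
    """Per-hop view from the prober: the reply kind, or '*' when nothing came back."""
    seen = []
    for ttl in range(1, max_ttl + 1):
        r = reply_for(proto, ttl, target)
        if r is None or not passes_firewall(rules, r):
            seen.append("*")
            continue
        seen.append(r.kind)
        if r.kind != "time-exceeded":
            break                                    # end-point answered; trace stops
    return seen

DENY_11_ANY = [(11, "any")]                          # the mail's single rule
DENY_ALL_ANY = [(11, "any"), (3, "any"), (0, "any")] # hides hosts behind the gateway too
DENY_ALL_ME = [(11, "me"), (3, "me"), (0, "me")]     # hides only this box's own replies
```

Comparing `traceroute_view(DENY_ALL_ANY, "udp", INNER_HOST)` with `traceroute_view(DENY_ALL_ME, "udp", INNER_HOST)` shows the gateway caveat: the `any` rules also swallow the inner host's port-unreachable, while the `me` rules leave it visible.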