Date: Mon, 25 Jun 2001 15:56:21 -0400
From: "alexus" <ml@db.nexgen.com>
To: "Brian" <bri@sonicboom.org>, "Jewfish" <jewfish@jewfish.net>, "Igor Podlesny" <poige@morning.ru>
Cc: <freebsd-security@FreeBSD.ORG>, <freebsd-isp@FreeBSD.ORG>
Subject: Re: disable traceroute to my host
Message-ID: <01ae01c0fdb0$e7eb8fe0$9865fea9@book>
References: <006a01c0fb6b$2d64d830$9865fea9@book> <13760134158.20010623111308@morning.ru> <3B34EEC8.9010606@jewfish.net> <003d01c0fc30$053716a0$3324200a@sonicboom.org>
Well, basically I wanted to block all traceroute, whether it's Windows or Unix.
----- Original Message -----
From: Brian
To: Jewfish ; Igor Podlesny
Cc: alexus ; freebsd-security@FreeBSD.ORG ; freebsd-isp@FreeBSD.ORG
Sent: Saturday, June 23, 2001 6:01 PM
Subject: Re: disable traceroute to my host
Aren't you leaving out some details, like for example Windows tracert is ICMP based, whereas Unix traces are UDP?

Bri
----- Original Message -----
From: Jewfish
To: Igor Podlesny
Cc: alexus ; freebsd-security@FreeBSD.ORG ; freebsd-isp@FreeBSD.ORG
Sent: Saturday, June 23, 2001 12:32 PM
Subject: Re: disable traceroute to my host
These are the rules I have come up with on my own firewall to disable tracerouting and pinging (something which might not be for everybody), but which allow me to traceroute and ping from the host and receive all the responses:

allow icmp from any to any in recv ep0 icmptype 0,3,11,14,16,18
allow icmp from any to any out xmit ep0 icmptype 8

ep0 being, of course, my external interface. This seems to work quite well for me. Some other ideas were brought up about denying the "time-to-live-exceeded" icmptype (11) because of packets that may take a long time to reach the host. However, this is the easiest method I could come up with using firewall rules.

Obviously, these rules also deny ping traffic, which is not recommended for everyone. However, I have recently gotten a lot of ping floods, so I enacted this (possibly on a temporary basis) to deal with this, while still allowing me to ping out (icmptype 8) and receive the replies (icmptype 0).
James
Igor Podlesny wrote:
is it possible to disable using ipfw so people won't be able to traceroute me?
Yes, of course.

You should know how traceroute-like utilities work.

The knowledge can be easily extracted from a lot of sources, e.g. from the Internet, 'cause you seem to be connected ;) but it also should be mentioned that the man pages coming with FreeBSD (I guess as well as with other *NIX-like OSes) also describe the algo.

So man traceroute says that it uses UDP ports starting with 33434 and goes up with every new hop. But this could be easily changed with the -p option. Besides, Windows' tracert works using the ICMP proto, so the decision isn't here. It lies in what the box does when answering them. It does send a 'time exceeded in-transit' ICMP message 'cause the TTL value is set too low to let the packet jump forward. So that is the answer -- you should disallow it with your ipfw, e.g. using such syntax:

deny icmp from any to any icmptype 11

(yeah, you should carefully think about whether or not to use ANY, 'cause if your box is a gateway other people will notice your cutting-edge knowledge, 'cause it will hide not only your host ;)

This is not the end, alas. Unix traceroute will wait for a port unreach ICMP, so after meeting it, it stops and displays the end-point of your trace. Windows' tracert will wait for a normal icmp-echo-reply for the same purpose. So if you also wish to hide the end point, you need to disallow this also. I bet you can figure out the way how by yourself now.

P.S. There are also other ways (even more elegant) of doing that in practice... they are called 'stealth routing' and can be implemented via a FreeBSD kernel mechanism (sysctl + built-in kernel support) or with ipf (ipfilter).

Read the man pages, man, they are freely available...
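As an added example (not code from the thread or from FreeBSD), here is a small Python model of James's two ipfw rules above, checked against the traffic Igor describes: the time-exceeded and port-unreachable answers the host would send back to someone else's probes, and the replies the host needs for its own ping and traceroute. It assumes ipfw's first-match evaluation and a trailing deny for all other ICMP on ep0, which James's text implies but does not show.

```python
# Added example, not from the thread: a toy first-match evaluator applying
# James's two ipfw rules (plus the denies his text implies) to constructed packets.
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    direction: str  # "in" (recv) or "out" (xmit) on the external interface
    icmptype: int   # 8 echo request, 0 echo reply, 11 time exceeded, 3 unreachable

@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    direction: str
    icmptypes: frozenset = frozenset()  # empty = any ICMP type

    def matches(self, p: Pkt) -> bool:
        return p.direction == self.direction and (
            not self.icmptypes or p.icmptype in self.icmptypes)

# James's rules as posted for ep0 (only ICMP modelled; "any to any" and the
# interface are fixed). The two deny rules are an assumption taken from his
# remark that "these rules also deny ping traffic".
JAMES_RULES = [
    Rule("allow", "in", frozenset({0, 3, 11, 14, 16, 18})),
    Rule("allow", "out", frozenset({8})),
    Rule("deny", "in"),
    Rule("deny", "out"),
]

def verdict(rules, p: Pkt) -> str:
    # ipfw semantics: the first rule that matches the packet decides.
    for r in rules:
        if r.matches(p):
            return r.action
    raise LookupError("no rule matched")

# Constructed cases: what the host would send back to other people's probes
# (Igor's point) and what it needs for its own ping/traceroute (James's goal).
CASES = {
    "in 8: echo request from a remote ping": Pkt("in", 8),
    "out 11: time exceeded, answer to a low-TTL probe": Pkt("out", 11),
    "out 3: port unreachable, ends a unix traceroute": Pkt("out", 3),
    "out 0: echo reply, ends a windows tracert": Pkt("out", 0),
    "out 8: echo request, our own ping/traceroute": Pkt("out", 8),
    "in 0: echo reply to our ping": Pkt("in", 0),
    "in 11: time exceeded from a hop on our trace": Pkt("in", 11),
    "in 3: port unreachable ending our trace": Pkt("in", 3),
}

def evaluate_all() -> dict:
    return {name: verdict(JAMES_RULES, p) for name, p in CASES.items()}
```

The model sees only one host's interface, so Igor's caveat about "any to any" on a gateway (the rule would also silence hosts behind it) is outside what it checks.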
