From owner-freebsd-security Sat Jun 23 4:35:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 472FB37B401 for ; Sat, 23 Jun 2001 04:35:56 -0700 (PDT) (envelope-from roam@ringworld.nanolink.com) Received: (qmail 66570 invoked by uid 1000); 23 Jun 2001 11:34:19 -0000 Date: Sat, 23 Jun 2001 14:34:19 +0300 From: Peter Pentchev To: Fernando Gleiser Cc: alexus , freebsd-security@FreeBSD.ORG Subject: Re: disable traceroute to my host Message-ID: <20010623143419.A29940@ringworld.oblivion.bg> Mail-Followup-To: Fernando Gleiser , alexus , freebsd-security@FreeBSD.ORG References: <006a01c0fb6b$2d64d830$9865fea9@book> <20010622221554.K5703-100000@cactus.fi.uba.ar> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010622221554.K5703-100000@cactus.fi.uba.ar>; from fgleiser@cactus.fi.uba.ar on Fri, Jun 22, 2001 at 10:23:30PM -0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, Jun 22, 2001 at 10:23:30PM -0300, Fernando Gleiser wrote: > On Fri, 22 Jun 2001, alexus wrote: > > > is it possible to disable using ipfw so people won't be able to traceroute > > me? > > I don't know if it is posible with ipfw, but with ip filter you can add > a rule to block any packets with ttl=1: > > block in log quick on xl0 ttl 1 proto ip all > > That will stop windows traceroute (icmp based) as well as unix traceroute > (udp based). > > Unix traceroute uses udp packets with destination port > 33434, but this can > be changed. As far as I know, the only way to stop traceroute is to drop > any packet with ttl=1. This might block legitimate trafic, but I haven't > seen any packet in the wild with ttl=1 wich was not a traceroute. This shall only stop traceroutes destined for this particular machine. If you tried this on a firewall/gateway machine, it would block the response from the gateway itself, but the internal machines would still respond. The response from Igor Podlesny in the thread contains a much more effective approach, which might block a bit too much, but it would certainly block traceroutes. Oh and BTW, blocking all packets with ttl=1 could block some legitimate packets that have simply gone down the long and winding road, and stopped at too many auberges to rest along the way :) G'luck, Peter -- If wishes were fishes, the antecedent of this conditional would be true. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message