From owner-freebsd-security Sat Jun 23 15:01:21 2001
From: "Brian" <bri@sonicboom.org>
To: "Jewfish", "Igor Podlesny"
Cc: "alexus"
Subject: Re: disable traceroute to my host
Date: Sat, 23 Jun 2001 15:01:07 -0700
Message-ID: <003d01c0fc30$053716a0$3324200a@sonicboom.org>
Sender: owner-freebsd-security@FreeBSD.ORG

Aren't you leaving out some details, like for example windows tracert is icmp based, whereas unix traces are udp..

Bri

----- Original Message -----
From: Jewfish
To: Igor Podlesny
Cc: alexus ; freebsd-security@FreeBSD.ORG ; freebsd-isp@FreeBSD.ORG
Sent: Saturday, June 23, 2001 12:32 PM
Subject: Re: disable traceroute to my host

These are the rules I have come up with on my own firewall to disable tracerouting and pinging (something which might not be for everybody), but allows me to traceroute and ping from the host and receive all the responses:

    allow icmp from any to any in recv ep0 icmptype 0,3,11,14,16,18
    allow icmp from any to any out xmit ep0 icmptype 8

ep0 being, of course, my external interface. This seems to work quite well for me. Some other ideas were brought up about denying the "time-to-live-exceeded" icmptype (11) because of packets that may take a long time to reach the host. However, this is the easiest method I could come up with using firewall rules.

Obviously, these rules also deny ping traffic, which is not recommended for everyone. However, I have recently gotten a lot of ping floods, so I enacted this (possibly on a temporary basis) to deal with this, while still allowing me to ping out (icmptype 8) and receive the replies (icmptype 0).

James

Igor Podlesny wrote:

> is it possible to disable using ipfw so people won't be able to
> traceroute me?

Yes, of course.

You should know how traceroute-like utilities work.

The knowledge can be easily extracted from a lot of sources, e.g. from the Internet, cause you seem to be connected ;) but it also should be mentioned that the man pages coming with FreeBSD (I guess as well as with other *NIX-like OSes) also describe the algo.

So man traceroute says that it uses udp ports starting with 33434 and goes up with every new hop, but this could be easily changed with the -p option. Besides, windows' tracert works using the icmp proto, so the decision isn't here. It lies in what the box does when answering to them. It does send a 'time exceeded in-transit' icmp message cause the TTL value is set too low to let the packet jump forward. So that is the answer -- you should disallow it with your ipfw, e.g. using such syntax:

    deny icmp from any to any icmptype 11

(yeah, you should carefully think about whether or not to use ANY, cause if your box is a gateway other people will notice your cutting-edge knowledge, cause it will hide not only your host ;)

This is not the end, alas. unix traceroute will wait for a port unreach icmp, so after meeting it, it stops and displays the end-point of your trace. Windows' tracert will wait for a normal icmp-echo-reply for the same purpose. So if you also wish to hide the end point, you need to disallow this also. I bet you can figure out the way how by yourself, now.

P.S. there are also other ways (even more elegant) of doing that in practice... they are called 'stealth routing' and can be implemented via a FreeBSD kernel mechanism (sysctl + built-in kernel support) or with ipf (ipfilter).

read the man pages, man, they are freely available...
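To make the mechanism in Igor's reply and the effect of James's rules concrete, here is an added example; it is not code from the thread or from FreeBSD. It is a small Python model that evaluates an ipfw-style ICMP ruleset with first-match semantics and then simulates what a UDP-based traceroute or an ICMP-echo-based tracert sees through a path of hops. It parses only the shape of the rules quoted above (`allow|deny icmp from any to any [in|out] [recv|xmit IFACE] [icmptype N,...]`), assumes ipfw's default-deny final rule, places Igor's single deny in front of a permit-all rule (as it would sit in a real ruleset), and uses constructed TEST-NET addresses for the hops.

```python
"""Added example, not code from the thread or from FreeBSD: a toy model of what
a tracing host sees when the traced box filters the ICMP it sends back.  Only
the shape of the ipfw rules quoted in the thread is parsed
(allow|deny icmp from any to any [in|out] [recv|xmit IFACE] [icmptype N,...])
and ipfw's default-deny final rule is assumed; this is not an ipfw parser.
Addresses are constructed from TEST-NET (192.0.2.0/24)."""
from dataclasses import dataclass
from typing import Optional

# ICMP types discussed in the thread
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11


@dataclass
class Rule:
    action: str                     # "allow" or "deny"
    direction: Optional[str]        # "in", "out", or None for either direction
    icmptypes: Optional[frozenset]  # None matches every ICMP type


def parse_rules(text: str) -> list:
    """Turn ipfw-style lines into Rule objects, keeping order (first match wins)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[1] != "icmp":
            continue                                   # only ICMP rules are modelled
        direction, types = None, None
        for i, t in enumerate(tok):
            if t in ("in", "out"):
                direction = t
            elif t == "icmptype":
                types = frozenset(int(x) for x in tok[i + 1].split(","))
        rules.append(Rule(tok[0], direction, types))
    return rules


def permitted(rules: list, direction: str, icmptype: int) -> bool:
    """First-match evaluation; a packet no rule matches hits the default deny."""
    for r in rules:
        if r.direction not in (None, direction):
            continue
        if r.icmptypes is not None and icmptype not in r.icmptypes:
            continue
        return r.action == "allow"
    return False


def trace(path: list, probe: str = "udp", max_hops: int = 6) -> list:
    """One entry per TTL, as the tracing host would print it.

    path is a list of (address, rules) pairs, the last pair being the
    destination.  A hop at which the TTL expires answers with time-exceeded
    (11); the destination answers a UDP probe with port-unreachable (3) and an
    ICMP-echo probe with echo-reply (0).  A reply the hop's own outbound filter
    drops prints as '*', and the trace only stops once the destination's reply
    gets back, so a silent destination yields '*' up to max_hops."""
    seen = []
    for ttl in range(1, max_hops + 1):
        idx = min(ttl - 1, len(path) - 1)   # larger TTLs still end at the destination
        addr, rules = path[idx]
        at_dest = idx == len(path) - 1
        reply = (DEST_UNREACH if probe == "udp" else ECHO_REPLY) if at_dest else TIME_EXCEEDED
        if permitted(rules, "out", reply):
            seen.append(addr)
            if at_dest:
                break
        else:
            seen.append("*")
    return seen


# The rulesets from the thread plus an unfiltered one.  Igor's single deny is
# placed in front of a permit-all rule, as it would sit in a working ruleset.
OPEN = parse_rules("allow icmp from any to any")
IGOR = parse_rules("deny icmp from any to any icmptype 11\n"
                   "allow icmp from any to any")
JAMES = parse_rules("allow icmp from any to any in recv ep0 icmptype 0,3,11,14,16,18\n"
                    "allow icmp from any to any out xmit ep0 icmptype 8")

R1, R2 = ("192.0.2.1", OPEN), ("192.0.2.2", OPEN)   # constructed upstream routers


def as_endpoint(rules: list, probe: str = "udp") -> list:
    """Trace to the filtered box itself."""
    return trace([R1, R2, ("192.0.2.10", rules)], probe)


def as_gateway(rules: list, probe: str = "udp") -> list:
    """Trace through the filtered box to an unfiltered host behind it."""
    return trace([R1, ("192.0.2.10", rules), ("192.0.2.20", OPEN)], probe)


def ping_status(rules: list) -> dict:
    """Does the box answer incoming pings, and can it still ping out itself?"""
    return {
        "answers_ping": permitted(rules, "in", ECHO_REQUEST) and permitted(rules, "out", ECHO_REPLY),
        "can_ping_out": permitted(rules, "out", ECHO_REQUEST) and permitted(rules, "in", ECHO_REPLY),
    }


if __name__ == "__main__":
    for name, rules in (("open", OPEN), ("igor deny 11", IGOR), ("james allow-list", JAMES)):
        print(f"{name:17} endpoint/udp  {as_endpoint(rules)}")
        print(f"{name:17} endpoint/icmp {as_endpoint(rules, 'icmp')}")
        print(f"{name:17} gateway/udp   {as_gateway(rules)}")
        print(f"{name:17} ping          {ping_status(rules)}")
```

Running it shows the two points the thread makes: Igor's `deny icmptype 11` blanks the box out only when it is a transit hop (`as_gateway(IGOR)` prints `*` for it but still shows the host behind it), while as the endpoint it still answers a UDP probe with port-unreachable and an ICMP probe with echo-reply, so both traces end on it normally. James's allow-list, by contrast, lets no type 3, 0 or 11 leave the box, so a trace to it ends in `* * *` under either probe type, and `ping_status(JAMES)` confirms the trade-off he describes: the box no longer answers ping, but can still ping out and receive the replies.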