Date: Mon, 25 Jun 2001 15:21:49 -0400
From: "alexus" <ml@db.nexgen.com>
To: <ohshutup@zdnetonebox.com>, <freebsd-security@freebsd.org>
Subject: Re: disable traceroute to my host
Message-ID: <005f01c0fdac$15221010$9865fea9@book>
References: <20010622230217.JKT10107.mta05.onebox.com@onebox.com>

The thing is that Windows-based machines use ICMP for traceroute and
Unix uses UDP.

What I'd like to know is: which type of ICMP is used for traceroute?
(For example, by denying ICMP for incoming icmptype 8 I was able to deny any
pinging of my box from outside *BUT* I can ping everyone myself from my box.)

Also, I'd like to know which standard range of UDP ports Unix's
traceroute uses?

----- Original Message -----
From: "Kris Anderson" <ohshutup@zdnetmail.com>
To: <freebsd-security@freebsd.org>
Sent: Friday, June 22, 2001 7:02 PM
Subject: Re: disable traceroute to my host

> You can put in a rule like
>
> ipfw add 3 deny icmp from any to FF.FF.FF.FF via F0
>
> change FF.FF.FF.FF to the ip address of your outside ip address
> change F0 to the interface name of said outside interface
>
> now I don't know about directly blocking traceroutes only but traceroute
> does an icmp thing somewhat like ping.
>
> Problem is that this will stop all ICMP from coming into the interface
> from the outside, even ICMP responses.
>
> For example, you can traceroute out, but traceroute responses now get
> blocked (this includes anything that uses ICMP) and do not get back in
> because they are being blocked by the above rule. Think of it as a one-way
> mirror.
>
> Now, if anybody knows of a more subtle way to allow ICMP out and back
> in, but keep any externals from coming in I certainly am one who would
> like to know.
> --
> Kris Anderson
> ohshutup@zdnetonebox.com - email
> (408) 514-2611 ext. 1178 - voicemail/fax
>
>
>
> ---- "alexus" <ml@db.nexgen.com> wrote:
> > is it possible to disable using ipfw so people won't be able to traceroute
> > me?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
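
The difference between the blanket ICMP deny quoted in this message and filtering by ICMP type, modeled as an added example (not part of the original thread and not ipfw's own code). It assumes first-match evaluation with traffic allowed when no rule matches, the default UDP traceroute base port 33434, and a conventional upper bound of 33534; the `Packet` and `Rule` classes are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:                       # constructed inbound packet on the outside interface
    proto: str                      # "icmp" or "udp"
    icmp_type: Optional[int] = None
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:                         # hypothetical model of one stateless filter rule
    action: str                     # "allow" or "deny"
    proto: str
    icmp_types: Optional[frozenset] = None   # None matches every ICMP type
    dports: Optional[range] = None           # None matches every port

    def matches(self, p: Packet) -> bool:
        if self.proto != p.proto:
            return False
        if self.icmp_types is not None and p.icmp_type not in self.icmp_types:
            return False
        return self.dports is None or p.dport in self.dports

def evaluate(rules, pkt, default="allow"):
    """First matching rule decides; 'default' is an assumed open policy."""
    return next((r.action for r in rules if r.matches(pkt)), default)

# The rule quoted in the thread: deny every inbound ICMP packet.
BLANKET = [Rule("deny", "icmp")]
# Type-selective variant: drop only what a remote ping or traceroute sends.
SELECTIVE = [
    Rule("deny", "icmp", icmp_types=frozenset({8})),     # echo request
    Rule("deny", "udp", dports=range(33434, 33535)),     # assumed UDP probe range
]

SAMPLES = {                         # constructed traffic, all arriving from outside
    "echo request (ping, ICMP-based traceroute)": Packet("icmp", icmp_type=8),
    "UDP traceroute probe": Packet("udp", dport=33434),
    "echo reply to our own ping": Packet("icmp", icmp_type=0),
    "time exceeded for our own traceroute": Packet("icmp", icmp_type=11),
    "port unreachable for our own traceroute": Packet("icmp", icmp_type=3),
}

def compare():
    """Map each sample to its (blanket, selective) verdict."""
    return {n: (evaluate(BLANKET, p), evaluate(SELECTIVE, p)) for n, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:45} blanket={verdicts[0]:5} selective={verdicts[1]}")
```

Because the model is stateless, the UDP rule also drops legitimate replies that happen to arrive on a destination port inside that range.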
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?005f01c0fdac$15221010$9865fea9>