Date: Tue, 08 Jul 2003 22:51:24 -0700
From: Terry Lambert <tlambert2@mindspring.com>
To: Socketd <db@traceroute.dk>
Cc: hackers@freebsd.org
Subject: Re: 5 "Advanced" networking questions
Message-ID: <3F0BAD5C.65895290@mindspring.com>
References: <20030707012205.3103dfc8.db@traceroute.dk> <20030707153314.GA1695@webboy.soth.at> <20030707180252.44036c61.db@traceroute.dk> <3F0A9A1C.25E6EB35@mindspring.com> <20030708131339.16da151f.db@traceroute.dk> <20030708140012.0fd685c8.db@traceroute.dk>
Socketd wrote:
> On Tue, 08 Jul 2003 04:17:04 -0700
> Terry Lambert <tlambert2@mindspring.com> wrote:
> > > I don't want to disable ICMP, just don't want to respond when ttl=0,
> > > meaning when my firewall/gateway is on a "traceroute path".
> >
> > You should specifically modify the ICMP code to not respond
> > to echo datagrams, or when ttl == 0, then, and work it that
> > way. In other words, it's time to hack your network stack
> > to specifically add that "feature".
>
> Hmm, why not just use a firewall?

Because most firewalls, even commercial ones, don't block the ICMP messages you appear to be interested in blocking.

You appeared to want to turn your FreeBSD box into what's normally called a "stealth" system: one that doesn't respond at all to external probe attempts. So it looked like you were trying to *write* a firewall, or at least find a set of rules that would let your FreeBSD box act as a "stealth" one.

The current FreeBSD doesn't support "stealth"; it's generally something you do to stop network finger-printing and/or to use as a base for launching your own attacks and/or in an attempt to protect a Windows box that can't protect itself very well.

If you want the feature in FreeBSD, you are going to need to hack some code.

If you are willing to go out and spend money on a "stealth" firewall box, well, you should feel free to do that, too; if you do, I recommend "SunScreen" from Sun Microsystems, though in general, I don't recommend using "stealth" firewalls, since they break a number of end-to-end guarantees:

	http://wwws.sun.com/software/securenet/index.html

If you want a real firewall, I recommend the Cisco PIX:

	http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/

I also recommend reading about the drawbacks of using "stealth" firewalls, to help decide whether you want to avoid attackers by hiding from them, or avoid attackers by having working firewall software which has been usefully audited, instead. 8-).

	http://web.proetus.com/reference/stealthfw/

If you just want to avoid ICMP echo datagrams, I'd change my filter criteria from what you are asking (TTL==0) to ICMP type, and filter packets of type 11 and 0 using the ipfw "icmptypes" option on your filter type. It's not the same thing as a "stealth" firewall, but it is good enough to handle your initial complaint, which was the ability to traceroute. Then you wouldn't need to buy another machine.

-- Terry
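As an added illustration (not part of Terry's message or of FreeBSD's ipfw), the following Python models the decision an outbound rule of the form `ipfw add deny icmp from me to any icmptypes 0,11 out` makes: it parses a constructed IPv4 packet, extracts the ICMP type, and drops only echo replies (type 0) and time-exceeded messages (type 11, which is what traceroute listens for), while letting every other ICMP type and all non-ICMP traffic through. The addresses and packets are constructed sample data, and the checksum and header builders are assumed helpers for generating that input.

```python
import struct

ICMP_PROTO = 1
# 0 = echo reply (answers to ping), 11 = time exceeded (what traceroute relies on).
DENIED_ICMP_TYPES = {0, 11}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (used only to build valid sample packets)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int = 0, body: bytes = b"") -> bytes:
    """Constructed ICMP message: type, code, checksum, optional body."""
    hdr = struct.pack("!BBH", icmp_type, code, 0) + body
    return hdr[:2] + struct.pack("!H", checksum(hdr)) + hdr[4:]


def build_packet(proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 packet (20-byte header, no options) from 192.0.2.1 to 198.51.100.7."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return header[:10] + struct.pack("!H", checksum(header)) + header[12:] + payload


def icmp_type_of(packet: bytes):
    """Return the ICMP type of an IPv4 packet, or None if it is not ICMP or is truncated."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # header length honours IP options
    if ihl < 20 or len(packet) < ihl + 4 or packet[9] != ICMP_PROTO:
        return None
    return packet[ihl]


def would_drop(packet: bytes) -> bool:
    """True when the modelled 'deny icmp ... icmptypes 0,11 out' rule matches."""
    icmp_type = icmp_type_of(packet)
    return icmp_type is not None and icmp_type in DENIED_ICMP_TYPES
```

Type 3 (destination unreachable, including code 4 "fragmentation needed" that path-MTU discovery depends on) is deliberately not in the deny set, which is the practical difference between this rule and a blanket ICMP block.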