Re: disable traceroute to my host

From: Peter Pentchev (roam@orbitel.bg)
Date: 06/25/01


Date: Mon, 25 Jun 2001 09:37:31 +0300
From: Peter Pentchev <roam@orbitel.bg>
To: Simon Rakovec <simon@inforta.com>

On Sun, Jun 24, 2001 at 07:42:19PM +0200, Simon Rakovec wrote:
> Try this:
>
> ipfw add deny udp from any 32769-65535 to <your-host> 33434-33523

As Karsten noted in a followup, this is not proper network practice.
There might be a LOT of things listening on those UDP ports, including
ephemeral outgoing UDP connections.

As many other people noted, this does not stop Windows traceroute,
which goes via ICMP.

As the traceroute(8) manpage notes, this does not stop people who
know how to use the traceroute '-p port' option to select a starting
port != 32768.

As Dag-Erling Smørgrav noted, in general it is impossible to disable
a person determined to traceroute you, and in practice, there is
no need to.

G'luck,
Peter

PS. How was that now... one source: plagiarism, two sources: comparative
study, three sources: an academic thesis.. I did even better than that! ;)

-- 
Thit sentence is not self-referential because "thit" is not a word.
> alexus wrote:
> > 
> > is it possible to disable using ipfw so people won't be able to traceroute
> > me?
> > 
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
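The rule quoted above, and the four objections to it, as an added example that is not part of the original thread or of FreeBSD's ipfw: a small Python model that parses that single `ipfw add deny ...` rule form and evaluates it against constructed probes. The host address 192.0.2.10 (standing in for `<your-host>`), the peer addresses and every packet below are constructed sample values, not captures from anyone's network.

```python
"""Model of the posted ipfw rule, evaluated against constructed probes.

Added example, not code from the thread or from ipfw. It parses only the
rule shape used in the post:
    ipfw add <action> <proto> from <src> [lo-hi] to <dst> [lo-hi]
and reports which packets that rule would actually stop.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MY_HOST = "192.0.2.10"  # constructed address standing in for <your-host>


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # 0 for ICMP, which carries no ports
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    sports: Optional[Tuple[int, int]]
    dst: str
    dports: Optional[Tuple[int, int]]


def _parse_range(tok: str) -> Tuple[int, int]:
    lo, _, hi = tok.partition("-")
    return int(lo), int(hi or lo)


def parse_rule(text: str) -> Rule:
    """Parse 'ipfw add deny udp from any 32769-65535 to <your-host> 33434-33523'."""
    toks = text.replace("<your-host>", MY_HOST).split()
    if toks[:2] != ["ipfw", "add"]:
        raise ValueError("expected 'ipfw add ...'")
    action, proto = toks[2], toks[3]
    i = toks.index("from") + 1
    src = toks[i]
    i += 1
    sports = None
    if toks[i] != "to":                 # optional source port range
        sports = _parse_range(toks[i])
        i += 1
    i = toks.index("to", i) + 1
    dst = toks[i]
    i += 1
    dports = _parse_range(toks[i]) if i < len(toks) else None
    return Rule(action, proto, src, sports, dst, dports)


def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or pattern == addr


def _port_match(rng: Optional[Tuple[int, int]], port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", "all", pkt.proto):
        return False                    # an 'udp' rule never sees ICMP
    return (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
            and _port_match(rule.sports, pkt.sport)
            and _port_match(rule.dports, pkt.dport))


def verdict(rule: Rule, pkt: Packet) -> str:
    """Single-rule ruleset with a default pass, as in the post."""
    return rule.action if matches(rule, pkt) else "allow"


RULE = parse_rule("ipfw add deny udp from any 32769-65535 to <your-host> 33434-33523")

# Constructed probes illustrating each point made in the thread.
PROBES: Dict[str, Packet] = {
    # LBL traceroute: source port is (pid & 0xffff) | 0x8000, so 32768 or above;
    # destination port starts at 33434 and climbs one per probe (3 probes x 30 hops = 90 ports).
    "unix traceroute, default ports": Packet("udp", "198.51.100.7", MY_HOST, 40001, 33437),
    # Windows tracert sends ICMP echo requests: no UDP, no ports, nothing to match.
    "windows tracert (icmp echo)": Packet("icmp", "198.51.100.7", MY_HOST),
    # 'traceroute -p 40000' moves the destination port base out of the denied range.
    "unix traceroute -p 40000": Packet("udp", "198.51.100.7", MY_HOST, 40001, 40003),
    # Collateral damage: a peer answering our own outgoing UDP flow from its
    # ephemeral port, to the ephemeral port we happened to bind in 33434-33523.
    "reply to our ephemeral udp flow": Packet("udp", "203.0.113.5", MY_HOST, 49152, 33440),
}


def classify(rule: Rule = RULE, probes: Dict[str, Packet] = PROBES) -> Dict[str, str]:
    return {name: verdict(rule, pkt) for name, pkt in probes.items()}


if __name__ == "__main__":
    for name, v in classify().items():
        print(f"{v:5}  {name}")
```

Only the first and last probes are denied: the rule stops the stock Unix traceroute and a legitimate reply to the host's own UDP traffic, while ICMP-based tracert and a `-p` port shift pass straight through, which is the thread's point in miniature.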

