Re: disable traceroute to my host

From: alexus (ml@db.nexgen.com)
Date: 06/25/01


From: "alexus" <ml@db.nexgen.com>
To: <ohshutup@zdnetonebox.com>, <freebsd-security@freebsd.org>
Date: Mon, 25 Jun 2001 15:21:49 -0400

The thing is that Windows-based machines use ICMP for traceroute and
Unix uses UDP.

What I'd like to know is:

Which ICMP type is used for traceroute? (For example, by denying
incoming ICMP type 8 I was able to deny any pinging of my box from outside,
*BUT* I can ping everyone myself from my box.)

Also, I'd like to know which standard range of UDP ports Unix's
traceroute uses.

----- Original Message -----
From: "Kris Anderson" <ohshutup@zdnetmail.com>
To: <freebsd-security@freebsd.org>
Sent: Friday, June 22, 2001 7:02 PM
Subject: Re: disable traceroute to my host

> You can put in a rule like
>
> ipfw add 3 deny icmp from any to FF.FF.FF.FF via F0
>
> change FF.FF.FF.FF to the ip address of your outside ip address
> change F0 to the interface name of said outside interface
>
> Now, I don't know about directly blocking only traceroutes, but traceroute
> does an ICMP thing somewhat like ping.
>
> Problem is that this will stop all ICMP from coming into the interface
> from the outside, even ICMP responses.
>
> For example, you can traceroute out, but traceroute responses now get
> blocked (this includes anything that uses ICMP) and do not get back in
> because they are being blocked by the above rule. Think of it as a one-way
> mirror.
>
> Now, if anybody knows of a subtler way to allow ICMP out and back
> in, but keep any externals from coming in, I certainly am one who would
> like to know.
> --
> Kris Anderson
> ohshutup@zdnetonebox.com - email
> (408) 514-2611 ext. 1178 - voicemail/fax
>
>
>
> ---- "alexus" <ml@db.nexgen.com> wrote:
> > is it possible to disable using ipfw so people won't be able to
> > traceroute me?
> >
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >
>

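The blanket rule Kris suggests, and the narrower ruleset he asks about, modelled as an added example (constructed for this archive page, not code from either poster or from FreeBSD): a small first-match rule evaluator that classifies constructed sample packets under both rulesets, so the difference between "block inbound probes" and "block all inbound ICMP" is visible. The `ipfw` commands in the comments use the real `icmptypes` and `dst-port` options; the matcher itself, the scenario names, and the implicit `allow` default are this example's own assumptions, not ipfw behaviour.

```python
"""Toy model of how first-match ipfw-style rules treat traceroute traffic.

Constructed example for this thread; not code from the original messages or
from FreeBSD. Rule objects mirror the ipfw options 'in'/'out', 'icmptypes'
and 'dst-port', but the matcher is a simplification, not ipfw.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Facts the model relies on:
# - Unix traceroute sends UDP probes to ports starting at 33434, one port per
#   probe; the default 30 hops x 3 probes covers 33434..33523.
# - Windows tracert sends ICMP echo request (type 8) probes instead.
# - Either way the sender learns each hop from ICMP time exceeded (type 11),
#   and UDP traceroute learns the final hop from ICMP port unreachable
#   (type 3, code 3). Outbound ping needs echo reply (type 0) back in.
TRACEROUTE_UDP_PORTS = range(33434, 33434 + 30 * 3)
ICMP_ECHO_REPLY, ICMP_UNREACH, ICMP_ECHO_REQ, ICMP_TIME_EXCEEDED = 0, 3, 8, 11


@dataclass(frozen=True)
class Packet:
    proto: str                     # "icmp" or "udp"
    direction: str                 # "in" or "out", relative to our host
    icmptype: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    proto: str                     # "icmp", "udp" or "ip" (any protocol)
    direction: Optional[str] = None
    icmptypes: Optional[frozenset] = None   # like ipfw 'icmptypes 0,3,11'
    dports: Optional[range] = None          # like ipfw 'dst-port 33434-33523'

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.icmptypes is not None and p.icmptype not in self.icmptypes:
            return False
        if self.dports is not None and (p.dport is None or p.dport not in self.dports):
            return False
        return True


def verdict(rules: list[Rule], p: Packet) -> str:
    """First matching rule wins, as in ipfw. Assumption: the implicit final
    rule here is 'allow'; a real ipfw kernel usually ends in 'deny'."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "allow"


# The rule from the thread: 'deny icmp from any to <me> via <f0>' drops every
# inbound ICMP packet, including the replies our own ping/traceroute need.
BLANKET = [Rule("deny", "icmp", "in")]

# A narrower set: refuse inbound probes, keep the inbound ICMP error/reply
# types our outbound traffic depends on, and let all ICMP out. In ipfw terms:
#   ipfw add deny  icmp from any to me in icmptypes 8
#   ipfw add deny  udp  from any to me in dst-port 33434-33523
#   ipfw add allow icmp from any to me in icmptypes 0,3,11
#   ipfw add allow icmp from me  to any out
REFINED = [
    Rule("deny", "icmp", "in", icmptypes=frozenset({ICMP_ECHO_REQ})),
    Rule("deny", "udp", "in", dports=TRACEROUTE_UDP_PORTS),
    Rule("allow", "icmp", "in",
         icmptypes=frozenset({ICMP_ECHO_REPLY, ICMP_UNREACH, ICMP_TIME_EXCEEDED})),
    Rule("allow", "icmp", "out"),
]

# Constructed sample traffic, labelled by what each packet represents.
SCENARIOS = {
    "ping probe from outside (Windows tracert too)": Packet("icmp", "in", icmptype=ICMP_ECHO_REQ),
    "unix traceroute probe from outside": Packet("udp", "in", dport=33434),
    "ordinary DNS query from outside": Packet("udp", "in", dport=53),
    "hop reply to OUR traceroute": Packet("icmp", "in", icmptype=ICMP_TIME_EXCEEDED),
    "final-hop reply to OUR traceroute": Packet("icmp", "in", icmptype=ICMP_UNREACH),
    "reply to OUR ping": Packet("icmp", "in", icmptype=ICMP_ECHO_REPLY),
    "OUR outbound ping probe": Packet("icmp", "out", icmptype=ICMP_ECHO_REQ),
}


def evaluate(rules: list[Rule]) -> dict[str, str]:
    """Verdict per scenario for one ruleset."""
    return {name: verdict(rules, pkt) for name, pkt in SCENARIOS.items()}


def our_traceroute_works(rules: list[Rule]) -> bool:
    """True if the ICMP replies our own outbound traceroute/ping rely on get in."""
    v = evaluate(rules)
    return all(v[k] == "allow" for k in ("hop reply to OUR traceroute",
                                         "final-hop reply to OUR traceroute",
                                         "reply to OUR ping"))


if __name__ == "__main__":
    for label, rules in (("blanket", BLANKET), ("refined", REFINED)):
        print(f"--- {label}: our traceroute works = {our_traceroute_works(rules)}")
        for name, action in evaluate(rules).items():
            print(f"  {action:5}  {name}")
```

Running it prints a verdict table for both rulesets: under `BLANKET` the type 11 and type 3 replies to the host's own traceroute are dropped (the "one-way mirror" Kris describes), under `REFINED` they get in while inbound echo requests and UDP 33434-33523 are refused. Two caveats for anyone applying this: the UDP range is only traceroute's default (its `-p` option changes the base port, and traceroute can also be run with ICMP echo probes), so this reduces noise rather than "disabling" traceroute; and the routers before your host still answer with time exceeded for their own hops, so only the final hop disappears from an outsider's trace.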


