Re: disable traceroute to my host
From: alexus (ml@db.nexgen.com)
Date: 06/25/01
- Next message: alexus: "Re: disable traceroute to my host"
- Previous message: alexus: "Re: disable traceroute to my host"
- In reply to: Jewfish: "Re: disable traceroute to my host"
- Next in thread: co0kie bawx: "Re: disable traceroute to my host"
- Reply: co0kie bawx: "Re: disable traceroute to my host"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "alexus" <ml@db.nexgen.com>
To: "Jewfish" <jewfish@jewfish.net>, "Igor Podlesny" <poige@morning.ru>
Date: Mon, 25 Jun 2001 15:55:53 -0400
is there any place on the internet where all protocols are described .. like icmp and all types of icmps? i'd love to read about that
----- Original Message -----
From: Jewfish
To: Igor Podlesny
Cc: alexus ; freebsd-security@FreeBSD.ORG ; freebsd-isp@FreeBSD.ORG
Sent: Saturday, June 23, 2001 3:32 PM
Subject: Re: disable traceroute to my host
These are the rules I have come up with on my own firewall to disable tracerouting and pinging (something which might not be for everybody), but which allow me to traceroute and ping from the host and receive all the responses:
allow icmp from any to any in recv ep0 icmptype 0,3,11,14,16,18
allow icmp from any to any out xmit ep0 icmptype 8
ep0 being, of course, my external interface. This seems to work quite well for me. Some other ideas were brought up about denying the "time-to-live-exceeded" icmptype (11) because of packets that may take a long time to reach the host. However, this is the easiest method I could come up with using firewall rules.
Obviously, these rules also deny ping traffic, which is not recommended for everyone. However, I have recently gotten a lot of ping floods, so I enacted this (possibly on a temporary basis) to deal with this, while still allowing me to ping out (icmptype 8) and receive the replies (icmptype 0).
James
Igor Podlesny wrote:
is it possible to disable using ipfw so people won't be able to traceroute me?
Yes, of course. You should know how traceroute-like utilities work. The knowledge can be easily extracted from a lot of sources, for e.g. from the Internet, cause you seem to be connected ;) but, it also should be mentioned that the man pages coming with FreeBSD (I guess as well as with other *NIX-like OSes) also describe the algo.

so man traceroute says that it uses udp ports starting with 33434 and goes up with every new hop. but this could be easily changed with the -p option. Besides, windows' tracert works using the icmp proto, so the decision isn't here. It lies in what the box does when answering to them. It does send a 'time exceeded in-transit' icmp message cause the TTL value is set too low to let the packet jump forward. So it is the answer -- you should disallow it with your ipfw. for e.g. using such syntax:

deny icmp from any to any icmptype 11

(yeah, you should carefully think about whether or not to use ANY cause if your box is a gateway other people will notice your cutting-edge knowledge cause it will hide not only your host ;)

This is not the end, alas. unix traceroute will wait for a port unreach icmp so after meeting it, it stops and displays the end-point of your trace. Windows' tracert will wait for a normal icmp-echo-reply for the same purpose. So if you also wish to hide the end point, you need to disallow this also. I bet you can figure out how by yourself, now.

P.S. there are also other ways (even more elegant) of doing that in practice... they are called 'stealth routing' and can be implemented via a FreeBSD kernel mechanism (sysctl + built-in kernel support) or with ipf (ipfilter)

read the man pages, man, they are freely available...
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
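Added example, not from the thread and not ipfw's own code: a small Python model of how ipfw evaluates the two ICMP rules James posted (first match wins), assuming everything unmatched falls through to a default deny, so the effect on each ICMP flow Igor and James describe can be checked packet by packet. The rule text and the interface name ep0 are taken from the thread; the parser covers only that syntax subset.

```python
from dataclasses import dataclass

# The two ipfw rules quoted in the thread; "ep0" is James's external interface.
RULES_FROM_THREAD = [
    "allow icmp from any to any in recv ep0 icmptype 0,3,11,14,16,18",
    "allow icmp from any to any out xmit ep0 icmptype 8",
]

@dataclass(frozen=True)
class IcmpPacket:
    direction: str  # "in" or "out", relative to the host
    iface: str      # interface the packet is received on or sent from
    icmptype: int   # 8 echo request, 0 echo reply, 11 time exceeded, 3 unreachable

def parse_rule(text: str) -> tuple:
    """Parse the ICMP-only ipfw subset used above:
    <action> icmp from any to any (in recv|out xmit) IFACE icmptype N[,N...]"""
    tok = text.split()
    if tok[1] != "icmp" or tok[2:6] != ["from", "any", "to", "any"]:
        raise ValueError(f"unsupported rule: {text}")
    types = frozenset(int(t) for t in tok[tok.index("icmptype") + 1].split(","))
    return (tok[0], tok[6], tok[8], types)  # (action, direction, iface, icmptypes)

def decide(packet: IcmpPacket, rules, default: str = "deny") -> str:
    """ipfw walks the ruleset in order, first match wins; unmatched traffic gets
    the default, which this model assumes is deny (as James's wording implies)."""
    for action, direction, iface, types in rules:
        if direction == packet.direction and iface == packet.iface and packet.icmptype in types:
            return action
    return default

def traceroute_visibility(rule_texts) -> dict:
    """Verdict for each ICMP flow the thread discusses, as seen from the host."""
    rules = [parse_rule(r) for r in rule_texts]
    flows = {
        "inbound ping (echo request 8)": IcmpPacket("in", "ep0", 8),
        "our echo reply (0) going out": IcmpPacket("out", "ep0", 0),
        "our time-exceeded (11) going out": IcmpPacket("out", "ep0", 11),
        "our port-unreachable (3) going out": IcmpPacket("out", "ep0", 3),
        "our ping/tracert probe (8) going out": IcmpPacket("out", "ep0", 8),
        "echo reply (0) coming back": IcmpPacket("in", "ep0", 0),
        "time-exceeded (11) coming back": IcmpPacket("in", "ep0", 11),
    }
    return {name: decide(pkt, rules) for name, pkt in flows.items()}

if __name__ == "__main__":
    for name, verdict in traceroute_visibility(RULES_FROM_THREAD).items():
        print(f"{verdict:5} {name}")
```

The run shows why the policy hides the host: its own type 11 and type 3 replies (what unix traceroute waits for) and its echo replies (what tracert waits for) are all denied on the way out, while its outbound probes and the answers to them are allowed. Note that on a gateway the same rules would also hide every host behind it, the caveat Igor raises.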