Re[2]: disable traceroute to my host

From: Igor Podlesny (
Date: 06/28/01

Date: Thu, 28 Jun 2001 14:30:21 +0700
From: Igor Podlesny <>
To: "Crist J. Clark" <>

> On Wed, Jun 27, 2001 at 03:17:21PM -0400, alexus wrote:
>> sounds good.. although what is tcp there for?

> You can traceroute with any protocol. TCP is just as easy as UDP.

> As people keep saying over and over, there really is no way to stop
> traceroutes without severely breaking things.

I disagree. cause don't see any real hurt of disallowing
icmp-echo-reply (0), icmp-unreach.icmp-unreach-port (3.3) and
icmp-timxceed (11).

the first is already in relatively common practice

the second is similar to blackhole BSD's feature (yeah... it doesn't
fit RFC, but the cruel world ;)

the third is just an informative message (like the second isn't
RFC-compilant but partially)

In sum we can just complain bout non RFC-behavior.... but at the other
side we're to understand that playing according to the rules is too
expensive while others don't bother with.

Already mentioned stealth routing (ok, forwarding, if the difference
kick in eye ;) isn't RFC-compilant and what? "...Who ever promised
anybody equal share?..."

> If you really want to stop traceroutes, pull the plug.
extreme? ;)

> Can this thread
> die now?

18 * * *
19 * * *
20 * * *
21 * * *

p.s. ;)))

To Unsubscribe: send mail to
with "unsubscribe freebsd-security" in the body of the message