Date:      Mon, 25 Jun 2001 15:50:45 -0400
From:      "alexus" <ml@db.nexgen.com>
To:        "Igor Podlesny" <poige@morning.ru>
Cc:        <freebsd-security@FreeBSD.ORG>, <freebsd-isp@FreeBSD.ORG>
Subject:   Re: disable traceroute to my host
Message-ID:  <017a01c0fdb0$1ff51240$9865fea9@book>
References:  <006a01c0fb6b$2d64d830$9865fea9@book> <13760134158.20010623111308@morning.ru>

thanks a lot for this whole explanation, I appreciate everyone on the list
for taking time to explain how the basics work.. I'm trying to read books,
manuals, the internet for all those things but not everything makes sense,
although when a real person explains it, it helps me a lot more

thanks everyone

----- Original Message -----
From: "Igor Podlesny" <poige@morning.ru>
To: "alexus" <ml@db.nexgen.com>
Cc: <freebsd-security@FreeBSD.ORG>; <freebsd-isp@FreeBSD.ORG>
Sent: Saturday, June 23, 2001 12:13 AM
Subject: Re: disable traceroute to my host


>
> > is it possible to disable using ipfw so people won't be able to traceroute
> > me?
>
> Yes, of course.
>
> You should know how traceroute-like utilities work.
>
> The  knowledge can be easily extracted from a lot of sources, e.g.
> from  the Internet,  cause you seem to be connected ;) but it also should
> be  mentioned  that  man pages coming with FreeBSD (I guess as well as
> with other *NIX-like OSes) also describe the algo.
>
> so man traceroute says, that it uses udp ports starting with 33434 and
> goes  up  with every new hop. but this could be easily changed with -p
> option.  Besides,  windows'  tracert  works  using  icmp proto, so the
> decision isn't here. It lies in what does the box do when answering to
> them.  It  does send 'time exceeded in-transit' icmp message cause TTL
> value  is  set  too  low  to let the packet jump forward. So it is the
> answer  --  you should disallow it with your ipfw. for e.g. using such
> syntax:
>
> deny icmp from any to any icmptype 11
>
> (yeah,  you  should  carefully  think  about whether or not to use ANY
> cause  if  your  box  is  a  gateway  other  people will notice your
> cutting-edge knowledge cause it will hide not only your host ;)
>
> This  is not the end, alas. unix traceroute will wait for port unreach
> icmp  so  after  meeting,  it stops and displays the end-point of your
> trace.  Windows'  tracert will wait for normal icmp-echo-reply for the
> same  purpose.  So if you also wish to hide the end point, you need to
> disallow  this also. I bet you can figure out the way how by yourself,
> now.
>
> P.S.  there  are  also other ways (even more elegant) of doing that in
> practice...  they're  called 'stealth routing' and can be implemented via
> FreeBSD  kernel  mechanism  (sysctl + built-in kernel support) or with
> ipf (ipfilter)
>
> read the man pages, man, they are freely available...
>
> --
>  Igor                            mailto:poige@morning.ru
>                                  http://poige.nm.ru
>
>
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
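The mechanics Igor describes (routers answering expired-TTL probes with ICMP type 11, the end point answering with port unreachable for UDP probes or echo reply for Windows-style ICMP probes, and an ipfw "deny icmp from any to any icmptype N" rule dropping those answers) can be modelled in a few lines. The simulation below is an added illustration, not code from the thread or from FreeBSD; the addresses are constructed from the RFC 5737 documentation ranges and the "rule" is reduced to a set of denied ICMP types applied to the node's own replies and to ICMP it forwards, which is the behaviour the thread's gateway caveat is about.

```python
# Toy model of traceroute probes walking a chain of nodes, each of which may
# carry an ipfw-style "deny icmp from any to any icmptype N" rule.
# Added example, not code from the thread; addresses are constructed and the
# rule format is a deliberate simplification of ipfw syntax.

from dataclasses import dataclass, field

ICMP_ECHO_REPLY = 0      # what Windows tracert (ICMP echo probes) waits for from the end point
ICMP_UNREACH = 3         # code 3 = port unreachable; what UNIX traceroute (UDP probes) waits for
ICMP_TIME_EXCEEDED = 11  # "time exceeded in-transit", sent by the router where the TTL expires


@dataclass
class Node:
    addr: str
    # ICMP types dropped by this node's "deny icmp from any to any icmptype N" rules.
    deny_icmp_types: set = field(default_factory=set)

    def lets_through(self, icmp_type: int) -> bool:
        # "from any to any" matches the node's own replies *and* ICMP it forwards
        # for nodes behind it, which is the caveat raised in the thread.
        return icmp_type not in self.deny_icmp_types


def send_probe(path, ttl, proto):
    """Send one probe with the given TTL along path (path[-1] is the destination).

    Returns (responder_addr, icmp_type), or (None, None) when the reply was
    dropped by a filter on the responder or on a node between it and the tracer.
    """
    for idx, node in enumerate(path):
        if idx < len(path) - 1:
            ttl -= 1                       # routers decrement TTL when forwarding
            if ttl > 0:
                continue
            reply_type = ICMP_TIME_EXCEEDED
        else:                              # destination delivers the packet locally and answers
            reply_type = ICMP_UNREACH if proto == "udp" else ICMP_ECHO_REPLY
        responder = node
        break
    # The reply travels back through the responder and every node before it.
    for node in path[:idx + 1]:
        if not node.lets_through(reply_type):
            return None, None
    return responder.addr, reply_type


def traceroute(path, proto="udp", max_ttl=6):
    """Hop list as traceroute prints it ("*" = no answer); stops once the destination answers."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        responder, reply_type = send_probe(path, ttl, proto)
        hops.append(responder or "*")
        if reply_type in (ICMP_UNREACH, ICMP_ECHO_REPLY):
            break                          # end point reached; both traceroute flavours stop here
    return hops


def scenario(gateway_denies=(), host_denies=(), proto="udp"):
    """Constructed path: tracer -> 192.0.2.1 -> gateway 192.0.2.254 -> 198.51.100.1 -> host 198.51.100.10."""
    path = [
        Node("192.0.2.1"),
        Node("192.0.2.254", set(gateway_denies)),   # the gateway from the thread's caveat
        Node("198.51.100.1"),
        Node("198.51.100.10", set(host_denies)),    # the box that wants to stay hidden
    ]
    return traceroute(path, proto)


if __name__ == "__main__":
    print("no filtering:            ", scenario())
    print("gateway denies type 11:  ", scenario(gateway_denies={ICMP_TIME_EXCEEDED}))
    print("host denies type 3, UDP: ", scenario(host_denies={ICMP_UNREACH}))
    print("host denies type 3, ICMP:", scenario(host_denies={ICMP_UNREACH}, proto="icmp"))
    print("host denies 3 and 0:     ", scenario(host_denies={ICMP_UNREACH, ICMP_ECHO_REPLY}, proto="icmp"))
```

Running it shows the three points of the thread side by side: with "deny icmptype 11" on the gateway, the gateway's own hop and the hop behind it both print as "*" while the end host still shows up, because its port-unreachable reply is a different ICMP type; a host that drops only type 3 disappears from UNIX traceroute (the trace runs to max TTL with "*" entries) but is still found by an ICMP-echo tracert; and hiding the end point from both requires dropping echo replies as well, which also makes the box unreachable to ordinary ping, a trade-off worth noting before applying such a rule on a production gateway.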
