Date:      Fri, 22 Jun 2001 22:41:46 -0300 (ART)
From:      Fernando Gleiser <fgleiser@cactus.fi.uba.ar>
To:        Ryan Masse <mail@max-info.net>
Cc:        Lawrence Sica <larry@interactivate.com>, FreeBSD-Questions <freebsd-questions@FreeBSD.ORG>
Subject:   Re: disable traceroute to my host
Message-ID:  <20010622222857.K5703-100000@cactus.fi.uba.ar>
In-Reply-To: <00a201c0fb75$b7f4e800$3200a8c0@Home>

Don't block all icmp. icmp is an integral part of tcp/ip. If you block
all icmp, you'll break things (path MTU discovery, for example).

Look at the archives for more examples of why you should not block all
icmp.

Besides, that won't stop traceroutes originated on a unix box, because
unix traceroute uses udp by default (it can use any of tcp, udp or icmp).

To stop traceroutes directed at you, you need to drop packets with ttl=1.


			Fer



On Fri, 22 Jun 2001, Ryan Masse wrote:

> man ipfw and read up on icmptypes. you may wanna do something like the
> following:
>
> ipfw add allow icmp from any to any out via $interface
> ipfw add allow icmp from any to any in via $interface icmptype 0
> ipfw add deny icmp from any to any in via $interface
>
> this will break various aspects of the icmp protocol but it will allow
> all echo responses generated from the inside to be received back through the
> firewall. Again this may or may not work in your attempts to deny a
> traceroute.
>
> Ryan
>
>
> >
> >
> > --On Friday, June 22, 2001 4:02 PM -0700 Kris Anderson
> > <ohshutup@zdnetmail.com> wrote:
> >
> > > Now, if anybody knows of a subtler way to allow ICMP out and back
> > > in, but keep any externals from coming in, I certainly am one who would
> > > like to know.
> >
> > man 8 ipfw
> >
> > If you search for icmp you'll find the listing on icmptypes.  You can
> > specify what icmp to block and let through...
> >
> > --Larry
> >
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
>
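As an added illustration of the points in this thread (not code posted by anyone in it), here is a small Python model of first-match packet filtering that runs Ryan's quoted rule set and a rule set built on Fer's advice over constructed sample packets. It assumes a `ttl`-matching rule option like the `ipttl` keyword that later ipfw versions provide; the packets and type numbers are my own constructed inputs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str          # "icmp", "udp" or "tcp"
    direction: str      # "in" or "out", relative to the protected host
    ttl: int            # IP TTL as the packet reaches the filter
    icmptype: int = -1  # ICMP type; -1 for non-ICMP packets

def rule(action, proto="ip", direction=None, icmptypes=None, ipttl=None):
    return dict(action=action, proto=proto, direction=direction,
                icmptypes=icmptypes, ipttl=ipttl)

def rule_matches(r, pkt):
    return (r["proto"] in ("ip", pkt.proto)
            and r["direction"] in (None, pkt.direction)
            and (r["icmptypes"] is None or pkt.icmptype in r["icmptypes"])
            and (r["ipttl"] is None or pkt.ttl in r["ipttl"]))

def verdict(rules, pkt):
    # First matching rule wins, as in ipfw; the last rule must be a catch-all.
    for r in rules:
        if rule_matches(r, pkt):
            return r["action"]
    raise ValueError("no catch-all rule")

# The quoted rules: ICMP out, echo replies in, every other inbound ICMP denied.
BLOCK_ALL_INBOUND_ICMP = [
    rule("allow", "icmp", "out"),
    rule("allow", "icmp", "in", icmptypes={0}),
    rule("deny", "icmp", "in"),
    rule("allow"),
]
# Per the advice above: keep the ICMP types PMTUD and our own traceroutes need,
# then drop inbound packets with TTL 1 (ipttl match assumed, as in later ipfw2).
DROP_TTL_ONE = [
    rule("allow", "icmp", "out"),
    rule("allow", "icmp", "in", icmptypes={0, 3, 11}),  # echo reply, unreachable, time exceeded
    rule("deny", "icmp", "in"),
    rule("deny", "ip", "in", ipttl={1}),  # traceroute probes of any protocol stop here
    rule("allow"),
]
# Constructed sample traffic, not captured packets.
FRAG_NEEDED = Packet("icmp", "in", 60, icmptype=3)     # "fragmentation needed", used by PMTUD
UDP_PROBE = Packet("udp", "in", 1)                     # unix traceroute probe reaching its target
ECHO_PROBE = Packet("icmp", "in", 1, icmptype=8)       # echo-based traceroute probe
TIME_EXCEEDED = Packet("icmp", "in", 50, icmptype=11)  # answer to a traceroute we ran ourselves

def compare(pkt):
    """(verdict of the quoted rules, verdict of the TTL-dropping rules) for one packet."""
    return verdict(BLOCK_ALL_INBOUND_ICMP, pkt), verdict(DROP_TTL_ONE, pkt)
```

The quoted rule set denies the PMTUD and time-exceeded messages while letting the UDP probe through, whereas the TTL-dropping set does the reverse; note that a TTL 1 drop also discards any legitimate link-local traffic sent with TTL 1.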


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010622222857.K5703-100000>