From owner-freebsd-questions Fri Jun 22 18:43: 4 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108]) by hub.freebsd.org (Postfix) with ESMTP id 61C0737B401 for ; Fri, 22 Jun 2001 18:42:59 -0700 (PDT) (envelope-from fgleiser@cactus.fi.uba.ar)
Received: from cactus.fi.uba.ar (cactus.fi.uba.ar [157.92.49.108]) by cactus.fi.uba.ar (8.11.3/8.9.3) with ESMTP id f5N1fkM06212; Fri, 22 Jun 2001 22:41:47 -0300 (ART) (envelope-from fgleiser@cactus.fi.uba.ar)
Date: Fri, 22 Jun 2001 22:41:46 -0300 (ART)
From: Fernando Gleiser
To: Ryan Masse
Cc: Lawrence Sica , FreeBSD-Questions
Subject: Re: disable traceroute to my host
In-Reply-To: <00a201c0fb75$b7f4e800$3200a8c0@Home>
Message-ID: <20010622222857.K5703-100000@cactus.fi.uba.ar>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Don't block all icmp. icmp is an integral part of tcp/ip. If you block all
icmp, you'll break things (path MTU discovery, for example). Look at the
archives for more examples of why you should not block all icmp.

Besides, that won't stop traceroutes originated on a unix box, because unix
traceroute uses udp by default (it can use any of tcp, udp or icmp).

To stop traceroutes directed at you, you need to drop packets with ttl=1.

Fer

On Fri, 22 Jun 2001, Ryan Masse wrote:

> man ipfw and read up on icmptypes. you may wanna do something like the
> following;
>
> ipfw add allow icmp from any to any out via $interface
> ipfw add allow icmp from any to any in via $interface icmptype 0
> ipfw add deny icmp from any to any in via $interface
>
> this will break various aspects of the icmp protocol but it will allow for
> all echo responses generated from the inside to be received back through the
> firewall. Again this may or may not work in your attempts to deny a
> traceroute.
>
> Ryan
>
> > --On Friday, June 22, 2001 4:02 PM -0700 Kris Anderson
> > wrote:
> >
> > > Now, if anybody knows of a subtler way to allow ICMP out and back
> > > in, but keep any externals from coming in I certainly am one who would
> > > like to know.
> >
> > man 8 ipfw
> >
> > If you search for icmp you'll find the listing on icmptypes. You can
> > specify what icmp to block and let through...
> >
> > --Larry
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
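The three approaches discussed in this thread, as a small added Python model that is not code from the thread or from ipfw: first-match rule lists (evaluated the way ipfw walks its chain) run against constructed sample packets. The `Packet` fields, the policy names and the third ruleset, which combines Fernando's ttl=1 drop with a narrow allow list of ICMP types 0, 3 and 11, are my assumptions, not rules anyone posted.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed model of a host packet filter (not ipfw): first-match rule lists
# compared against sample packets. Names and fields are assumptions.
@dataclass(frozen=True)
class Packet:
    proto: str                      # "icmp", "udp" or "tcp"
    direction: str                  # "in" or "out" on the external interface
    ttl: int                        # TTL as the packet arrives
    icmptype: Optional[int] = None  # ICMP type, only for proto == "icmp"
Rule = Tuple[str, Callable[[Packet], bool]]  # ("allow" | "deny", matcher)
def evaluate(rules: List[Rule], pkt: Packet) -> str:
    # First matching rule wins, as in ipfw; unmatched traffic falls through.
    for action, match in rules:
        if match(pkt):
            return action
    return "allow"
def icmp_in(p: Packet) -> bool:
    return p.proto == "icmp" and p.direction == "in"
POLICIES: Dict[str, List[Rule]] = {
    # What Fernando warns against: every ICMP message dropped.
    "block_all_icmp": [("deny", lambda p: p.proto == "icmp")],
    # Ryan's three ipfw rules: ICMP out, only echo replies (type 0) back in.
    "ryan_icmptype": [
        ("allow", lambda p: p.proto == "icmp" and p.direction == "out"),
        ("allow", lambda p: icmp_in(p) and p.icmptype == 0),
        ("deny", icmp_in),
    ],
    # Fernando's ttl=1 drop plus the ICMP types PMTU discovery and error reporting
    # need (0 echo reply, 3 unreachable incl. frag-needed, 11 time exceeded). Assumed.
    "ttl1_and_types": [
        ("deny", lambda p: p.direction == "in" and p.ttl == 1),
        ("allow", lambda p: icmp_in(p) and p.icmptype in (0, 3, 11)),
        ("deny", icmp_in),
    ],
}
# Constructed sample traffic arriving on the external interface.
SAMPLES: Dict[str, Packet] = {
    "udp_traceroute_probe": Packet("udp", "in", ttl=1),  # unix traceroute default
    "icmp_traceroute_probe": Packet("icmp", "in", ttl=1, icmptype=8),
    "frag_needed_from_router": Packet("icmp", "in", ttl=54, icmptype=3),
    "reply_to_our_ping": Packet("icmp", "in", ttl=54, icmptype=0),
    "external_ping_request": Packet("icmp", "in", ttl=54, icmptype=8),
}
def compare() -> Dict[str, Dict[str, str]]:
    # policy name -> sample name -> "allow" / "deny"
    return {name: {label: evaluate(rules, pkt) for label, pkt in SAMPLES.items()}
            for name, rules in POLICIES.items()}
```

Running `compare()` shows that blocking all ICMP still lets the UDP probe through while dropping the fragmentation-needed message, and that only the ttl=1 rule stops both probes while keeping PMTU discovery and our own ping replies working.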