From owner-freebsd-security Sun Nov 26 14:00:40 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id D3AF237B479; Sun, 26 Nov 2000 14:00:37 -0800 (PST)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Sun, 26 Nov 2000 13:59:05 -0800
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id eAQM0Y871333; Sun, 26 Nov 2000 14:00:34 -0800 (PST) (envelope-from cjc)
Date: Sun, 26 Nov 2000 14:00:33 -0800
From: "Crist J . Clark"
To: Doug Barton
Cc: Nuno Teixeira, freebsd-security@FreeBSD.ORG
Subject: Re: NATD: failed to write packet back (Permission denied)
Message-ID: <20001126140033.E70192@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <001701c057c4$1e1ac010$0200a8c0@n2> <20001126110756.C34151@149.211.6.64.reflexcom.com> <000b01c057dd$f9423ab0$0200a8c0@n2> <20001126113720.A70192@149.211.6.64.reflexcom.com> <3A2183E7.6039C582@FreeBSD.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <3A2183E7.6039C582@FreeBSD.org>; from DougB@FreeBSD.ORG on Sun, Nov 26, 2000 at 01:43:03PM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Nov 26, 2000 at 01:43:03PM -0800, Doug Barton wrote:
> "Crist J . Clark" wrote:
> > 
> > On Sun, Nov 26, 2000 at 07:20:41PM -0000, Nuno Teixeira wrote:
> > > Hi,
> > > 
> > > I think not. Can you tell me how to add this rule to my ruleset?
> > 
> > The two rules needed to get UNIX-style traceroutes to work are,
> > 
> >   ${fwcmd} add allow udp from any to any 33434-33474 out via ${oif}
> 
> 	When I do a traceroute from a freebsd machine outside my firewall to the
> firewall machine, I see this:
> 
> ipfw: 1200 Deny UDP :38575 :33468 in via ep0
> 
> ipfw: 1200 Deny UDP :38597 :33477 in via ep0
> ipfw: 1200 Deny UDP :38597 :33478 in via ep0
> ipfw: 1200 Deny UDP :38597 :33479 in via ep0
> 
> 	Which supports what I've been told that unix traceroute uses udp
> packets. It sounds like in order to allow traceroutes through the
> firewall you have to open up a pretty big hole for udp...

But if you want to traceroute other people, you only need to let the UDP
_out_ and the ICMP types 11 and 3 in (11:0 and 3:3 to be precise).

As for how it works, read the manpage,

     This program attempts to trace the route an IP packet would follow to
     some internet host by launching UDP probe packets with a small ttl
     (time to live) then listening for an ICMP "time exceeded" reply from a
     gateway. We start our probes with a ttl of one and increase by one
     until we get an ICMP "port unreachable" (which means we got to "host")
     or hit a max (which defaults to 30 hops & can be changed with the -m
     flag).

As for people tracerouting you, blocking the usual UNIX-style (the one
we've been discussing) or M$-style (using pings rather than UDP) is not too
tough. However, if you let any traffic into your network (and what's the
point of connecting to the 'Net if you don't), it is extremely difficult to
stop people from tracerouting you by other means. If you want to let people
traceroute your net, yeah, you need to make a pretty big hole... but if you
want to let people traceroute you, you apparently are interested in giving
out a lot of information anyway.
-- 
Crist J. Clark                                cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
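An added example, not code from the thread or from FreeBSD: a small Python model of the exchange the manpage excerpt describes (UDP probes with increasing TTL, ICMP "time exceeded" 11:0 from each gateway, ICMP "port unreachable" 3:3 from the destination) run through an ipfw-like first-match ruleset, so the "UDP out, ICMP 11:0 and 3:3 in" advice above can be checked against a simulated path. The host names (inside, outside, gw1, gw2, target), the path, the Packet/Rule model and its (type, code) matching are all constructed for the example; the port range 33434-33474 is the one from the rule quoted in the thread.

```python
"""Model of what a UNIX-style traceroute needs through a stateless packet filter.

Added example, not code from the mailing-list thread. It simulates the exchange
traceroute(8) describes (UDP probes with increasing TTL, ICMP "time exceeded"
11/0 from each gateway, ICMP "port unreachable" 3/3 from the destination) and
runs every packet through an ipfw-like first-match ruleset.
Host names, the path and the rule model are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# The port range from the rule quoted in the thread: 33434-33474.
TRACEROUTE_PORTS = range(33434, 33475)


@dataclass(frozen=True)
class Packet:
    proto: str                      # "udp" or "icmp"
    src: str
    dst: str
    direction: str                  # "in" or "out" on the firewall's outside interface
    dport: Optional[int] = None     # UDP destination port
    icmp: Optional[Tuple[int, int]] = None   # ICMP (type, code)
    ttl: int = 64


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: str                      # "udp", "icmp" or "any"
    direction: str                  # "in", "out" or "any"
    dports: Optional[range] = None  # UDP destination ports to match
    icmp: Optional[frozenset] = None  # (type, code) pairs to match (model; real ipfw syntax differs)

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("any", p.proto):
            return False
        if self.direction not in ("any", p.direction):
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        if self.icmp is not None and p.icmp not in self.icmp:
            return False
        return True


def filter_packet(rules: Sequence[Rule], p: Packet) -> bool:
    """First matching rule decides, as in ipfw; nothing matched means deny."""
    for r in rules:
        if r.matches(p):
            return r.action == "allow"
    return False


# What the reply recommends for tracerouting *others*: UDP probes out,
# ICMP 11:0 and 3:3 back in, everything else denied.
OUTBOUND_TRACEROUTE_RULES = [
    Rule("allow", "udp", "out", dports=TRACEROUTE_PORTS),
    Rule("allow", "icmp", "in", icmp=frozenset({(11, 0), (3, 3)})),
    Rule("deny", "any", "any"),
]

# The UDP rule alone: probes get out, but the replies are dropped.
UDP_ONLY_RULES = [
    Rule("allow", "udp", "out", dports=TRACEROUTE_PORTS),
    Rule("deny", "any", "any"),
]


def run_traceroute(rules: Sequence[Rule], path: Sequence[str], max_hops: int = 30) -> List[str]:
    """Trace from "inside" the firewall to path[-1]; path lists each gateway in order, target last.

    Simplified to one probe per hop, destination port starting at 33434 and
    rising by one per hop (real traceroute sends three probes per hop and bumps
    the port on every probe, so its ports climb faster).
    Returns the replier seen at each hop, '*' where the probe or reply was filtered.
    """
    seen: List[str] = []
    for ttl in range(1, max_hops + 1):
        probe = Packet("udp", "inside", path[-1], "out", dport=33434 + ttl - 1, ttl=ttl)
        if not filter_packet(rules, probe):
            seen.append("*")            # probe never left the firewall
            continue
        if ttl < len(path):
            replier, kind = path[ttl - 1], (11, 0)   # TTL expired at a gateway
        else:
            replier, kind = path[-1], (3, 3)         # target: nothing listens on that port
        reply = Packet("icmp", replier, "inside", "in", icmp=kind)
        if not filter_packet(rules, reply):
            seen.append("*")            # reply dropped on the way back in
            continue
        seen.append(replier)
        if kind == (3, 3):
            break                       # "port unreachable" means we reached the host
    return seen


def inbound_probe_allowed(rules: Sequence[Rule], dport: int) -> bool:
    """Would a UDP probe from someone outside tracerouting *us* get through?"""
    return filter_packet(rules, Packet("udp", "outside", "firewall", "in", dport=dport, ttl=1))


if __name__ == "__main__":
    path = ["gw1", "gw2", "target"]
    print("udp out + icmp in:", run_traceroute(OUTBOUND_TRACEROUTE_RULES, path))
    print("udp out only:     ", run_traceroute(UDP_ONLY_RULES, path))
    print("probe from outside to :33468 allowed?",
          inbound_probe_allowed(OUTBOUND_TRACEROUTE_RULES, 33468))
```

With the UDP rule plus the ICMP 11:0/3:3 rule the simulated trace lists every gateway and stops at the target; with the UDP rule alone every probe leaves but every reply is dropped, so the trace shows nothing but "*" until the hop limit. An inbound probe to port 33468, like the ones in the log above, is denied by the same ruleset, since the only UDP rule is for the outbound direction. Note also that a probe to 33477 falls outside 33434-33474, so the quoted outbound rule would not let such a probe out either; a trace with more hops than that range covers needs a wider range.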