Date:      Sun, 26 Nov 2000 14:00:33 -0800
From:      "Crist J . Clark" <cjclark@reflexnet.net>
To:        Doug Barton <DougB@FreeBSD.ORG>
Cc:        Nuno Teixeira <nuno.teixeira@pt-quorum.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: NATD: failed to write packet back (Permission denied)
Message-ID:  <20001126140033.E70192@149.211.6.64.reflexcom.com>
In-Reply-To: <3A2183E7.6039C582@FreeBSD.org>; from DougB@FreeBSD.ORG on Sun, Nov 26, 2000 at 01:43:03PM -0800
References:  <001701c057c4$1e1ac010$0200a8c0@n2> <20001126110756.C34151@149.211.6.64.reflexcom.com> <000b01c057dd$f9423ab0$0200a8c0@n2> <20001126113720.A70192@149.211.6.64.reflexcom.com> <3A2183E7.6039C582@FreeBSD.org>

On Sun, Nov 26, 2000 at 01:43:03PM -0800, Doug Barton wrote:
> "Crist J . Clark" wrote:
> > 
> > On Sun, Nov 26, 2000 at 07:20:41PM -0000, Nuno Teixeira wrote:
> > > Hi,
> > >
> > > I think not. Can you tell me how to add this rule to my ruleset?
> > 
> > The two rules needed to get UNIX-style traceroutes to work are,
> > 
> >   ${fwcmd} add allow  udp from any to any 33434-33474  out via ${oif}
> 
> When I do a traceroute from a freebsd machine outside my firewall to the
> firewall machine, I see this:
> 
> ipfw: 1200 Deny UDP <outside machine>:38575 <firewall>:33468 in via ep0
> 
> ipfw: 1200 Deny UDP <outside machine>:38597 <firewall>:33477 in via ep0
> ipfw: 1200 Deny UDP <outside machine>:38597 <firewall>:33478 in via ep0
> ipfw: 1200 Deny UDP <outside machine>:38597 <firewall>:33479 in via ep0
> 
> Which supports what I've been told that unix traceroute uses udp
> packets. It sounds like in order to allow traceroutes through the
> firewall you have to open up a pretty big hole for udp...

But if you want to traceroute other people, you only need to let the
UDP _out_ and the ICMP types 11 and 3 in (11:0 and 3:3 to be precise).

As for how it works, read the manpage,

       This  program  attempts  to  trace  the route an IP packet
       would follow to some internet host by launching UDP  probe
       packets with a small ttl (time to live) then listening for
       an ICMP "time exceeded" reply from a  gateway.   We  start
       our  probes with a ttl of one and increase by one until we
       get an ICMP "port unreachable"  (which  means  we  got  to
       "host")  or  hit a max (which defaults to 30 hops & can be
       changed with the -m flag).

As for people tracerouting you, blocking the usual UNIX-style (the
one we've been discussing) or M$-style (using pings rather than UDP)
is not too tough. However, if you let any traffic into your network
(and what's the point of connecting to the 'Net if you don't), it is
extremely difficult to stop people from tracerouting you by other
means.

If you want to let people traceroute your net, yeah, you need to make
a pretty big hole... but if you want to let people traceroute you,
you apparently are interested in giving out a lot of information
anyway.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
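The ipfw log lines quoted above and the probe mechanism from the manpage, as an added example that is not part of the thread: a small Python parser for ipfw's log format that flags UDP probes to traceroute's destination ports and groups them per source. It assumes the full default probe range (about 90 probes upward from 33434) rather than the 33434-33474 range in the quoted rule, and the sample log lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Classic UNIX traceroute sends one UDP probe per (hop, probe) pair to port
# 33434 + sequence number. With the default 30 hops and 3 probes per hop that
# is about 90 probes, so the last ports land around 33434 + 90 (assumption:
# full default run, wider than the 33434-33474 range quoted in the thread).
TRACEROUTE_BASE_PORT = 33434
TRACEROUTE_MAX_PORT = TRACEROUTE_BASE_PORT + 30 * 3

# Matches the ipfw log format quoted in the thread, e.g.
# "ipfw: 1200 Deny UDP 192.0.2.10:38597 198.51.100.1:33478 in via ep0"
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_ipfw_line(line):
    """Return a dict of fields for one ipfw log line, or None if it does not match."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def is_traceroute_probe(rec):
    """True if the record looks like a UNIX-style traceroute UDP probe."""
    return (rec["proto"] == "UDP"
            and TRACEROUTE_BASE_PORT <= rec["dport"] <= TRACEROUTE_MAX_PORT)


def traceroute_sources(lines):
    """Group probe destination ports by (src, dst), keeping sources with >= 2 probes."""
    probes = defaultdict(list)
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec and is_traceroute_probe(rec):
            probes[(rec["src"], rec["dst"])].append(rec["dport"])
    return {pair: ports for pair, ports in probes.items() if len(ports) >= 2}


# Constructed sample log lines in the thread's format (RFC 5737 addresses stand
# in for the real hosts). The DNS and TCP lines are included as non-matches.
SAMPLE_LOG = [
    "ipfw: 1200 Deny UDP 192.0.2.10:38575 198.51.100.1:33468 in via ep0",
    "ipfw: 1200 Deny UDP 192.0.2.10:38597 198.51.100.1:33477 in via ep0",
    "ipfw: 1200 Deny UDP 192.0.2.10:38597 198.51.100.1:33478 in via ep0",
    "ipfw: 1200 Deny UDP 192.0.2.10:38597 198.51.100.1:33479 in via ep0",
    "ipfw: 1200 Deny UDP 192.0.2.77:5353 198.51.100.1:53 in via ep0",
    "ipfw: 1300 Deny TCP 192.0.2.99:4444 198.51.100.1:33440 in via ep0",
]
```

Run `traceroute_sources(SAMPLE_LOG)` to see the single probing source with its four destination ports; ports 33477-33479 would be missed by a check limited to 33434-33474.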

