
List:       linux-ipchains
Subject:    [ipchains] Re: Good DENY statement to kill Ping & Traceroute?
From:       Keith Owens <kaos () ocs ! com ! au>
Date:       1999-04-25 22:06:13

On Sun, 25 Apr 1999 12:17:59 -0500, 
Thomas Munn <munn@bigfoot.com> wrote:
>I have added this line to block what I think to be incoming echo requests
>for ping and Traceroute.  It looks like it blocks ping, but traceroute
>manages to "hop" to my machine.  How can I stop traceroute (only coming in?)

You cannot, at least not in such a way that you can guarantee it won't
impact anything else.

Traceroute for Windoze uses ping but the rest of the world uses UDP
with high port numbers.  The UDP port numbers depend on the sending OS,
the sending task and sometimes the number of hops between you and the
sender.  If you know all the UDP ports that you want to service,
including DNS, portmap, games, Real Audio and all the other streaming
protocols then you can block all UDP except the ones you want.  That
will stop traceroute that uses UDP.  But next week another streaming
product will use another UDP port :(.

Alternatively you can block the response to traceroute.  Your system
sends out ICMP "port unreachable" in response to the UDP packets to
your firewall and ICMP "time exceeded in-transit" for probes to
machines behind your firewall.  It is easy enough to block these
outgoing ICMP packets but that has nasty side effects.  Real TCP/IP
relies on these responses to quickly shut down sessions to non-existent
services and to detect routing loops.  Blocking outgoing ICMP has to be
done with extreme care.

----------------------------------------------
To unsubscribe to this list, write an email to
ipchains-request@rustcorp.com with a body of
'unsubscribe'.

www.rustcorp.com - web site
ftp.rustcorp.com - ftp site

Mail Archives:
http://ww.rustcorp.com/archives
http://www.progressive-comp.com/Lists/?l=linux-ipchains&r=1&w=2#linux-ipchains
----------------------------------------------
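The two approaches Keith describes (deny inbound UDP except known services, or deny the outgoing ICMP replies) and the side effect he warns about can be compared in a small model. The following is an added illustration written for this archive page, not code from the thread or from the ipchains project: it simulates UDP traceroute probes crossing a plain router (`r1`), a firewall host (`fw`) and a machine behind it (`inner`), with each firewall policy standing in for the corresponding ipchains rule set. The hop names, port sets and the ordering assumption (the input chain is evaluated before the TTL check, so a denied probe never produces "time exceeded") are constructed for the model.

```python
"""Model of UDP traceroute against a packet filter (constructed simulation)."""
from dataclasses import dataclass, field
from typing import Optional

TRACEROUTE_BASE_PORT = 33434  # Unix traceroute starts its UDP probes here
TIMEOUT = "*"                 # what traceroute prints when no reply arrives


@dataclass
class Policy:
    """Filter policy on one host; defaults mean 'no filtering'."""
    allowed_udp_in: Optional[set] = None          # None = accept all inbound UDP
    blocked_icmp_out: set = field(default_factory=set)  # e.g. {"port-unreachable"}

    def accepts_udp_in(self, dport):
        return self.allowed_udp_in is None or dport in self.allowed_udp_in

    def accepts_icmp_out(self, icmp_type):
        return icmp_type not in self.blocked_icmp_out


@dataclass
class Hop:
    name: str
    udp_listeners: set = field(default_factory=set)   # ports with a real service
    policy: Policy = field(default_factory=Policy)


def reply(path, i, icmp_type):
    """ICMP from path[i] must pass the output/forward policy of path[i] and of
    every hop on the way back to the sender; any block means silence."""
    for h in reversed(path[: i + 1]):
        if not h.policy.accepts_icmp_out(icmp_type):
            return TIMEOUT
    return f"{path[i].name} {icmp_type}"


def probe(path, dest_index, ttl, dport):
    """One UDP probe toward path[dest_index]; returns what traceroute prints."""
    for i, hop in enumerate(path):
        # Assumption of the model: input filtering happens before the TTL check,
        # so a denied probe never triggers "time exceeded" from this hop.
        if not hop.policy.accepts_udp_in(dport):
            return TIMEOUT
        ttl -= 1
        if i == dest_index:
            if dport in hop.udp_listeners:
                return TIMEOUT            # a real service took it, no ICMP
            return reply(path, i, "port-unreachable")
        if ttl == 0:
            return reply(path, i, "time-exceeded")
    return TIMEOUT


def traceroute(path, dest_index, max_hops=8):
    """Probe with TTL 1, 2, ... until the destination answers port-unreachable."""
    lines = []
    for ttl in range(1, max_hops + 1):
        line = probe(path, dest_index, ttl, TRACEROUTE_BASE_PORT + ttl - 1)
        lines.append(line)
        if line.endswith("port-unreachable"):
            break
    return lines


def udp_client_to_closed_port(path, dest_index, dport):
    """A legitimate client hitting a port with no listener: ICMP port-unreachable
    lets it fail fast; without it the client sits out its own timeout."""
    line = probe(path, dest_index, ttl=64, dport=dport)
    return "fast-fail" if line.endswith("port-unreachable") else "timeout"


# Constructed topology: fw serves DNS on 53 and permits NTP (123) inbound but
# runs no NTP daemon, so 123 is an allowed-yet-closed port.
def build_path(fw_policy):
    return [Hop("r1"), Hop("fw", udp_listeners={53}, policy=fw_policy), Hop("inner")]


SCENARIOS = {
    "open": Policy(),
    "deny-udp-except-services": Policy(allowed_udp_in={53, 123}),
    "deny-icmp-out": Policy(blocked_icmp_out={"port-unreachable", "time-exceeded"}),
}


def run(scenario):
    path = build_path(SCENARIOS[scenario])
    return {
        "trace_to_fw": traceroute(path, 1),
        "trace_to_inner": traceroute(path, 2),
        "client_to_closed_port": udp_client_to_closed_port(path, 1, 123),
    }


if __name__ == "__main__":
    for name in SCENARIOS:
        print(name, run(name))
```

Both filtering policies hide `fw` and `inner` from the trace, but only the UDP-port policy leaves the ICMP port-unreachable path intact for the services you do allow; with outgoing ICMP denied, the client talking to the closed port falls back to a timeout, which is the side effect the message warns about.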
