Hello, suse-security.
can i block traceroutes TO my host with ipchains?
Monday, January 22, 2001
--
vladimir m. bondarev, icq uin: 62393277
paradox team web: http://scene.org.ru
"vladimir m. bondarev" wrote:
Hello, suse-security.
can i block traceroutes TO my host with ipchains?
Hi,
this is not the nicest way, but will work:
    ipchains -A output ! --source local_network --destination 0.0.0.0/0 -p ICMP -j DENY
bye
-- Carlos Manuel Duclos Vergara carlos@embedded.cl http://www.embedded.cl
Yes... but you need to be aware that traceroutes are typically done with UDP packets bound for high ports, or ICMP echo requests. So you have two protocols to deal with.
- Herman
On Mon, 22 Jan 2001, vladimir m. bondarev wrote:
->>Hello, suse-security.
->>
->> can i block traceroutes TO my host with ipchains?
Hello, Herman.
Monday, January 22, 2001, 21:18:22, you wrote to me:
HK> Yes... but you need to be aware that traceroutes are typically done with
HK> UDP packets bound for high ports, or ICMP echo requests. So you have two
HK> protocols to deal with.
i've blocked echo requests. what do i need to block else?
Monday, January 22, 2001
--
vladimir m. bondarev, icq uin: 62393277
paradox team web: http://scene.org.ru
On Mon, 22 Jan 2001 20:56:08 +0300, "vladimir m. bondarev"
Hello, suse-security.
can i block traceroutes TO my host with ipchains?
Why? Any traceroute will still show every router hop leading to you. You can't hide on the Internet. Traceroutes serve a very useful purpose. It's not good citizenship to try blocking them.
Why?
Any traceroute will still show every router hop leading to you. You can't hide on the Internet.
Traceroutes serve a very useful purpose. It's not good citizenship to try blocking them.
I disagree strongly. The local university blocks them (ICMP ones anyways) at their perimeter, so you can't map out the internal network so easily. Why is this being bad? I'd say it's a good neighbour policy, makes them a little harder to break into (and thus be used to attack me). It's not like you can do anything to FIX the problem when you see one nowadays (hell, good luck even figuring out who to contact).
-Kurt
Why?
Any traceroute will still show every router hop leading to you. You can't hide on the Internet.
Traceroutes serve a very useful purpose. It's not good citizenship to try blocking them.
I disagree strongly. The local university blocks them (ICMP ones anyways) at their perimeter, so you can't map out the internal network so easily. Why is this being bad? I'd say it's a good neighbour policy, makes them a little harder to break into (and thus be used to attack me). It's not like you can do anything to FIX the problem when you see one nowadays (hell, good luck even figuring out who to contact).
-Kurt
A small addition: blocking internal network mapping with some certain
rules is fine, but blocking ICMPs is not. It breaks things (such as PMTU
discovery) and causes more grief than anything else. Filter ICMPs by their
subtype rather than all of them.
This has been discussed on security mailing list so many times now...
Thanks,
Roman.
--
Roman Drahtmüller
Explain exactly how it makes it harder for [hacker] to hack you. It doesn't. All blocking ICMP/Traceroute does is break useful network services. If [hacker] knows your IP address and wants to hack you, blocking traceroute will not stop them.
-miah
On Mon, Jan 22, 2001 at 04:03:14PM -0700, Kurt Seifried wrote:
Why?
Any traceroute will still show every router hop leading to you. You can't hide on the Internet.
Traceroutes serve a very useful purpose. It's not good citizenship to try blocking them.
I disagree strongly. The local university blocks them (ICMP ones anyways) at their perimeter, so you can't map out the internal network so easily. Why is this being bad? I'd say it's a good neighbour policy, makes them a little harder to break into (and thus be used to attack me). It's not like you can do anything to FIX the problem when you see one nowadays (hell, good luck even figuring out who to contact).
-Kurt
One thing that it does stop is the ability to map out a network. If a hacker only has one ip address, they may not know the central computer's ip. Therefore if you map out the network, you can find the most crucial node and knock it out. Blocking traceroute will not prevent this, but it will close one option.
michael
On Mon, 22 Jan 2001, Jeremiah Johnson wrote:
Explain exactly how it makes it harder for [hacker] to hack you. It doesn't. All blocking ICMP/Traceroute does is break useful network services. If [hacker] knows your IP address and wants to hack you blocking traceroute will not stop them.
-miah
Hello, suse-security.
thank you for your answers. the situation is that i want to hide my router. it doesn't reply to pings and all ports are closed with -j REJECT (so everyone gets "connection timed out"). one thing that can show that host is alive is traceroute. now i'm thinking how to block it too :)
Tuesday, January 23, 2001
--
vladimir m. bondarev, icq uin: 62393277
paradox team web: http://scene.org.ru
On Tue, Jan 23, 2001 at 07:27 +0300, vladimir m. bondarev wrote:
the situation is that i want to hide my router. it doesn't reply to pings and all ports are closed with -j REJECT (so everyone gets "connection timed out"). one thing that can show that host is alive is traceroute. now i'm thinking how to block it too :)
That's just a different way of saying "I want this machine to be a bridge". :) And no, a bridge doesn't keep you from filtering what goes through. At least for the UNIX-PC case we're talking about.
Maybe you don't want a router?
virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
Hi,
thank you for your answers. the situation is that i want to hide my router. it doesn't reply to pings and all ports are closed with -j REJECT (so everyone gets "connection timed out"). one thing that can
Being pedantic: REJECT gives Unreachable and DENY gives Timed Out.
show that host is alive is traceroute. now i'm thinking how to block it too :)
I will not repeat it here, but there is a thread currently running on that topic.
John
On Tue, 23 Jan 2001, vladimir m. bondarev wrote:
Hello, suse-security.
thank you for your answers. the situation is that i want to hide my router. it doesn't reply to pings and all ports are closed with -j REJECT (so everyone gets "connection timed out").
I think you want -j DENY
Reading from 'man ipchains':
    ACCEPT means to let the packet through. DENY means to drop the packet on the floor. REJECT means the same as drop, but is more polite and easier to debug, since an ICMP message is sent back to the sender indicating that the packet was dropped.
one thing that can show that host is alive is traceroute. now i'm thinking how to block it too :)
Here's how marc blocks traceroute in SuSEfirewall (line 571):
    $IPCHAINS -A output -j "$DENY" -p icmp -s $i 11 $LDC # Time exceeded
    $IPCHAINS -A output -j "$DENY" -p icmp -s $i --icmp-type port-unreachable
It just so happens I've been looking at that section of code lately... ;-)
--
Rick Green
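Added example (not from any poster and not SuSEfirewall code): a small Python model of first-match filtering on the output chain, comparing a blanket ICMP deny with the two subtype rules quoted above, in light of Roman's advice to filter by subtype. The rule tuples, sample messages and function names are assumptions made for the illustration.

```python
# Added illustration: first-match evaluation of outgoing ICMP, ipchains-style.
# Rule tuples and sample packets are constructed; they are not SuSEfirewall code.

# Outgoing ICMP a router/host may emit, as (type, code) per RFC 792 / RFC 1191.
SAMPLES = {
    "time-exceeded":    (11, 0),  # sent when a traceroute probe's TTL expires here
    "port-unreachable": (3, 3),   # final answer to a UDP traceroute probe
    "echo-reply":       (0, 0),   # final answer to an ICMP-echo traceroute probe
    "frag-needed":      (3, 4),   # required for path MTU discovery
}

# A rule is (icmp_type, icmp_code, target); None matches any value.
BLANKET = [(None, None, "DENY")]      # deny every outgoing ICMP message
BY_SUBTYPE = [
    (11, None, "DENY"),               # like "-p icmp -s $i 11": time exceeded
    (3, 3, "DENY"),                   # like "--icmp-type port-unreachable"
]


def verdict(rules, icmp, policy="ACCEPT"):
    """Return the target of the first matching rule, else the chain policy."""
    icmp_type, icmp_code = icmp
    for rule_type, rule_code, target in rules:
        if rule_type is not None and rule_type != icmp_type:
            continue
        if rule_code is not None and rule_code != icmp_code:
            continue
        return target
    return policy


def report(rules):
    """Map each sample message name to the verdict it gets under `rules`."""
    return {name: verdict(rules, icmp) for name, icmp in SAMPLES.items()}


if __name__ == "__main__":
    for label, rules in (("blanket", BLANKET), ("by subtype", BY_SUBTYPE)):
        print(label)
        for name, result in report(rules).items():
            print(f"  {name:17} {result}")
```

Under the subtype rules frag-needed still leaves the host, so PMTU discovery keeps working, while the blanket rule drops it. Echo-reply is also still accepted by the subtype rules, so echo has to be filtered separately, which matches Herman's remark about two protocols.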
Hello, Rick. Wednesday, January 24, 2001, 8:00:32, you wrote to me:
thank you for your answers. the situation is that i want to hide my router. it doesn't reply to pings and all ports are closed with -j REJECT (so everyone gets "connection timed out").
RG> I think you want -j DENY
i can use -j DENY, but i have return-rst installed and when i do -j DENY it sends "connection refused". Maybe I'll upgrade to 2.4 and use iptables.
Wednesday, January 24, 2001
--
vladimir m. bondarev, icq uin: 62393277
paradox team web: http://scene.org.ru
participants (11)
- Carlos Manuel Duclos Vergara
- Egan
- Gerhard Sittig
- Herman Knief
- Jeremiah Johnson
- John Trickey
- Kurt Seifried
- Michael Chletsos
- Rick Green
- Roman Drahtmueller
- vladimir m. bondarev