Re: ipchains

Yo Greego!

On Sat, 4 Nov 2000, greego barooke wrote:

> can you help me on how to set up rules that will accept all types of icmp
> packets except traceroute type icmp packets (---means traceroute will
> be disabled) using ipchains.

If you allow any ICMP you can stop the casual traceroute but not
the hacker.  There are just too many ways to do traceroute.

First get the source and see that the usual traceroute
sends a UDP packet, not an ICMP packet!  In order to allow
parallel traces many traceroutes will send packets to random UDP
ports above 33,000.  Block those and you block most honest
traceroutes.   Almost all traceroutes let you select any UDP
port so you really have to block them all to be effective.

Some traceroutes let you use any TCP port.  Block them all and
you will be really safe.   Your network connection will be
almost useless, but hey, you will be really secure.

Now that you are with me that you can not stop the inbound
traceroute packet...

When the TTL on any inbound packet is exceeded the routers along
the path will reply with ICMP Time To Live Exceeded packets.  Block
those and you will block most honest traceroutes.

You have now made your network impossible to monitor and repair,
external users will complain that you are down because they can
not traceroute to you, but what the hey, you will feel really
secure because you have blocked the honest people.

Firewalk, and other hacker tools will still work on any open
ports on the firewall, but who cares about real hackers anyway?

Path discovery also uses ICMP, so block that too.  It gives the
hacker a good trace of your network as well.  Any web
site using a non-standard MTU or any VPN that you wish to use
will now be non-functional.  So you will be very safe...

Better yet, just unplug your host from the internet.  Then you
only have to worry about traditional burglars!

Do not be confused by RFC1393 traceroute that I have never seen
in practice.  It uses an ICMP ECHO packet with special options
out and expects an ICMP Traceroute (type 30) in response.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
	gem@rellim.com  Tel:+1(541)382-8588 Fax: +1(541)382-8676
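Gary's point is that no port- or protocol-based rule catches every traceroute, because the one thing every variant shares is a run of probes with small, incrementing TTLs. The following is an added example (not code from Gary's mail or from ipchains) that turns that observation into detection logic: it parses constructed packet log lines, flags the per-packet signatures he names (UDP to the classic traceroute port range, ICMP Time Exceeded replies, RFC 1393 type 30) and separately looks for TTL walks per source/destination pair, which also catches the TCP-to-port-80 variant the port rule misses. The log format, the `LOW_TTL` threshold and all addresses are assumptions made for the example; the 33434 base port is the default of the classic Unix traceroute.

```python
"""Flag traceroute-style probing in constructed packet logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Classic Unix traceroute sends UDP to ports starting at 33434, one per probe.
TRACEROUTE_UDP_LOW, TRACEROUTE_UDP_HIGH = 33434, 33534
ICMP_TIME_EXCEEDED = 11   # the replies routers send when the TTL runs out
ICMP_TRACEROUTE = 30      # RFC 1393 traceroute, rarely seen in practice
LOW_TTL = 30              # assumed threshold; OS defaults are 64, 128 or 255

# Constructed log lines: a UDP traceroute, a TCP "traceroute" to port 80,
# an ordinary HTTPS client, an RFC 1393 probe and a Time Exceeded reply.
SAMPLE_LOG = """\
proto=udp src=203.0.113.7 dst=198.51.100.5 dport=33434 ttl=1
proto=udp src=203.0.113.7 dst=198.51.100.5 dport=33435 ttl=2
proto=udp src=203.0.113.7 dst=198.51.100.5 dport=33436 ttl=3
proto=tcp src=203.0.113.9 dst=198.51.100.5 dport=80 ttl=1
proto=tcp src=203.0.113.9 dst=198.51.100.5 dport=80 ttl=2
proto=tcp src=203.0.113.9 dst=198.51.100.5 dport=80 ttl=3
proto=tcp src=203.0.113.9 dst=198.51.100.5 dport=80 ttl=4
proto=tcp src=192.0.2.44 dst=198.51.100.5 dport=443 ttl=64
proto=icmp src=203.0.113.7 dst=198.51.100.5 type=30 ttl=64
proto=icmp src=198.51.100.1 dst=203.0.113.7 type=11 ttl=254
"""


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    ttl: int
    dport: int = 0
    icmp_type: int = -1


def parse_line(line: str) -> Packet:
    """Parse one 'key=value ...' log line (assumed format) into a Packet."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Packet(src=fields["src"], dst=fields["dst"], proto=fields["proto"],
                  ttl=int(fields["ttl"]), dport=int(fields.get("dport", 0)),
                  icmp_type=int(fields.get("type", -1)))


def classify(pkt: Packet) -> list:
    """Per-packet signatures from the mail; returns the (possibly empty) list of hits."""
    reasons = []
    if pkt.proto == "udp" and TRACEROUTE_UDP_LOW <= pkt.dport <= TRACEROUTE_UDP_HIGH:
        reasons.append("udp-traceroute-port")
    if pkt.proto == "icmp" and pkt.icmp_type == ICMP_TRACEROUTE:
        reasons.append("rfc1393-traceroute")
    if pkt.proto == "icmp" and pkt.icmp_type == ICMP_TIME_EXCEEDED:
        reasons.append("ttl-exceeded-reply")
    return reasons


def find_ttl_walks(packets, min_hops: int = 3) -> dict:
    """Per (src, dst), report the longest run of consecutive small TTLs.

    This is protocol-independent: UDP, TCP or ICMP probes all show it.
    """
    ttls = defaultdict(list)
    for p in packets:
        if p.ttl <= LOW_TTL and p.icmp_type != ICMP_TIME_EXCEEDED:
            ttls[(p.src, p.dst)].append(p.ttl)
    walks = {}
    for key, seq in ttls.items():
        uniq = sorted(set(seq))
        best = run = 1
        for a, b in zip(uniq, uniq[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= min_hops:
            walks[key] = best
    return walks


if __name__ == "__main__":
    pkts = [parse_line(line) for line in SAMPLE_LOG.splitlines()]
    for p in pkts:
        hits = classify(p)
        if hits:
            print(f"{p.src} -> {p.dst} {p.proto}: {', '.join(hits)}")
    for (src, dst), hops in find_ttl_walks(pkts).items():
        print(f"TTL walk of {hops} hops from {src} to {dst}")
```

Run against the sample, the port rule flags only the UDP probes and the ICMP packets, while the TTL walk finds both the UDP trace and the TCP trace to port 80 and ignores the normal client with TTL 64. That is the check worth alerting on if the goal is visibility rather than blocking: it costs no legitimate traffic, unlike the port and ICMP blocks the mail warns about.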



