To stop pinging and traceroute from outside (Fabrice MARIE)
Ian Jones
ian@dsl081-056-052.sfo1.dsl.speakeasy.net
Thu, 20 Dec 2001 11:24:22 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
"Darian Lanx" <nour@nour.net> writes:
> |> 1. Re: To stop pinging and traceroute from outside (Fabrice
> |> MARIE)
> |>
> |> You can drop incoming echo-requests to stop ping to your interface,
> |> and drop outgoing time-exceeded to drop reply to traceroute.
> Just a side note. Please do NOT drop time-exceeded packets if you are
> running services on the firewall or the firewall acts as a proxy to
> services running behind the firewall. The ICMP time-exceeded packet is
> crucial to proper function of daemon/client connections.
I think a better way of dealing with it is to use the TTL match to
DROP anything with TTL=1 at the firewall/router.
... -m ttl --ttl-eq 1 -j DROP
This will have the minor downside of a (very) few false positives, but
IMHO it is a better way to go.
It would still be possible to craft a mechanism whereby protected
hosts could be mapped, but the average traceroute would fail and only
report the hop prior to the firewall/router.
-----BEGIN PGP SIGNATURE-----
Comment: Keeping the world safe for geeks.
iD8DBQE8IjrmwBVKl/Nci0oRAk3NAKC5OMvBYjdVUClzp0EzRPFZqA2eBQCgll9w
RQRmhkjv/lV8afVx1hy4oWs=
=ftJ7
-----END PGP SIGNATURE-----
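The rule set below is an added example, not code posted in this thread. It puts Ian's TTL=1 drop into a small, stateful iptables script that keeps Darian's point intact: no rule anywhere drops outgoing time-exceeded, and incoming ICMP errors that belong to a connection the firewall or a LAN host started are still accepted as RELATED. The interface names (eth0 as WAN, eth1 as LAN) and the subnet 192.168.1.0/24 are assumptions; run it with the argument `apply` as root to install the rules, or with `IPT="echo iptables"` in the environment to see what it would do.

```shell
#!/bin/sh
# Added example (not from the original thread): drop TTL=1 probes arriving on
# the WAN side instead of dropping the firewall's own ICMP time-exceeded.
# Assumed (hypothetical) layout: WAN=eth0, LAN=eth1, LAN_NET=192.168.1.0/24.
set -eu

IPT="${IPT:-iptables}"            # IPT="echo iptables" gives a dry run
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

fw_apply() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -t mangle -F PREROUTING

    # The TTL=1 drop lives in mangle PREROUTING, not FORWARD: for a packet
    # that would be forwarded, the kernel notices the hop count is exhausted
    # and emits time-exceeded before the FORWARD chain is ever reached, so a
    # FORWARD rule would never see the probe. PREROUTING runs first for both
    # local and forwarded traffic. Restricting to $WAN keeps LAN-side
    # traceroutes to the firewall working. A genuine packet that happens to
    # arrive with TTL 1 is dropped too (Ian's "very few false positives").
    $IPT -t mangle -A PREROUTING -i "$WAN" -m ttl --ttl-eq 1 -j DROP

    # Stateful allow. ICMP errors (time-exceeded, fragmentation-needed, ...)
    # for a flow we or a LAN host started come in as RELATED, which is what
    # Darian's note asks for. There is deliberately no OUTPUT rule dropping
    # time-exceeded, so daemons and proxies on the firewall keep working.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -s "$LAN_NET" -o "$WAN" -j ACCEPT

    # Unsolicited echo-request from the WAN falls through to the INPUT
    # policy (DROP); replies to our own pings come back as ESTABLISHED.
}

# Dry-run the rule set and check two invariants: exactly one TTL=1 drop,
# in the mangle PREROUTING chain, and nothing that touches time-exceeded.
fw_check() {
    rules=$( IPT="echo iptables"; fw_apply )
    ttl_drops=$(printf '%s\n' "$rules" | grep -c -- '-m ttl --ttl-eq 1 -j DROP')
    ttl_in_mangle=$(printf '%s\n' "$rules" | grep -c -- '-t mangle -A PREROUTING .* --ttl-eq 1')
    te_rules=$(printf '%s\n' "$rules" | grep -c 'time-exceeded' || true)
    [ "$ttl_drops" -eq 1 ] && [ "$ttl_in_mangle" -eq 1 ] && [ "$te_rules" -eq 0 ]
}

case "${1:-}" in
    apply) fw_apply ;;
    check) fw_check && echo "rule set ok" ;;
esac
```

From outside, a traceroute toward the firewall or a host behind it now stops reporting at the hop before the firewall (the probe whose TTL would expire here is silently dropped), while `-m state --state RELATED` still lets the firewall's own outbound connections learn about path problems.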