To stop pinging and traceroute from outside (Fabrice MARIE)
Thu, 20 Dec 2001 11:24:22 -0800
-----BEGIN PGP SIGNED MESSAGE-----
"Darian Lanx" <firstname.lastname@example.org> writes:
> |> 1. Re: To stop pinging and traceroute from outside (Fabrice
> |> MARIE)
> |> You can drop incoming echo-requests to stop ping to your interface,
> |> and drop outgoing time-exceeded to drop reply to traceroute.
> Just a side note. Please do NOT drop time-exceeded packets if you are
> running services on the firewall or the firewall acts as a proxy to
> services running behind the firewall. The ICMP time-exceeded packet is
> crucial to proper function of daemon/client connections.
I think a better way of dealing with it is to use the TTL match to
DROP anything with TTL=1 at the firewall/router.
... -m ttl --ttl-eq 1 -j DROP
This will have the minor downside of a (very) few false positives, but
IMHO it is a better way to go.
It would still be possible to craft a mechanism whereby protected
hosts could be mapped, but the average traceroute would fail and only
report the hop prior to the firewall/router.
-----BEGIN PGP SIGNATURE-----
Comment: Keeping the world safe for geeks.
-----END PGP SIGNATURE-----
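The following is an added illustration, not part of the original thread: a small model of what an outside traceroute sees against a path whose last router applies the `-m ttl --ttl-eq 1 -j DROP` rule from the post. The hop names ("isp-router", "firewall", "web-server"), the `Hop` class and the probe walk are constructed for the example; the model assumes the rule is evaluated on arrival, before the router's own forwarding code decides whether to emit ICMP time-exceeded.

```python
"""Traceroute model: how `-m ttl --ttl-eq 1 -j DROP` on a firewall changes
what an outside traceroute sees.  Added example, not from the original
thread; hop names and the packet model are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, List, Optional


def never_drop(ttl: int) -> bool:
    """Default policy: accept every packet regardless of TTL."""
    return False


def drop_ttl_one(ttl: int) -> bool:
    """The rule from the post: drop anything arriving with TTL=1."""
    return ttl == 1


@dataclass
class Hop:
    name: str
    is_destination: bool = False
    # Policy evaluated on every packet that arrives here, before the
    # forwarding code looks at the TTL (a PREROUTING rule on Linux).
    drop_if: Callable[[int], bool] = never_drop
    # Whether this host, as the final destination, answers probes at all
    # (False models the quoted advice of dropping incoming echo-requests).
    answers_probes: bool = True


def send_probe(path: List[Hop], ttl: int) -> Optional[str]:
    """Walk one probe along the path.  Return the name of the hop that
    answers (ICMP time-exceeded from a router, or a reply from the final
    host), or None if nobody answers and traceroute prints '*'."""
    for hop in path:
        if hop.drop_if(ttl):
            return None                 # DROP: no ICMP is generated at all
        if hop.is_destination:
            return hop.name if hop.answers_probes else None
        if ttl <= 1:
            return hop.name             # cannot forward: ICMP time-exceeded
        ttl -= 1                        # forwarded with one fewer hop to live
    return None


def traceroute(path: List[Hop], max_hops: int = 8) -> List[str]:
    """Classic traceroute: one probe per TTL, stop once the target answers."""
    seen = []
    for ttl in range(1, max_hops + 1):
        answer = send_probe(path, ttl)
        seen.append(answer or "*")
        if answer == path[-1].name:
            break
    return seen


# Baseline: no TTL rule anywhere.
unprotected = [Hop("isp-router"), Hop("firewall"),
               Hop("web-server", is_destination=True)]
# Target is the firewall itself, which drops TTL=1 but answers probes.
to_firewall = [Hop("isp-router"),
               Hop("firewall", is_destination=True, drop_if=drop_ttl_one)]
# Target is a host behind the firewall.
through_firewall = [Hop("isp-router"), Hop("firewall", drop_if=drop_ttl_one),
                    Hop("web-server", is_destination=True)]
# Firewall drops TTL=1 and also refuses to answer probes aimed at itself.
silent_firewall = [Hop("isp-router"),
                   Hop("firewall", is_destination=True,
                       drop_if=drop_ttl_one, answers_probes=False)]

if __name__ == "__main__":
    print("unprotected     ", traceroute(unprotected))
    print("to firewall     ", traceroute(to_firewall))
    print("through firewall", traceroute(through_firewall))
    print("silent firewall ", traceroute(silent_firewall, max_hops=4))
```

Two things the model makes visible. First, the rule only blanks the firewall's own line: the probe sent with one more hop-to-live arrives with TTL=2, is not matched, and is answered by the firewall (or forwarded to the host behind it), so the target still appears one line later unless the firewall also declines to answer probes. Second, on Linux the forwarding code tests for TTL<=1 and emits time-exceeded before the FORWARD chain runs, so a rule meant to stop that ICMP has to sit in a PREROUTING chain (mangle or raw table), not in FORWARD; the model's `drop_if` is evaluated at that earlier point.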