At 21:39 27/06/01 -0400, Juan L. Zamora wrote:
>Probably this question has been asked several times before on this list.
>The thing is that I'm confused about how to implement stateful inspection
>in FW-1 4.0, since somewhere it says that in version 4.0 or higher this ICMP
>inspection is fully supported and somewhere else it says one has to use Bill
>Burns's (http://people.netscape.com/shadow/) "inspect code" to handle it.
>All that I want is just to drop all Unix traceroute.
>Wouldn't it be as easy as to drop all outgoing ICMP type-3 packets?
You should not. Type 3 is ICMP unreachable messages. Traceroute is based on
ICMP time exceeded, that is, type 11.
Anyway, ICMP time exceeded messages are useful for correct network operation
and should not be blocked (except if you don't care for network loops...).
Anyway, this would block other traceroutes too!
ICMP unreachable messages should really not be blocked. Otherwise, you'll create
many problems (too many retransmissions if a destination is unreachable,
no connection if a router needs to frag the packets and your client supports
PMTU discovery, etc.)
If you don't wanna allow "unix" traceroute, then deny the outbound UDP
connection instead.
But the Unix traceroute can generally be told (or rewritten if not) to use other
protocols, such as ICMP, TCP or any other.
But why do you wanna block traceroute? Most people have the reverse problem: how to
allow traceroute but not open a hole.
And why only "Unix" traceroute? (I guess you mean the UDP-based one.)
cheers,
mouss
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
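The two filtering choices discussed in the thread, modelled as an added example (not code from the original posts or from FW-1): a toy stateless classifier run over constructed sample packets, showing that dropping outbound ICMP type 3 leaves UDP traceroute working while breaking PMTU discovery, that denying the outbound UDP probes stops it, and that an ICMP-echo-based traceroute gets past both. Port range, packet fields and the policy functions are assumptions for illustration.

```python
"""Toy packet filter comparing the two traceroute policies from the thread.
All packets below are constructed samples, not captured traffic."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Classic UDP traceroute probes destination ports starting at 33434 (assumed range).
TRACEROUTE_UDP_PORTS = range(33434, 33535)

@dataclass(frozen=True)
class Packet:
    direction: str            # "out" (leaving our network) or "in"
    proto: str                # "udp", "tcp" or "icmp"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

def drop_icmp3_policy(pkt: Packet) -> bool:
    """The policy proposed in the question: drop all outgoing ICMP type 3."""
    return pkt.direction == "out" and pkt.proto == "icmp" and pkt.icmp_type == 3

def deny_udp_probe_policy(pkt: Packet) -> bool:
    """The reply's suggestion: deny the outbound UDP probes instead."""
    return (pkt.direction == "out" and pkt.proto == "udp"
            and pkt.dport in TRACEROUTE_UDP_PORTS)

SAMPLES: Dict[str, Packet] = {
    # the UDP traceroute probe itself, leaving our network
    "udp_probe": Packet("out", "udp", dport=33434),
    # time exceeded (type 11) our router sends back when someone traces us
    "time_exceeded_out": Packet("out", "icmp", icmp_type=11, icmp_code=0),
    # port unreachable (type 3 code 3) sent by the final hop of a UDP trace
    "port_unreach_out": Packet("out", "icmp", icmp_type=3, icmp_code=3),
    # "fragmentation needed" (type 3 code 4) that PMTU discovery depends on
    "frag_needed_out": Packet("out", "icmp", icmp_type=3, icmp_code=4),
    # an ICMP-echo-based traceroute probe: neither policy catches it
    "icmp_echo_probe": Packet("out", "icmp", icmp_type=8, icmp_code=0),
}

def evaluate(policy: Callable[[Packet], bool]) -> Dict[str, bool]:
    """Return, per sample packet, whether the given policy drops it."""
    return {name: policy(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for pol in (drop_icmp3_policy, deny_udp_probe_policy):
        print(pol.__name__, evaluate(pol))
```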