Just wanted to add one thought here ...

At 08:37 AM 10/16/02 -0500, Charles Steinkuehler wrote:
[...]
>Traceroutes are a bit harder...a remote system does a traceroute to a
>destination by sending out a packet with a short TTL (time-to-live), and
>listening for return ICMP time-exceeded messages from the intermediate
>hosts (the TTL field of a packet is decremented each time it passes
>through a router).  You can use most any IP packet for this.  By
>default, Linux traceroute uses UDP packets sent to port 33434, but any
>UDP or TCP port (and even protocols other than TCP/UDP) can be used, so
>it's kind of hard to block on the input side.
>
>You can, however, block the return ICMP time-exceeded messages in the
>output chain.  Put the following in /etc/ipchains.output
>
>$IPCH -A output -j DENY -p icmp --icmp-type time-exceeded -i $EXTERN_IF
This strategy works for the *intermediate* hosts, as Charles indicates,
but not for the final host. That is, it works unless the LEAF router's
IP address is itself the endpoint of the traceroute (as it would always
be on the external interface of a NAT'ing router). In that case, the
router will return an ICMP destination-unreachable (port-unreachable)
packet, not ICMP time-exceeded. The suggested rule will not block that
return type.

-- 
-------------------------------------------"Never tell me the odds!"--------
Ray Olszewski                                           -- Han Solo
Palo Alto, California, USA                              [EMAIL PROTECTED]
-------------------------------------------------------------------------------

-------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
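As an added illustration (this is not code from the thread or from the LEAF project), the following Python model plays out the exchange Charles and Ray describe: each hop along a path answers a UDP traceroute probe with the ICMP message it would really send (type 11 code 0 "time exceeded in transit" from intermediate routers, type 3 code 3 "port unreachable" from the probed endpoint), and an output-chain policy on "our" router decides which of its own replies get out. The addresses, hop lists, and the two predicate functions standing in for ipchains rules are constructed for the example; the ICMP type/code numbers and the RFC 1071 checksum are the real ones, and 33434 is Linux traceroute's default first UDP port as the quoted text says.

```python
"""Added example, not from the leaf-user thread: model the ICMP replies a
remote traceroute elicits and which of them a LEAF router's output-chain
policy hides.  Addresses, hop lists and function names are constructed."""
import socket
import struct

# ICMP type and code numbers (RFC 792)
ICMP_DEST_UNREACH = 3       # type 3 ...
ICMP_PORT_UNREACH = 3       # ... code 3: a host's answer to a UDP probe on a closed port
ICMP_TIME_EXCEEDED = 11     # type 11 ...
ICMP_TTL_EXCEEDED = 0       # ... code 0: TTL reached zero in transit

TRACEROUTE_UDP_PORT = 33434  # Linux traceroute's default first destination port


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when the checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int, quoted: bytes = b"") -> bytes:
    """ICMP error: type, code, checksum, 4 unused bytes, then the quoted start of the offending datagram."""
    head = struct.pack("!BBHI", icmp_type, code, 0, 0)
    csum = icmp_checksum(head + quoted)
    return struct.pack("!BBHI", icmp_type, code, csum, 0) + quoted


def parse_icmp(pkt: bytes):
    """Return (type, code); reject a truncated message or one whose checksum does not verify."""
    if len(pkt) < 8 or icmp_checksum(pkt) != 0:
        raise ValueError("bad or truncated ICMP message")
    return struct.unpack("!BB", pkt[:2])


def udp_probe_quote(src_ip: str, dst_ip: str, ttl: int) -> bytes:
    """Constructed IPv4 + UDP headers standing in for the 28 probe bytes an ICMP error quotes."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + 12, 0, 0, ttl, 17, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    udp_hdr = struct.pack("!HHHH", 33000, TRACEROUTE_UDP_PORT, 8 + 12, 0)
    return ip_hdr + udp_hdr


# Two candidate output-chain policies, written as predicates over (type, code).
def deny_time_exceeded(icmp_type: int, code: int) -> bool:
    """Models the quoted rule: $IPCH -A output -j DENY -p icmp --icmp-type time-exceeded -i $EXTERN_IF"""
    return icmp_type == ICMP_TIME_EXCEEDED


def deny_time_exceeded_and_port_unreach(icmp_type: int, code: int) -> bool:
    """Same, plus a DENY for type 3 code 3 only.  Other unreachables (e.g. 3/4
    fragmentation-needed, which path-MTU discovery relies on) are left alone."""
    return deny_time_exceeded(icmp_type, code) or (
        icmp_type == ICMP_DEST_UNREACH and code == ICMP_PORT_UNREACH)


def simulate_traceroute(path, router_ip, router_output_filter, prober_ip="192.0.2.200"):
    """Hop-by-hop model of a UDP traceroute from prober_ip along `path` (last entry = probed
    destination).  Each hop answers the probe whose TTL expires there; only replies that *our*
    router (router_ip) generates are subject to router_output_filter, since the upstream hops
    are not ours to filter.  Returns what traceroute prints per TTL: the hop address, or '*'
    where the reply was dropped."""
    printed = []
    for ttl, hop in enumerate(path, start=1):
        quote = udp_probe_quote(prober_ip, path[-1], ttl)
        if hop == path[-1]:   # probe reached its destination: nothing listens on 33434
            reply = build_icmp(ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, quote)
        else:                 # TTL ran out at an intermediate router
            reply = build_icmp(ICMP_TIME_EXCEEDED, ICMP_TTL_EXCEEDED, quote)
        icmp_type, code = parse_icmp(reply)
        dropped = hop == router_ip and router_output_filter(icmp_type, code)
        printed.append("*" if dropped else hop)
    return printed


# Constructed topology: two upstream ISP hops, then the LEAF router's external address.
ROUTER = "203.0.113.9"
PATH_TO_ROUTER = ["192.0.2.1", "198.51.100.7", ROUTER]          # NAT case: router is the endpoint
PATH_THROUGH_ROUTER = PATH_TO_ROUTER + ["203.0.113.77"]         # routed (non-NAT) host behind it

if __name__ == "__main__":
    for name, path in (("to router", PATH_TO_ROUTER), ("through router", PATH_THROUGH_ROUTER)):
        for policy in (deny_time_exceeded, deny_time_exceeded_and_port_unreach):
            print(f"{name:15s} {policy.__name__:38s} {simulate_traceroute(path, ROUTER, policy)}")
```

Running it shows Ray's point directly: with only time-exceeded denied, the router stays hidden when it is an intermediate hop (the "through router" path prints `*` for it) but is printed as the final hop in the NAT case, because its reply is 3/3, not 11/0; adding the port-unreachable DENY turns that last line into `*` as well. Two caveats that the model does not print: a real traceroute keeps probing up to its hop limit once the destination stops answering, so the prober sees a run of `*` lines rather than a clean end, and the hop just upstream of the router (the ISP's) still answers, so the address range is only obscured, not concealed.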
