PF: allow traceroute but hide

[TaHu]

Greetings,

I'm using PF on FreeBSD 9.2 on a server which is used only to perform NAT (got customers in private IP behind this server), and I'd like to know which kind of rule do I have to implement to allow traceroute (from a Windows laptop) to go through my server, but I don't want my server to answer it. And in the meantime, I want my server to answer to ping.

After research, it seems that either my server has to answer to both ping and traceroute, or not at all.

Otherwise if I want to allow traceroute to go through my server, but without permitting the server to answer it, would this rule below be ok:

ext_if : external interface
subs_net: my subscriber

Rule:

block out on $ext_if inet proto udp from $subs_net to any port 33433 >< 33626 keep state

Thanks for your feedback guys

 

[TaHu]

Has anyone already tried something like that?

 

[SirDice]

If a traceroute(1) is supposed to go through the firewall where is it supposed to go?

 

[SirDice]

Scratch that, I was thinking about a traceroute(1) from outside to in but I think you actually meant from inside to outside. But this begs the question, why don't you want the box to respond as an intermediary? To hide it? They already know its IP address as it's set as the default gateway. What would be the point?

 

[asteriskRoss]

@TaHu: Note also that the Windows tracert utility implements traceroute differently from FreeBSD, using ICMP ECHO (like ping(1)). FreeBSD's traceroute(1) uses UDP packets by default has options to use ICMP ECHO or TCP packets. This means that your proposed rule would not do what you want.

You don't mention whether you're dealing with IPv4 or IPv6. For IPv4, to allow your server to respond to ICMP echo requests (ping), you need to permit outbound ICMP echo replies from your server's address(es). To block traceroute responses from your server, you need to block ICMP time exceeded responses from your server's address(es). I'm not sure why the particular behaviour you want would be useful, but it's your network Have a look at the traceroute page on Peter Hansteen's PF guide , the pf.conf(5) man page (in particular relating to icmp-type) and the icmp(4) man page for IPv4 (icmp6(4) for IPv6).

 

[TaHu]

Thanks for your feedback.

@SirDice: Indeed I'm talking about tracert from inside to outside. It's not the default gateway that my customers have, so if I hide it, they won't know the IP address of this NAT server. Here below the architecture:

customers ---- switch (default gateway) ----- NAT server ---- router ----- Internet

And yes, I use a specific machine to perform NAT: I've got around 10k customers, and I don't want to put this service on my router or my switch.

@asteriskRoss: I'm aware that traceroute from windows is different from FreeBSD, and I confirm that it's just traceroute from Windows that I want my NAT server to be hidden. I'm dealing with IPv4 only.

Thanks for the page guide, I'll check it

 

[asteriskRoss]

To clarify, I'm suggesting that rather than blocking incoming ICMP echo requests to your server, which would block traffic from the Windows tracert utility, but also block traffic from the ping utility, you block outgoing ICMP time exceeded traffic from your server, which blocks traceroute responses irrespective of which protocol was used for the request, but allow ICMP echo replies, meaning that the ping utility still functions. I hope that makes sense.

 

[TaHu]

Yes, that's exactly what I'm trying to do, thanks for your feedback. I'll come back here with rules implemented once it's done