HPE GreenLake Administration
- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - HP-UX
- >
- Re: ipfilter - blocking traceroute
Operating System - HP-UX
1838598
Members
4203
Online
110128
Solutions
Forums
Categories
Company
Local Language
back
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Forums
Discussions
Discussions
Discussions
Forums
Discussions
back
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Blogs
Information
Community
Resources
Community Language
Language
Forums
Blogs
Go to solution
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-23-2003 06:12 PM
10-23-2003 06:12 PM
Hi, ux 11.00. IPFilter software.
I am trying to block 'outsiders' from getting through to our unix server. Have been thru ipf manual and tried:
block in on lan0 from myipaddr to uxSvr icmp-type 11 keep state
this has not stopped me from being able to traceroute to the server. Have also tried using icmp-type 0.
The only icmp-type that has had any effect is the icmp-type 8. This stopped both traceroute and ping!.
has anyone got any ideas here on where I am going wrong?
Thanks, and appreciate your help
Maria.
I am trying to block 'outsiders' from getting through to our unix server. Have been thru ipf manual and tried:
block in on lan0 from myipaddr to uxSvr icmp-type 11 keep state
this has not stopped me from being able to traceroute to the server. Have also tried using icmp-type 0.
The only icmp-type that has had any effect is the icmp-type 8. This stopped both traceroute and ping!.
has anyone got any ideas here on where I am going wrong?
Thanks, and appreciate your help
Maria.
Solved! Go to Solution.
3 REPLIES 3
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-23-2003 07:25 PM
10-23-2003 07:25 PM
Re: ipfilter - blocking traceroute
A traceroute is an echo request, so a ping, but with a TTL incremented from 1 up to the correct value leading to your server.
If you want to block traceroute, try to add a rule droping packets with TTL to 1 in (or 0 out) with no reply to the sender...
hth
J
If you want to block traceroute, try to add a rule droping packets with TTL to 1 in (or 0 out) with no reply to the sender...
hth
J
You can lean only on what resists you...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-16-2003 03:57 PM
11-16-2003 03:57 PM
Re: ipfilter - blocking traceroute
jerome, sorry but I dont really understand your reply. How would you specify ttl values in ipfilter rules?
regards,
Maria
regards,
Maria
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-16-2003 04:28 PM
11-16-2003 04:28 PM
Solution
The only icmp-type that has had any effect is the icmp-type 8. This stopped both traceroute and ping!.
Thats an excellent start.
By your statement you want to block all access from lan0, which is apparently exposed to the Internet from accessing your server.
block in on lan0 proto tcp from 10.1.1.1/32 to any
Just put the right TCP address in the above statment and you'll completely block all outside access including ping.
If you are looking for something more subtle, I'll link the doc I used to get that code.
http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B9901-90018/B9901-90018_top.html&con=/hpux/onlinedocs/B9901-90018/00/00/59-con.html&toc=/hpux/onlinedocs/B9901-90018/00/00/59-toc.html&searchterms=configuration%7cipfilter&queryid=20031116-221748
SEP
Thats an excellent start.
By your statement you want to block all access from lan0, which is apparently exposed to the Internet from accessing your server.
block in on lan0 proto tcp from 10.1.1.1/32 to any
Just put the right TCP address in the above statment and you'll completely block all outside access including ping.
If you are looking for something more subtle, I'll link the doc I used to get that code.
http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B9901-90018/B9901-90018_top.html&con=/hpux/onlinedocs/B9901-90018/00/00/59-con.html&toc=/hpux/onlinedocs/B9901-90018/00/00/59-toc.html&searchterms=configuration%7cipfilter&queryid=20031116-221748
SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.
Company
Events and news
Customer resources
© Copyright 2025 Hewlett Packard Enterprise Development LP