# PF: allow traceroute but hide



## TaHu (Sep 13, 2014)

Greetings,

I'm using PF on FreeBSD 9.2 on a server which is used only to perform NAT (I have customers on private IPs behind this server), and I'd like to know what kind of rule I have to implement to allow `traceroute` (from a Windows laptop) to go through my server, but I don't want my server to answer it. At the same time, I want my server to answer `ping`.

After some research, it seems that either my server has to answer both `ping` and `traceroute`, or neither.

Otherwise, if I want to allow `traceroute` to go through my server without permitting the server to answer it, would the rule below be OK?

- `$ext_if`: external interface
- `$subs_net`: my subscribers

Rule:

```
block out on $ext_if inet proto udp from $subs_net to any port 33433 >< 33626 keep state
```

Thanks for your feedback guys


----------



## TaHu (Sep 17, 2014)

Has anyone already tried something like that?


----------



## SirDice (Sep 17, 2014)

If a traceroute(1) is supposed to go _through_ the firewall, where is it supposed to go?


----------



## SirDice (Sep 17, 2014)

Scratch that, I was thinking about a traceroute(1) from outside in, but I think you actually meant from inside to outside. But this begs the question: why don't you want the box to respond as an intermediary? To hide it? They already know its IP address, as it's set as the default gateway. What would be the point?


----------



## asteriskRoss (Sep 17, 2014)

@TaHu: Note also that the Windows tracert utility implements traceroute differently from FreeBSD, using ICMP ECHO (like ping(1)). FreeBSD's traceroute(1) uses UDP packets by default and has options to use ICMP ECHO or TCP packets. This means that your proposed rule would not do what you want.

You don't mention whether you're dealing with IPv4 or IPv6. For IPv4, to allow your server to respond to ICMP echo requests (ping), you need to permit outbound ICMP echo replies from your server's address(es). To block traceroute responses from your server, you need to block ICMP time exceeded responses from your server's address(es). I'm not sure why the particular behaviour you want would be useful, but it's your network. Have a look at the traceroute page in Peter Hansteen's PF guide, the pf.conf(5) man page (in particular the part relating to icmp-type) and the icmp(4) man page for IPv4 (icmp6(4) for IPv6).


----------



## TaHu (Sep 17, 2014)

Thanks for your feedback.

@SirDice: Indeed, I'm talking about tracert from inside to outside. It's not the default gateway that my customers have, so if I hide it, they won't know the IP address of this NAT server. Here is the architecture:


```
customers ---- switch (default gateway) ----- NAT server ---- router ----- Internet
```

And yes, I use a specific machine to perform NAT: I've got around 10k customers, and I don't want to put this service on my router or my switch.

@asteriskRoss: I'm aware that traceroute from Windows is different from FreeBSD, and I confirm that it's just traceroute from Windows that I want my NAT server to be hidden from. I'm dealing with IPv4 only.

Thanks for the guide page, I'll check it.


----------



## asteriskRoss (Sep 17, 2014)

To clarify, I'm suggesting that rather than blocking *incoming* ICMP echo requests to your server, which would block traffic from the Windows tracert utility but also block traffic from the ping utility, you block *outgoing* ICMP time exceeded traffic from your server. That blocks traceroute responses irrespective of which protocol was used for the request, while still allowing ICMP echo replies, so the ping utility continues to function. I hope that makes sense.


----------
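The rule set asteriskRoss describes, written out as an added example for the pf shipped with FreeBSD 9.x (OpenBSD 4.5 syntax). This is an editor's example, not code from the thread or from any poster. The interface names `em0`/`em1`, the subscriber prefix `10.0.0.0/8` and the choice to keep the inside rules stateless are assumptions, not something TaHu stated.

```pf
# Added example, not from the thread: pf.conf for TaHu's topology
#   customers --- switch (gateway) --- NAT server --- router --- Internet
# Goal: NAT subscribers, answer ping, never send ICMP "time exceeded"
# from this box, so a subscriber's tracert shows it as "* * *".
ext_if   = "em0"           # towards the router / Internet  (assumed name)
int_if   = "em1"           # towards the switch / subscribers (assumed name)
subs_net = "10.0.0.0/8"    # subscriber address space (assumed)

set skip on lo0

# NAT subscribers behind the external address.
nat on $ext_if inet from $subs_net to any -> ($ext_if)

block log all

# 1. The point of the thread: never emit ICMP type 11 (time exceeded) from
#    any address of this box, whatever protocol the probe used (UDP from
#    traceroute(1), ICMP echo from Windows tracert, TCP from traceroute -T).
#    "self" expands to all addresses on all interfaces.
block out quick inet proto icmp from self icmp-type timex

# 2. Still answer ping: echo requests in, echo replies out.
pass in  quick inet proto icmp from any to self icmp-type echoreq keep state
pass out quick inet proto icmp from self to any icmp-type echorep no state

# 3. Subscriber traffic on the inside. These rules keep NO state on purpose:
#    pf hands an ICMP error to the state of the packet it quotes before it
#    consults the rules, and a stateful "pass in on $int_if" would create
#    exactly the state this box's own time-exceeded message matches, so
#    rule 1 would never be evaluated for it.
pass in  quick on $int_if inet from $subs_net to any no state
pass out quick on $int_if inet from any to $subs_net no state

# 4. Outside: one state per flow on $ext_if. The router's and the Internet's
#    ICMP errors (time exceeded, port unreachable) ride back in on this
#    state, so subscribers still see every hop beyond this box.
pass out quick on $ext_if inet from ($ext_if) to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then run `tracert` from a subscriber host: the switch appears as hop 1, this box as a `* * *` row, and the router after it. `pfctl -vsr` shows per-rule packet counters, so you can confirm that rule 1 is actually being hit rather than the error being passed by an existing state. Note that hiding the box this way does not make the hop disappear: tracert still prints a timed-out hop where the NAT server sits.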



## TaHu (Sep 17, 2014)

Yes, that's exactly what I'm trying to do, thanks for your feedback. I'll come back here with the rules implemented once it's done.


----------

