Does anyone know how I can enable or disable traceroute for my IPv4 /24 range?
What do you mean, from public?
Just don’t reply to ICMP traffic; a traceroute is ‘just’ pings with a TTL that goes from 1 to destination reached.
How can I disable traceroute on VyOS? Please provide the command. An attacker traceroutes one of my IPv4 addresses from the /24 range and gets the upstream IPv4 address where my router advertises the /24.
port-group TRACEROUTE-GRP {
    port 33434-34000
}
rule 9 {
    action drop
    destination {
        group {
            port-group TRACEROUTE-GRP
        }
    }
    log enable
    protocol udp
    source {
        group {
            address-group ????
        }
    }
}
Thank you for the comment. Can you provide the full commands, like
set policy? etc.
set firewall group port-group TRACEROUTE-GRP port 33434-34000
set firewall name YOUR_FW_RULE? rule $YOURSEQUENCE_NUMBER$ action drop
set firewall name YOUR_FW_RULE? rule $YOURSEQUENCE_NUMBER$ destination group port-group TRACEROUTE-GRP
set firewall name YOUR_FW_RULE? rule $YOURSEQUENCE_NUMBER$ log enable
set firewall name YOUR_FW_RULE? rule $YOURSEQUENCE_NUMBER$ protocol udp
Thank you for the reply @rufzor
I applied all the above commands with my rules and numbers.
But my tracert is still enabled; I can see all the IPs.
all-ping enable
broadcast-ping disable
config-trap disable
group {
    port-group TRACEROUTE-GRP {
        port 33434-34000
    }
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name tracert {
    rule 007 {
        action drop
        destination {
            group {
                port-group TRACEROUTE-GRP
            }
        }
        log enable
        protocol udp
    }
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
twa-hazards-protection disable
commit
error: error creating output file /opt/vyatta/etc/config/archive/config.boot.0: File exists
[edit]
You must apply the rule in the right direction.
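Putting the replies together, as an added example (not a configuration from this thread or from the VyOS project): the ruleset in the dump above is defined but never bound to an interface, so it matches nothing, and Windows tracert probes with ICMP echo rather than UDP, so an ICMP rule is needed next to the UDP one. It assumes VyOS 1.2/1.3 syntax, that eth0 is the upstream interface and that the /24 is routed behind the router (forwarded traffic); hops upstream of this router cannot be hidden by it, because their ICMP time-exceeded replies are sent before the probe ever reaches it.

```vyos
# Reusable group for the default UDP traceroute probe ports (as in the thread)
set firewall group port-group TRACEROUTE-GRP port 33434-34000

# An unset default-action is "drop" in VyOS 1.x, which would block all forwarded
# traffic the moment the ruleset is bound; set it explicitly to accept.
set firewall name tracert default-action accept

# Rule 7: UDP probes (Linux/BSD traceroute, default mode)
set firewall name tracert rule 7 action drop
set firewall name tracert rule 7 description 'Drop UDP traceroute probes'
set firewall name tracert rule 7 protocol udp
set firewall name tracert rule 7 destination group port-group TRACEROUTE-GRP
set firewall name tracert rule 7 log enable

# Rule 8: ICMP echo requests (Windows tracert, traceroute -I)
set firewall name tracert rule 8 action drop
set firewall name tracert rule 8 description 'Drop ICMP echo used by tracert'
set firewall name tracert rule 8 protocol icmp
set firewall name tracert rule 8 icmp type-name echo-request
set firewall name tracert rule 8 log enable

# The missing step: bind the ruleset to the upstream interface in the "in"
# direction (packets entering eth0 and forwarded to the /24 behind the router).
# For addresses configured on the router itself, "local" is needed instead.
# eth0 is an assumed interface name.
set interfaces ethernet eth0 firewall in name tracert

commit
save
```

The logged drops (log enable) show up in the kernel log as entries tagged with the ruleset and rule number, which is the quickest way to confirm the binding is actually matching traffic.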