Date: Wed, 9 Jul 2003 19:47:02 +1000
From: Paul Armstrong <army@cyber.com.au>
To: hackers@freebsd.org
Subject: Re: 5 "Advanced" networking questions
Message-ID: <20030709094702.GX19324@vanilla.office.cyber.com.au>
In-Reply-To: <3F0BAD5C.65895290@mindspring.com>
References: <20030707012205.3103dfc8.db@traceroute.dk> <20030707153314.GA1695@webboy.soth.at> <20030707180252.44036c61.db@traceroute.dk> <3F0A9A1C.25E6EB35@mindspring.com> <20030708131339.16da151f.db@traceroute.dk> <20030708140012.0fd685c8.db@traceroute.dk> <3F0BAD5C.65895290@mindspring.com>
On Tue, Jul 08, 2003 at 10:51:24PM -0700, Terry Lambert wrote:
> > > > I don't want to disable ICMP, just don't want to respond when ttl=0,
> > > > meaning when my firewall/gateway is on a "traceroute path".
> > >
> > > You should specifically modify the ICMP code to not respond
> > > to echo datagrams, or when ttl == 0, then, and work it that
> > > way. In other words, it's time to hack your network stack
> > > to specifically add that "feature".
> >
> > Hmm, why not just use a firewall?
>
> Because most firewalls, even commercial ones, don't block the
> ICMP messages you appear to be interested in blocking.
>
> If you want the feature in FreeBSD, you are going to need to
> hack some code.

Actually, he can get what he wants with:

Kernel:

    options IPFILTER
    options IPFILTER_LOG
    options IPFILTER_DEFAULT_BLOCK

/etc/ipf.rules:

    # Block in all icmp packets which have a ttl of 0.
    block in quick proto icmp all ttl 0

From there, I think you can work out the rest... "man 5 ipf" is your friend.

Paul