Re: Changing packets ttl's

From: Jeremie Le Hen (jeremie_at_le-hen.org)
Date: 04/29/05

    Date: Fri, 29 Apr 2005 11:07:22 +0200
    To: GiZmen <gizmen@zion.vsip.pl>
    
    

    Hi,

    > No, this sysctl is not what I want.
    > I need to change the TTL of outgoing packets to my internal network.
    > For example, there is a connection from a host on the internet.
    > It has, for example, 10 hops to my gateway. And when the packet comes
    > to my box it has, for example, 55 TTL in the IP header.
    > And then it is routed to a host in my network, so my box changes the TTL
    > to 54. But what I need is to change the TTL to '1'.

    In Linux terms, you want to ``mangle'' the packet, re-writing its TTL.
    AFAIK, this is not possible with FreeBSD since this is really not a
    common action for a firewall (some conservative folks would even argue
    this is not its job). The pf firewall seems to have a ``min-ttl''
    statement in traffic normalization, but there is no ``max-ttl'' one.

    The simplest way to achieve this is to write a userland daemon which
    will retrieve the packet from the firewall from a divert socket, using
    ipfw(8). But this would have very poor performance in case you need
    high-bandwidth traffic, as each packet would require at least two
    context switches; for a DSL connection, I guess this would be ok.

    The other solution is to make a patch for one of the firewalls
    available in FreeBSD.

    Best regards,

    -- 
    Jeremie Le Hen
    < jeremie at le-hen dot org >< ttz at chchile dot org >
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
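The divert-socket daemon the reply proposes, as an added example that is not code from the thread: it reads packets that an ipfw divert rule hands to port 8668 (a placeholder), sets their TTL to 1, recomputes the IPv4 header checksum and reinjects them. The ipfw rule that selects traffic toward the internal network (for instance `ipfw add divert 8668 ip from any to 192.168.1.0/24 out`, with an assumed network) and the port number are assumptions; only the FreeBSD divert(4) socket calls are real.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 258 /* FreeBSD's value; lets this compile elsewhere */
#endif

/* RFC 1071 one's-complement checksum over an IPv4 header of len bytes. */
uint16_t ip_checksum(const unsigned char *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)hdr[i] << 8) | hdr[i + 1];
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Rewrite the TTL of an IPv4 packet and fix the header checksum.
 * Returns 0 on success, -1 if the buffer is not a sane IPv4 header. */
int set_ttl(unsigned char *pkt, size_t len, uint8_t ttl)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4; /* header length incl. options */
    if (ihl < 20 || ihl > len) return -1;
    pkt[8] = ttl;           /* TTL is byte 8 of the header */
    pkt[10] = pkt[11] = 0;  /* checksum is computed with its field zeroed */
    uint16_t csum = ip_checksum(pkt, ihl);
    pkt[10] = csum >> 8;
    pkt[11] = csum & 0xff;
    return 0;
}

/* Daemon loop: read packets ipfw diverts to port 8668 (placeholder), set the
 * TTL to 1 and reinject; sending back to the address recvfrom() filled in
 * resumes ipfw processing at the rule after the divert rule. */
int main(void)
{
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(8668) };
    if (fd < 0 || bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) {
        perror("divert socket"); return 1;
    }
    unsigned char buf[65535];
    for (;;) {
        struct sockaddr_in from; socklen_t fl = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &fl);
        if (n < 0 || set_ttl(buf, (size_t)n, 1) < 0)
            continue;       /* read error or malformed packet: drop it */
        sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&from, fl);
    }
}
```

Because every diverted packet crosses kernel/user space twice, this is the low-throughput path the reply warns about; it must run as root on the gateway and only sees traffic the divert rule matches.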
    
