5 "Advanced" networking questions

Paul Armstrong army at cyber.com.au
Wed Jul 9 02:47:06 PDT 2003


On Tue, Jul 08, 2003 at 10:51:24PM -0700, Terry Lambert wrote:
> > > > I don't want to disable ICMP, just don't want to respond when ttl=0,
> > > > meaning when my firewall/gateway is on a "traceroute path".
> > >
> > > You should specifically modify the ICMP code to not respond
> > > to echo datagrams, or when ttl == 0, then, and work it that
> > > way.  In other words, it's time to hack your network stack
> > > to specifically add that "feature".
> > 
> > Hmm, why not just use a firewall?
> 
> Because most firewalls, even commercial ones, don't block the
> ICMP messages you appear to be interested in blocking.
> 
> If you want the feature in FreeBSD, you are going to need to
> hack some code.  

Actually, he can get what he wants with:
Kernel:
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK

/etc/ipf.rules:
# Block in all icmp packets which have a ttl of 0.
block in quick proto icmp all ttl 0

From there, I think you can work out the rest...
"man 5 ipf" is your friend.

Paul
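
Added example, not part of the thread above and not ipf's own code: a small Python model of the forwarding path the exchange is about. It shows why a traceroute probe that expires at a gateway arrives there with TTL 1 (the gateway decrements it to 0, drops it and sends ICMP Time Exceeded, type 11), that an inbound filter sees the packet before that decrement, and what a "block on TTL" rule therefore has to match to keep the gateway from answering at all. The rule from the post is transcribed into the model as block/icmp/ttl 0 and compared with a block/any-proto/ttl 1 rule; the addresses, hop numbers and the reduced rule grammar are all constructed for the example, and the model is an idealised router, not a reimplementation of ipf's matching code.

```python
"""Model: traceroute probe crossing a filtering gateway (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ICMP_TIME_EXCEEDED = 11  # RFC 792 message type; code 0 = TTL expired in transit


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "udp" or "icmp": traceroute implementations use either
    ttl: int    # TTL in the IP header as the packet ARRIVES at this host


@dataclass(frozen=True)
class Rule:
    """Reduced form of `<action> in quick [proto X] all [ttl N]`.
    None for proto or ttl means 'any'. Every rule here is treated as 'quick'."""
    action: str
    proto: Optional[str]
    ttl: Optional[int]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.ttl is not None and rule.ttl != pkt.ttl:
        return False
    return True


def filter_inbound(rules: List[Rule], pkt: Packet, default: str = "pass") -> str:
    """First matching rule wins; otherwise the default policy.
    The input filter runs on the packet as received, i.e. BEFORE the
    forwarding code decrements the TTL."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


def forward(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[Tuple[int, str]]]:
    """Gateway behaviour: returns (outcome, icmp_reply) where icmp_reply is
    (icmp_type, destination) when the gateway would generate one, else None."""
    if filter_inbound(rules, pkt) == "block":
        return ("blocked", None)  # dropped silently, nothing goes back
    if pkt.ttl - 1 <= 0:
        # RFC 1812: a packet whose TTL reaches zero is discarded and the
        # sender is told with ICMP Time Exceeded; this is what traceroute listens for.
        return ("expired", (ICMP_TIME_EXCEEDED, pkt.src))
    return ("forwarded", None)


def probe_as_seen_by_hop(hop: int, probe_ttl: int, proto: str) -> Packet:
    """traceroute emits the probe for hop N with TTL == N. Each of the N-1
    routers before this one takes one off, so hop N sees TTL == probe_ttl - (N-1)."""
    return Packet(src="10.0.0.2", dst="192.0.2.10", proto=proto, ttl=probe_ttl - (hop - 1))


# The rule from the post, as this model reads it: block in quick proto icmp all ttl 0
RULE_FROM_POST: List[Rule] = [Rule("block", "icmp", 0)]
# A rule matching the probe that is about to expire here, whatever protocol traceroute used
RULE_TTL_ONE: List[Rule] = [Rule("block", None, 1)]


def demo() -> Dict[Tuple[str, str], str]:
    """Run both rule sets against probes that expire at hop 3 (UDP and ICMP
    flavours) and against a probe merely passing through hop 3 on its way to hop 5."""
    results: Dict[Tuple[str, str], str] = {}
    for name, rules in (("post", RULE_FROM_POST), ("ttl1", RULE_TTL_ONE)):
        for proto in ("udp", "icmp"):
            expiring = probe_as_seen_by_hop(hop=3, probe_ttl=3, proto=proto)
            results[(name, proto)] = forward(rules, expiring)[0]
        transit = probe_as_seen_by_hop(hop=3, probe_ttl=5, proto="udp")
        results[(name, "transit")] = forward(rules, transit)[0]
    return results


if __name__ == "__main__":
    for key, outcome in sorted(demo().items()):
        print(f"{key[0]:5} {key[1]:8} -> {outcome}")
```

In this model the expiring probe reaches the gateway with TTL 1, so a rule keyed on TTL 0 never sees it and the gateway still answers with Time Exceeded; matching TTL 1 on input swallows the probe silently while leaving transit packets (TTL 3 here) untouched. The caveat a practitioner would want: anything legitimately addressed to the gateway with a TTL of 1, and some routing and discovery protocols deliberately send that way, would be dropped by the same rule, so scope it to the interface and traffic you actually mean.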


More information about the freebsd-hackers mailing list