From owner-freebsd-hackers@FreeBSD.ORG Wed Jul 9 02:47:06 2003
Date: Wed, 9 Jul 2003 19:47:02 +1000
From: Paul Armstrong
To: hackers@freebsd.org
Subject: Re: 5 "Advanced" networking questions
Message-ID: <20030709094702.GX19324@vanilla.office.cyber.com.au>
In-Reply-To: <3F0BAD5C.65895290@mindspring.com>
References: <20030707012205.3103dfc8.db@traceroute.dk> <20030707153314.GA1695@webboy.soth.at> <20030707180252.44036c61.db@traceroute.dk> <3F0A9A1C.25E6EB35@mindspring.com> <20030708131339.16da151f.db@traceroute.dk> <20030708140012.0fd685c8.db@traceroute.dk> <3F0BAD5C.65895290@mindspring.com>
List-Id: Technical Discussions relating to FreeBSD

On Tue, Jul 08, 2003 at 10:51:24PM -0700, Terry Lambert wrote:
> > > > I don't want to disable ICMP, just don't want to respond when ttl=0,
> > > > meaning when my firewall/gateway is on a "traceroute path".
> > >
> > > You should specifically modify the ICMP code to not respond
> > > to echo datagrams, or when ttl == 0, then, and work it that
> > > way. In other words, it's time to hack your network stack
> > > to specifically add that "feature".
> >
> > Hmm, why not just use a firewall?
>
> Because most firewalls, even commercial ones, don't block the
> ICMP messages you appear to be interested in blocking.
>
> If you want the feature in FreeBSD, you are going to need to
> hack some code.

Actually, he can get what he wants with:

Kernel:

    options IPFILTER
    options IPFILTER_LOG
    options IPFILTER_DEFAULT_BLOCK

/etc/ipf.rules:

    # Block in all icmp packets which have a ttl of 0.
    block in quick proto icmp all ttl 0

From there, I think you can work out the rest... "man 5 ipf" is your friend.

Paul
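An expanded /etc/ipf.rules along the lines of Paul's suggestion, added here as an illustration rather than taken from the message. It assumes the ipf(5) rule syntax as documented for IPFilter (the `log`, `icmp-type` and `keep state` keywords) and that IPFILTER_DEFAULT_BLOCK is compiled in, so every ICMP message the gateway still needs must be passed explicitly.

```ipf
# /etc/ipf.rules (illustrative; only the single "block ... ttl 0" line
# comes from the mailing-list message, the rest is assumed)

# Drop the packets the poster asked about and log them, so the rule's
# effect can be verified afterwards with ipmon rather than guessed at.
block in log quick proto icmp all ttl 0

# With IPFILTER_DEFAULT_BLOCK nothing else gets in unless passed here.
# Keep the ICMP a gateway must still see: destination unreachable
# (this includes "fragmentation needed", which path-MTU discovery
# depends on) and time exceeded for traffic this host originated.
pass in quick proto icmp from any to any icmp-type unreach
pass in quick proto icmp from any to any icmp-type timex

# Let this host and the hosts behind it originate ICMP and get replies.
pass out quick proto icmp all keep state
```

Load with `ipf -Fa -f /etc/ipf.rules`, then check the active rule list with `ipfstat -io` and watch the logged drops with `ipmon`.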