Finding out the hard way is not always a bad thing. I think you get a better understanding than by just "finding the answer" without having to search for it.
Holger

> -----Original Message-----
> From: Georgi Petrov [mailto:[EMAIL PROTECTED]
> Sent: Monday, September 04, 2006 11:19 AM
> To: [email protected]
> Subject: Re: [pfSense-discussion] pfSense and TTL (time to live) = 1
>
>
> Wow!
>
> I'm stupid :(
>
> 2 days lost in researching how to do it my way with m0n0wall :( Well,
> maybe not - these were my first steps in BSD :)
>
> On 9/4/06, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> > On 9/4/06, Georgi Petrov <[EMAIL PROTECTED]> wrote:
> > > Hello everybody,
> > >
> > > I've sent this feature request to the m0n0wall mailing list, so it's a
> > > copy-paste. Everything written can be applied to pfSense as well!
> > >
> > >
> > >
> > > Here in Bulgaria we love m0n0wall and many people use it for home
> > > routing purposes. Our internet is delivered by LAN cables (insane,
> > > isn't it?) and some of my smarter friends split the service to the
> > > neighbours. This is pretty cool because you have to pay 2-3 times less
> > > and believe me - Bulgaria isn't the cheapest place to live in ;)
> > >
> > > Ok, you would say - you put one m0n0wall router under your bed and pay
> > > 2 times less for internet (as well as your neighbours). What's the
> > > problem? Here comes the problem: Almost all ISPs in Bulgaria modify
> > > the TTL (time to live) value of all incoming packets to 1, so when
> > > they enter the m0n0wall router, it decrements the TTL to 0 and being
> > > zero, the packet gets dropped (and doesn't reach any of the computers
> > > in the local network).
> > >
> > > There is a very simple way to work around that. The FreeBSD kernel
> > > should be compiled with IPSTEALTH option enabled. This is absolutely
> > > harmless and does the following:
> > >
> > > When the kernel is compiled with this option, later you can set one
> > > sysctl variable to "1" (enabled), which will turn on the IPSTEALTH
> > > mode. In this mode the router "hides" itself, becomes untraceable with
> > > tracert and the most important thing is that it doesn't decrement the
> > > TTL, so the little trick played by most ISPs becomes irrelevant.
> > >
> > > This is completely harmless to m0n0wall - it won't be enabled by
> > > default, nothing will change for the default install, but this
> > > functionality will be present for whoever needs it! Maybe later a
> > > "checkbox" could be added in the webGUI for easier accessibility.
> > >
> > > I already run m0n0wall's FreeBSD IPSTEALTH enabled kernel and enabling
> > > IPSTEALTH in running m0n0wall is as easy as adding
> > >
> > > <shellcmd>sysctl net.inet.ip.stealth=1</shellcmd>
> > >
> > > just before
> > >
> > > </system>
> > >
> > > The whole procedure is explained by another smart Bulgarian on this
> > > page (Bulgarian language):
> > > http://hardwarebg.com/forum/showthread.php?t=76480&highlight=TTL
> > >
> > > So - this way the whole problem is solved and the day - saved ;)
> > >
> > > I ask for one simple thing - could you please enable IPSTEALTH in the
> > > next m0n0wall release, please! It's a great router/firewall - make it
> > > even better!
> > >
> >
> > # sysctl -a | grep stealth
> > net.inet.ip.stealth: 0
> > net.inet6.ip6.stealth: 0
> >
> > It's already compiled in.
> >
> > Have fun!
> >
> > Scott
> >
>
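The two steps in the thread, Scott's check that the stealth sysctls are compiled in and Georgi's edit that places the `<shellcmd>` just before `</system>`, as an added helper that is not part of the thread nor of m0n0wall or pfSense. The config below is a constructed minimal stub, not a real export, and the `sysctl -a | grep stealth` output is the one quoted by Scott.

```python
import xml.etree.ElementTree as ET

STEALTH_CMD = "sysctl net.inet.ip.stealth=1"


def stealth_sysctls(sysctl_output: str) -> dict:
    """Parse 'name: value' lines from `sysctl -a | grep stealth`.

    An empty result means the kernel was built without IPSTEALTH, so the
    <shellcmd> below would fail at boot instead of enabling anything.
    """
    values = {}
    for line in sysctl_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().endswith(".stealth"):
            values[key.strip()] = int(value.strip())
    return values


def _has_stealth_cmd(system: ET.Element) -> bool:
    return any((c.text or "").strip() == STEALTH_CMD
               for c in system.findall("shellcmd"))


def stealth_enabled(config_xml: str) -> bool:
    """True when the config already carries the IPSTEALTH <shellcmd>."""
    system = ET.fromstring(config_xml).find("system")
    return system is not None and _has_stealth_cmd(system)


def enable_stealth(config_xml: str) -> str:
    """Append the <shellcmd> as the last child of <system>, i.e. right
    before </system>. Idempotent: an existing entry is never duplicated."""
    root = ET.fromstring(config_xml)
    system = root.find("system")
    if system is None:
        raise ValueError("config has no <system> section")
    if _has_stealth_cmd(system):
        return config_xml
    prev = system[-1] if len(system) else None
    cmd = ET.SubElement(system, "shellcmd")
    cmd.text = STEALTH_CMD
    if prev is not None:  # keep the indentation of the surrounding entries
        cmd.tail, prev.tail = prev.tail, "\n    "
    return ET.tostring(root, encoding="unicode")


# Constructed stub with only the elements this helper touches.
SAMPLE_CONFIG = """<m0n0wall>
  <version>1.2</version>
  <system>
    <hostname>router</hostname>
    <domain>example.local</domain>
  </system>
</m0n0wall>"""

if __name__ == "__main__":
    print(stealth_sysctls("net.inet.ip.stealth: 0\nnet.inet6.ip6.stealth: 0\n"))
    print(enable_stealth(SAMPLE_CONFIG))
```

Run the sysctl check on the router first; only when both stealth entries are listed does the config edit do anything useful after the next boot.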
