On Monday, 2002/03/25 at 16:45 EST, "David Ishmael" <[EMAIL PROTECTED]> wrote:

> If I understand right, you want to drop these packets without the firewall
> seeing the packets coming from the router. You can route all traffic coming
> from your hacked box to the loopback interface on your router which essentially
> drops the packets into the bit bucket.
No, it doesn't, at least not directly. It creates a routing loop, with the router forwarding the packet to itself repeatedly until the TTL expires. The TTL is typically about 60, so your router ends up handling each packet many times. This could contribute to a self-inflicted DoS of the router. (Yes, after the TTL expires the packet will be dropped, but also an "ICMP time exceeded" message will be sent back to the source - exactly what the original poster was trying to avoid.)

The lowest impact way to handle this with routing is to policy route it (based on the source address) to null0. Policy routing, however, typically causes more overhead in the router than normal routing.

On Cisco IOS routers you can use another method - disable the sending of "icmp unreachables" on the interface facing the firewall:

    no ip unreachables

Of course, this stops all unreachable messages from being sent on that interface.

Tony Rall

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
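The policy-routing approach from the reply above, written out as an IOS configuration. This is an added example for illustration, not configuration posted by either participant in the thread; the host address 192.0.2.50, the ACL number, the route-map name and the interface names are all assumptions and need to be replaced with the values from the actual network.

```cisco
! Added example (not from the original thread). Source-based blackhole of one
! compromised host using policy routing to Null0 on Cisco IOS.
!
! 1. Extended ACL matching on the SOURCE address of the hacked box
!    (192.0.2.50 is a hypothetical address).
access-list 101 remark Packets originating from the compromised host
access-list 101 permit ip host 192.0.2.50 any
!
! 2. Route-map: anything matching the ACL is sent to Null0 and discarded.
!    Packets that do not match fall through to normal routing.
route-map BLACKHOLE-HACKED permit 10
 match ip address 101
 set interface Null0
!
! 3. Apply the policy on the interface where the hacked box's traffic
!    ENTERS the router (interface name is hypothetical). PBR is applied
!    inbound, so it must be on the ingress interface, not the one facing
!    the firewall.
interface FastEthernet0/0
 description LAN segment containing the compromised host
 ip policy route-map BLACKHOLE-HACKED
!
! 4. Packets discarded to Null0 would otherwise trigger an ICMP destination
!    unreachable back toward the source. Suppress that on Null0 itself so
!    the drop is silent and no router-sourced ICMP appears on the wire.
interface Null0
 no ip unreachables
!
! 5. The alternative mentioned in the reply: suppress unreachables on the
!    firewall-facing interface instead (interface name is hypothetical).
!    Note that this silences ALL unreachables on that interface, not just
!    the ones caused by the blackhole.
interface FastEthernet0/1
 description Link to firewall
 no ip unreachables
```

To confirm the policy is being hit, `show route-map BLACKHOLE-HACKED` reports the match counters for sequence 10, and `show access-lists 101` shows the ACL hits. If the compromised host's address is the only thing that matters and the IOS release supports it, the same effect can be had without PBR by combining a static route for that address to Null0 with unicast RPF on the ingress interface (source-based remote-triggered blackholing), which avoids the per-packet overhead the reply warns about for policy routing.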
