Hi, all

While wrestling with our test firewall (transferring it from old Sun X2100 hardware to a Sun X2200M2 with 4 NICs) I got some of my old itchy questions back up again :)

However, there's a new one: it seems (and I think I've read) that policy-based routing is implemented with ipfilter as re-issuing matching packets on a specific interface with "block dup-to" or "block to" kinds of keywords, and this kind of PBR bypasses kernel routing and in particular the decrease in the packets' TTL. While this provides well for hidden transparent firewalls (i.e. bridging, etc.), I do want this host to be visible and to correctly process the TTL IP-header field.

So my question is: did I miss some keyword which enables manipulation of TTL in the case of ipfilter PBR? Other ideas and details follow...

I have a hunch this may relate to one of my observed problems: that the router is missing from traceroutes (although that also happened with no loaded rulesets). What I do see now (and think is TTL's fault) is that packets traverse this firewall as expected, but the traceroute's output stumbles upon the logical position of the ipfilter host, then goes on to the next-hop router and writes it in the same line, i.e.:

    Tracing route to www.ru [194.87.0.50]
    over a maximum of 30 hops:

      1     4 ms     2 ms     2 ms  cisco-a.lan.domain.ru [xxx.yyy.zzz.1]
      2     *        2 ms     1 ms  cisco-a.inetpbr.domain.ru [192.168.126.1]
      3    <1 ms     2 ms     2 ms  81.5.90.57
      4     2 ms     2 ms     1 ms  mipt-gw-eth0.mipt.ru [193.125.142.177]
      5     2 ms     1 ms     4 ms  m9-ix-1g.demos.net [193.232.244.35]
      6    15 ms     6 ms     5 ms  iki-c1-vl10.demos.net [194.87.0.111]
      7     *        *        5 ms  www.ru [194.87.0.50]

Hop #2 is supposed to be the ipfilter firewall. However, the third "actual" router shows up as #2 since TTL is not decreased at ipfilter.

--
Jim Klimov (Evgeny Klimov)
CTO, JSC COS&HT (ЗАО "ЦОС и ВТ")
+7-903-7705859 (cellular)
mailto:[email protected]
CC: [email protected], [email protected]

() ascii ribbon campaign - against html mail
/\ - against microsoft attachments
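The mechanism the post describes (a fast-routed hop that forwards packets without decrementing TTL never generates an ICMP Time Exceeded, so it never appears in a traceroute and the next router takes its slot) can be reproduced with a small simulation. The code below is an added example, not part of the original mailing-list post; the hop names and the `Hop` / `traceroute` / `invisible_hops` helpers are constructed for illustration and do not model the initial `*` timeouts seen in the real output.

```python
"""Simulate how a hop that forwards packets without decrementing TTL
disappears from a traceroute.

Added example (constructed); not part of the original post.
"""
from dataclasses import dataclass


@dataclass
class Hop:
    name: str
    # False models an ipfilter 'to' / 'dup-to' fast-routed hop that hands
    # the packet straight to an interface, bypassing the kernel's TTL decrement.
    decrements_ttl: bool = True


def traceroute(path, max_ttl=30):
    """Return a list of (probe_ttl, responder) tuples for a list of Hop objects.

    Probe N is sent with TTL = N. Each intermediate hop that decrements TTL
    does so; if TTL reaches 0 there, that hop answers with ICMP Time Exceeded.
    A hop that does not decrement TTL only forwards, so it can never respond.
    The last element of `path` is the destination, which answers once reached.
    """
    results = []
    destination = path[-1].name
    for probe_ttl in range(1, max_ttl + 1):
        ttl = probe_ttl
        responder = None
        for hop in path[:-1]:
            if hop.decrements_ttl:
                ttl -= 1
                if ttl == 0:
                    responder = hop.name
                    break
        if responder is None:
            responder = destination
        results.append((probe_ttl, responder))
        if responder == destination:
            break
    return results


def invisible_hops(path, trace):
    """Names of hops on the path that never appeared as a responder."""
    seen = {responder for _, responder in trace}
    return [hop.name for hop in path if hop.name not in seen]


# Constructed path mirroring the post: LAN router, ipfilter box, upstream router, target.
PATH_FASTROUTED = [
    Hop("cisco-a.lan"),
    Hop("ipfilter-fw", decrements_ttl=False),
    Hop("cisco-a.inetpbr"),
    Hop("www.ru"),
]

# Same path, but with the firewall forwarding through the kernel routing code.
PATH_KERNEL_ROUTED = [
    Hop("cisco-a.lan"),
    Hop("ipfilter-fw", decrements_ttl=True),
    Hop("cisco-a.inetpbr"),
    Hop("www.ru"),
]


if __name__ == "__main__":
    for label, path in (("fast-routed", PATH_FASTROUTED), ("kernel-routed", PATH_KERNEL_ROUTED)):
        trace = traceroute(path)
        print(f"{label}:")
        for probe_ttl, responder in trace:
            print(f"  {probe_ttl:2d}  {responder}")
        print(f"  hidden hops: {invisible_hops(path, trace)}")
```

With the fast-routed path the simulated trace lists the upstream router at hop 2 and reports `ipfilter-fw` as hidden, which is exactly the merged line in the real output above; with the kernel-routed path the firewall shows up at hop 2 and the upstream router moves to hop 3.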
