On Fri, 30 Aug 2002, Daniel Hartmeier wrote:
> On Thu, Aug 29, 2002 at 09:56:17PM +0200, Alexandre Dulaunoy wrote:
>
> > As the scrub directive can be set with a specified min/max ttl, it could
> > also be useful to add a set_ttl directive into scrub to make a
> > normalization of the ttl in the packet.
>
> It's certainly possible, but wouldn't it royally break traceroute and
> other applications that _use_ ttl?
Yes, like any other packet filter or traffic normalizer with
this type of feature. This is not a standard feature.
>
> Is this an attempt to hide the fact that connections from behind the
> firewall originate from different hosts? How does min-ttl 255 not
> achieve the same result? The packets might still take different paths
> with varying number of hops and arrive with varying ttls at the
> destination.
Yes, but the set-ttl could be applied to input packets for a
specified interface (like ext_int à la FW1). Just an idea; I need to
check -current to see the inner architecture of pf.
You are right, there are multiple implications of doing that.
>
> Or what's the purpose of resetting all ttls that pass through the
> filter?
To have a traffic normalizer in front of an architecture to limit
the ttl-forged packets and other stuff like that, and to have a correct
overview afterwards for the NIDS, so it could concentrate on some other task.
I know this is not a standard feature (means exploding some RFCs
;-) but this could be useful in some cases. For example, we have the need
with a honeynet...
Thanks a lot for your time.
adulau
--
Alexandre Dulaunoy -- http://www.foo.be/
3B12 DCC2 82FA 2931 2F5B 709A 09E2 CD49 44E6 CBCD --- AD993-6BONE
"People who fight may lose. People who do not fight have already lost."
Bertolt Brecht
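The trade-off the two of them are arguing about can be made concrete with a small model. The following is an added example, not pf code and not part of the original thread; it assumes a topology (a normalizing firewall, a passive NIDS tap one router in, the protected host four routers in) and models pf's existing `min-ttl` as "raise TTL to at least N" and the proposed `set-ttl` as "overwrite TTL". The packet that reaches the NIDS tap but expires before the host is the "ttl-forged packet" the NIDS would otherwise have to reason about; the traceroute function shows what an outside traceroute would still learn once the normalizer is in place.

```python
"""Toy model of TTL normalization in front of a NIDS (added example, not pf code).

Assumed topology: firewall (normalizer) -> router 1 -> [NIDS tap] -> router 2
-> router 3 -> router 4 -> host. Routers decrement TTL and discard a packet
when it would hit 0 (answering with ICMP time-exceeded).
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

NIDS_HOPS = 1   # NIDS taps the link right behind the first internal router
HOST_HOPS = 4   # protected host sits four routers past the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    ttl: int
    payload: bytes


def normalize(pkt: Packet, min_ttl: Optional[int] = None,
              set_ttl: Optional[int] = None) -> Packet:
    """Scrub-style TTL normalization at the firewall.

    min_ttl models `scrub ... min-ttl N` (raise TTL to at least N);
    set_ttl models the proposed `set-ttl` (overwrite unconditionally).
    Both semantics are assumptions for this model, not pf's implementation.
    """
    ttl = pkt.ttl
    if set_ttl is not None:
        ttl = set_ttl
    elif min_ttl is not None and ttl < min_ttl:
        ttl = min_ttl
    return replace(pkt, ttl=ttl)


def forward(pkt: Packet, hops: int) -> Tuple[Optional[Packet], int]:
    """Push a packet through `hops` routers.

    Returns (packet as delivered or None if discarded,
             index of the discarding router, or `hops` if it got through).
    """
    for i in range(1, hops + 1):
        if pkt.ttl <= 1:
            return None, i          # router i would decrement to 0: discard
        pkt = replace(pkt, ttl=pkt.ttl - 1)
    return pkt, hops


def deliver(pkt: Packet, min_ttl: Optional[int] = None,
            set_ttl: Optional[int] = None,
            host_hops: int = HOST_HOPS) -> Tuple[Optional[Packet], Optional[Packet]]:
    """Return (what the NIDS tap sees, what the host receives)."""
    pkt = normalize(pkt, min_ttl, set_ttl)
    at_nids, _ = forward(pkt, NIDS_HOPS)
    at_host, _ = forward(pkt, host_hops)
    return at_nids, at_host


def traceroute(host_hops: int = HOST_HOPS, min_ttl: Optional[int] = None,
               set_ttl: Optional[int] = None, max_ttl: int = 8) -> List[int]:
    """Router indices an outside traceroute would discover behind the normalizer.

    A hop is only learned when a probe expires at that router; once a probe
    reaches the host there is nothing more to learn.
    """
    found: List[int] = []
    for ttl in range(1, max_ttl + 1):
        probe = normalize(Packet("prober", ttl, b"probe"), min_ttl, set_ttl)
        delivered, where = forward(probe, host_hops)
        if delivered is not None:
            break
        found.append(where)
    return found


if __name__ == "__main__":
    # Constructed sample: TTL just large enough to pass the NIDS tap but
    # expire before the host, i.e. the packet only the NIDS ever sees.
    short = Packet("10.0.0.5", 3, b"GET /")
    print("raw      :", deliver(short))
    print("min-ttl  :", deliver(short, min_ttl=255))
    print("set-ttl  :", deliver(short, set_ttl=64))
    print("traceroute, raw    :", traceroute())
    print("traceroute, min-ttl:", traceroute(min_ttl=255))
```

Running it reproduces both points made in the thread: with `min-ttl 255` (or an overwrite) the short-TTL packet now reaches the host, so NIDS and host see the same traffic, but hosts at different distances still receive different TTLs (251 versus 249 for hosts four and six routers in), and an outside traceroute discovers no hops at all because every probe is lifted past the last router.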