On Sep 24, 2011, at 9:14 AM, Tom Eastep wrote:

> On Sat, 2011-09-24 at 09:00 -0700, Tom Eastep wrote:
>
>>> Second question for a different box (xen dom0): I want to add rules for
>>> certain public IPs that have the form of iptables -t mangle -d $dest -j
>>> TTL --ttl-inc 1 -- this would hide the firewall from traceroute etc. to
>>> domU's. How can this be done?
>>
>> You will have to use an Action that either has an associated extension
>> script or that uses BEGIN PERL...END PERL and generates the rule in
>> Perl. /usr/share/shorewall/action.Invalid would be a good example to
>> follow. See also http://www.shorewall.net/Actions.html.
>>
>
> I should note that to use this approach, you must invoke the action in
> the ALL section of the rules file and your iptables/kernel must allow
> mangling in the filter table.
>
Just tried this and, although the MARK targets are allowed in the filter
table, 'TTL' is not. So you will have to place the command in the 'start'
extension script.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
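A 'start' extension script along the lines Tom describes, as an added example that is not from this thread or from the Shorewall project: it places the TTL rule in the mangle table's PREROUTING chain (my choice, so the increment happens before the forwarding decision would expire the packet), checks with -C before -A so a restart does not duplicate the rule, and assumes /etc/shorewall/start as the path and constructed TEST-NET-3 addresses for the domUs.

```shell
#!/bin/sh
# /etc/shorewall/start extension script (constructed example, not from the thread).
# Shorewall sources this file once the compiled ruleset is in place. The TTL
# target is mangle-only, hence mangle/PREROUTING: a packet arriving with
# TTL 1 is bumped to 2 before the forwarding decision, so dom0 never emits
# the ICMP time-exceeded that would show it as a traceroute hop.

IPT="${IPT:-iptables}"

# Public addresses of the domUs in front of which dom0 should be hidden
# (constructed TEST-NET-3 values). Only list hosts routed to directly:
# incrementing TTL on transit traffic can keep a looping packet alive.
HIDDEN_DESTS="203.0.113.10 203.0.113.11"

# Accept only a dotted quad, optionally with /prefix, so a typo in the list
# cannot become an unexpected iptables argument.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Chain plus match/target for one destination, shared by the -C and -A calls.
ttl_rule_spec() {
    printf 'PREROUTING -d %s -j TTL --ttl-inc 1' "$1"
}

# Add the rule only if it is absent, so re-running on 'shorewall restart'
# never leaves duplicates behind.
apply_ttl_rule() {
    dest=$1
    valid_ipv4 "$dest" || { echo "start: bad address '$dest'" >&2; return 1; }
    # word splitting of the spec into separate arguments is intended
    "$IPT" -t mangle -C $(ttl_rule_spec "$dest") 2>/dev/null ||
        "$IPT" -t mangle -A $(ttl_rule_spec "$dest")
}

hide_dom0_ttl() {
    for d in $HIDDEN_DESTS; do
        apply_ttl_rule "$d" || return 1
    done
}

# Touch the kernel only when iptables exists and the mangle table is reachable
# (CAP_NET_ADMIN), as it is when Shorewall sources this file.
if "$IPT" -t mangle -S PREROUTING >/dev/null 2>&1; then
    hide_dom0_ttl
fi
```

After a restart, `iptables -t mangle -S PREROUTING` should list exactly one TTL rule per address in HIDDEN_DESTS.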
