Firewall Wizards: Re: firewalk meets nmap - TTL (fwd)

From: Chuck Swiger <chuck_at_codefab.com>
Date: Mon, 6 Nov 2000 12:30:22 -0500

On Sat, 4 Nov 2000 21:13:33 -0600 (CST), Lance Spitzner wrote:
> However, if the packet is accepted by the firewall (and
> the port is not filtered), the firewall will attempt to
> forward it. However, the TTL will now be zero and the
> firewall will respond with an ICMP TTL expired error message.
> You can now map what ports are passed through the firewall
> (i.e. not filtered) without a packet ever passing through the
> firewall.

Very interesting point. Of course, this is assuming a layer-3 firewall (i.e.,
something acting as a router between subnets which decrements the TTL),
rather than something acting more like a layer-2 bridge.

FreeBSD has (from /usr/src/sys/i386/conf/LINT):

# IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
# packets without touching the ttl). This can be useful to hide firewalls
# from traceroute and similar tools.
options IPSTEALTH #support for stealth forwarding

[ ... ]

# IPFIREWALL as well. See the dummynet(4) manpage for more info.
# BRIDGE enables bridging between ethernet cards -- see bridge(4).
# You can use IPFIREWALL and dummynet together with bridging.

options DUMMYNET
options BRIDGE

I suppose you could also filter locally-generated ICMP error responses from
the firewall itself.

-Chuck

           Chuck Swiger | chuck_at_codefab.com | Spin VBHY?
           -------------+-------------------+-----------
           "Diplomacy is the art of saying 'Nice doggy',
            while searching for a rock." -- Talleyrand

_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_nfr.com
http://www.nfr.com/mailman/listinfo/firewall-wizards
Received on Nov 08 2000
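
Added example (not part of the original message, and not code from firewalk, nmap or FreeBSD): a toy Python model of the behaviour discussed in this message, comparing a TTL-decrementing layer-3 firewall with stealth forwarding/bridging and with suppression of the firewall's own ICMP errors. All class, function and field names are hypothetical, and the ruleset and port list are constructed.

```python
# Added illustration: toy model, not code from firewalk, nmap or FreeBSD.
# All class, function and field names are hypothetical.
from dataclasses import dataclass


@dataclass
class Firewall:
    allowed_ports: frozenset         # destination ports the ruleset passes
    decrements_ttl: bool = True      # False models IPSTEALTH or a layer-2 bridge
    emits_icmp_errors: bool = True   # False models filtering the firewall's own ICMP errors

    def handle(self, dst_port: int, ttl: int) -> str:
        """Return what the sender sees from the firewall for one packet."""
        if dst_port not in self.allowed_ports:
            return "silence"                     # dropped by the ruleset
        if self.decrements_ttl:
            ttl -= 1
            if ttl <= 0:
                # Passed the filter, then expired while being forwarded.
                return "icmp-time-exceeded" if self.emits_icmp_errors else "silence"
        return "forwarded"                       # leaves the firewall; model stops here


def leaked_ports(fw: Firewall, ports, ttl: int = 1) -> set:
    """Ports the firewall itself reveals as unfiltered via an ICMP error."""
    return {p for p in ports if fw.handle(p, ttl) == "icmp-time-exceeded"}


RULESET = frozenset({25, 80})        # constructed sample ruleset
PROBED = [22, 25, 80, 443]           # constructed sample ports

if __name__ == "__main__":
    cases = {
        "layer-3, default": Firewall(RULESET),
        "stealth forwarding / bridge": Firewall(RULESET, decrements_ttl=False),
        "own ICMP errors filtered": Firewall(RULESET, emits_icmp_errors=False),
    }
    for name, fw in cases.items():
        print(f"{name:30} leaked: {sorted(leaked_ports(fw, PROBED))}")
```

Only the default layer-3 case reports the passed ports; in the stealth case the packet is forwarded unchanged, so what the next hop does with it is outside this model.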
