All of lore.kernel.org
 help / color / mirror / Atom feed
From: "John A. Sullivan III" <john.sullivan@nexusmgmt.com>
To: Henrik Nordstrom <hno@marasystems.com>, netfilter@lists.netfilter.org
Cc: Harald Welte <laforge@netfilter.org>,
	netfilter-devel@lists.netfilter.org
Subject: Re: TTL patch buggy?
Date: Wed, 07 Jan 2004 14:04:36 -0500	[thread overview]
Message-ID: <1073502275.16972.10.camel@jasiiitosh.nexusmgmt.com> (raw)
In-Reply-To: <Pine.LNX.4.44.0401071709030.4717-100000@filer.marasystems.com>

On Wed, 2004-01-07 at 11:16, Henrik Nordstrom wrote:
> On Tue, 6 Jan 2004, John A. Sullivan III wrote:
> 
> > <snip>.  We are
> > planning to not only use the TTL patch in ISCS to create stealth
> > firewalls but also to secure communications between internal and DMZ
> > systems by allowing admins to set TTL on a per service basis to allow
> > the DMZ <-> Internal flow to only have enough life to live on the site
> > and not to be set anywhere else on the Internet.  We think this is a
> > pretty interesting feature and hence are keen on the TTL patch working. 
> 
> Take care to never increase the TTL value however.
> 
> There is no technical problems from artificially decreasing the TTL, but 
> increasing should never be done unless you are 200% sure on what you are 
> doing (and even then you should not).
> 
> The TTL target is dangerous in the sense that it allows the packet ttl to
> be set freely with no restrictions. But if combined with a "-m ttl
> --ttl-gt NEWVALUE" then you should be safe.
> 
> Harald: What do you think about making the patch civilised and restricting
> the TTL to be set to lower values only eleminating the need of the above
> safeguard match? (simply change "new_ttl != iph->ttl" to "new_ttl < 
> iph->ttl")
> 
> Regards
> Henrik

Thank you very much but could you please explain this a bit more.  Oskar
Andreasson's tutorial explicitly mentions doing this, i.e., incrementing
TTL and we thought it was a good idea.  We certainly want to change our
ways if this is dangerous.  Here is the excerpt from the tutorial:

The --ttl-inc option tells the TTL target to increment the Time To Live
value with the value specified to the --ttl-inc option. This means that
we should raise the TTL value with the value specified in the --ttl-inc
option, and if we specified --ttl-inc 4, a packet entering with a TTL of
53 would leave the host with TTL 56. Note that the same thing goes here,
as for the previous example of the --ttl-dec option, where the network
code will automatically decrement the TTL value by 1, which it always
does. This may be used to make our firewall a bit more stealthy to
trace-routes among other things. By setting the TTL one value higher for
all incoming packets, we effectively make the firewall hidden from
trace-routes.
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 

  reply	other threads:[~2004-01-07 19:04 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2004-01-02 15:02 TTL patch buggy? John A. Sullivan III
2004-01-06 18:56 ` Harald Welte
2004-01-06 22:18   ` John A. Sullivan III
2004-01-07 16:16     ` Henrik Nordstrom
2004-01-07 19:04       ` John A. Sullivan III [this message]
2004-01-07 19:18         ` Antony Stone
2004-01-07 20:44           ` Ramin Dousti
2004-01-07 19:35         ` Harald Welte
2004-01-07 20:07           ` John A. Sullivan III
2004-01-07 21:38             ` Ramin Dousti
2004-01-08  8:02               ` Cedric Blancher
2004-01-08 16:25                 ` Ramin Dousti
2004-01-08 19:17                   ` Cedric Blancher
2004-01-07 21:19           ` Ramin Dousti
2004-01-07 20:54             ` Henrik Nordstrom
2004-01-07 20:54               ` Henrik Nordstrom
2004-01-07 22:16               ` Ramin Dousti
2004-01-08  7:14                 ` Henrik Nordstrom
2004-01-08  7:14                   ` Henrik Nordstrom
2004-01-08 20:56                   ` Ramin Dousti
2004-01-07 20:36         ` Ramin Dousti
2004-01-07 19:31       ` Harald Welte
  -- strict thread matches above, loose matches on Subject: below --
2004-01-08 14:32 bmcdowell
2004-01-02 13:13 John A. Sullivan III
2004-01-02 14:27 ` Antony Stone

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1073502275.16972.10.camel@jasiiitosh.nexusmgmt.com \
    --to=john.sullivan@nexusmgmt.com \
    --cc=hno@marasystems.com \
    --cc=laforge@netfilter.org \
    --cc=netfilter-devel@lists.netfilter.org \
    --cc=netfilter@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.