On Sunday 08 February 2004 05:51 am, Enric Lafont wrote:
> Hi
>
> I'm building a router-firewall with Shorewall and it's a really nice
> product. After reading the iptables-save list of rules Shorewall has
> created for my firewall I can finally really understand what iptables
> does and how it works. THANKS TOM for the GREAT WORK you have done.
>
> But I've two small problems I would like to solve. I've been lurking on
> the mailing list and searching in Google, but I've not found any real
> answer. If someone could help, I would be very grateful. An answer like
> "Shorewall can not do that" is welcome also.
>
> I would like to increment the IP TTL flag in the router for incoming
> packets, so a traceroute could not detect the firewall. It must be
> something like
>
> "iptables -t mangle -A PREROUTING -p all -j TTL --ttl-inc 1"
>
> but I don't know what I must write to get this, and the Linux /proc does
> not have (or seems not to have) any global setting to do it.
Use an extension script (probably /etc/shorewall/start) -- see
http://www.shorewall.net/shorewall_extension_scripts.htm.
>
> My other question is User Defined Policies. The firewall is of the kind
> "Traffic not explicitly allowed is dropped". This policy is right, but I
> would like to have something like "Traffic not explicitly allowed goes
> to the HoneyPot". I've been testing with actions and DNAT after all
> "rules", but this does not work, because "Going to the HoneyPot" is a
> policy and not a rule, and DNAT gets processed in the nat:PREROUTING
> chain where it's too early to change addresses. I would like to have the
> DNAT done only on dropped traffic. Is there any way to do it?
Not with iptables, no.
>
> That's all, and thanks to Tom for making my life a little bit easier.
You're welcome.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
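As an added example (not from the thread or from the Shorewall project): an /etc/shorewall/start extension script of the kind Tom suggests, applying the TTL-increment rule from Enric's message only on an assumed external interface eth0, with the availability check a practitioner would want because the TTL target was an optional add-on on many kernels of the time.

```shell
#!/bin/sh
# Constructed /etc/shorewall/start extension script. Shorewall sources
# this file after it has built its own rule set, so the rule below is
# re-added on every start/restart.
#
# Assumptions (not from the thread): the Internet-facing interface is
# eth0, and the iptables TTL target (mangle table only) is loadable.

EXT_IF="${EXT_IF:-eth0}"   # assumed external interface name
TTL_INC="${TTL_INC:-1}"    # +1 exactly cancels this hop's decrement

# Build the argument list for the mangle rule. It must sit in PREROUTING:
# the kernel tests TTL<=1 (and sends the ICMP time-exceeded that
# traceroute depends on) before the FORWARD hook runs, so FORWARD is too
# late. Matching on -i keeps the increment off LAN-side traffic; keep the
# increment at 1, since larger values let any routing loop live longer.
ttl_inc_rule() {
    iface=$1
    inc=$2
    case $inc in
        ''|*[!0-9]*) echo "ttl_inc_rule: increment must be numeric" >&2; return 1 ;;
    esac
    if [ "$inc" -lt 1 ] || [ "$inc" -gt 255 ]; then
        echo "ttl_inc_rule: increment out of range 1..255" >&2
        return 1
    fi
    echo "-t mangle -A PREROUTING -i $iface -j TTL --ttl-inc $inc"
}

# True only if this iptables build can load the TTL target extension.
ttl_target_available() {
    iptables -t mangle -j TTL --help >/dev/null 2>&1
}

if rule=$(ttl_inc_rule "$EXT_IF" "$TTL_INC") && ttl_target_available; then
    # shellcheck disable=SC2086  -- word-splitting of $rule is intended
    iptables $rule
else
    echo "TTL target unavailable or bad parameters; TTL left untouched" >&2
fi
```

Check the result with `iptables -t mangle -L PREROUTING -v -n` after `shorewall restart`; a traceroute from outside should then show one hop fewer, while the firewall's own replies are unaffected.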