Tom hi, Back in 2011 you added the TTL target in tcrules per my request: http://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg12420.html Today I tried adding the rule to tcrules in shorewall 4.5.5.3 on the following (typical) setup: Internet -> eth0(in) -> Shorewall -> eth1(out) -> internal hosts /etc/shorewall/tcrules: TTL(+1) eth0 eth1 all With said Shorewall version, I found that TTL is only allowed to be added to the FORWARD chain in the mangle table. However, in order to hide ''Shorewall'' from e.g. traceroute in the above setup, it has to be added to the PREROUTING chain of the mangle table. Currently this is not allowed. Could you please make it possible? In other words: TTL(+1):P eth0 eth1 all Thank you, -- Stay in touch, Mark van Dijk. ,------------------------------------ -------------------------------'' Tue Aug 28 17:57 UTC 2012 Today is Setting Orange, the 21st day of Bureaucracy in the YOLD 3178 ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today''s security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 08/28/2012 11:12 AM, Mark van Dijk wrote:> Tom hi, > > Back in 2011 you added the TTL target in tcrules per my request: > > http://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg12420.html > > Today I tried adding the rule to tcrules in shorewall 4.5.5.3 on the > following (typical) setup: > > Internet -> eth0(in) -> Shorewall -> eth1(out) -> internal hosts > > /etc/shorewall/tcrules: > TTL(+1) eth0 eth1 all > > With said Shorewall version, I found that TTL is only allowed to be > added to the FORWARD chain in the mangle table. However, in order to > hide ''Shorewall'' from e.g. traceroute in the above setup, > it has to be > added to the PREROUTING chain of the mangle table. Currently this is not > allowed. Could you please make it possible? In other words: > > TTL(+1):P eth0 eth1 allPatch attached. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today''s security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 08/28/2012 11:12 AM, Mark van Dijk wrote:> Tom hi, > > Back in 2011 you added the TTL target in tcrules per my request: > > http://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg12420.html > > Today I tried adding the rule to tcrules in shorewall 4.5.5.3 on the > following (typical) setup: > > Internet -> eth0(in) -> Shorewall -> eth1(out) -> internal hosts > > /etc/shorewall/tcrules: > TTL(+1) eth0 eth1 all > > With said Shorewall version, I found that TTL is only allowed to be > added to the FORWARD chain in the mangle table. However, in order to > hide ''Shorewall'' from e.g. traceroute in the above setup, > it has to be > added to the PREROUTING chain of the mangle table. Currently this is not > allowed. Could you please make it possible? In other words: > > TTL(+1):P eth0 eth1 allWith the patch I posted, you don''t want ''eth1'' in the DEST column.... -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today''s security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> > > > TTL(+1):P eth0 eth1 all > > With the patch I posted, you don''t want ''eth1'' in the DEST column.... >Good morning, Thanks for the patch Tom, I''ll test it today. I''m not sure why I don''t want eth1 as the destination; could you explain? What /do/ I want to put in DEST, if anything at all? :) (email resent to list, I used the wrong from address so the list bounced it) -- Stay in touch, Mark van Dijk. ,--------------------------------- ----------------------------'' Thu Aug 30 07:57 UTC 2012 Today is Boomtime, the 23rd day of Bureaucracy in the YOLD 3178 ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today''s security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 08/30/2012 12:58 AM, Mark van Dijk wrote:>>> >>> TTL(+1):P eth0 eth1 all >> >> With the patch I posted, you don''t want ''eth1'' in the DEST column.... >> > > > Good morning, > > Thanks for the patch Tom, I''ll test it today. I''m not sure why I > don''t want eth1 as the destination; could you explain? What /do/ I want > to put in DEST, if anything at all? :) >The rule is in the PREROUTING (*before routing*) chain so the output interface (if any) is unknown because the packet hasn''t been routed yet. Leave the column empty or put ''-'' there. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today''s security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 08/30/2012 07:47 AM, Mark van Dijk wrote:> > I am not sure about is why this does not seem to do anything when it''s > added to FORWARD chain.. any idea? >The TTL is decremented during routing. If it is zero after being decremented, an ICMP response is generated. With the rule in the FORWARD chain, the TTL gets re-incremented provided that the ICMP wasn''t generated. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today''s security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/