From: Chris Brenton <cbrenton@chrisbrenton.org>
To: netfilter <netfilter@lists.netfilter.org>
Subject: Re: Drop packets with low IP Time to Live field value
Date: Fri, 24 Dec 2004 21:08:12 -0500
Message-ID: <1103940492.2011.19.camel@grendel>
In-Reply-To: <1103914608.14459.23.camel@hubcap.ljm.dom>
On Fri, 2004-12-24 at 13:56, Jason Opperisano wrote:
>
> this has nothing to do with netfilter or firewalling--it is part of
> standard routing.
Agreed. TTL of 0 should never happen unless the upstream router has gone
rogue or has been compromised.
> that all being said--use the ttl match:
>
> iptables [...] -m ttl --ttl-eq 1 [...]
> iptables [...] -m ttl --ttl-lt 1 [...]
>
> i don't condone the use of the above.
I've rejected TTLs of 5 or less with a host unreachable for many years
and have never had a problem. It's a great way to detect, and usually
prevent, tools such as Firewalk and TCPTrace.
The lowest starting TTL you will see in the wild today is 32. Even then,
that's only certain networking hardware, as most OSes are 64 or higher.
Given that most hosts are 14-18 hops away from each other on the
Internet, filtering TTLs of 5 or less should cause zero problems with
legitimate traffic.
HTH,
Chris
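As an added illustration (not from the thread or from netfilter), the script below applies the reasoning in the reply above to constructed iptables-style log lines: it infers the sender's likely initial TTL and hop count, flags packets at or below the "5 or less" cutoff, and emits the equivalent `-m ttl` REJECT rule. The initial-TTL table and the sample log are assumptions made for the example.

```python
import re

# Common initial TTL values (assumption: 32 for some hardware, 64/128/255 for
# typical OS stacks, as the reply above suggests).
INITIAL_TTLS = (32, 64, 128, 255)
LOW_TTL_THRESHOLD = 5  # "5 or less" cutoff from the reply

# Constructed sample log lines in the format the iptables LOG target writes.
SAMPLE_LOG = """\
IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 TTL=3 PROTO=TCP DPT=80
IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 TTL=49 PROTO=TCP DPT=443
IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 TTL=1 PROTO=UDP DPT=33434
IN=eth0 SRC=192.0.2.77 DST=192.0.2.10 TTL=118 PROTO=TCP DPT=22
"""


def infer_hops(ttl):
    """Return (assumed initial TTL, hops travelled) for an observed TTL.

    The initial TTL is taken to be the smallest common value >= observed,
    so a TTL of 49 is read as 64 - 15 hops, and a TTL of 3 as 32 - 29 hops.
    """
    if not 0 <= ttl <= 255:
        raise ValueError(f"TTL {ttl} outside 0-255")
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    raise AssertionError("unreachable: 255 is always an upper bound")


def classify(ttl):
    """Policy from the reply: reject TTL <= threshold, accept everything else."""
    return "reject" if ttl <= LOW_TTL_THRESHOLD else "accept"


def scan_log(text):
    """Return (src, ttl, initial_ttl, hops) for every flagged line in text."""
    flagged = []
    for line in text.splitlines():
        src = re.search(r"SRC=(\S+)", line)
        ttl = re.search(r"TTL=(\d+)", line)
        if not (src and ttl):
            continue  # not a LOG-target line; skip it
        value = int(ttl.group(1))
        if classify(value) == "reject":
            initial, hops = infer_hops(value)
            flagged.append((src.group(1), value, initial, hops))
    return flagged


def iptables_rule(threshold=LOW_TTL_THRESHOLD, chain="INPUT"):
    """--ttl-lt N matches TTL strictly below N, so use threshold + 1."""
    return (f"iptables -A {chain} -m ttl --ttl-lt {threshold + 1} "
            "-j REJECT --reject-with icmp-host-unreachable")
```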