Playing nice with incoming traceroutes

Hello, I'm considering allowing inbound traceroutes to find me, in the
interest of being a good Internet citizen.  I could simply open the
right UDP ports, but I'd rather more tightly control what's allowed
than simply opening them up entirely.  Thus I'm considering something
like the following.  Should it meet my expectations of responding
appropriately to traceroutes but otherwise not letting traffic
through?

-A INPUT -p udp --dport 33434:33534 -m ttl --ttl-eq 1 -j REJECT --reject-with icmp-port-unreachable

I'm using ttl-eq 1 because that's the lowest TTL that showed up in my
netfilter logs when I tried to traceroute my machine earlier.  In
other words, I don't think I should use 0, but am willing to be
convinced otherwise.

Also, I'm a little unsure if I should be using another ICMP code when
I send the REJECT packet.  But port unreachable seemed reasonable. =)

Thanks!

--Mike
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
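The following is an added worked example, not code from the original post or from the netfilter project. It models a classic UDP traceroute (probes sent with TTL 1, 2, 3, ... three probes per TTL, destination port starting at 33434 and incremented for every probe, which is the behaviour of the traditional Unix traceroute) crossing a path of routers, and applies the rule quoted above to whatever reaches the destination host. The hop count, probe counts and the DROP fall-through for non-matching packets are assumptions of the model, chosen to show why the probes that reach the host carry TTL 1 and never TTL 0, and which probes the rule answers versus silently drops.

```python
"""Model of UDP traceroute probes arriving at a host behind the rule
   -A INPUT -p udp --dport 33434:33534 -m ttl --ttl-eq 1 -j REJECT --reject-with icmp-port-unreachable
Constructed example; the path length and probe parameters are assumptions."""

from dataclasses import dataclass

# Port range taken from the rule in the post.
TRACEROUTE_PORT_LO, TRACEROUTE_PORT_HI = 33434, 33534


@dataclass
class Probe:
    ttl: int    # TTL as set by the sender
    dport: int  # UDP destination port


def forward(probe, router_count):
    """Carry a probe across router_count routers toward the destination host.

    Every router decrements the TTL; if it reaches 0 the router discards the
    probe and answers with ICMP time-exceeded, so a TTL-0 packet is never
    delivered to the host. Returns ("time-exceeded", router_index) or
    ("arrived", ttl_as_seen_by_host).
    """
    ttl = probe.ttl
    for router in range(1, router_count + 1):
        ttl -= 1
        if ttl == 0:
            return ("time-exceeded", router)
    return ("arrived", ttl)


def host_rule(dport, ttl):
    """The proposed INPUT rule; anything it does not match is assumed to fall
    through to a DROP policy (assumption, not stated in the post)."""
    if TRACEROUTE_PORT_LO <= dport <= TRACEROUTE_PORT_HI and ttl == 1:
        return "icmp-port-unreachable"
    return "drop"


def run_traceroute(router_count, max_ttl=30, probes_per_hop=3, first_port=33434):
    """Simulate classic UDP traceroute: TTL 1..max_ttl, probes_per_hop probes
    per TTL, port incremented per probe, stop once the host itself answers.
    Returns a list of (sent_ttl, dport, ttl_at_host_or_None, verdict)."""
    results = []
    port = first_port
    for ttl in range(1, max_ttl + 1):
        host_answered = False
        for _ in range(probes_per_hop):
            outcome = forward(Probe(ttl, port), router_count)
            if outcome[0] == "arrived":
                verdict = host_rule(port, outcome[1])
                results.append((ttl, port, outcome[1], verdict))
                host_answered |= verdict == "icmp-port-unreachable"
            else:
                results.append((ttl, port, None, "time-exceeded@router%d" % outcome[1]))
            port += 1
        if host_answered:
            break  # traceroute stops once the destination replies
    return results


def port_range_needed(max_ttl=30, probes_per_hop=3, first_port=33434):
    """Highest destination port a full-length traceroute will use, so the
    rule's --dport range can be checked against it."""
    return first_port + max_ttl * probes_per_hop - 1


if __name__ == "__main__":
    for row in run_traceroute(router_count=5):
        print(row)
    print("highest port used by a 30-hop, 3-probe traceroute:", port_range_needed())
```

Running the model with five routers in the path shows the first 15 probes being answered by routers with time-exceeded, and the three probes sent with TTL 6 arriving at the host with TTL exactly 1 and getting the port-unreachable reject; a probe sent with a larger TTL would arrive with TTL greater than 1 and be dropped by the fall-through. The last function confirms that the rule's range up to 33534 covers the 33523 a default 30-hop, 3-probe run can reach.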
