You would send an ICMP time exceeded (type 11) packet: if you receive a packet with a ttl=1, you will decrement it by one, realize it is 0, and send the ICMP time exceeded. Traceroute could also use ping, ICMP echo request (type 8).

Pieter

On Fri, May 14, 2010 at 11:17 PM, Curby <curby@xxxxxx> wrote:
> Hello, I'm considering allowing inbound traceroutes to find me, in the
> interest of being a good Internet citizen. I could simply open the
> right udp ports, but I'd rather more tightly control what's allowed
> than simply opening them up entirely. Thus I'm considering something
> like the following. Should it meet my expectations of responding
> appropriately to traceroutes but otherwise not letting traffic
> through?
>
> -A INPUT -p udp --dport 33434:33534 -m ttl --ttl-eq 1 -j REJECT --reject-with icmp-port-unreachable
>
> I'm using ttl-eq 1 because that's the lowest TTL that showed up in my
> netfilter logs when I tried to traceroute my machine earlier. In
> other words, I don't think I should use 0, but am willing to be
> convinced otherwise.
>
> Also, I'm a little unsure if I should be using another ICMP code when
> I send the REJECT packet. But port unreachable seemed reasonable. =)
>
> Thanks!
>
> --Mike
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
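The exchange the thread is talking about, as an added example (this is not code from Pieter or Curby, and it does not touch iptables): a small Python model in which each router decrements the TTL of a UDP probe and answers ICMP Time Exceeded (type 11, code 0) when it reaches 0, while the destination host runs the posted INPUT rule, answering ICMP Port Unreachable (type 3, code 3) only for UDP to 33434:33534 that arrives with TTL equal to 1, and silently dropping everything else (an assumed DROP policy). The router addresses and the target are constructed documentation addresses, and the model sends one probe per TTL where a real traceroute sends three. Running it shows why the first probe that reaches the host arrives with TTL 1, and that the same host does not answer a probe on a traceroute port that arrives with an ordinary TTL.

```python
"""Model of the UDP traceroute exchange discussed in the thread (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TRACEROUTE_PORT_MIN, TRACEROUTE_PORT_MAX = 33434, 33534
ICMP_DEST_UNREACH, ICMP_PORT_UNREACH = 3, 3      # type 3 / code 3
ICMP_TIME_EXCEEDED, ICMP_TTL_EXPIRED = 11, 0     # type 11 / code 0


@dataclass
class Probe:
    proto: str
    dport: int
    ttl: int


@dataclass
class IcmpReply:
    sender: str
    icmp_type: int
    icmp_code: int


def router_forward(router_ip: str, probe: Probe) -> Optional[IcmpReply]:
    """A forwarding hop: decrement TTL; when it hits 0, drop and send type 11/0."""
    probe.ttl -= 1
    if probe.ttl == 0:
        return IcmpReply(router_ip, ICMP_TIME_EXCEEDED, ICMP_TTL_EXPIRED)
    return None


def host_input_chain(host_ip: str, probe: Probe) -> Optional[IcmpReply]:
    """The destination's INPUT chain, modelling the rule from the thread:
        -A INPUT -p udp --dport 33434:33534 -m ttl --ttl-eq 1 \
            -j REJECT --reject-with icmp-port-unreachable
    The host matches on the TTL the packet arrived with (it does not
    decrement TTL for packets addressed to itself). No match: silent drop
    (assumed DROP policy)."""
    if (probe.proto == "udp"
            and TRACEROUTE_PORT_MIN <= probe.dport <= TRACEROUTE_PORT_MAX
            and probe.ttl == 1):
        return IcmpReply(host_ip, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH)
    return None


def send_probe(path: List[str], target: str, probe: Probe) -> Optional[IcmpReply]:
    """Push one probe through every router on `path`, then into the target host."""
    for router_ip in path:
        reply = router_forward(router_ip, probe)
        if reply is not None:
            return reply
    return host_input_chain(target, probe)


Hop = Tuple[int, Optional[str], Optional[int], Optional[int]]


def traceroute(path: List[str], target: str, max_hops: int = 30) -> List[Hop]:
    """Classic UDP traceroute: one probe per TTL, destination port incremented
    per probe, stop at the first Port Unreachable (the destination answered)."""
    hops: List[Hop] = []
    for ttl in range(1, max_hops + 1):
        probe = Probe("udp", TRACEROUTE_PORT_MIN + ttl - 1, ttl)
        reply = send_probe(path, target, probe)
        if reply is None:
            hops.append((ttl, None, None, None))      # traceroute prints "* * *"
            continue
        hops.append((ttl, reply.sender, reply.icmp_type, reply.icmp_code))
        if reply.icmp_type == ICMP_DEST_UNREACH:
            break
    return hops


# Constructed sample path and target (RFC 5737 documentation addresses).
PATH = ["10.0.0.1", "192.0.2.1", "198.51.100.1"]
TARGET = "203.0.113.5"

if __name__ == "__main__":
    for ttl, sender, t, c in traceroute(PATH, TARGET):
        print(f"{ttl:2d}  {sender or '*':<14} icmp type={t} code={c}")
    # Same host, traceroute port, but an ordinary TTL of 64: the rule does not match.
    print(send_probe(PATH, TARGET, Probe("udp", 33434, 64)))
```

With three routers in the path, the probe sent with TTL 4 is decremented to 1 by the time it reaches the host, so `--ttl-eq 1` is the value that matches the first probe to arrive; a packet to the same port with TTL 64 reaches the host with TTL 61 and falls through to the drop.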