* TTL target
@ 2002-10-31 14:44 mailinglists
  0 siblings, 0 replies; 29+ messages in thread
From: mailinglists @ 2002-10-31 14:44 UTC (permalink / raw
  To: 'netfilter@lists.netfilter.org'


Hi

this is my problem:

+ iptables -t mangle -A PREROUTING -i eth1 -j TTL --ttl-inc 1
iptables: No chain/target/match by that name

modprobe ipt_ttl is in my script.
According to
http://cert.uni-stuttgart.de/archive/usenet/comp.os.linux.security/2002/08/msg00458.html
there should be two ttl modules in
/lib/modules/2.4.18-4GB/kernel/net/ipv4/netfilter/:
ipt_TTL for the target,
ipt_ttl for matching.

ipt_TTL isn't in the modules directory.

How am I going to get this to work?

Thanks,
Philipp

PS: 
System is Suse 8.0, Kernel 2.4.18, iptables 1.2.25



^ permalink raw reply	[flat|nested] 29+ messages in thread

* TTL target
@ 2002-11-01 12:46 mailinglists
  2002-11-03 12:35 ` Cedric Blancher
  0 siblings, 1 reply; 29+ messages in thread
From: mailinglists @ 2002-11-01 12:46 UTC (permalink / raw
  To: 'netfilter@lists.netfilter.org'


Hi

this is my problem:

+ iptables -t mangle -A PREROUTING -i eth1 -j TTL --ttl-inc 1
iptables: No chain/target/match by that name

modprobe ipt_ttl is in my script.
According to
http://cert.uni-stuttgart.de/archive/usenet/comp.os.linux.security/2002/08/msg00458.html
there should be two ttl modules in
/lib/modules/2.4.18-4GB/kernel/net/ipv4/netfilter/:
ipt_TTL for the target,
ipt_ttl for matching.

ipt_TTL isn't in the modules directory.

How am I going to get this to work?

Thanks,
Philipp

PS: 
System is Suse 8.0, Kernel 2.4.18, iptables 1.2.25



* Re: TTL target
  2002-11-01 12:46 mailinglists
@ 2002-11-03 12:35 ` Cedric Blancher
  0 siblings, 0 replies; 29+ messages in thread
From: Cedric Blancher @ 2002-11-03 12:35 UTC (permalink / raw
  To: mailinglists; +Cc: 'netfilter@lists.netfilter.org'

On Fri 01/11/2002 at 13:46, mailinglists@belfin.ch wrote:
> + iptables -t mangle -A PREROUTING -i eth1 -j TTL --ttl-inc 1
> iptables: No chain/target/match by that name
> modprobe ipt_ttl is in my script.
> According to
> http://cert.uni-stuttgart.de/archive/usenet/comp.os.linux.security/2002/08/msg00458.html
> there should be two ttl modules in
> /lib/modules/2.4.18-4GB/kernel/net/ipv4/netfilter/.
> ipt_TTL for the target
> ipt_ttl for matching.
> ipt_TTL isn't in the modules directory.
[...]
> System is Suse 8.0, Kernel 2.4.18, iptables 1.2.25

You have to build your kernel and the latest iptables version (1.2.7a) using
patch-o-matic. The TTL target is not yet part of mainstream.

-- 
Cédric Blancher  <blancher@cartel-securite.fr>
Systems and network security consultant - Cartel Sécurité
Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE



* RE: TTL target
@ 2002-11-03 18:15 mailinglists
  0 siblings, 0 replies; 29+ messages in thread
From: mailinglists @ 2002-11-03 18:15 UTC (permalink / raw
  To: 'Cedric Blancher'; +Cc: 'netfilter@lists.netfilter.org'


> > + iptables -t mangle -A PREROUTING -i eth1 -j TTL --ttl-inc 1
> > iptables: No chain/target/match by that name
> > modprobe ipt_ttl is in my script.
> > According to
> > http://cert.uni-stuttgart.de/archive/usenet/comp.os.linux.security/2002/08/msg00458.html
> > there should be two ttl modules in
> > /lib/modules/2.4.18-4GB/kernel/net/ipv4/netfilter/.
> > ipt_TTL for the target
> > ipt_ttl for matching.
> > ipt_TTL isn't in the modules directory.
> [...]
> > System is Suse 8.0, Kernel 2.4.18, iptables 1.2.25
>
> You have to build your kernel and the latest iptables version (1.2.7a) using
> patch-o-matic. The TTL target is not yet part of mainstream.

By when do you expect it to be mainstream?

Philipp



* TTL target
@ 2004-07-23 17:51 Gonzalez, Federico
  0 siblings, 0 replies; 29+ messages in thread
From: Gonzalez, Federico @ 2004-07-23 17:51 UTC (permalink / raw
  To: netfilter

Hi,

I have iptables 1.2.9, Red Hat kernel 2.4.22 and I need to use the TTL
target to change the packets' TTL.

How do I enable this functionality?

Thank you.



* TTL target
@ 2004-07-23 17:56 Gonzalez, Federico
  0 siblings, 0 replies; 29+ messages in thread
From: Gonzalez, Federico @ 2004-07-23 17:56 UTC (permalink / raw
  To: netfilter

Hi,

I have iptables 1.2.9, Red Hat kernel 2.4.22 and I need to use the TTL
target to change the packets' TTL.

How do I enable this functionality?

Thank you.



* RE: TTL target
@ 2004-07-23 18:21 Jason Opperisano
  2004-07-23 18:29 ` Gonzalez, Federico
  0 siblings, 1 reply; 29+ messages in thread
From: Jason Opperisano @ 2004-07-23 18:21 UTC (permalink / raw
  To: Gonzalez, Federico, netfilter

um--on Fedora Core 1--which seems to match the versions you provide, the TTL match target is there.

$ uname -r
2.4.22-1.2197.nptl

$ iptables -V
iptables v1.2.9

# iptables -A INPUT -m ttl --ttl-eq 1 -j DROP
#

# iptables -vnL INPUT
Chain INPUT (policy DROP 184 packets, 19161 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           TTL match TTL == 1

-j


* Re: TTL target
  2004-07-23 18:21 Jason Opperisano
@ 2004-07-23 18:29 ` Gonzalez, Federico
  2004-07-23 18:43   ` Antony Stone
  0 siblings, 1 reply; 29+ messages in thread
From: Gonzalez, Federico @ 2004-07-23 18:29 UTC (permalink / raw
  To: Jason Opperisano, netfilter

I get the following error:

iptables: No chain/target/match by that name

Thanks

* RE: TTL target
@ 2004-07-23 18:34 Jason Opperisano
  2004-07-23 18:50 ` Gonzalez, Federico
  0 siblings, 1 reply; 29+ messages in thread
From: Jason Opperisano @ 2004-07-23 18:34 UTC (permalink / raw
  To: Gonzalez, Federico, netfilter

hmmm... can you provide the output of "lsmod | grep ip"?

are you running the stock kernel/iptables? what distro/version are you running? sounds like you're missing something module-wise.

-j


* RE: TTL target
@ 2004-07-23 18:43 Jason Opperisano
  2004-07-23 20:09 ` David Cary Hart
  0 siblings, 1 reply; 29+ messages in thread
From: Jason Opperisano @ 2004-07-23 18:43 UTC (permalink / raw
  To: Gonzalez, Federico, netfilter

just re-read your original post.  if you're trying to *change* the TTL of packets traversing your firewall--you need the TTL patch from patch-o-matic, which will enable a "-j TTL" target in the MANGLE table.

sorry for the confusion.

-j


* Re: TTL target
  2004-07-23 18:29 ` Gonzalez, Federico
@ 2004-07-23 18:43   ` Antony Stone
  0 siblings, 0 replies; 29+ messages in thread
From: Antony Stone @ 2004-07-23 18:43 UTC (permalink / raw
  To: netfilter

On Friday 23 July 2004 7:29 pm, Gonzalez, Federico wrote:

> I get the following error:
>
> iptables: No chain/target/match by that name

I think two people may be talking about two different things here without 
realising it:

The ttl *match* (lowercase) is for matching packets by value of the TTL field.

The TTL *target* (uppercase) is for altering the TTL value in a packet.

Sorry I can't answer the actual question, because I don't use Fedora, but 
hopefully this might help to avoid some confusion, at least...

Regards,

Antony.


-- 
"Black holes are where God divided by zero."

 - Steven Wright

                                                     Please reply to the list;
                                                           please don't CC me.
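Added here as a worked example (not code from the thread or from the netfilter project): a small POSIX sh diagnostic for the lowercase/uppercase confusion Antony describes. It maps a rule fragment to the module it needs ("-m ttl" needs ipt_ttl, "-j TTL" needs ipt_TTL and is only valid in the mangle table) and tells "not loaded" apart from "not built into this kernel", using a constructed lsmod listing modelled on the one posted in this thread. The function names and the optional module-directory argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): tell a ttl *match* problem apart
# from a TTL *target* problem before reaching for patch-o-matic.
#
# Assumptions: the rule is passed as one string, lsmod output as a second
# string, and an optional third argument names the kernel's netfilter module
# directory (e.g. /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter).

# Constructed lsmod listing, modelled on the one posted in this thread:
# the lowercase match module is loaded, the uppercase target module is not.
LSMOD_SAMPLE='Module                  Size  Used by
ipt_ttl                  592   0  (unused)
ipt_state                576   6  (autoclean)
ipt_MASQUERADE          1408   1  (autoclean)
iptable_nat            17616   1  (autoclean) [ipt_MASQUERADE]
iptable_mangle          2128   0  (autoclean) (unused)
iptable_filter          1680   1  (autoclean)
ip_tables              12160   8  [ipt_ttl ipt_state ipt_MASQUERADE iptable_nat iptable_mangle iptable_filter]'

# Map a rule fragment to the kernel module it needs. Module names are
# case-sensitive: "-m ttl" compares the TTL field (ipt_ttl), "-j TTL"
# rewrites it (ipt_TTL). Prints nothing and fails for unrelated rules.
ttl_rule_module() {
    case " $1 " in
        *" -j TTL "*) echo ipt_TTL ;;
        *" -m ttl "*) echo ipt_ttl ;;
        *) return 1 ;;
    esac
}

# Succeeds if module $1 appears in the lsmod listing read from stdin.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# Succeeds if the module object exists under directory $1
# (.o on 2.4 kernels, .ko on 2.6 and later).
module_built() {
    [ -f "$1/$2.o" ] || [ -f "$1/$2.ko" ]
}

# Print one status token for a rule:
#   not-a-ttl-rule   rule uses neither the ttl match nor the TTL target
#   wrong-table      -j TTL outside "-t mangle" (the target only lives there)
#   not-loaded:<m>   module object exists but is not loaded (modprobe it)
#   not-built:<m>    no module object at all: this kernel lacks it, which for
#                    ipt_TTL on a stock 2.4 kernel means a patch-o-matic build
#   ok               the required module is loaded
diagnose_rule() {
    rule=$1; lsmod_out=$2; moddir=${3:-}
    mod=$(ttl_rule_module "$rule") || { echo not-a-ttl-rule; return 0; }
    if [ "$mod" = ipt_TTL ]; then
        case " $rule " in
            *" -t mangle "*) ;;
            *) echo wrong-table; return 0 ;;
        esac
    fi
    if printf '%s\n' "$lsmod_out" | module_loaded "$mod"; then
        echo ok
    elif [ -n "$moddir" ] && module_built "$moddir" "$mod"; then
        echo "not-loaded:$mod"
    else
        echo "not-built:$mod"
    fi
}

# Stand-alone demonstration: the thread's failing rule and the working match
# (no module directory given, so a missing module reports as not-built).
diagnose_rule '-t mangle -A PREROUTING -i eth1 -j TTL --ttl-inc 1' "$LSMOD_SAMPLE"   # not-built:ipt_TTL
diagnose_rule '-A INPUT -m ttl --ttl-eq 1 -j DROP' "$LSMOD_SAMPLE"                     # ok
```

On a real box, pass "$(lsmod)" as the second argument and the netfilter module directory as the third; "not-built:ipt_TTL" is exactly the state the original poster was in.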




* Re: TTL target
  2004-07-23 18:34 Jason Opperisano
@ 2004-07-23 18:50 ` Gonzalez, Federico
  0 siblings, 0 replies; 29+ messages in thread
From: Gonzalez, Federico @ 2004-07-23 18:50 UTC (permalink / raw
  To: Jason Opperisano, netfilter

The output of "lsmod | grep ip" is:
[root@firewall rc.d]# lsmod | grep ip
ipt_ttl                  592   0  (unused)
ipsec                 262336   2
ipt_state                576   6  (autoclean)
ipt_MASQUERADE          1408   1  (autoclean)
iptable_nat            17616   1  (autoclean) [ipt_MASQUERADE]
ip_conntrack           19648   2  (autoclean) [ipt_state ipt_MASQUERADE iptable_nat]
iptable_mangle          2128   0  (autoclean) (unused)
iptable_filter          1680   1  (autoclean)
ip_tables              12160   8  [ipt_ttl ipt_state ipt_MASQUERADE iptable_nat iptable_mangle iptable_filter]
[root@firewall rc.d]#

I have Red Hat 7.2 and kernel 2.4.22, iptables 1.2.9 compiled in the kernel.

Thank you.


* RE: TTL target
@ 2004-07-23 19:18 Jason Opperisano
  0 siblings, 0 replies; 29+ messages in thread
From: Jason Opperisano @ 2004-07-23 19:18 UTC (permalink / raw
  To: netfilter

heh--yeah, sorry about that.

Federico-

there's a nice (albeit a bit old) step-by-step on patch-o-matic at:

	http://www.lowth.com/howto/add-iptables-modules.php

when you get down to step 6--the patch you're interested in is:  "runme base/TTL.patch"

i've never had any luck with pom-ng on the stock RH kernels (runme says that the kernel is too old), so you probably want to grab 'patch-o-matic-20031219' which does have the TTL target you're looking for.

HTH,

-j


* RE: TTL target
  2004-07-23 18:43 Jason Opperisano
@ 2004-07-23 20:09 ` David Cary Hart
  2004-07-24 11:24   ` adderek
  2004-07-24 11:52   ` Cedric Blancher
  0 siblings, 2 replies; 29+ messages in thread
From: David Cary Hart @ 2004-07-23 20:09 UTC (permalink / raw
  To: netfilter

On Fri, 2004-07-23 at 14:43, Jason Opperisano wrote:
> just re-read your original post.  if you're trying to *change* the TTL of packets traversing your firewall--you need the TTL patch from patch-o-matic, which will enable a "-j TTL" target in the MANGLE table.
> 
> sorry for the confusion.
> 
I must ask a dumb question. Why would one want to mangle TTL or filter
on TTL?

Thanks


* RE: TTL target
@ 2004-07-23 20:35 Hudson Delbert J Contr 61 CS/SCBN
  2004-07-23 20:59 ` Antony Stone
  0 siblings, 1 reply; 29+ messages in thread
From: Hudson Delbert J Contr 61 CS/SCBN @ 2004-07-23 20:35 UTC (permalink / raw
  To: netfilter

sorry for being a wet blanket - so to speak.

if stateless defense algorithms are employed, the need to retain state in
order to make proper decisions.

i suspect that much of today's netsec and/or ids software violates one of the
main premises of coding securely [re:
cheswick/bellovin/comer/farmer/venema/etc...

-->	bad traffic....

0.	can't get thru code that is specialized, fast, small and clean...(fewer
	possible holes)

	programmers...
	i used to write assembler, so it's not w/out my own past coding sins
	but you canned guys are too smart for me nowadays...besides C became
	kooler than masm...hmmmm

	you perl/C+/c-not-so-sharp guyz, please check your
	arrays/matrices/string and error handlers before/after calls (during
	testing phases), instead of blindly trusting the integrity of other
	stack software....

	my sysadmin colleagues in the shell scripting community (including
	moi) should rtfm [re: manpages] a bit more before we implement new or
	expand existing services.

	firewall folks....
	learn the syntax and execution order of whatever module you are
	using if possible.
	there's nothing worse than editing rules in the order you want and
	some "optimizer" re-orders your ruleset during the commit and
	reflects it on display.

	also remember the thingz a firewall can and cannot do.
	don't "set it and forget" as many corps would have you do.

1.	can't attack a service if the daemon isn't running.
	(self-explanatory)

2.	can't attack a daemon if it isn't listening or only rcv/xmt w/ its front
	end (web, proxy, etc...) service.
	(this addresses common-mode failure: if my winbloze box gets broken
	the same sets of tools MUST require execution on a diff
	chipset, ruleset, OS platform)
	this set of hacking tools is a prodigious feat to have handy AND
	shift gears at the same time......

it's just that it causes one to wonder if redirecting for control / stat
gathering / chroot jails or just plainly denying access to "suspect" by...

association
	(isps that allow launches from their domains), policy, signature or
	just plain lack of trust isn't

signature
	(this looks like it did the last time we got attacked, let's treat it
	the same - kill it)

policy
	(i am a transit carrier and my customers will look elsewhere if they
	think i'm letting exploits traverse the same routes as his traffic)

	i'd just as soon drop packets with a silent but resounding thud
	w/out signalling that i ever saw them.

!piranha


* RE: TTL target
@ 2004-07-23 20:37 Hudson Delbert J Contr 61 CS/SCBN
  0 siblings, 0 replies; 29+ messages in thread
From: Hudson Delbert J Contr 61 CS/SCBN @ 2004-07-23 20:37 UTC (permalink / raw
  To: 'NetFilter List'



same question?
~piranha


* Re: TTL target
  2004-07-23 20:35 Hudson Delbert J Contr 61 CS/SCBN
@ 2004-07-23 20:59 ` Antony Stone
  0 siblings, 0 replies; 29+ messages in thread
From: Antony Stone @ 2004-07-23 20:59 UTC (permalink / raw
  To: netfilter

On Friday 23 July 2004 9:35 pm, Hudson Delbert J Contr 61 CS/SCBN wrote:

> sorry for being a wet blanket - so to speak.
>
> if stateless defense algorithms are employed, the need to retain state in
> order to make proper decisions.
>
> i suspect that much of today's netsec and / or ids software violates one of
> the main premises of coding securely [re: cheswick / bellovin / comer /
> farmer / venema / etc...

Sorry; I tried to follow your posting, but found it a bit obscure.

Is there a succinct version of the point you were making?

(Hopefully, one or two sentences?)

Thanks,

Antony.

-- 
This email is intended for the use of the individual addressee(s) named above 
and may contain information that is confidential, privileged or unsuitable 
for overly sensitive persons with low self-esteem, no sense of humour, or 
irrational religious beliefs.

If you have received this email in error, you are required to shred it 
immediately, add some nutmeg, three egg whites and a dessertspoonful of 
caster sugar.   Whisk until soft peaks form, then place in a warm oven for 40 
minutes.   Remove promptly and let stand for 2 hours before adding some 
decorative kiwi fruit and cream.   Then notify me immediately by return email 
and eat the original message.

                                                     Please reply to the list;
                                                           please don't CC me.




* RE: TTL target
@ 2004-07-23 21:03 Hudson Delbert J Contr 61 CS/SCBN
  2004-07-23 21:41 ` Antony Stone
  2004-07-23 22:14 ` Jeffrey Laramie
  0 siblings, 2 replies; 29+ messages in thread
From: Hudson Delbert J Contr 61 CS/SCBN @ 2004-07-23 21:03 UTC (permalink / raw
  To: 'netfilter@lists.netfilter.org'

no...is that short enough



* Re: TTL target
  2004-07-23 21:03 Hudson Delbert J Contr 61 CS/SCBN
@ 2004-07-23 21:41 ` Antony Stone
  2004-07-23 23:35   ` Alistair Tonner
  2004-07-23 22:14 ` Jeffrey Laramie
  1 sibling, 1 reply; 29+ messages in thread
From: Antony Stone @ 2004-07-23 21:41 UTC (permalink / raw
  To: 'netfilter@lists.netfilter.org'

On Friday 23 July 2004 10:03 pm, Hudson Delbert J Contr 61 CS/SCBN wrote:

> no...is that short enough

Thanks,

Antony.


-- 
You can spend the whole of your life trying to be popular,
but at the end of the day the size of the crowd at your funeral
will be largely dictated by the weather.

 - Frank Skinner

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: TTL target
  2004-07-23 21:03 Hudson Delbert J Contr 61 CS/SCBN
  2004-07-23 21:41 ` Antony Stone
@ 2004-07-23 22:14 ` Jeffrey Laramie
  1 sibling, 0 replies; 29+ messages in thread
From: Jeffrey Laramie @ 2004-07-23 22:14 UTC (permalink / raw
  To: netfilter

On Friday 23 July 2004 17:03, Hudson Delbert J Contr 61 CS/SCBN wrote:
> no...is that short enough

OK, let's recap:

1) You hijack a guy's thread about the TTL target and give a diatribe about
security policy (I'm guessing, since the posting is actually incoherent).

2) You top post your messages.

3) You mention topics that have little to do with netfilter and give no 
explanation what the connection is to that thread or any other thread as far 
as I can tell.

4) You give a smartass answer to one of the brightest and most helpful (not to
mention tolerant) members of this list.

Here in DC we have a saying that fits this situation: "It's time to break the 
crack pipe." Here on the netfilter list we have another saying: "Stay on 
topic and please don't top post or hijack threads."

Jeff



* Re: TTL target
  2004-07-23 21:41 ` Antony Stone
@ 2004-07-23 23:35   ` Alistair Tonner
  0 siblings, 0 replies; 29+ messages in thread
From: Alistair Tonner @ 2004-07-23 23:35 UTC (permalink / raw
  To: 'netfilter@lists.netfilter.org'

On July 23, 2004 05:41 pm, Antony Stone wrote:
> On Friday 23 July 2004 10:03 pm, Hudson Delbert J Contr 61 CS/SCBN wrote:
> > no...is that short enough
>
> Thanks,
>
> Antony.
>

	Antony:
	   You do a great job around here.  Thanks.  Some folks are not, apparently, 
aware of the work and time you put in.

	Might I suggest, however, not feeding the troll.

	*grin*

	Alistair



* Re: TTL target
  2004-07-23 20:09 ` David Cary Hart
@ 2004-07-24 11:24   ` adderek
  2004-07-24 11:39     ` Antony Stone
  2004-07-24 11:52   ` Cedric Blancher
  1 sibling, 1 reply; 29+ messages in thread
From: adderek @ 2004-07-24 11:24 UTC (permalink / raw
  To: NetFilter List

David Cary Hart wrote:
> I must ask a dumb question. Why would one want to mangle TTL or filter
> on TTL?

For example, if you want to make a little network with your friends where
everyone pays their part of the internet-connection price and you don't want
anyone to connect more than one computer into it, so they can't make
their own subnetworks to pay less than others.



* Re: TTL target
  2004-07-24 11:24   ` adderek
@ 2004-07-24 11:39     ` Antony Stone
  2004-07-24 13:36       ` adderek
  0 siblings, 1 reply; 29+ messages in thread
From: Antony Stone @ 2004-07-24 11:39 UTC
  To: NetFilter List

On Saturday 24 July 2004 12:24 pm, adderek wrote:

> David Cary Hart wrote:
> > I must ask a dumb question. Why would one want to mangle TTL or filter
> > on TTL?
>
> For example if you want to make a little network with your friends where
> everyone pays their part of the internet-connection price and you don't want
> anyone to connect more than one computer into it so they can't make
> their own subnetworks to pay less than others.

What stops them doing the same thing with the TTL value in their packets, 
before they reach you?

Or just using a proxy which creates its own packets anyway?

Or using an SSH tunnel to forward the other traffic?

Or using a different O/S which sets a different initial TTL value than you're 
assuming, when it sends packets?

Antony.

-- 
The words "e pluribus unum" on the Great Seal of the United States are from a 
poem by Virgil entitled "Moretum", which is about cheese and garlic salad 
dressing.

                                                     Please reply to the list;
                                                           please don't CC me.




* RE: TTL target
  2004-07-23 20:09 ` David Cary Hart
  2004-07-24 11:24   ` adderek
@ 2004-07-24 11:52   ` Cedric Blancher
  1 sibling, 0 replies; 29+ messages in thread
From: Cedric Blancher @ 2004-07-24 11:52 UTC
  To: NetFilter List

Le ven 23/07/2004 à 22:09, David Cary Hart a écrit :
> I must ask a dumb question. Why would one want to mangle TTL or filter
> on TTL?

Traffic linearization.

As you may know, examining the TTL field of an IP packet can provide
information on the host that generated it. As an example, you can
use it to fingerprint the OS. So, fixing a common TTL value for all
packets that are coming from your network to the outside can be done for
such a purpose.
On the other hand, playing with the TTL of packets you send can provide
information on the target architecture, typically using traceroute methods.
Fixing a given TTL or raising it by a common value at chosen points
within your network can defeat these techniques.

But one always has to remember that playing with TTL can be highly
harmful for your network, and for others'. So it has to be done _very_
carefully. Moreover, there's a lot more to do regarding filtering before
even considering playing with TTL :)


-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!



* Re: TTL target
  2004-07-24 11:39     ` Antony Stone
@ 2004-07-24 13:36       ` adderek
  0 siblings, 0 replies; 29+ messages in thread
From: adderek @ 2004-07-24 13:36 UTC
  To: NetFilter List

Antony Stone wrote:
> What stops them doing the same thing with the TTL value in their packets, 
> before they reach you?
> 
> Or just using a proxy which creates its own packets anyway?
> 
> Or using an SSH tunnel to forward the other traffic?
> 
> Or using a different O/S which sets a different initial TTL value than you're 
> assuming, when it sends packets?

Nothing. If they know what they are doing then there is no way to detect 
or to stop such incidents. But people who have enough knowledge to do 
something like this..... there are only few of them :)

Only a couple of people will know what a proxy is and how to set it up.
Only a few of them will know how to set up an SSH tunnel and how to use it.
And people who know how to use TTL.... There will be only about 5 people 
in a thousand....



* RE: TTL target
@ 2004-07-24 22:03 Gonzalez, Federico
  0 siblings, 0 replies; 29+ messages in thread
From: Gonzalez, Federico @ 2004-07-24 22:03 UTC
  To: 'Jason Opperisano',
	'netfilter@lists.netfilter.org'

Jason,

Thank you very much for your help. I could finally install the patch and it is
working fine.

Best regards,

Federico.

-----Original Message-----
From: Jason Opperisano [mailto:Jopperisano@alphanumeric.com]
Sent: Friday, July 23, 2004 04:19 p.m.
To: netfilter@lists.netfilter.org
Subject: RE: TTL target


heh--yeah, sorry about that.

Federico-

there's a nice (albeit a bit old) step-by-step on patch-o-matic at:

	http://www.lowth.com/howto/add-iptables-modules.php

when you get down to step 6--the patch you're interested in is:  "runme
base/TTL.patch"

i've never had any luck with pom-ng on the stock RH kernels (runme says that
the kernel is too old), so you probably want to grab
'patch-o-matic-20031219' which does have the TTL target you're looking for.

HTH,

-j

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Antony Stone
Sent: Friday, July 23, 2004 2:44 PM
To: netfilter@lists.netfilter.org
Subject: Re: TTL target


On Friday 23 July 2004 7:29 pm, Gonzalez, Federico wrote:

> I get the following error:
>
> iptables: No chain/target/match by that name

I think two people may be talking about two different things here without 
realising it:

The ttl *match* (lowercase) is for matching packets by value of the TTL
field.

The TTL *target* (uppercase) is for altering the TTL value in a packet.

Sorry I can't answer the actual question, because I don't use Fedora, but 
hopefully this might help to avoid some confusion, at least...

Regards,

Antony.

> ----- Original Message -----
> From: "Jason Opperisano" <Jopperisano@alphanumeric.com>
> To: "Gonzalez, Federico" <fgonzalez@goyaike.com.ar>;
> <netfilter@lists.netfilter.org>
> Sent: Friday, July 23, 2004 3:21 PM
> Subject: RE: TTL target
>
>
> um--on fedora core 1--which seems to match the versions you provide, the
> TTL match target is there.
>
> $ uname -r
> 2.4.22-1.2197.nptl
>
> $ iptables -V
> iptables v1.2.9
>
> # iptables -A INPUT -m ttl --ttl-eq 1 -j DROP
> #
>
> # iptables -vnL INPUT
> Chain INPUT (policy DROP 184 packets, 19161 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           TTL match TTL == 1
>
> -j
>
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Gonzalez,
> Federico
> Sent: Friday, July 23, 2004 1:52 PM
> To: netfilter@lists.netfilter.org
> Subject: TTL target
>
>
> Hi,
>
> I have iptables 1.2.9, Red Hat kernel 2.4.22 and I need to use the TTL
> target to change the packets' TTL.
>
> How do i enable this functionality ?
>
> Thank you.

-- 
"Black holes are where God divided by zero."

 - Steven Wright

                                                     Please reply to the list;
                                                           please don't CC me.




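An added example, not code from this thread or from the netfilter project: a user-space Python model of the two things Antony distinguishes above, the lowercase ttl match (reads the field) and the uppercase TTL target (rewrites it), applied to the traffic linearization Cedric Blancher describes earlier in the thread, i.e. giving every packet that leaves the site one fixed TTL so a passive observer can no longer guess the sender's OS or its hop distance. The packets are constructed inline, the initial-TTL table and the saturation at 0 and 255 are assumptions of this model rather than documented netfilter behaviour, and the checksum is patched incrementally per RFC 1624, which is what an in-kernel target does instead of summing the whole header again.

```python
import struct

# Initial TTLs that common OS families put in outbound IPv4 packets. A
# passive fingerprinter assumes the sender used the smallest one that is
# still >= the observed value; that model is an assumption of this example.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def fold16(total):
    """One's-complement fold of a sum into 16 bits (end-around carry)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ip_checksum(header):
    """RFC 791/1071 header checksum. With the checksum field zeroed this
    returns the value to store; over a correctly checksummed header it
    returns 0, which is how a receiver validates it."""
    if len(header) % 2:
        header += b"\x00"
    words = struct.unpack("!%dH" % (len(header) // 2), header)
    return (~fold16(sum(words))) & 0xFFFF


def build_ipv4_header(src, dst, ttl, proto=6):
    """Minimal 20-byte IPv4 header; constructed test input, not captured traffic."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, 0x4000,
                      ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ttl_fingerprint(header):
    """What a passive observer infers from TTL alone:
    (guessed initial TTL, guessed number of hops travelled)."""
    ttl = header[8]
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= ttl)
    return initial, initial - ttl


def ttl_match(header, op, value):
    """Model of the lowercase match: -m ttl --ttl-eq|--ttl-lt|--ttl-gt VALUE.
    It only reads the field and never modifies the packet."""
    ttl = header[8]
    return {"eq": ttl == value, "lt": ttl < value, "gt": ttl > value}[op]


def ttl_target(header, op, value):
    """Model of the uppercase target: -j TTL --ttl-set|--ttl-inc|--ttl-dec VALUE.

    Rewrites byte 8 and patches the header checksum incrementally
    (RFC 1624 eq. 3: HC' = ~(~HC + ~m + m')), as an in-kernel target does,
    instead of summing the whole header again. Saturating at 0 and 255 is
    this model's choice; check ipt_TTL.c in your kernel for exact behaviour.
    """
    old_ttl = header[8]
    if op == "set":
        new_ttl = value
    elif op == "inc":
        new_ttl = min(old_ttl + value, 255)
    elif op == "dec":
        new_ttl = max(old_ttl - value, 0)
    else:
        raise ValueError("unknown op %r" % op)
    if not 0 <= new_ttl <= 255:
        raise ValueError("TTL must fit in one byte")
    # TTL shares a 16-bit checksum word with the protocol byte at offset 9.
    old_word = (old_ttl << 8) | header[9]
    new_word = (new_ttl << 8) | header[9]
    old_csum = struct.unpack("!H", header[10:12])[0]
    new_csum = (~fold16((~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word)) & 0xFFFF
    return (header[:8] + bytes([new_ttl]) + header[9:10]
            + struct.pack("!H", new_csum) + header[12:])


def linearize_egress(headers, fixed_ttl=64):
    """Cedric's 'traffic linearization': every packet leaving the site gets the
    same TTL, the equivalent of a mangle/POSTROUTING rule using -j TTL --ttl-set."""
    return [ttl_target(h, "set", fixed_ttl) for h in headers]


if __name__ == "__main__":
    # Two internal hosts, a 64-default and a 128-default OS, both 7 hops away.
    linux_like = build_ipv4_header("10.0.0.1", "192.0.2.1", 57)
    win_like = build_ipv4_header("10.0.0.2", "192.0.2.1", 121)
    for h in (linux_like, win_like):
        print("before:", ttl_fingerprint(h), "after:",
              ttl_fingerprint(linearize_egress([h])[0]))
    # Jason's rule, -m ttl --ttl-eq 1, reduced to its predicate.
    print("TTL==1 on ttl 57:", ttl_match(linux_like, "eq", 1))
```

Before linearization the two constructed hosts fingerprint as (64, 7) and (128, 7); after it both read (64, 0), so neither the OS family nor the distance survives the edge. The same helper with "inc" models the --ttl-inc 1 trick from the start of the thread, which cancels one hop's decrement so a traceroute does not see that hop; note that ttl_match leaves the bytes untouched while ttl_target returns a new header whose checksum still validates.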

* TTL target
@ 2005-09-21 10:09 Ferdinand Zaubzer
  0 siblings, 0 replies; 29+ messages in thread
From: Ferdinand Zaubzer @ 2005-09-21 10:09 UTC
  To: netfilter

Why did the TTL target support disappear from the patch-o-matic repository?
In the snapshot of 20050918 it was still included but the following two 
don't include the TTL target support as far as I have seen.
Could anyone tell me a reason?
Regards
Ferdinand




* TTL target
@ 2005-09-21 10:48 Ferdinand Zaubzer
  2005-09-21 10:55 ` Jozsef Kadlecsik
  0 siblings, 1 reply; 29+ messages in thread
From: Ferdinand Zaubzer @ 2005-09-21 10:48 UTC
  To: netfilter

Why did the TTL target support disappear from the patch-o-matic repository?
In the snapshot of 20050918 it was still included but the following two 
don't include the TTL target support as far as I have seen.
Could anyone tell me a reason?
Regards
Ferdinand





* Re: TTL target
  2005-09-21 10:48 Ferdinand Zaubzer
@ 2005-09-21 10:55 ` Jozsef Kadlecsik
  0 siblings, 0 replies; 29+ messages in thread
From: Jozsef Kadlecsik @ 2005-09-21 10:55 UTC
  To: Ferdinand Zaubzer; +Cc: netfilter

On Wed, 21 Sep 2005, Ferdinand Zaubzer wrote:

> Why did the TTL target support disappear from the patch-o-matic repository?
> In the snapshot of 20050918 it was still included but the following two
> don't include the TTL target support as far as I have seen.
> Could anyone tell me a reason?

The TTL target has been submitted for kernel inclusion. You can already
find it in 2.6.14-rc2.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary



end of thread, other threads:[~2005-09-21 10:55 UTC | newest]

Thread overview: 29+ messages
2002-10-31 14:44 TTL target mailinglists
  -- strict thread matches above, loose matches on Subject: below --
2002-11-01 12:46 mailinglists
2002-11-03 12:35 ` Cedric Blancher
2002-11-03 18:15 mailinglists
2004-07-23 17:51 Gonzalez, Federico
2004-07-23 17:56 Gonzalez, Federico
2004-07-23 18:21 Jason Opperisano
2004-07-23 18:29 ` Gonzalez, Federico
2004-07-23 18:43   ` Antony Stone
2004-07-23 18:34 Jason Opperisano
2004-07-23 18:50 ` Gonzalez, Federico
2004-07-23 18:43 Jason Opperisano
2004-07-23 20:09 ` David Cary Hart
2004-07-24 11:24   ` adderek
2004-07-24 11:39     ` Antony Stone
2004-07-24 13:36       ` adderek
2004-07-24 11:52   ` Cedric Blancher
2004-07-23 19:18 Jason Opperisano
2004-07-23 20:35 Hudson Delbert J Contr 61 CS/SCBN
2004-07-23 20:59 ` Antony Stone
2004-07-23 20:37 Hudson Delbert J Contr 61 CS/SCBN
2004-07-23 21:03 Hudson Delbert J Contr 61 CS/SCBN
2004-07-23 21:41 ` Antony Stone
2004-07-23 23:35   ` Alistair Tonner
2004-07-23 22:14 ` Jeffrey Laramie
2004-07-24 22:03 Gonzalez, Federico
2005-09-21 10:09 Ferdinand Zaubzer
2005-09-21 10:48 Ferdinand Zaubzer
2005-09-21 10:55 ` Jozsef Kadlecsik
