On Tue, Jul 08, 2003 at 10:51:24PM -0700, Terry Lambert wrote:
> > > > I don't want to disable ICMP, just don't want to respond when ttl=0,
> > > > meaning when my firewall/gateway is on a "traceroute path".
> > >
> > > You should specifically modify the ICMP code to not respond
> > > to echo datagrams, or when ttl == 0, then, and work it that
> > > way. In other words, it's time to hack your network stack
> > > to specifically add that "feature".
> >
> > Hmm, why not just use a firewall?
>
> Because most firewalls, even commercial ones, don't block the
> ICMP messages you appear to be interested in blocking.
>
> If you want the feature in FreeBSD, you are going to need to
> hack some code.

Actually, he can get what he wants with:

Kernel:

    options IPFILTER
    options IPFILTER_LOG
    options IPFILTER_DEFAULT_BLOCK

/etc/ipf.rules:

    # Block in all icmp packets which have a ttl of 0.
    block in quick proto icmp all ttl 0

From there, I think you can work out the rest... "man 5 ipf" is your friend.

Paul