Jeremie Le Hen wrote:
Hi,
No, this sysctl is not what I want.
I need to change the TTL of outgoing packets to my internal network.
For example, there is a connection from a host on the internet.
It has, for example, 10 hops to my gateway, and when the packet comes
to my box it has, for example, 55 as the TTL in the IP header.
It is then routed to a host in my network, so my box changes the TTL
to 54. But what I need is to change the TTL to '1'.
In Linux terms, you want to ``mangle'' the packet, re-writing its TTL. AFAIK, this is not possible with FreeBSD since this is really not a common action for a firewall (some conservative folks would even argue this is not its job). The pf firewall seems to have a ``min-ttl'' statement in traffic normalization, but there is no ``max-ttl'' one.
The simplest way to achieve this is to write a userland daemon which
will retrieve the packet from the firewall from a divert socket, using
ipfw(8). But this would have very poor performance in case you need
high-bandwidth traffic as each packet would require at least two
context switches, but for a DSL connection, I guess this would be ok.
Your assertion that the diverted packets add a lot of latency is not quite true.
While it is slower than in-kernel processing, it is not nearly as bad as some people make out.
Certainly it can keep up with the average internet connection.
I would add code to do the mangling into a program such as natd and set it up to do no
translation (or a null translation).
Alternatively there is a much simpler daemon that connects in the same way.
In ports look for net/tcpmssd, which already does 99% of what you want. It would be about a 20 line change to tcpmssd to do this. It already fiddles other packets.
The other solution is to make a patch for one of the firewalls available in FreeBSD.
Best regards,
_______________________________________________ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "[EMAIL PROTECTED]"