Just make sure that you have good ingress filters.  Otherwise, envision this
situation:

1. your isp decides to route an additional block of addresses to you, either
by mistake, or because you requested it and haven't configured for it yet.
2. the "background radiation" of the internet caused by nimda, code red, and
a billion script kiddies with nmap means that packets destined for that
network *will* be floating around.
3. your isp routes those packets to you.  Their edge router gets a packet,
decrements the ttl, and ships it out your link.
4. your firewall gets it, increments the ttl, and since it doesn't know
about this network, ships it out via its default route back to the isp.
5. the isp edge router gets the packet, decrements the ttl, and ships it out
your link.
6. lather, rinse, repeat.
7. eventually, your link has 100% utilization and is passing no useful
traffic.

I recall when nimda first came out, there were some people who had netblocks
that they weren't using, who had their isp links saturated by this because
every packet would cross their isp link 60 or 80 times before its ttl
decremented to zero.  Take away ttl decrementing and you have a problem.
It's easy to fix with the right filters, but many people don't use the right
filters, they just assume that their isp won't ship them any networks that
they aren't expecting.

-Joe

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Ramin Alidousti
> Sent: Monday, May 20, 2002 9:24 PM
> To: [EMAIL PROTECTED]
> Subject: Re: How could i enable traceroute ?
>
>
> On Tue, May 21, 2002 at 01:08:21AM +0100, [EMAIL PROTECTED] wrote:
>
> > On Mon, May 20, 2002 at 06:34:19PM +0100, Antony Stone wrote:
> > > On Monday 20 May 2002 5:55 pm, Miky J wrote:
> >
> > <snip>
> >
> > > If you want to hide the firewall from showing up in the traceroute, there
> > > is a TTL match, which you might be able to use - I'm not sure if the
> > > filtering rules are checked before or after the TTL is decremented, and an
> > > ICMP packet generated if it's just become zero....
> >
> > The filtering rules will be checked beforehand I expect, which means you can
> > do things with TTL=1 packets in the right table ( mangle? ) before the stack
> > replies to them.  I reckon if you add 1 to the TTL of all packets you could
> > make the firewall invisible to packets being forwarded through it.
> >
> > Of course, you'll also be standing in a pile of broken RFCs....
>
> I don't think that he'll be standing in a pile of broken RFCs just because
> of the increased TTL. What was the reason for the introduction of the TTL
> field again? Oh, yes, to stop orphan packets from wandering around for ever.
> So, changing that is not harmful at all, as long as the Internet in
> general plays by the rule and decreases it by one so the orphan packets can
> eventually die in peace.
>
> Ramin
>
> > FunkyJesus System Administration Team
>
>
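The ping-pong Joe describes at the top of this message, as an added simulation that is not code from the list or from netfilter: an ISP edge router that decrements TTL on every pass, a firewall with a default route back to the ISP, and a counter of link crossings. The netblock, prefixes and the `simulate` helper are constructed for illustration; the firewall's TTL behaviour (-1 normal, +1 for the "invisible firewall" hack) and an optional ingress filter are the two knobs the thread argues about.

```python
from ipaddress import ip_address, ip_network

# Constructed example addresses (RFC 5737 documentation ranges).
CUSTOMER_NETS = [ip_network("198.51.100.0/24")]   # networks the firewall expects
# 192.0.2.0/24 is the "additional block" the ISP started routing without the
# firewall knowing about it (Joe's step 1).

# The ingress filter modelled below corresponds to a netfilter rule of the form
#   iptables -A FORWARD -i <wan-if> ! -d 198.51.100.0/24 -j DROP
# (assumed rule shape, written here for illustration).


def simulate(dst: str, ttl: int, fw_ttl_delta: int, ingress_filter: bool,
             max_crossings: int = 10_000):
    """Return (link_crossings, outcome) for one packet destined to `dst`.

    fw_ttl_delta: -1 for an RFC-conformant forwarder, +1 for a firewall that
                  adds one to the TTL to hide itself from traceroute.
    ingress_filter: drop packets for networks the firewall does not expect.
    """
    dst_ip = ip_address(dst)
    expected = any(dst_ip in net for net in CUSTOMER_NETS)
    crossings = 0
    while True:
        # ISP edge router (Joe's step 3/5): decrement, then ship down the link.
        ttl -= 1
        if ttl <= 0:
            return crossings, "expired at isp"
        crossings += 1
        # Firewall receives the packet.
        if expected:
            return crossings, "delivered"
        if ingress_filter:
            return crossings, "dropped by ingress filter"
        # No route for this network: adjust TTL, default-route it back (step 4).
        ttl += fw_ttl_delta
        if ttl <= 0:
            return crossings, "expired at firewall"
        crossings += 1
        if crossings >= max_crossings:
            return crossings, "loop not terminating"


if __name__ == "__main__":
    for delta, filt in ((-1, False), (+1, False), (+1, True)):
        print(delta, filt, simulate("192.0.2.10", 64, delta, filt))
```

With normal TTL handling the stray packet crosses the link 63 times before dying, which matches the "60 or 80 times" Joe recalls; with the +1 hack it never dies, and with the ingress filter it is dropped on its first arrival.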

