TTL Match - WTF?
Thu, 18 Oct 2001 13:41:46 +0100
> How is matching TTL useful in firewalling/packet filtering? My collegues
> and myself cannot think of a situation where this might be useful. Any
> insight is appreciated.
i can think of at least 1 place of use
say you have a machine with a large link on it serving lots of smaller links
and networks as a firewall to the internet. which may also be serving other
eg THENET -> firewall -> neta
now on the firewall you could filter packets going to netaa / netbb
if the TTL is less than 2 because the packet is going to get dropped
before it reaches netaa or netbb though it could be also nice to send
a faked icmp TTL: expired packet from the firewall to say it did not reach.
think of this on a larger scale and it could work better if the finall links
are small and almost always overloaded (every little bit helps)
only 1 idea i only just tough of off the top of my head but there could be
others as well.