On Tue, 3 Jun 2003, Marco Grigull wrote:
> A feature that might be useful to others would be to set the ttl to a defined
> value, or adjust it for hiding not so capable routers.
> 'ttl -2' decrement it by 2, probably useless
> 'ttl 64' re/set it to 64, hiding a variety of OSes on the network
> 'ttl +1' increment it by 1, hiding this firewall and an inner or outer router
> 'ttl 0' aka fastroute
If you want to have a hidden firewall, you should make it a bridge.
PF already has some way to adjust the TTL of packets:
1) scrub has an option min-ttl to enforce a minimum TTL for matching IP
2) -current has scrub reassemble tcp. pf.conf(4) explains what it does
    Statefully normalizes TCP connections. scrub reassemble tcp rules
    may not have the direction (in/out) specified. reassemble tcp
    performs the following normalizations:

    ttl     Neither side of the connection is allowed to reduce their
            IP TTL. An attacker may send a packet such that it reaches
            the firewall, affects the firewall state, and expires
            before reaching the destination host. reassemble tcp will
            raise the TTL of all packets back up to the highest value
            seen on the connection.
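To make the two normalizations in the reply concrete, the following Python model is an added example (not pf's own code): it replays a constructed trace in which one packet's TTL is high enough to reach the firewall but too low to reach the host, and shows what min-ttl and the reassemble tcp ttl rule each do to it. The addresses, the Pkt type and the hop count are assumptions made up for the example.

```python
# Added example (not pf code): model of scrub min-ttl and the reassemble tcp ttl rule.
from dataclasses import dataclass, replace

@dataclass
class Pkt:
    src: str
    dst: str
    ttl: int
    seq: int

def apply_min_ttl(pkt, min_ttl):
    """scrub ... min-ttl: raise any TTL below min_ttl up to min_ttl."""
    if pkt.ttl < min_ttl:
        pkt.ttl = min_ttl
    return pkt

class TcpTtlNormalizer:
    """ttl rule of scrub reassemble tcp: per direction, remember the highest
    TTL seen and raise later packets of the connection back up to it."""
    def __init__(self):
        self.max_seen = {}  # (src, dst) -> highest TTL observed so far

    def normalize(self, pkt):
        key = (pkt.src, pkt.dst)
        hi = self.max_seen.get(key, 0)
        if pkt.ttl > hi:
            self.max_seen[key] = pkt.ttl
        elif pkt.ttl < hi:
            pkt.ttl = hi
        return pkt

def run_trace(packets, hops_to_dest, min_ttl=None, reassemble=True):
    """Per packet: (seq, TTL leaving the firewall, reaches the host?), where
    hops_to_dest counts TTL decrements from the firewall up to the host."""
    norm = TcpTtlNormalizer()
    result = []
    for p in packets:
        p = replace(p)  # work on a copy so the trace can be reused
        if min_ttl is not None:
            p = apply_min_ttl(p, min_ttl)
        if reassemble:
            p = norm.normalize(p)
        result.append((p.seq, p.ttl, p.ttl > hops_to_dest))
    return result

# Constructed trace (hypothetical addresses): seq 2 arrives with TTL 2, so the
# firewall sees it but it would expire before a host three hops further on.
TRACE = [Pkt("10.0.0.5", "192.0.2.10", 60, 1),
         Pkt("10.0.0.5", "192.0.2.10", 2, 2),
         Pkt("10.0.0.5", "192.0.2.10", 60, 3)]
```

Running `run_trace(TRACE, 3, reassemble=False)` shows packet 2 expiring short of the host, while `run_trace(TRACE, 3)` shows reassemble tcp lifting it back to the 60 already seen on the connection.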