Any thoughts anyone?

-- 
Blake Cornell
CTO, Integris Security LLC
501 Franklin Ave, Suite 200
Garden City, NY 11530 USA
http://www.integrissecurity.com/
O: +1(516)750-0478
M: +1(516)900-2193
PGP: CF42 5262 AE68 4AC7 591B 2C5B C34C 7FAB 4660 F572
Free Tools: https://www.integrissecurity.com/SecurityTools
Follow us on Twitter: @integrissec

On 07/03/2014 06:15 PM, Blake Cornell wrote:
> Hello,
>
> I have a pfSense network that uses multiple layers of NAT translation.
> Public IPs are mapped to specific NAT addresses using a 1 to 1 mapping
> on the edge device.  The packets are then forwarded to another pfSense
> device using another layer of NAT translation.
>
> Ex: public ip -> NAT network 1 -> NAT network 2 -> target machine.
>
> The issue lies when using the example IP of 1.1.1.1, on an example open
> port 80.
>
> # tcptraceroute 1.1.1.1 80
> [removed for brevity]
>  3  1.1.1.1  29.247 ms  17.670 ms  14.007 ms
>  4  1.1.1.1  20.142 ms  16.119 ms  16.609 ms
>  5  1.1.1.1 [open]  21.387 ms  17.176 ms  70.283 ms
>
> As you can see, the results show three instances of 1.1.1.1.  This
> allows an attacker the ability to enumerate the depth of NAT
> translation.  This is a low risk issue.
>
> To resolve this issue I need to "mangle" forwarded IP packets by
> incrementing their TTL by 1.  This would effectively hide the above
> included results.  If anyone knows how to do this either through the web
> interface or through custom configurations then please let me know.
>
> Email me directly for a real world example for your analysis.
>
> Thanks in Advance,
>

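The behaviour Blake describes follows from ordinary TTL handling: each NAT device that expires a probe answers with an ICMP Time Exceeded, and because those answers leave through the 1:1 mapping the prober sees the same public address on every layer. The model below is an added illustration, not code from the post or from pfSense. The topology (edge NAT, inner NAT, target), the `seen_as` addresses and the `hide` flag standing in for the requested TTL compensation are constructed assumptions; only 1.1.1.1 and port 80 come from the post. It reproduces the three repeated rows, parses the posted tcptraceroute lines to count them, and shows what the same trace looks like once forwarding hops stop consuming a TTL.

```python
"""Model of tcptraceroute hop output across a chain of NAT devices.

Added example, not part of the original post.  Topology, addresses and the
``hide`` flag are constructed assumptions; 1.1.1.1 / port 80 are from the post.
"""
from dataclasses import dataclass, replace

PUBLIC_IP = "1.1.1.1"


@dataclass
class Hop:
    name: str
    seen_as: str            # source address the prober sees on this hop's reply
    hide: bool = False      # forward without consuming a TTL (the "mangle +1" idea)
    is_target: bool = False


# Constructed topology: edge 1:1 NAT -> inner NAT -> target on port 80.
# Both NAT devices' error replies leave via the 1:1 mapping, so the prober
# sees the public address for all of them (assumption matching the posted output).
CHAIN = [
    Hop("edge-pfsense", PUBLIC_IP),
    Hop("inner-pfsense", PUBLIC_IP),
    Hop("target", PUBLIC_IP, is_target=True),
]

# The three hop lines quoted in the post (upstream hops already removed).
SAMPLE_OUTPUT = """\
 3  1.1.1.1  29.247 ms  17.670 ms  14.007 ms
 4  1.1.1.1  20.142 ms  16.119 ms  16.609 ms
 5  1.1.1.1 [open]  21.387 ms  17.176 ms  70.283 ms
"""


def probe(chain, ttl):
    """Send one probe with the given TTL through the chain.

    Returns (address that answered, True if the answer was the open port).
    Normal forwarding: a router receiving TTL <= 1 drops the packet and answers
    Time Exceeded, otherwise it forwards with TTL-1.  A hiding hop adds one
    before that check (assumed mangle-before-forward order), so it never
    expires a probe and is invisible to the trace.
    """
    for hop in chain:
        if hop.is_target:
            return hop.seen_as, True          # SYN/ACK from port 80: "[open]"
        if hop.hide:
            ttl += 1                          # compensate for the decrement below
        if ttl <= 1:
            return hop.seen_as, False         # ICMP Time Exceeded from this hop
        ttl -= 1
    return None, False


def traceroute(chain, max_ttl=30):
    """Return [(ttl, addr, open)] rows until the target answers, like tcptraceroute."""
    rows = []
    for ttl in range(1, max_ttl + 1):
        addr, is_open = probe(chain, ttl)
        rows.append((ttl, addr, is_open))
        if is_open:
            break
    return rows


def parse_tcptraceroute(text):
    """Parse lines like ' 5  1.1.1.1 [open]  21.387 ms ...' into (ttl, addr, open)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].isdigit():
            continue
        rows.append((int(parts[0]), parts[1], "[open]" in parts))
    return rows


def repeated_final_hops(rows):
    """Count trailing rows that answer from the final address.

    This is the figure the post worries about: three rows of 1.1.1.1 reveal
    two NAT layers in front of the target (value minus one).
    """
    if not rows:
        return 0
    last = rows[-1][1]
    count = 0
    for _, addr, _ in reversed(rows):
        if addr != last:
            break
        count += 1
    return count


def with_compensation(chain):
    """Copy of the chain where every forwarding (non-target) hop hides itself."""
    return [replace(h, hide=not h.is_target) for h in chain]


if __name__ == "__main__":
    print("as posted:", parse_tcptraceroute(SAMPLE_OUTPUT))
    print("modelled :", traceroute(CHAIN))
    print("with TTL compensation:", traceroute(with_compensation(CHAIN)))
```

Run as a script it prints the three-row trace for the modelled chain, the same count recovered from the posted lines, and a single `[open]` row once both forwarding hops compensate the TTL. One caveat the model makes visible: a hop that never consumes a TTL also never expires a looping packet, so any such rule should be scoped to traffic addressed to the 1:1-mapped hosts rather than applied to all forwarded packets.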
_______________________________________________
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list