I think you might have a misconception in your request. When you say:

>To resolve this issue I need to "mangle" forwarded IP packets by
>incrementing their TTL by 1.  This would effectively hide the above
>included results.  If anyone knows how to do this either through the web
>interface or through custom configurations then please let me know.

That is how IP normally works. Traceroute uses this feature by sending a
packet with the TTL set to 1, then the TTL set to 2, then the TTL set to 3,
etc. Each router on the chain reduces the value by one. Each time the
packet expires, an ICMP TTL message packet is sent to the sender saying that
the packet expired in transit. Those are the messages that traceroute uses to
map the network. The problem with filtering those messages is that if you hit a
loop on the Internet (often due to a network with static routes being
down), your packets will loop forever.

My best guess: a custom rule that drops all packets with a TTL < 5, and live
with the fact that some people on the Internet might have issues talking to
you if they are at the far perimeter of the Internet. This assumes that there
is an advanced feature in pfSense (and pf) that allows for filtering based
on TTL values.

Personally, I don't see why you need to keep the inside topology secret,
but if you do, use a reverse proxy on the outside and not 1 to 1 NAT.  Then the
packets will terminate at the proxy and not internally. If you are worried
about security and secrecy at this level, then you should not be using 1 to
1 NAT, as it exposes too much information and has too high of a risk. You
need to use proxies and other items that intercept and rewrite traffic to
hide the inside equipment, or decide that maybe you don't actually need to
be quite so much of a black box.


Walter


On Thu, Jul 10, 2014 at 7:36 AM, Blake Cornell <
bcorn...@integrissecurity.com> wrote:

> Any thoughts anyone?
>
> --
> Blake Cornell
> CTO, Integris Security LLC
> 501 Franklin Ave, Suite 200
> Garden City, NY 11530 USA
> http://www.integrissecurity.com/
> O: +1(516)750-0478
> M: +1(516)900-2193
> PGP: CF42 5262 AE68 4AC7 591B 2C5B C34C 7FAB 4660 F572
> Free Tools: https://www.integrissecurity.com/SecurityTools
> Follow us on Twitter: @integrissec
>
> On 07/03/2014 06:15 PM, Blake Cornell wrote:
> > Hello,
> >
> > I have a pfSense network that uses multiple layers of NAT translation.
> > Public IPs are mapped to specific NAT addresses using a 1 to 1 mapping
> > on the edge device.  The packets are then forwarded to another pfSense
> > device using another layer of NAT translation.
> >
> > Ex: public ip -> NAT network 1 -> NAT network 2 -> target machine.
> >
> > The issue lies when using the example IP of 1.1.1.1, on an example open
> > port 80.
> >
> > # tcptraceroute 1.1.1.1 80
> > [removed for brevity]
> >  3  1.1.1.1  29.247 ms  17.670 ms  14.007 ms
> >  4  1.1.1.1  20.142 ms  16.119 ms  16.609 ms
> >  5  1.1.1.1 [open]  21.387 ms  17.176 ms  70.283 ms
> >
> > As you can see, the results show three instances of 1.1.1.1.  This
> > allows an attacker the ability to enumerate the depth of NAT
> > translation.  This is a low risk issue.
> >
> > To resolve this issue I need to "mangle" forwarded IP packets by
> > incrementing their TTL by 1.  This would effectively hide the above
> > included results.  If anyone knows how to do this either through the web
> > interface or through custom configurations then please let me know.
> >
> > Email me directly for a real world example for your analysis.
> >
> > Thanks in Advance,
> >
>
> _______________________________________________
> List mailing list
> List@lists.pfsense.org
> https://lists.pfsense.org/mailman/listinfo/list
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
_______________________________________________
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
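The TTL mechanics Walter describes, and the effect of his "drop packets with TTL < 5" suggestion on what an outside prober sees, as an added simulation. This is not code from the thread or from pfSense/pf; the hop names, the 203.0.113.x transit addresses, and the assumption that both NAT layers answer from 1.1.1.1 (matching Blake's tcptraceroute output) are constructed for the example.

```python
"""Simulate a TCP traceroute through a two-layer 1:1 NAT path and show what a
'drop arriving packets with TTL < N' rule on the edge changes for the prober.
Added example with constructed data; it is not pfSense or pf code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Hop:
    name: str
    seen_as: str             # source address the prober sees on a Time Exceeded reply
    drop_ttl_below: int = 0  # 0 = no rule; otherwise drop packets arriving with TTL < N


def send_probe(path: List[Hop], initial_ttl: int) -> Tuple[str, Optional[str]]:
    """Forward one probe along the path.

    Returns (outcome, responder) where outcome is one of:
      'time-exceeded' - TTL hit zero at a forwarding hop, which replied with ICMP
      'dropped'       - a TTL policy rule discarded the packet (no reply at all)
      'reached'       - the probe arrived at the final host
    """
    ttl = initial_ttl
    for hop in path[:-1]:                       # every hop except the destination forwards
        if hop.drop_ttl_below and ttl < hop.drop_ttl_below:
            return "dropped", None              # silently discarded, prober sees '*'
        ttl -= 1                                # each forwarding hop decrements TTL by one
        if ttl == 0:
            return "time-exceeded", hop.seen_as  # ICMP Time Exceeded from this hop
    return "reached", path[-1].seen_as


def tcptraceroute(path: List[Hop], max_ttl: int = 30) -> List[Tuple[int, str, Optional[str]]]:
    """Probe with TTL 1, 2, 3, ... until the destination answers, like traceroute does."""
    rows = []
    for ttl in range(1, max_ttl + 1):
        outcome, who = send_probe(path, ttl)
        rows.append((ttl, outcome, who))
        if outcome == "reached":
            break
    return rows


def repeated_addresses(rows) -> Dict[str, int]:
    """Addresses that appear on more than one hop line: the repetition an outside
    observer can use to count NAT layers behind a single public IP."""
    counts: Dict[str, int] = {}
    for _, _, who in rows:
        if who:
            counts[who] = counts.get(who, 0) + 1
    return {addr: n for addr, n in counts.items() if n > 1}


# Constructed path matching the shape of Blake's output: two transit routers, the
# edge pfSense doing 1:1 NAT, a second pfSense doing another NAT layer, the target.
BASELINE = [
    Hop("isp-router-1", "203.0.113.1"),
    Hop("isp-router-2", "203.0.113.2"),
    Hop("edge-pfsense", "1.1.1.1"),     # replies are seen as the public IP after NAT
    Hop("inner-pfsense", "1.1.1.1"),
    Hop("target", "1.1.1.1"),
]

# Same path with Walter's suggested rule on the edge: drop arriving packets with TTL < 5.
WITH_RULE = [
    Hop("isp-router-1", "203.0.113.1"),
    Hop("isp-router-2", "203.0.113.2"),
    Hop("edge-pfsense", "1.1.1.1", drop_ttl_below=5),
    Hop("inner-pfsense", "1.1.1.1"),
    Hop("target", "1.1.1.1"),
]


def show(label: str, path: List[Hop]) -> None:
    rows = tcptraceroute(path)
    print(f"--- {label} ---")
    for ttl, outcome, who in rows:
        print(f"{ttl:2d}  {who or '*':<12} {outcome}")
    print("repeated addresses:", repeated_addresses(rows) or "none")


if __name__ == "__main__":
    show("no TTL rule", BASELINE)      # 1.1.1.1 appears on hops 3, 4 and 5
    show("drop TTL < 5 at edge", WITH_RULE)  # hops 3-6 answer with '*', target answers at 7
```

In the baseline run the public address shows up on three consecutive lines, which is exactly the NAT-depth leak Blake reports. With the drop rule the repeated lines disappear, but the prober now sees four silent hops before the target answers, and any legitimate client whose packets arrive at the edge with a TTL below 5 is cut off, which is the trade-off Walter points out.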
