It's a TCP traceroute, not UDP nor ICMP. I need to provide TCP based
services.

I would prefer staying within the framework of the interface or nominal
BSD magic.

-- 
Blake Cornell
CTO, Integris Security LLC
501 Franklin Ave, Suite 200
Garden City, NY 11530 USA
http://www.integrissecurity.com/
O: +1(516)750-0478
M: +1(516)900-2193
PGP: CF42 5262 AE68 4AC7 591B 2C5B C34C 7FAB 4660 F572
Free Tools: https://www.integrissecurity.com/SecurityTools
Follow us on Twitter: @integrissec

On 07/12/2014 09:54 PM, Chris Buechler wrote:
> I don't see the point. If you don't want people to see the path, don't
> allow traceroute in (or stop it after the first NAT). If you do, what
> do you care if the layers of NAT can be enumerated? If anything even
> remotely useful to an attacker can be done to your network because
> someone knows how many layers of NAT you have, you have a lot bigger
> problems than showing that in a traceroute.
>
> pf scrub does have a min-ttl option but it's not one that's exposed
> anywhere in the GUI and would require changing the source to use. Not
> something I've ever seen a real need to use.
>
>
> On Thu, Jul 10, 2014 at 4:51 PM, Blake Cornell
> <bcorn...@integrissecurity.com>
> wrote:
>
>     I would put it on a report as an issue.. furthermore... .... no
>     comment....
>
>     On 07/10/2014 05:29 PM, Walter Parker wrote:
>>     I disagree that this is a vulnerability/weakness. If this
>>     is truly your only issue with the network, I'd call it good and
>>     done if you are not the DOD/NSA.
>>
>>     If you are, then you need to start again with an even more secure
>>     foundation.
>>
>>
>>     Walter
>>
>>
>>     On Thu, Jul 10, 2014 at 2:25 PM, Blake Cornell
>>     <bcorn...@integrissecurity.com> wrote:
>>
>>         There is a reason for it. It works well except for this ONE
>>         issue.
>>
>>         I like setting up 0 vulnerability/weakness networks. This is
>>         the only one minus presentation/application issues.
>>
>>         Thank you both for your input. I'll touch base when I determine a
>>         resolution strategy.
>>
>>         On 07/10/2014 01:49 PM, James Bensley wrote:
>>         > Further to what Walter has said - Double NAT....Boooooooo!
>>         > _______________________________________________
>>         > List mailing list
>>         > List@lists.pfsense.org
>>         > https://lists.pfsense.org/mailman/listinfo/list
>>
>>     -- 
>>     The greatest dangers to liberty lurk in insidious encroachment by
>>     men of zeal, well-meaning but without understanding.   -- Justice
>>     Louis D. Brandeis
>>
