Re: [pfSense] Host Connectivity on a Specific Subnet

2014-07-12 Thread Espen Johansen
You might take a look in the cf/conf/config.xml. If it persists it should
originate from there. Just do a search for the IP.
On 12 July 2014 05:04, "Stefan Maerz" <stefan.ma...@thecommunitypartnership.org> wrote:

> Thank you for the response Espen. This was actually the approach I took
> (flushing ARP and resetting switches). It is a moot point now -- I came to
> the conclusion that I accidentally was spoofing the gateway interface using
> my Windows 7 MAC address.
>
> Darwin award winner? I think so. I misinterpreted "Insert my local MAC
> address" in the Interface Edit screen. I thought it meant local to the
> interface I was editing. Not so! Lesson learned! My poor network was
> almost as confused as I was.
>
> However at this point I had not solved my original problem. I disabled my
> WAN interface just to see what would happen. This allowed me to ping my
> CentOS host. At that point it became clear to me that there was a routing
> issue -- taking down one interface causing another to start working seems
> like a "pecking order" issue to me. I had not checked the routing table
> before because the pfSense Wiki reads:
>
>> You do not need to add routes for networks which are directly connected
>> to any interface of the firewall, and doing so may cause problems. You only
>> need to define static routes for networks which cannot be reached via the
>> default gateway.
>>
> I made the incorrect assumption that this statement implied that somehow
> no superfluous routes would be added, or if they existed they would
> automatically be removed. However for some reason it was configured to
> forward 10.144.1.8 to my WAN interface.
>
> A quick route del -host 10.144.1.8 and my network is 100% functional.
>
> However, still one problem remains. The route del command is not
> persistent when I reboot. How do I get rid of it? System>Routing>Routes
> indicates that no static routes are set up. Is there a routing
> configuration file somewhere?
>
> Best Regards,
> -Stefan
>
> On 7/11/2014 6:35 PM, Espen Johansen wrote:
>
>>
>> Please provide a network drawing.
>> I suspect you have an ARP leak or a switch that needs to be restarted to
>> clear its ARP cache. Restart the switch(es) with nothing connected and add
>> the CentOS and pfSense only, and only after you have cleared both units' ARP
>> cache (arp -d). Then take it from there.
>>
>> HTH.
>>
>> - LSF
>>
>> On 11 July 2014 21:57, "Stefan Maerz" <stefan.ma...@thecommunitypartnership.org> wrote:
>>
>> On 7/11/2014 2:03 PM, Stefan Maerz wrote:
>>
>> On 7/10/2014 7:52 PM, Stefan Maerz wrote:
>>
>>
>> Hi everyone,
>>
>> I have a problem I have been unable to solve all day
>> (literally *all* day).
>>
>> My pfSense box has two LAN interfaces and a WAN interface.
>> A CentOS 7.0 server is giving me grief on one of the
>> Subnets when configured as static or dynamic.
>>
>> When I put the problematic CentOS box on the other subnet
>> (and change corresponding host network configurations), it
>> works. The CentOS box also works when I put it on my
>> trustworthy Linksys WRT router (again, changing host
>> network settings along the way). To me this smelled of a
>> firewall problem, but there is nothing logged and I have
>> both LAN interfaces set up to pass everything. Secondly I
>> looked at DHCP for possible DHCP addressing conflicts, but
>> the DHCP server is disabled on this subnet. TCPdump
>> reveals that literally nothing is making it to the gateway
>> interface, however at the same time the activity light on
>> the interface blinks corresponding to my pings (there is
>> no other traffic).
>>
>> Further confusing me is that I am able to get a static IP
>> from other devices when I plug them into the problematic
>> subnet. Basically this single device does not work on this
>> single subnet and that is the only problem. Other devices
>> are fine on this subnet and this device is fine on other
>> subnets. ...?
>>
>> It is also worth noting that all the link lights are
>> lighting up and the cables and switch have been tested to
>> be working correctly. Nothing that I can see looks out of
>> place in pfSense's logs.
>>
>> Here are my host configuration files, all generated by
>> CentOS's nmtui utility. I tried my own manual
>> configurations with the same results (not
>> working): http://pastebin.com/HFYYTG09 (possible
>> typos -- this is hand written, my apologies if that is the case)
>>
>> I am at a loss and have been at this all day. pf

Re: [pfSense] Host Connectivity on a Specific Subnet

2014-07-12 Thread Stefan Maerz
Thanks again Espen. I can't find anything in /cf/conf/config.xml related 
to this address *and* routing. The  tag area is also 
empty like the webconfiguration indicates.


more /cf/conf/config.xml | grep -n 10.144.1.8

outputs:

221:10.144.1.8
385:10.144.1.8
1055:  10.144.1.8
1059:  10.144.1.8
1061:  10.144.1.8

Line 385 is related to a DNS forwarder.

I could write an init script to kill the route, but it seems it comes 
back every 20 minutes or so. And since I have no way of knowing 
precisely when the route is re-enabled, I would need to run a cronjob 
every second or so. And even that is not a great solution -- I'd 
reinstall before that. I'd really prefer a more elegant solution if 
possible.


Any other ideas? Am I searching for the wrong thing?

Best Regards,
-Stefan

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Host Connectivity on a Specific Subnet

2014-07-12 Thread Espen Johansen
Only thing I can think of is that a package with a separate config file
installs it. Do you have quagga/openbgp or any other routing package
running/installed?
On 12 July 2014 23:58, "Stefan Maerz" <stefan.ma...@thecommunitypartnership.org> wrote:


Re: [pfSense] Host Connectivity on a Specific Subnet

2014-07-12 Thread Stefan Maerz

No 3rd party routing installed.

-Stefan


Re: [pfSense] Host Connectivity on a Specific Subnet

2014-07-12 Thread Espen Johansen
Other packages?
OpenVPN?

Please list all your installed packages and I'll have a look.
Or remove them one by one until the "automagic" route add stops.

You can always try to grep /* for the IP in question. But it might be part
of a DB file for a pkg. It might not be plain text.
Can't help you remotely as I'm on vacation with flaky 3G mobile.




Re: [pfSense] Host Connectivity on a Specific Subnet

2014-07-12 Thread PiBa
Please note that DNS configuration options can add routes. (What
gateway is configured behind the DNS, if any?)


/* setup static routes for DNS servers. */
https://github.com/pfsense/pfsense/blob/master/etc/inc/system.inc#L159

Greets PiBa-NL

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
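The mechanism PiBa points to, as an added example that is not pfSense's own code: derive the host routes that a DNS server with a gateway selected would produce from a constructed config.xml fragment, then match them against a constructed netstat -rn listing so a phantom host route can be traced back to the setting that creates it. The <dnsserver> and <dnsNgw> element names are assumed from the pfSense 2.x config layout; all addresses and the gateway name are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed config.xml fragment: 10.144.1.8 is DNS server #1 with the WAN
# gateway selected (the case in this thread); 8.8.8.8 is DNS server #2 with
# no gateway. Element names are assumed from the pfSense 2.x config layout.
SAMPLE_CONFIG = """<pfsense>
  <system>
    <hostname>fw</hostname>
    <dnsserver>10.144.1.8</dnsserver>
    <dnsserver>8.8.8.8</dnsserver>
    <dns1gw>WANGW</dns1gw>
    <dns2gw>none</dns2gw>
  </system>
  <gateways>
    <gateway_item>
      <name>WANGW</name>
      <interface>wan</interface>
      <gateway>203.0.113.1</gateway>
    </gateway_item>
  </gateways>
</pfsense>
"""

# Constructed `netstat -rn` output from the firewall: the /32 for 10.144.1.8
# points at the WAN gateway although the host sits on the LAN (em1); a second
# host route (192.0.2.50) is included for comparison.
SAMPLE_ROUTES = """\
Routing tables

Internet:
Destination        Gateway            Flags    Netif Expire
default            203.0.113.1        UGS         em0
10.144.1.0/24      link#2             U           em1
10.144.1.8         203.0.113.1        UGHS        em0
192.0.2.50         203.0.113.1        UGHS        em0
"""


def dns_routes_from_config(config_xml):
    """Return {dns_ip: gateway_ip} for every DNS server that has a gateway
    selected; pfSense's system.inc installs a host route for each of these."""
    root = ET.fromstring(config_xml)
    system = root.find("system")
    gateways = {
        gw.findtext("name"): gw.findtext("gateway")
        for gw in root.iterfind("gateways/gateway_item")
    }
    routes = {}
    # dnsserver entries are numbered in document order: dns1gw belongs to the
    # first <dnsserver>, dns2gw to the second, and so on (assumption).
    for idx, dns in enumerate(system.iterfind("dnsserver"), start=1):
        gw_name = system.findtext("dns%dgw" % idx)
        if not gw_name or gw_name == "none":
            continue  # no gateway selected, so no static route is created
        if gw_name in gateways:
            routes[dns.text.strip()] = gateways[gw_name]
    return routes


def host_routes_from_netstat(netstat_output):
    """Return {destination: gateway} for host routes (flag H, no prefix
    length) found in `netstat -rn` output."""
    routes = {}
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or "/" in parts[0]:
            continue  # banner, blank or network route with a prefix length
        if "H" not in parts[2]:
            continue  # header line or non-host route
        routes[parts[0]] = parts[1]
    return routes


def explain_host_routes(config_xml, netstat_output):
    """Label each host route in the table with "dns gateway" when the
    config's DNS settings account for it, otherwise None."""
    expected = dns_routes_from_config(config_xml)
    explained = {}
    for dest, gw in host_routes_from_netstat(netstat_output).items():
        explained[dest] = "dns gateway" if expected.get(dest) == gw else None
    return explained


if __name__ == "__main__":
    for dest, origin in explain_host_routes(SAMPLE_CONFIG, SAMPLE_ROUTES).items():
        print("%-16s %s" % (dest, origin or "not from DNS settings"))
```

On a live pfSense box the same two functions would be fed the contents of /cf/conf/config.xml and the output of netstat -rn.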

Re: [pfSense] Host Connectivity on a Specific Subnet

2014-07-12 Thread Stefan Maerz

Hello again Espen,

I do have OpenVPN installed, however that was not the problem.

I had 10.144.1.8 configured as my DNS server using my WAN gateway as an 
interface. That was the root of all my problems.


Thank you Espen, Chris (off List), and anyone else who may have taken 
the time to read and think about my problem. I sincerely appreciate your 
advice.


Best Regards,
-Stefan


Re: [pfSense] Voucher system inside FreeRadius?

2014-07-12 Thread Chris Buechler
On Fri, Jul 11, 2014 at 11:17 AM, Alberto Moreno  wrote:

> Hi.
>
> I'm working with CP, the voucher system: can this info be generated with
> FRadius2 and the info saved in a DB like MySQL?
>
> The idea is to go enterprise +500 users.
>
> Is someone doing this now with the current voucher system, with or without
> fradius?
>

Generally you use RADIUS in that case, where RADIUS could be something you
populate with randomly-generated vouchers (entirely unrelated to the
built-in voucher system). Or depending on the use case, where vouchers are
desirable in larger scale, commonly the back end is an ISP billing solution
of some sort that has RADIUS as one of its components (to handle prepaid
Internet cards, monthly access, etc.).

Re: [pfSense] Enumerating NAT Hops - Information Disclosure - TTL++ mangle.

2014-07-12 Thread Chris Buechler
I don't see the point. If you don't want people to see the path, don't
allow traceroute in (or stop it after the first NAT). If you do, what do
you care if the layers of NAT can be enumerated. If anything even remotely
useful to an attacker can be done to your network because someone knows how
many layers of NAT you have, you have a lot bigger problems than showing
that in a traceroute.

pf scrub does have a min-ttl option but it's not one that's exposed
anywhere in the GUI and would require changing the source to use. Not
something I've ever seen a real need to use.


On Thu, Jul 10, 2014 at 4:51 PM, Blake Cornell <
bcorn...@integrissecurity.com> wrote:

> I would put it on a report as an issue... furthermore... no
> comment
>
> --
> Blake Cornell
> CTO, Integris Security LLC
> 501 Franklin Ave, Suite 200
> Garden City, NY 11530 USA
> http://www.integrissecurity.com/
> O: +1(516)750-0478
> M: +1(516)900-2193
> PGP: CF42 5262 AE68 4AC7 591B 2C5B C34C 7FAB 4660 F572
> Free Tools: https://www.integrissecurity.com/SecurityTools
> Follow us on Twitter: @integrissec
>
> On 07/10/2014 05:29 PM, Walter Parker wrote:
>
> I disagree that this is a vulnerability/weakness. If this is truly your
> only issue with the network, I'd call it good and done if you are not the
> DOD/NSA.
>
>  If you are, then you need to start again with an even more secure
> foundation.
>
>
>  Walter
>
>
>  On Thu, Jul 10, 2014 at 2:25 PM, Blake Cornell <
> bcorn...@integrissecurity.com> wrote:
>
>> There is a reason for it. It works well except for this ONE issue.
>>
>> I like setting up 0 vulnerability/weakness networks. This is the only
>> one minus presentation/application issues.
>>
>> Thank you both for your input. I'll touch base when I determine a
>> resolution strategy.
>>
>> --
>> Blake Cornell
>> CTO, Integris Security LLC
>> 501 Franklin Ave, Suite 200
>> Garden City, NY 11530 USA
>> http://www.integrissecurity.com/
>> O: +1(516)750-0478
>> M: +1(516)900-2193
>> PGP: CF42 5262 AE68 4AC7 591B 2C5B C34C 7FAB 4660 F572
>> Free Tools: https://www.integrissecurity.com/SecurityTools
>> Follow us on Twitter: @integrissec
>>
>>  On 07/10/2014 01:49 PM, James Bensley wrote:
>> > Further to what Walter has said - Double NATB!
>>
>>
>
>
>
>  --
> The greatest dangers to liberty lurk in insidious encroachment by men of
> zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis

Re: [pfSense] Enumerating NAT Hops - Information Disclosure - TTL++ mangle.

2014-07-12 Thread Blake Cornell
It's a TCP traceroute, not UDP or ICMP. I need to provide TCP-based
services.

I would prefer staying within the framework of the interface or nominal
BSD magic.

-- 
Blake Cornell
CTO, Integris Security LLC
501 Franklin Ave, Suite 200
Garden City, NY 11530 USA
http://www.integrissecurity.com/
O: +1(516)750-0478
M: +1(516)900-2193
PGP: CF42 5262 AE68 4AC7 591B 2C5B C34C 7FAB 4660 F572
Free Tools: https://www.integrissecurity.com/SecurityTools
Follow us on Twitter: @integrissec


Re: [pfSense] Enumerating NAT Hops - Information Disclosure - TTL++ mangle.

2014-07-12 Thread Walter Parker
Then you're stuck with setting up reverse proxies for those services.


Walter


-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis

Re: [pfSense] Enumerating NAT Hops - Information Disclosure - TTL++ mangle.

2014-07-12 Thread Adrian Wenzel
Simplest answer: block outbound ICMP Time Exceeded type responses at the edge. 
Then your internal layers of routers and hosts can respond to the SYN packets 
from tcptraceroute, but they'll be dropped and the outside party will only see 
the edge device. 

Thanks! 

-Adrian 

- Original Message -

> From: "Walter Parker" 
> To: "pfSense Support and Discussion Mailing List"
> 
> Sent: Saturday, July 12, 2014 11:42:07 PM
> Subject: Re: [pfSense] Enumerating NAT Hops - Information Disclosure
> - TTL++ mangle.

> Then you stuck with setting up reverse proxies for those services.

> Walter

> On Sat, Jul 12, 2014 at 6:56 PM, Blake Cornell <
> bcorn...@integrissecurity.com > wrote:

> > Its a TCP traceroute, not UDP nor ICMP. I need to provide TCP based
> > services.
> 

> > I would prefer staying within the framework of the interface or
> > nominal BSD magic.
> 

> > --
> > Blake Cornell
> > CTO, Integris Security LLC
> > 501 Franklin Ave, Suite 200
> > Garden City, NY 11530 USA http://www.integrissecurity.com/
> > O: +1(516)750-0478 M: +1(516)900-2193
> > PGP: CF42 5262 AE68 4AC7 591B 2C5B C34C 7FAB 4660 F572
> > Free Tools: https://www.integrissecurity.com/SecurityTools
> > Follow us on Twitter: @integrissec
> >
> > On 07/12/2014 09:54 PM, Chris Buechler wrote:
> >
> > > I don't see the point. If you don't want people to see the path,
> > > don't allow traceroute in (or stop it after the first NAT). If you
> > > do, what do you care if the layers of NAT can be enumerated. If
> > > anything even remotely useful to an attacker can be done to your
> > > network because someone knows how many layers of NAT you have, you
> > > have a lot bigger problems than showing that in a traceroute.
> > >
> > > pf scrub does have a min-ttl option but it's not one that's exposed
> > > anywhere in the GUI and would require changing the source to use.
> > > Not something I've ever seen a real need to use.
> > >
> > > On Thu, Jul 10, 2014 at 4:51 PM, Blake Cornell <
> > > bcorn...@integrissecurity.com > wrote:
> > >
> > > > I would put it on a report as an issue.. further more... no
> > > > comment
> > > >

> > > > On 07/10/2014 05:29 PM, Walter Parker wrote:
> > > >
> > > > > I disagree that this is a vulnerability/weakness. If this is
> > > > > truly your only issue with the network, I'd call it good and
> > > > > done if you are not the DOD/NSA.
> > > > >
> > > > > If you are, then you need to start again with an even more
> > > > > secure foundation.
> > > > >
> > > > > Walter
> > > > >
> > > > > On Thu, Jul 10, 2014 at 2:25 PM, Blake Cornell <
> > > > > bcorn...@integrissecurity.com > wrote:
> > > > >
> > > > > > There is a reason for it. It works well except for this ONE
> > > > > > issue.
> > > > > >
> > > > > > I like setting up 0 vulnerability/weakness networks. This is
> > > > > > the only one minus presentation/application issues.
> > > > > >
> > > > > > Thank you both for your input. I'll touch base when I
> > > > > > determine a resolution strategy.
> > > > > >

> > > > > > On 07/10/2014 01:49 PM, James Bensley wrote:
> > > > > >
> > > > > > > Further to what Walter has said - Double NATB!

Re: [pfSense] Enumerating NAT Hops - Information Disclosure - TTL++ mangle.

2014-07-12 Thread Chris Buechler
On Sat, Jul 12, 2014 at 8:56 PM, Blake Cornell
 wrote:
> Its a TCP traceroute, not UDP nor ICMP. I need to provide TCP based
> services.
>
> I would prefer staying within the framework of the interface or nominal BSD
> magic.
>

Makes a little more sense in that context, but the point still stands,
what does it matter.

Hacking /etc/inc/filter.inc to add min-ttl as desired to the scrub
lines wouldn't be too difficult, but it wouldn't survive upgrades. A
reverse proxy is possibly a better solution.
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
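Adrian's suggestion of dropping ICMP Time Exceeded at the edge and the pf scrub min-ttl option Chris mentions, written out as pf.conf rules so the two approaches can be compared side by side. This is an added illustration, not configuration from the thread, from pfSense or from any of the posters; the interface names, the `<int_nets>` table, the TTL floor of 64 and the example service port are assumptions.

```pf
# Added example (not from the thread): two ways to stop an outside
# tcptraceroute from enumerating the NAT layers behind a pf edge.
# em0/em1, the <int_nets> table and the TTL floor are assumed values.
ext_if = "em0"
int_if = "em1"
table <int_nets> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Option A (the min-ttl scrub Chris refers to): raise the TTL of every
# packet arriving on the WAN side to at least 64 before it is forwarded.
# A probe sent with TTL 1, 2, 3 ... never expires on an inner router, so
# nobody behind the edge ever generates ICMP Time Exceeded. Side effects:
# the edge itself also disappears from the trace (the tracer sees the
# target at hop 1), and any inbound packet with a genuinely low TTL,
# including one caught in a routing loop, is forwarded anyway.
scrub in on $ext_if all min-ttl 64

# Option B (Adrian's edge block): let the inner layers expire the probe
# as usual, but drop their ICMP Time Exceeded replies (icmp-type timex)
# where they enter the edge from the inside. Filtering inbound on the
# internal interface, from internal addresses to outside destinations,
# leaves the edge's own Time Exceeded messages untouched, so the outside
# party sees exactly one hop: the edge device. Path MTU discovery is not
# affected, since it depends on ICMP Unreachable (needfrag), not timex.
# "log" makes the dropped replies visible in pflog for later review.
block in log quick on $int_if inet proto icmp from <int_nets> \
      to ! <int_nets> icmp-type timex

# The TCP services Blake needs to keep exposing are unaffected by either
# option; only the ICMP error path is changed. Port 443 is illustrative.
pass in on $ext_if inet proto tcp from any to $ext_if port 443 keep state
pass out on $int_if inet proto tcp from any to any port 443 keep state
```

Without either rule, each NATed layer answers a TTL-expired probe in turn and the layer count is readable from outside, which is the disclosure the thread is about. On pfSense the ruleset is generated from `/etc/inc/filter.inc`, so Option A is the one Chris says would need a source change that does not survive upgrades; Option B, by contrast, can be expressed as an ordinary firewall rule on the LAN interface (protocol ICMP, type Time exceeded, action block), which the GUI persists across upgrades.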