Re: [pfSense] Enumerating NAT Hops - Information Disclosure - TTL++ mangle.

2014-07-12 Thread Chris Buechler
On Sat, Jul 12, 2014 at 8:56 PM, Blake Cornell wrote:
> It's a TCP traceroute, not UDP nor ICMP. I need to provide TCP-based services.
>
> I would prefer staying within the framework of the interface or nominal BSD magic.

Makes a little more sense in that context, but the point still stands,

Re: [pfSense] Enumerating NAT Hops - Information Disclosure - TTL++ mangle.

2014-07-12 Thread Adrian Wenzel
Simplest answer: block outbound ICMP Time Exceeded type responses at the edge. Then your internal layers of routers and hosts can respond to the SYN packets from tcptraceroute, but they'll be dropped and the outside party will only see the edge device. Thanks! -Adrian - Original Messag
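Added example, not from the thread: Adrian's suggestion written as a pf.conf fragment for a pfSense-style edge box. pfSense generates its ruleset from the GUI, so there this is the rule you would add on the inner interface's tab (or as a floating rule) rather than text you paste into pf.conf. The interface names are assumptions.

```pf
# Added example (not from the thread): hide inner NAT hops from tcptraceroute.
# Interface names are assumptions; substitute your own WAN and inner interface.
ext_if = "em0"   # WAN
int_if = "em1"   # LAN / transit interface towards the inner NAT layers

# An ICMP "time exceeded" (type 11) arriving on the inner interface was generated
# by a router or host behind this box, answering a probe whose TTL expired there.
# Dropping it on the way in hides every inner hop: the prober just sees a timeout.
block in log quick on $int_if inet  proto icmp  icmp-type  timex
block in log quick on $int_if inet6 proto icmp6 icmp6-type timex
```

Two points worth noting. The rule is applied `in on $int_if` rather than `out on $ext_if` on purpose: the edge's own time-exceeded replies are locally generated and never traverse an `in` rule on the inner interface, so the outside party still sees exactly one hop (the edge) followed by `* * *`; a `block out on $ext_if` would also swallow the edge's replies. Because the filter on the inner interface runs before outbound NAT, the source addresses seen by this rule are still the internal ones, so it can be narrowed with a `from <inner networks>` clause if some time-exceeded traffic must still cross the box (for example, replies to a DMZ host's own traceroutes). Verify from outside with `tcptraceroute <public-ip> 443` or Linux `traceroute -T -p 443 <public-ip>`: the edge should answer, everything behind it should time out.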

Re: [pfSense] Enumerating NAT Hops - Information Disclosure - TTL++ mangle.

2014-07-12 Thread Walter Parker
Then you're stuck with setting up reverse proxies for those services. Walter

On Sat, Jul 12, 2014 at 6:56 PM, Blake Cornell < bcorn...@integrissecurity.com> wrote:
> It's a TCP traceroute, not UDP nor ICMP. I need to provide TCP-based services.
>
> I would prefer staying within the framework of

Re: [pfSense] Enumerating NAT Hops - Information Disclosure - TTL++ mangle.

2014-07-12 Thread Blake Cornell
It's a TCP traceroute, not UDP nor ICMP. I need to provide TCP-based services. I would prefer staying within the framework of the interface or nominal BSD magic. -- Blake Cornell CTO, Integris Security LLC 501 Franklin Ave, Suite 200 Garden City, NY 11530 USA http://www.integrissecurity.com/ O: +

Re: [pfSense] Enumerating NAT Hops - Information Disclosure - TTL++ mangle.

2014-07-12 Thread Chris Buechler
I don't see the point. If you don't want people to see the path, don't allow traceroute in (or stop it after the first NAT). If you do, what do you care if the layers of NAT can be enumerated? If anything even remotely useful to an attacker can be done to your network because someone knows how many

Re: [pfSense] Voucher system inside FreeRadius?

2014-07-12 Thread Chris Buechler
On Fri, Jul 11, 2014 at 11:17 AM, Alberto Moreno wrote:
> Hi.
>
> I'm working with CP, the voucher system. Can this info be generated with FRadius2 and save the info in a DB like MySQL?
>
> The idea is to go enterprise, +500 users.
>
> Some is doing this now with the current voucher system with

Re: [pfSense] Host Connectivity on a Specific Subnet

2014-07-12 Thread Stefan Maerz
Hello again Espen, I do have OpenVPN installed, however that was not the problem. I had 10.144.1.8 configured as my DNS server using my WAN gateway as an interface. That was the root of all my problems. Thank you Espen, Chris (off List), and anyone else who may have taken the time to read an

Re: [pfSense] Host Connectivity on a Specific Subnet

2014-07-12 Thread PiBa
Please note that DNS configuration options can add routes. (What gateway is configured behind the DNS, if any?) /* setup static routes for DNS servers. */ https://github.com/pfsense/pfsense/blob/master/etc/inc/system.inc#L159 Greets PiBa-NL

Espen Johansen wrote on 13-7-2014 0:44: Other pac

Re: [pfSense] Host Connectivity on a Specific Subnet

2014-07-12 Thread Espen Johansen
Other packages? OpenVPN? Please list all your installed packages and I'll have a look. Or remove them one by one until the "automagic" route add stops. You can always try to grep /* for the IP in question. But it might be part of a DB file for a pkg. It might not be plain text. Can't help you rem

Re: [pfSense] Host Connectivity on a Specific Subnet

2014-07-12 Thread Stefan Maerz
No 3rd party routing installed. -Stefan

On 7/12/2014 5:19 PM, Espen Johansen wrote:
> Only thing I can think of is that a package with a separate config file installs it. Do you have quagga/openbgp or any other routing package running/installed?
>
> On 12 July 2014 23:58, "Stefan Maerz" wrote

Re: [pfSense] Host Connectivity on a Specific Subnet

2014-07-12 Thread Espen Johansen
Only thing I can think of is that a package with a separate config file installs it. Do you have quagga/openbgp or any other routing package running/installed?

On 12 July 2014 23:58, "Stefan Maerz" < stefan.ma...@thecommunitypartnership.org> wrote the following:
> Thanks again Espen. I can't find anythin

Re: [pfSense] Host Connectivity on a Specific Subnet

2014-07-12 Thread Stefan Maerz
Thanks again Espen. I can't find anything in /cf/conf/config.xml related to this address *and* routing. The tag area is also empty, as the web configurator indicates.

more /cf/conf/config.xml | grep -n 10.144.1.8

outputs:

221:10.144.1.8
385:10.144.1.8
1055:

Re: [pfSense] Host Connectivity on a Specific Subnet

2014-07-12 Thread Espen Johansen
You might take a look in /cf/conf/config.xml. If it persists it should originate from there. Just do a search for the IP.

On 12 July 2014 05:04, "Stefan Maerz" < stefan.ma...@thecommunitypartnership.org> wrote the following:
> Thank you for the response Espen. This was actually the approach I took
> (f