On Sat, Jul 12, 2014 at 8:56 PM, Blake Cornell
wrote:
> It's a TCP traceroute, not UDP nor ICMP. I need to provide TCP-based
> services.
>
> I would prefer staying within the framework of the interface or nominal BSD
> magic.
>
Makes a little more sense in that context, but the point still stands,
----- Original Message -----
> From: "Walter Parker"
> To: "pfSense Support and Discussion Mailing List"
>
> Sent: Saturday, July 12, 2014 11:42:07 PM
> Subject: Re: [pfSense] Enumerating NAT Hops - Information Disclosure
> - TTL++ mangle.
> Then you're stuck with
Then you're stuck with setting up reverse proxies for those services.
Walter
On Sat, Jul 12, 2014 at 6:56 PM, Blake Cornell <
bcorn...@integrissecurity.com> wrote:
> It's a TCP traceroute, not UDP nor ICMP. I need to provide TCP-based
> services.
>
> I would prefer staying within the framework of
It's a TCP traceroute, not UDP nor ICMP. I need to provide TCP-based
services.
I would prefer staying within the framework of the interface or nominal
BSD magic.
--
Blake Cornell
CTO, Integris Security LLC
501 Franklin Ave, Suite 200
Garden City, NY 11530 USA
http://www.integrissecurity.com/
O: +
I don't see the point. If you don't want people to see the path, don't
allow traceroute in (or stop it after the first NAT). If you do, what do
you care if the layers of NAT can be enumerated. If anything even remotely
useful to an attacker can be done to your network because someone knows how
many
I would put it on a report as an issue.. furthermore... no comment
I disagree that this is a vulnerability/weakness. If this is truly your
only issue with the network, I'd call it good and done if you are not the
DOD/NSA.
If you are, then you need to start again with an even more secure
foundation.
Walter
On Thu, Jul 10, 2014 at 2:25 PM, Blake Cornell <
bcorn
There is a reason for it. It works well except for this ONE issue.
I like setting up 0 vulnerability/weakness networks. This is the only
one minus presentation/application issues.
Thank you both for your input. I'll touch base when I determine a
resolution strategy.
Further to what Walter has said - Double NATB!
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
I think you might have a misconception in your request. When you say:
>To resolve this issue I need to "mangle" forwarded IP packets by
>incrementing their TTL by 1. This would effectively hide the above
>included results. If anyone knows how to do this either through the web
>interface or throug
Any thoughts anyone?
Hello,
I have a pfSense network that uses multiple layers of NAT translation.
Public IPs are mapped to specific NAT addresses using a 1 to 1 mapping
on the edge device. The packets are then forwarded to another pfSense
device using another layer of NAT translation.
Ex: public ip -> NAT network