Netgate Discussion Forum
    TTL decrement
    2.4 Development Snapshots
obadiah

      Hi All,

      I would like to see a feature included in pfSense whereby the TTL of a packet can be dropped.

      We have a site to site VPN. To avoid an attacker tunnelling traffic from a remote host with IP Forwarding enabled, I would like to set the TTL of ICMP and TCP packets to 1.

I.e., this ensures that the packet will terminate when it hits the destination server. Since the packet expires when it hits the remote host, it should not / could not be forwarded to another subnet / network.

      There are obvious drawbacks and limitations (traffic can be proxied / NAT'ed / TTL reset), but other vendors have this feature - and it works effectively with worm / trojan outbreaks.

      What would be the easiest way to have this feature request submitted?

phil.davis
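A small model of per-hop TTL handling, added here as an illustration and not part of the original post, showing why a packet that arrives at the remote host with TTL 1 cannot be forwarded on (a forwarding host must discard it and send ICMP Time Exceeded) while local delivery is unaffected. It assumes the TTL is rewritten to 1 by the last router before the remote host; all addresses are constructed.

```python
from dataclasses import dataclass

DELIVERED = "delivered"
FORWARDED = "forwarded"
DROP_TTL = "dropped: TTL expired, ICMP Time Exceeded sent to source"
DROP_NOFWD = "dropped: not addressed to this host and forwarding is off"

@dataclass
class Packet:
    src: str
    dst: str
    ttl: int

def handle(hop_ip, pkt, ip_forwarding):
    """One host's treatment of an arriving packet: (outcome, packet to send on)."""
    if pkt.dst == hop_ip:
        return DELIVERED, None          # local delivery: TTL is not checked
    if not ip_forwarding:
        return DROP_NOFWD, None
    if pkt.ttl <= 1:
        # A forwarding host may not emit a packet with TTL 0 (RFC 1812),
        # so a TTL-1 packet dies here even though forwarding is enabled.
        return DROP_TTL, None
    return FORWARDED, Packet(pkt.src, pkt.dst, pkt.ttl - 1)

def trace(path, pkt, forwarding_hosts):
    """Walk pkt along path (list of hop IPs); return [(hop, outcome), ...]."""
    events = []
    for hop in path:
        outcome, pkt = handle(hop, pkt, hop in forwarding_hosts)
        events.append((hop, outcome))
        if pkt is None:
            break
    return events

if __name__ == "__main__":
    # Constructed addresses: the remote VPN host has IP forwarding enabled and
    # sits in front of a second subnet the tunnel is not meant to reach.
    remote_host, behind = "10.0.2.10", "10.0.3.5"
    fwd = {remote_host}
    print(trace([remote_host, behind], Packet("10.0.1.20", behind, 64), fwd))
    print(trace([remote_host, behind], Packet("10.0.1.20", behind, 1), fwd))
    print(trace([remote_host], Packet("10.0.1.20", remote_host, 1), fwd))
```

The model stops at the hop that discards the packet, so the second trace ends at the remote host; it does not model a proxy on that host, which originates a fresh packet with a full TTL and is the bypass the post already notes.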

        Just answering your last question:

        Go to https://redmine.pfsense.org and add a new issue there of type "Feature".

        Others can discuss if the feature has merit etc.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

jimp (Rebel Alliance Developer, Netgate)

          That wouldn't be up to us, it would have to be added to pf first. Ask upstream on a FreeBSD forum to see if there is any interest. pf originated on OpenBSD but FreeBSD's pf version has diverted significantly.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

doktornotor

            https://redmine.pfsense.org/issues/1683 - no need for another ticket, no need to implement anything in FreeBSD … plus frankly, a waste of time.

jimp (Rebel Alliance Developer, Netgate)

              Changing it system-wide wouldn't accomplish this particular goal of protecting just this one VPN. It would also kill the ability to reach the Internet at all.

              It would have to be set on a policy basis, so pf or ipfw.

              I agree though it's not worth the effort.
