TTL decrement

obadiah

Hi All,

I would like to see a feature included in pfSense whereby the TTL of a packet can be dropped.

We have a site to site VPN. To avoid an attacker tunnelling traffic from a remote host with IP Forwarding enabled, I would like to set the TTL of ICMP and TCP packets to 1.

I.e. This ensures that the packet will terminate when it hits the destination server. Since the packet expires when it hits the remote host, it should not / could not be forwarded to another subnet / network.

There are obvious drawbacks and limitations (traffic can be proxied / NAT'ed / TTL reset), but other vendors have this feature - and it works effectively with worm / trojan outbreaks.

What would be the easiest way to have this feature request submitted?

phil.davis

Just answering your last question:

Go to https://redmine.pfsense.org and add a new issue there of type "Feature".

Others can discuss if the feature has merit etc.

jimp

That wouldn't be up to us, it would have to be added to pf first. Ask upstream on a FreeBSD forum to see if there is any interest. pf originated on OpenBSD but FreeBSD's pf version has diverted significantly.

doktornotor

https://redmine.pfsense.org/issues/1683 - no need for another ticket, no need to implement anything in FreeBSD … plus frankly, a waste of time.

jimp

Changing it system-wide wouldn't accomplish this particular goal of protecting just this one VPN. It would also kill the ability to reach the Internet at all.

It would have to be set on a policy basis, so pf or ipfw.

I agree though it's not worth the effort.