stop pfsense showing as route
-
Hello, is there a way to stop pfsense firewall to stop showing as a route / hop on traceroutes, i want to do this for security in case it gets attacked.
Kind Regards,
Chris -
Block ICMP.
-
Done that, when i do a normal ping it doesnt ping but when doing a trace route it shows.
-
Did you kill the firewall states ?
-
how would i do that? is there a guide for that?
-
Diagnostics -> States -> States -> Reset States
Read the text above the reset button.
-
Done that, no luck. i think it must be somewhere else or a different option.
-
would it be this?
https://phil.lavin.me.uk/2013/04/how-to-disable-icmp-redirects-in-pfsense/
-
Your ICMP block rule is at the top isn't it ?
-
Yes very top
-
Where are you trying to block traceroutes from, if its your local network out the rule needs to be on the LAN interface.
-
Its WAN, its a public firewall for public IP's so has a WAN IP
-
I saw 'somewhere' that trace route could be ICMP based.
Normally, it's UDP based.@chrisjmuk : you want to hide your router from LAN based clients ?
You can not fear attacks from the inside. Unless you created that situation.
Only trusted clients should be connected to the LAN interface.
Everybody else goes on a another LAN network, called OPTx where x is a number.
These guys shouldn't be able to connect to pfSense, the GUI (port 443 or 80). They can just use '53', '67', '68' and '123' (if you want).
Attacks from the outside isn't possible. pfSense, out of the box, is rock solid. -
https://superuser.com/questions/355486/what-is-the-range-of-ports-that-is-usually-used-in-the-traceroute-command
Forgot it could use UDP.
-
Thank, but that doesnt really help me blocking the trace, i set to udp and ports 33434 to 33534 and no luck, someone must of solved this issue before. surely
-
Do you have any floating rules, by default everything is blocked into the WAN interface.
-
https://www.ultratools.com/tools/traceRoute
-
whats the entire port range you have? i have this as i said (i know rule is currently disabled in the screenshot but doesnt work enabled)
-
Post a screenshot of your WAN rules, as I said by default everything is blocked inbound on the WAN.
-
yep just posted, because its all public IP's it cant work as like that, if i block ICMP on everything in WAN the public IP's will no longer ping, so just setting to the firewall ip itself.
