Modify TTL value for security reasons.

Reply to Modify TTL value for security reasons. on Mon, 07 May 2007 12:59:40 GMT

juanchoX — Mon, 07 May 2007 12:59:40 GMT

yeah, thanks ulrich, here …

Bill Marquette
Mon, 04 Sep 2006 10:09:44 -0700

Or if you want fuck with the ISP and have a full blown network behind
the pfSense box.

Change the following line in /etc/inc/filter.inc
$rules .= "scrub all {$scrubnodf} {$mssclamp} fragment
reassemble\n"; // reassemble all directions
to:
$rules .= "scrub all min-ttl 255 {$scrubnodf} {$mssclamp}
fragment reassemble\n"; // reassemble all directions

That will reset the TTL to 255 (substitute whatever sufficiently high
value appeals to you) as it passes through the pfSense box. The above
line lives on line 166 in filter.inc version 1.575.2.235. BTW, this
will have the other added advantage of being able to mask different
OSs behind your pfSense box and the network layout as ALL packets will
have a normalized TTL after traversing the firewall.

I don't expect to ever put a gui wrapper around this, I feel it has
rather limited use.

--Bill

Reply to Modify TTL value for security reasons. on Mon, 07 May 2007 02:25:04 GMT

rcarr — Mon, 07 May 2007 02:25:04 GMT

I don't know if pfsense supports it, but pf allows you to create rules based on the TTL value. For instance, you should be suspicious of incoming packets with very low TTL (TTL = 1, 2, etc) because it's likely the result of firewalking.

Reply to Modify TTL value for security reasons. on Mon, 07 May 2007 01:10:09 GMT

cmb — Mon, 07 May 2007 01:10:09 GMT

That may or may not be what you're after. If not, by "packet mangle TTL", what exactly do you mean?

Reply to Modify TTL value for security reasons. on Mon, 07 May 2007 01:06:20 GMT

sullrich — Mon, 07 May 2007 01:06:20 GMT

See this URL for more information: http://www.mail-archive.com/discussion@pfsense.com/msg01782.html