Modify TTL value for security reasons.



  • Pfsense support Packet Mangle TTL ?





  • That may or may not be what you're after. If not, by "packet mangle TTL", what exactly do you mean?



  • I don't know if pfsense supports it, but pf allows you to create rules based on the TTL value.  For instance, you should be suspicious of incoming packets with very low TTL (TTL = 1, 2, etc) because it's likely the result of firewalking.



  • yeah, thanks ulrich, here …

    Bill Marquette
    Mon, 04 Sep 2006 10:09:44 -0700

    Or if you want fuck with the ISP and have a full blown network behind
    the pfSense box.

    Change the following line in /etc/inc/filter.inc
          $rules .= "scrub all {$scrubnodf} {$mssclamp} fragment
    reassemble\n"; // reassemble all directions
    to:
          $rules .= "scrub all min-ttl 255 {$scrubnodf} {$mssclamp}
    fragment reassemble\n"; // reassemble all directions

    That will reset the TTL to 255 (substitute whatever sufficiently high
    value appeals to you) as it passes through the pfSense box.  The above
    line lives on line 166 in filter.inc version 1.575.2.235.  BTW, this
    will have the other added advantage of being able to mask different
    OSs behind your pfSense box and the network layout as ALL packets will
    have a normalized TTL after traversing the firewall.

    I don't expect to ever put a gui wrapper around this, I feel it has
    rather limited use.

    --Bill


Log in to reply