4. How to match rules by TTL

How to match rules by TTL

  • H

    Hi!

    I want to prevent rogue routers/ap that are using NAT. There is already a switch policy with one MAC/port, but with using NAT only the masquerading device is seen, so switch does not block.
    Now I want to check the packet TTL for odd values. Since pfSense is first HOP, I would like to block odd TTL values.

    Unter Linux I could do this with:

    
Iptables –A INPUT -m ttl --ttl-eq 62 –j DROP
Iptables –A INPUT -m ttl --ttl-eq 126 –j DROP

    How can I realize this with pfSense. I read that pf could mark pakets and I can filter marked packets. Any chance to do it in webUI? and if not what pf-command to use and to place to be persistant between updates?

    0
  • H

    What a pity. No ideas how to implement it?  :( Anyway pf does not seem to support setting specific ttl value, except min-ttl.

    Well, I found a workaround. I set default TTL to 1, then used scrub to set min-ttl to 64 for all interfaces except outgoing traffic to client interface. So client receives packet with TTL 1. Any additional rogue HOP decreases to zero and discards packet :)

    0
  • C

    There's no way to accomplish what you're asking for re: matching rules by TTL. The scrub min-ttl isn't for that purpose, that's to make mapping of internal network hops unfeasible where you're allowing traffic inbound. Where'd you "set default TTL to 1"?

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy