4. How to match rules by TTL

How to match rules by TTL

  • H

    Hi!

    I want to prevent rogue routers/ap that are using NAT. There is already a switch policy with one MAC/port, but with using NAT only the masquerading device is seen, so switch does not block.
    Now I want to check the packet TTL for odd values. Since pfSense is first HOP, I would like to block odd TTL values.

    Unter Linux I could do this with:

    
Iptables –A INPUT -m ttl --ttl-eq 62 –j DROP
Iptables –A INPUT -m ttl --ttl-eq 126 –j DROP

    How can I realize this with pfSense. I read that pf could mark pakets and I can filter marked packets. Any chance to do it in webUI? and if not what pf-command to use and to place to be persistant between updates?

    0
  • H

    What a pity. No ideas how to implement it?  :( Anyway pf does not seem to support setting specific ttl value, except min-ttl.

    Well, I found a workaround. I set default TTL to 1, then used scrub to set min-ttl to 64 for all interfaces except outgoing traffic to client interface. So client receives packet with TTL 1. Any additional rogue HOP decreases to zero and discards packet :)

    0
  • C

    There's no way to accomplish what you're asking for re: matching rules by TTL. The scrub min-ttl isn't for that purpose, that's to make mapping of internal network hops unfeasible where you're allowing traffic inbound. Where'd you "set default TTL to 1"?

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy