How to match rules by TTL

  • Hi!

    I want to prevent rogue routers/APs that are using NAT. There is already a switch policy with one MAC per port, but when NAT is used only the masquerading device is seen, so the switch does not block.
    Now I want to check the packet TTL for odd values. Since pfSense is the first hop, I would like to block odd TTL values.

    Under Linux I could do this with:

    iptables -A INPUT -m ttl --ttl-eq 62 -j DROP
    iptables -A INPUT -m ttl --ttl-eq 126 -j DROP

    How can I realize this with pfSense? I read that pf could mark packets and I can filter marked packets. Any chance to do it in the web UI? And if not, what pf command should I use, and where do I place it to be persistent between updates?
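    The idea behind the iptables rules above, as an added example that is not part of the original post and not pfSense or pf code: a host that talks to the firewall directly arrives with its OS default TTL (64, 128 or 255), while a host behind an extra NAT router arrives with that value decremented once. The script below parses the TTL out of constructed IPv4 headers and flags packets that have crossed more hops than the topology allows; the initial-TTL table, the sample addresses and the `expected_hops` parameter are assumptions of this example.

    ```python
    import socket
    import struct

    # Initial TTL values that common operating systems use (Linux/macOS 64,
    # Windows 128, some network gear 255). Assumption of this example: these
    # are the only reference points the classifier considers.
    INITIAL_TTLS = (64, 128, 255)


    def build_ipv4_header(src: str, dst: str, ttl: int, proto: int = 17) -> bytes:
        """Constructed sample: a minimal 20-byte IPv4 header (checksum left at 0)."""
        return struct.pack(
            "!BBHHHBBH4s4s",
            0x45,          # version 4, IHL 5 (20 bytes)
            0,             # DSCP/ECN
            20,            # total length (header only, no payload here)
            0,             # identification
            0,             # flags / fragment offset
            ttl,
            proto,
            0,             # header checksum (not computed for this example)
            socket.inet_aton(src),
            socket.inet_aton(dst),
        )


    def parse_ipv4(packet: bytes) -> tuple:
        """Return (source address, TTL) from a raw IPv4 packet; TTL is byte 8."""
        if len(packet) < 20 or packet[0] >> 4 != 4:
            raise ValueError("not a complete IPv4 header")
        return socket.inet_ntoa(packet[12:16]), packet[8]


    def infer_hops(ttl: int) -> int:
        """Hops travelled, assuming the sender started from the nearest common initial TTL."""
        if not 0 < ttl <= 255:
            raise ValueError("TTL out of range")
        initial = min(t for t in INITIAL_TTLS if t >= ttl)
        return initial - ttl


    def is_suspicious(ttl: int, expected_hops: int = 0) -> bool:
        """True when the packet crossed more routers than allowed (0 when the firewall is the first hop)."""
        return infer_hops(ttl) > expected_hops


    def scan(packets, expected_hops: int = 0):
        """Classify each packet; returns (src, ttl, inferred hops, suspicious) tuples."""
        report = []
        for pkt in packets:
            src, ttl = parse_ipv4(pkt)
            report.append((src, ttl, infer_hops(ttl), is_suspicious(ttl, expected_hops)))
        return report


    # Constructed sample traffic as it would be seen on the firewall's LAN interface.
    SAMPLE_PACKETS = [
        build_ipv4_header("192.0.2.10", "192.0.2.1", 64),   # Linux host, direct
        build_ipv4_header("192.0.2.11", "192.0.2.1", 63),   # host behind one rogue NAT hop
        build_ipv4_header("192.0.2.12", "192.0.2.1", 128),  # Windows host, direct
        build_ipv4_header("192.0.2.13", "192.0.2.1", 127),  # Windows host behind rogue NAT
    ]

    if __name__ == "__main__":
        for src, ttl, hops, flagged in scan(SAMPLE_PACKETS):
            print(f"{src:<12} ttl={ttl:<3} hops={hops} {'SUSPICIOUS' if flagged else 'ok'}")
    ```

    The check is a heuristic: a host whose administrator has changed its default TTL, or an OS that starts from a value not in the table, will be misclassified in either direction, so treat a hit as something to investigate at the switch port rather than as proof of a rogue router.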

  • What a pity. No ideas how to implement it? :( Anyway, pf does not seem to support setting a specific TTL value, except min-ttl.

    Well, I found a workaround. I set the default TTL to 1, then used scrub to set min-ttl to 64 for all interfaces except outgoing traffic to the client interface. So the client receives the packet with TTL 1. Any additional rogue hop decreases it to zero and discards the packet :)

  • There's no way to accomplish what you're asking for re: matching rules by TTL. The scrub min-ttl isn't for that purpose; that's to make mapping of internal network hops unfeasible where you're allowing traffic inbound. Where'd you "set default TTL to 1"?