Netgate Discussion Forum

    How to match rules by TTL

    Firewalling
    3 Posts 2 Posters 1.2k Views
    hbc

      Hi!

      I want to prevent rogue routers/APs that are using NAT. There is already a switch policy with one MAC per port, but when NAT is used only the masquerading device is seen, so the switch does not block.
      Now I want to check the packet TTL for odd values. Since pfSense is the first hop, I would like to block odd TTL values.

      Under Linux I could do this with:

      iptables -A INPUT -m ttl --ttl-eq 62 -j DROP
      iptables -A INPUT -m ttl --ttl-eq 126 -j DROP


      How can I realize this with pfSense? I read that pf can mark packets and that I can filter marked packets. Any chance to do it in the webUI? And if not, what pf command should I use, and where should I place it so that it is persistent between updates?

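      Added example, not code from the thread or from pfSense: a passive Python check of the idea behind the question. Instead of matching fixed odd TTL values, it estimates how many routers a packet has crossed by comparing its TTL with the common OS initial TTLs (the table of initial TTLs and the sample traffic are assumptions constructed for this example); a host on a directly attached interface should show zero hops, and one source address showing hop counts of one or more, or several different counts, points at a NAT box hiding other clients.

```python
"""Passive TTL-hop heuristic for spotting NAT'ed rogue routers on a LAN."""
from collections import defaultdict

# Assumed initial TTLs of common stacks (Linux/BSD 64, Windows 128, some
# network gear 255, a few old systems 32).
INITIAL_TTLS = (32, 64, 128, 255)


def hop_distance(ttl):
    """Estimate how many routers decremented this TTL.

    Picks the smallest well-known initial TTL that is >= the observed value,
    so 62 -> 2 hops (from 64), 126 -> 2 hops (from 128), 64 -> 0 hops.
    """
    if not 1 <= ttl <= 255:
        raise ValueError(f"invalid TTL {ttl}")
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    return 255 - ttl  # not reached: the table ends at the maximum TTL


def flag_nat_sources(observations, max_hops=0):
    """Return {src_ip: set(hop counts)} for sources whose packets look relayed.

    observations: iterable of (src_ip, ttl) seen on a directly attached
    interface. A NAT router rewrites the source IP to its own address but
    still decrements the TTL, so every hidden client shows up under the
    router's IP with its own initial TTL minus one (or more).
    """
    hops_by_src = defaultdict(set)
    for src, ttl in observations:
        hops_by_src[src].add(hop_distance(ttl))
    return {src: h for src, h in hops_by_src.items() if max(h) > max_hops}


# Constructed sample: two direct hosts and one NAT router masquerading for
# a Linux client (TTL 63) and a Windows client (TTL 127).
SAMPLE = [
    ("192.0.2.10", 64), ("192.0.2.10", 64),   # direct Linux host
    ("192.0.2.11", 128),                       # direct Windows host
    ("192.0.2.50", 63), ("192.0.2.50", 127),   # clients behind a rogue NAT box
]

if __name__ == "__main__":
    for src, hops in flag_nat_sources(SAMPLE).items():
        print(f"{src}: hop counts {sorted(hops)} -> possible NAT/rogue router")
```

      Feeding it real TTLs (for example from a packet capture on the client-facing interface) gives a detection list to act on; it does not replace the per-port MAC policy, and a router that rewrites TTLs itself will evade it.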
      hbc

        What a pity. No ideas how to implement it? :( Anyway, pf does not seem to support setting a specific TTL value, except min-ttl.

        Well, I found a workaround. I set the default TTL to 1, then used scrub to set min-ttl to 64 for all interfaces except outgoing traffic to the client interface. So the client receives the packet with TTL 1. Any additional rogue hop decreases it to zero and discards the packet :)

        cmb

          There's no way to accomplish what you're asking for re: matching rules by TTL. The scrub min-ttl isn't for that purpose, that's to make mapping of internal network hops unfeasible where you're allowing traffic inbound. Where'd you "set default TTL to 1"?

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.