Firewall Wizards mailing list archives

Re: firewalk meets nmap - TTL (fwd)


From: "Chuck Swiger" <chuck () codefab com>
Date: Mon, 6 Nov 2000 12:30:22 -0500

On Sat, 4 Nov 2000 21:13:33 -0600 (CST), Lance Spitzner wrote:
However, if the packet is accepted by the firewall (and
the port is not filtered), the firewall will attempt to
forward it.  However, the TTL will now be zero and the
firewall will respond with ICMP TTL expired error message.
You can now map what ports are passed through the firewall
(i.e., not filtered) without a packet ever passing through the
firewall.

Very interesting point.  Of course, this is assuming a layer-3 firewall (i.e.,
something acting as a router between subnets which decrements the TTL),  
rather than something acting more like a layer-2 bridge.

FreeBSD has (from /usr/src/sys/i386/conf/LINT):

# IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
# packets without touching the ttl).  This can be useful to hide firewalls
# from traceroute and similar tools.
options         IPSTEALTH               #support for stealth forwarding

[ ... ]

# IPFIREWALL as well. See the dummynet(4) manpage for more info.
# BRIDGE enables bridging between ethernet cards -- see bridge(4).
# You can use IPFIREWALL and dummynet together with bridging.

options         DUMMYNET
options         BRIDGE

I suppose you could also filter locally-generated ICMP error responses from  
the firewall itself.

-Chuck

           Chuck Swiger | chuck () codefab com | Spin VBHY?
           -------------+-------------------+-----------
           "Diplomacy is the art of saying 'Nice doggy',
            while searching for a rock."  -- Talleyrand


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards