Bill Marquette wrote:
I have nearly zero idea what you're asking for, but I suspect you want something like PF's dup-to functionality.

     /dup-to/
           The /dup-to/ option creates a duplicate of the packet and routes it
           like /route-to/.  The original packet gets routed as it normally
           would.


Amy I close?

Well, I'm not sure what *Amy* has to do with anything, but...

That sounds close, but the key would be mangling both the source & destination fields AND keeping state. Then for just cream on the top, go invisible by incrementing one's TTL.

Example:

An ICMP ping comes in from 192.168.0.1, a scanning host. The firewall, masquerading host B at 192.168.0.2, rewrites the destination as 192.168.0.3 (host A) and the source as itself (192.168.0.2), and marks a state. When (if) a return packet comes from 192.168.0.3, it matches the state, the source gets mangled again to 192.168.0.2 and the destination to 192.168.0.1, and it is forwarded on to 192.168.0.1. That way, all the specifics of host B that can be determined from stateless network scans would, for all intents and purposes, look precisely like host A.

On top of that, statefully incrementing TTL by 1 each time a packet is masqueraded would prevent even the most scrutinizing scan from discerning that host B exists - the firewall IP would just look like another NIC on host A. Host A, of course, would have to be complicit - if the scan came from host A, all would be revealed and lost.

I know it's all rather complex, and I've not tried it yet on IPTables, but the MASQUERADE and TTL targets seem to do precisely that.

RB
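As an added illustration, not code from the thread or from any iptables/pf project, the following Python model walks through the double rewrite RB describes above: a probe aimed at B is relayed to A with B as its source, a matching reply from A is relayed back to the scanner, and the TTL is bumped on each relay so the extra hop does not show. The addresses are the ones in the post; the packet fields, the flow keys used for state matching, and the hop accounting (forwarding costs one TTL, the increment adds it back) are assumptions made for the example. It issues no iptables commands.

```python
"""Model of the stateful double-rewrite described in the thread.

Example code written for this thread, not taken from the post or from any
firewall project.  Addresses come from the post; packet fields, flow keys
and hop accounting are assumed for illustration."""
from dataclasses import dataclass, replace
from typing import Dict, Tuple

SCANNER = "192.168.0.1"   # scanning host (from the post)
HOST_B = "192.168.0.2"    # firewall that masquerades as host A
HOST_A = "192.168.0.3"    # decoy host whose fingerprint is presented


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "icmp", "tcp" or "udp"
    ttl: int
    flow: Tuple[int, int]   # icmp: (id, seq); tcp/udp: (sport, dport)


class MasqFirewall:
    def __init__(self, own_ip: str, decoy_ip: str, ttl_inc: int = 1):
        self.own, self.decoy, self.ttl_inc = own_ip, decoy_ip, ttl_inc
        # state: (proto, flow key as the decoy will echo it) -> scanner address
        self.state: Dict[Tuple[str, Tuple[int, int]], str] = {}

    @staticmethod
    def _key(pkt: Packet, from_decoy: bool) -> Tuple[str, Tuple[int, int]]:
        # ICMP echo replies carry the same id/seq; TCP/UDP replies swap ports.
        if pkt.proto == "icmp" or not from_decoy:
            return (pkt.proto, pkt.flow)
        return (pkt.proto, (pkt.flow[1], pkt.flow[0]))

    def _relay(self, pkt: Packet, src: str, dst: str) -> Packet:
        # Forwarding costs one hop (TTL-1); the increment adds ttl_inc back,
        # so with ttl_inc=1 the relayed packet shows no extra hop.
        return replace(pkt, src=src, dst=dst, ttl=pkt.ttl - 1 + self.ttl_inc)

    def handle(self, pkt: Packet) -> Tuple[str, Packet]:
        """Return (action, packet): what the firewall does and what leaves it."""
        if pkt.dst != self.own:
            return ("not_for_us", pkt)
        if pkt.src == self.decoy:
            scanner = self.state.get(self._key(pkt, from_decoy=True))
            if scanner is None:
                # Unsolicited traffic from A matches no state, so B answers
                # as itself: this is the "scan from host A reveals B" case.
                return ("local", pkt)
            return ("to_scanner", self._relay(pkt, self.own, scanner))
        # New probe aimed at B: remember who asked, present it to A as B's own.
        self.state[self._key(pkt, from_decoy=False)] = pkt.src
        return ("to_decoy", self._relay(pkt, self.own, self.decoy))


def ping_round_trip(fw: MasqFirewall, scanner: str, decoy_reply_ttl: int = 64) -> Packet:
    """Scanner pings the firewall address; return the echo reply the scanner sees."""
    action, probe = fw.handle(Packet(scanner, fw.own, "icmp", 64, (0x1234, 1)))
    assert action == "to_decoy"
    # The decoy answers the probe it received: addresses swapped, fresh TTL.
    reply = Packet(probe.dst, probe.src, "icmp", decoy_reply_ttl, probe.flow)
    action, seen = fw.handle(reply)
    assert action == "to_scanner"
    return seen


if __name__ == "__main__":
    for inc in (0, 1):
        fw = MasqFirewall(HOST_B, HOST_A, ttl_inc=inc)
        print(f"ttl_inc={inc}: scanner sees reply TTL {ping_round_trip(fw, SCANNER).ttl}")
    fw = MasqFirewall(HOST_B, HOST_A)
    print("probe from A:", fw.handle(Packet(HOST_A, HOST_B, "icmp", 64, (7, 7)))[0])
```

Run with `ttl_inc=0` to see the hop that gives the game away: a reply that would arrive from A with TTL 64 reaches the scanner with 63, one less than a direct ping of A, which is exactly the difference the post proposes to erase by incrementing the TTL on each masqueraded packet.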
