On top of that, statefully incrementing TTL by 1 each time a packet is
    masqueraded would prevent even the most scrutinizing scan from
    discerning that host B exists - the firewall IP would just look like
    another NIC on host A.  Host A, of course, would have to be complicit -
    if the scan came from host A, all would be revealed and lost.

That can't currently be done with PF. You can enforce a minimum TTL, but not set it to not decrement. Besides, not decrementing the TTL probably violates some RFC.

Ah, but sometimes the RFCs don't allow you to be "Nefariously Sneaky". That's half the exercise - someone smart enough looking at the scan would see that this "other NIC" for host A was somehow consistently decrementing the TTL by 1 more than it should. It would probably be really hard to find and diagnose properly, but it could be done.

Sometimes I just get these kind of ideas - partially because I work on security all the time, and try to work out ways to do better than the people I catch. :)

RB
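As an added example that is not part of this thread, the pf.conf fragment below shows the minimum-TTL normalization the reply refers to, which is the closest PF gets to the idea under discussion: packets whose TTL is below the floor are rewritten up to it, but every hop still decrements by one, so the extra hop remains observable to a careful scan. The interface name and the TTL floor are assumptions chosen for illustration.

```conf
# Assumed external interface name; substitute your own.
ext_if = "em0"

# OpenBSD 4.6 and later: normalization is attached to a match rule.
# min-ttl raises any incoming TTL below 64 to 64; it does not stop
# this host from decrementing TTL when it forwards the packet.
match in on $ext_if all scrub (min-ttl 64)

# Older PF releases use the standalone scrub directive instead:
# scrub in on $ext_if all min-ttl 64

pass in on $ext_if all
pass out on $ext_if all
```

Setting min-ttl 64 is a defensive normalization: it stops an attacker from using very small TTLs to deliver packets that expire before reaching an IDS behind the firewall, and it makes a NAT'd host's outgoing TTL consistent regardless of its OS default. A fixed floor also means a forwarded packet can still be identified as having traversed one more hop than a packet originating on the firewall, which is the distinguishing feature the thread describes.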
