Or if you want to fuck with the ISP and have a full-blown network behind
the pfSense box.

Change the following line in /etc/inc/filter.inc

       $rules .= "scrub all {$scrubnodf} {$mssclamp} fragment reassemble\n"; // reassemble all directions

to:

       $rules .= "scrub all min-ttl 255 {$scrubnodf} {$mssclamp} fragment reassemble\n"; // reassemble all directions

That will reset the TTL to 255 (substitute whatever sufficiently high
value appeals to you) as it passes through the pfSense box.  The above
line lives on line 166 in filter.inc version 1.575.2.235.  BTW, this
has the added advantage of masking the different OSs behind your
pfSense box and the network layout, as ALL packets will have a
normalized TTL after traversing the firewall.

I don't expect to ever put a gui wrapper around this, I feel it has
rather limited use.

--Bill


On 9/4/06, Scott Ullrich <[EMAIL PROTECTED]> wrote:
On 9/4/06, Georgi Petrov <[EMAIL PROTECTED]> wrote:
> Hello everybody,
>
> I've sent this feature request to the m0n0wall mailing list, so it's a
> copy-paste. Everything written can be applied to pfSense as well!
>
>
>
> Here in Bulgaria we love m0n0wall and many people use it for home
> routing purposes. Our internet is delivered by LAN cables (insane,
> isn't it?) and some of my smarter friends split the service to the
> neighbours. This is pretty cool because you have to pay 2-3 times less
> and believe me - Bulgaria isn't the cheapest place to live in ;)
>
> Ok, you would say - you put one m0n0wall router under your bed and pay
> 2 times less for internet (as well as your neighbours). What's the
> problem? Here comes the problem: almost all ISPs in Bulgaria modify
> the TTL (time to live) value of all incoming packets to 1, so when
> they enter the m0n0wall router, it decrements the TTL to 0 and, being
> zero, the packet gets dropped (and doesn't reach any of the computers
> in the local network).
>
> There is a very simple way to work around that. The FreeBSD kernel
> should be compiled with the IPSTEALTH option enabled. This is absolutely
> harmless and does the following:
>
> When the kernel is compiled with this option, later you can set one
> sysctl variable to "1" (enabled), which will turn on the IPSTEALTH
> mode. In this mode the router "hides" itself, becomes untraceable with
> tracert, and the most important thing is that it doesn't decrement the
> TTL, so the little trick played by most ISPs becomes irrelevant.
>
> This is completely harmless to m0n0wall - it won't be enabled by
> default, nothing will change for the default install, but this
> functionality will be present for whoever needs it! Maybe later a
> "checkbox" could be added in the webGUI for easier accessibility.
>
> I already run m0n0wall's FreeBSD IPSTEALTH enabled kernel and enabling
> IPSTEALTH in running m0n0wall is as easy as adding
>
> <shellcmd>sysctl net.inet.ip.stealth=1</shellcmd>
>
> just before
>
> </system>
>
> The whole procedure is explained by another smart Bulgarian on this
> page (Bulgarian language):
> http://hardwarebg.com/forum/showthread.php?t=76480&highlight=TTL
>
> So - this way the whole problem is solved and the day - saved ;)
>
> I ask for one simple thing - could you please enable IPSTEALTH in the
> next m0n0wall release! It's a great router/firewall - make it
> even better!
>

# sysctl -a | grep stealth
net.inet.ip.stealth: 0
net.inet6.ip6.stealth: 0

It's already compiled in.

Have fun!

Scott
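The two workarounds in this thread (Bill's `scrub ... min-ttl 255` rule and Georgi's `net.inet.ip.stealth=1`) treat the forwarded packet's TTL differently, and the difference matters for the "ISP sets TTL to 1" problem as well as for the OS-masking side effect Bill mentions. The following model is an added example written for this page; it is not code from the thread, from pfSense or from the FreeBSD kernel. The policy names `plain`, `min_ttl` and `stealth` are this example's own labels, the packets are constructed inline, and the model's reading of `scrub all` (normalization applied on both the inbound and the outbound pass around the forwarding decrement) is an assumption about pf's ordering rather than something the thread states.

```python
"""Model of three TTL policies for a forwarding box (added example, not
pfSense/FreeBSD code):

  "plain"   - ordinary routing: decrement, drop (ICMP time exceeded) at TTL <= 1
  "min_ttl" - pf 'scrub all min-ttl N' as read here: raise the TTL to at
              least N on the inbound pass, decrement, raise again on the
              outbound pass (assumed ordering for 'scrub all')
  "stealth" - net.inet.ip.stealth=1: forward without touching the TTL and
              without the expiry check, so no ICMP time exceeded is sent

Packets below are constructed for the example; the policy names are the
example's own labels, not pf or kernel identifiers.
"""
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words.
    Caller zeroes the checksum field first; over a valid header it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def set_ttl(pkt: bytes, ttl: int) -> bytes:
    """Rewrite the TTL byte and recompute the header checksum (no options assumed)."""
    hdr = bytearray(pkt[:20])
    hdr[8] = ttl
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def build_ipv4(ttl: int, src: str, dst: str, payload: bytes = b"", proto: int = 17) -> bytes:
    """Constructed minimal IPv4 packet: 20-byte header, no options, given TTL."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return set_ttl(hdr + payload, ttl)


def ttl_of(pkt: bytes) -> int:
    return pkt[8]


def header_ok(pkt: bytes) -> bool:
    """True when the header checksum verifies (sum over the header is zero)."""
    return ipv4_checksum(pkt[:20]) == 0


def forward(pkt: bytes, policy: str = "plain", min_ttl: int = 255):
    """Return ("forward", new_packet) or ("drop", reason) for one forwarded packet."""
    if policy == "min_ttl" and ttl_of(pkt) < min_ttl:      # inbound scrub pass
        pkt = set_ttl(pkt, min_ttl)
    if policy == "stealth":                                 # no decrement, no expiry check
        return "forward", pkt
    if ttl_of(pkt) <= 1:                                    # would expire: router drops it
        return "drop", "ttl expired in transit (ICMP time exceeded sent)"
    pkt = set_ttl(pkt, ttl_of(pkt) - 1)                     # normal forwarding decrement
    if policy == "min_ttl" and ttl_of(pkt) < min_ttl:      # outbound scrub pass
        pkt = set_ttl(pkt, min_ttl)
    return "forward", pkt


def egress_ttls(policy: str, in_ttls=(1, 64, 128), min_ttl: int = 255) -> dict:
    """Egress TTL per ingress TTL, None where the box drops the packet.
    TTL 1 is the ISP-mangled case from the thread; 64 and 128 stand in for
    Linux-like and Windows-like defaults, whose visible difference is what
    lets an observer count OSes behind the box."""
    out = {}
    for t in in_ttls:
        action, result = forward(build_ipv4(t, "203.0.113.7", "192.168.1.10", b"x"),
                                 policy, min_ttl)
        out[t] = ttl_of(result) if action == "forward" else None
    return out


if __name__ == "__main__":
    for pol in ("plain", "min_ttl", "stealth"):
        print(pol, egress_ttls(pol))
    print("min_ttl 64", egress_ttls("min_ttl", min_ttl=64))
```

Two things the model makes visible: under `stealth` the TTL-1 packet is forwarded as-is and the box never answers with time-exceeded, which is why Georgi describes it as untraceable; under `min_ttl` the packet survives because the TTL is raised before the decrement, and with 255 every ingress value ends up identical on egress. A lower `min-ttl` (64 in the last line) still rescues the TTL-1 packets but leaves hosts whose default TTL is above the floor distinguishable, so Bill's "sufficiently high" really means at or near the maximum if OS masking is part of the goal.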
