Simplest answer: block outbound ICMP Time Exceeded type responses at the edge. 
Then your internal layers of routers and hosts can respond to the SYN packets 
from tcptraceroute, but they'll be dropped and the outside party will only see 
the edge device. 

Thanks! 

-Adrian 
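Added example (editor's, not from Adrian's message or the pfSense project): a pf.conf fragment for a pf-based edge that writes out both mechanisms the thread discusses, Adrian's block on outbound ICMP Time Exceeded and the scrub min-ttl option Chris mentions further down. The interface name em0, the service address 203.0.113.10, the ports and the TTL floor of 8 are assumptions for illustration.

```pf
# Added example (editor's, not from the thread or the pfSense project): a pf.conf
# fragment for a pf-based edge. Interface name, service address, ports and the
# TTL floor are assumptions for illustration.
ext_if = "em0"
svc_ip = "203.0.113.10"        # assumed public address of the published TCP services

# Approach 1 (Adrian's suggestion): drop ICMP Time Exceeded (type 11, pf name
# "timex") leaving the WAN, except when sourced from the edge's own WAN address,
# so an outside tcptraceroute ends at this device and the inner hops stay silent.
# Caveat: pf ties an ICMP error to the state of the TCP packet quoted inside it
# and passes it on that state without consulting these rules, so on a stateful
# edge they may never be evaluated. Confirm with a trace from outside.
pass  out quick on $ext_if inet proto icmp from ($ext_if) to any icmp-type timex
block out quick on $ext_if inet proto icmp from any       to any icmp-type timex

# Approach 2 (the scrub min-ttl option Chris mentions; not in the pfSense GUI):
# raise the TTL of probes for the published services as they enter, so no hop
# inside, the edge included, ever expires them. 8 is an assumed floor; it must
# exceed the number of hops between the edge and the service, and it rewrites
# the TTL of every low-TTL packet to those ports, not just traceroute probes.
scrub in on $ext_if inet proto tcp from any to $svc_ip port { 80 443 } min-ttl 8
```

Syntax-check with `pfctl -nf /etc/pf.conf`, then from an outside host run `tcptraceroute 203.0.113.10 443` (or `traceroute -T -p 443 203.0.113.10` with Linux traceroute). With approach 1 the inner hops print as `* * *` rows before the service answers, so the hop count still leaks even though the addresses do not; if `pfctl -vsr` shows zero evaluations on the block rule while the trace still lists the inner hops, the state association described above is what happened. With approach 2 every probe that reaches the edge continues to the service, so the trace shows the public path up to the hop before the edge and then the service itself, with neither the edge nor the inner hops visible. On pfSense the approach 1 rules correspond to floating rules on WAN with direction out and ICMP type Time exceeded; the scrub option needs a change to the code that generates pf.conf, as Chris notes.
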

----- Original Message -----

> From: "Walter Parker" <[email protected]>
> To: "pfSense Support and Discussion Mailing List" <[email protected]>
> Sent: Saturday, July 12, 2014 11:42:07 PM
> Subject: Re: [pfSense] Enumerating NAT Hops - Information Disclosure - TTL++ mangle.

> Then you're stuck with setting up reverse proxies for those services.
>
> Walter
>
> On Sat, Jul 12, 2014 at 6:56 PM, Blake Cornell <[email protected]> wrote:
>
> > It's a TCP traceroute, not UDP nor ICMP. I need to provide TCP based
> > services.
> >
> > I would prefer staying within the framework of the interface or
> > nominal BSD magic.
> >
> > --
> > Blake Cornell
> > CTO, Integris Security LLC
> > 501 Franklin Ave, Suite 200
> > Garden City, NY 11530 USA
> > http://www.integrissecurity.com/
> > O: +1(516)750-0478 M: +1(516)900-2193
> > PGP: CF42 5262 AE68 4AC7 591B 2C5B C34C 7FAB 4660 F572
> > Free Tools: https://www.integrissecurity.com/SecurityTools
> > Follow us on Twitter: @integrissec

> > On 07/12/2014 09:54 PM, Chris Buechler wrote:
> >
> > > I don't see the point. If you don't want people to see the path,
> > > don't allow traceroute in (or stop it after the first NAT). If you
> > > do, what do you care if the layers of NAT can be enumerated. If
> > > anything even remotely useful to an attacker can be done to your
> > > network because someone knows how many layers of NAT you have, you
> > > have a lot bigger problems than showing that in a traceroute.
> > >
> > > pf scrub does have a min-ttl option but it's not one that's exposed
> > > anywhere in the GUI and would require changing the source to use.
> > > Not something I've ever seen a real need to use.
> > >
> > > On Thu, Jul 10, 2014 at 4:51 PM, Blake Cornell <[email protected]> wrote:

> > > > I would put it on a report as an issue.. furthermore... .... no
> > > > comment....


> > > > On 07/10/2014 05:29 PM, Walter Parker wrote:

> > > > > I disagree that this is a vulnerability/weakness. If this is truly
> > > > > your only issue with the network, I'd call it good and done if you
> > > > > are not the DOD/NSA.
> > > > >
> > > > > If you are, then you need to start again with an even more secure
> > > > > foundation.
> > > > >
> > > > > Walter
> > > > >
> > > > > On Thu, Jul 10, 2014 at 2:25 PM, Blake Cornell <[email protected]> wrote:

> > > > > > There is a reason for it. It works well except for this ONE issue.
> > > > > >
> > > > > > I like setting up 0 vulnerability/weakness networks. This is the
> > > > > > only one minus presentation/application issues.
> > > > > >
> > > > > > Thank you both for your input. I'll touch base when I determine a
> > > > > > resolution strategy.


> > > > > > On 07/10/2014 01:49 PM, James Bensley wrote:
> > > > > >
> > > > > > > Further to what Walter has said - Double NAT....Boooooooo!

> > > > > --
> > > > > The greatest dangers to liberty lurk in insidious encroachment by men
> > > > > of zeal, well-meaning but without understanding. -- Justice Louis D.
> > > > > Brandeis


_______________________________________________
List mailing list
[email protected]
https://lists.pfsense.org/mailman/listinfo/list
