Re: [pfSense] Enumerating NAT Hops - Information Disclosure - TTL++ mangle.

2014-07-12 Thread Adrian Wenzel
Simplest answer: block outbound ICMP Time Exceeded type responses at the edge. 
Then your internal layers of routers and hosts can respond to the SYN packets 
from tcptraceroute, but they'll be dropped and the outside party will only see 
the edge device. 

Thanks! 

-Adrian 

- Original Message -

 From: Walter Parker walt...@gmail.com
 To: pfSense Support and Discussion Mailing List
 list@lists.pfsense.org
 Sent: Saturday, July 12, 2014 11:42:07 PM
 Subject: Re: [pfSense] Enumerating NAT Hops - Information Disclosure
 - TTL++ mangle.

 Then you're stuck with setting up reverse proxies for those services.

 Walter

 On Sat, Jul 12, 2014 at 6:56 PM, Blake Cornell 
 bcorn...@integrissecurity.com  wrote:

  It's a TCP traceroute, not UDP nor ICMP. I need to provide TCP based
  services.

  I would prefer staying within the framework of the interface or
  nominal BSD magic.

  --
  Blake Cornell
  CTO, Integris Security LLC
  501 Franklin Ave, Suite 200
  Garden City, NY 11530 USA http://www.integrissecurity.com/
  O: +1(516)750-0478 M: +1(516)900-2193
  PGP: CF42 5262 AE68 4AC7 591B 2C5B C34C 7FAB 4660 F572
  Free Tools: https://www.integrissecurity.com/SecurityTools
  Follow us on Twitter: @integrissec

  On 07/12/2014 09:54 PM, Chris Buechler wrote:

   I don't see the point. If you don't want people to see the path,
   don't allow traceroute in (or stop it after the first NAT). If you
   do, what do you care if the layers of NAT can be enumerated. If
   anything even remotely useful to an attacker can be done to your
   network because someone knows how many layers of NAT you have, you
   have a lot bigger problems than showing that in a traceroute.

   pf scrub does have a min-ttl option but it's not one that's exposed
   anywhere in the GUI and would require changing the source to use.
   Not something I've ever seen a real need to use.

   On Thu, Jul 10, 2014 at 4:51 PM, Blake Cornell
   bcorn...@integrissecurity.com wrote:

    I would put it on a report as an issue.. furthermore... no
    comment

    --
    Blake Cornell
    CTO, Integris Security LLC
    501 Franklin Ave, Suite 200
    Garden City, NY 11530 USA http://www.integrissecurity.com/
    O: +1(516)750-0478 M: +1(516)900-2193
    PGP: CF42 5262 AE68 4AC7 591B 2C5B C34C 7FAB 4660 F572
    Free Tools: https://www.integrissecurity.com/SecurityTools
    Follow us on Twitter: @integrissec

    On 07/10/2014 05:29 PM, Walter Parker wrote:

     I disagree that this is a vulnerability/weakness. If this is
     truly your only issue with the network, I'd call it good and done
     if you are not the DOD/NSA.

     If you are, then you need to start again with an even more
     secure foundation.

     Walter

     On Thu, Jul 10, 2014 at 2:25 PM, Blake Cornell
     bcorn...@integrissecurity.com wrote:

      There is a reason for it. It works well except for this ONE
      issue.

      I like setting up 0 vulnerability/weakness networks. This is
      the only one minus presentation/application issues.

      Thank you both for your input. I'll touch base when I determine
      a resolution strategy.

      --
      Blake Cornell
      CTO, Integris Security LLC
      501 Franklin Ave, Suite 200
      Garden City, NY 11530 USA
      http://www.integrissecurity.com/
      O: +1(516)750-0478
      M: +1(516)900-2193
      PGP: CF42 5262 AE68 4AC7 591B 2C5B C34C 7FAB 4660 F572
      Free Tools: https://www.integrissecurity.com/SecurityTools
      Follow us on Twitter: @integrissec

      On 07/10/2014 01:49 PM, James Bensley wrote:

       Further to what Walter has said - Double NATB!

       ___
       List mailing list
       List@lists.pfsense.org
       https://lists.pfsense.org/mailman/listinfo/list

      ___
      List mailing list
      List@lists.pfsense.org
      https://lists.pfsense.org/mailman/listinfo/list

     --
     The greatest dangers to liberty lurk in insidious encroachment by
     men of zeal, well-meaning but without understanding. -- Justice
     Louis D. Brandeis
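To make the trade-off in Adrian's suggestion at the top of this thread concrete (block outbound ICMP Time Exceeded at the edge so that only the edge answers), alongside Chris's remark about pf scrub's min-ttl, here is a small model of what an external tcptraceroute would see under each control. This is an added example, not code from the thread or from pfSense: the four-hop topology, its addresses, and the way the two controls are modelled (the filter passes the edge's own reply and drops forwarded ones; min-ttl is applied on ingress before the forwarding decrement) are assumptions of the model, not a description of any particular pf rule set.

```python
"""Model of how two edge controls change what an outside tcptraceroute sees.

Constructed example for the discussion above.  The topology, the addresses
and the behaviour of the controls are assumptions of this model; nothing
here touches a real network.
"""
from dataclasses import dataclass

# ICMP type 11, Time Exceeded (written `icmp-type timex` in pf.conf).
ICMP_TIME_EXCEEDED = 11


@dataclass(frozen=True)
class Hop:
    name: str
    addr: str                 # address the hop would put in its own reply
    is_destination: bool = False


@dataclass(frozen=True)
class Reply:
    src: str                  # source address as the outside observer sees it
    kind: str                 # "time-exceeded" or "syn-ack"


# Constructed topology: one public edge, two layers of NAT routers, a server.
# Documentation / RFC 1918 ranges only; whether leaked internal hops show up
# as private addresses or as the public address after outbound NAT depends
# on the NAT rules, but the hop count leaks either way.
PATH = [
    Hop("edge", "203.0.113.1"),
    Hop("nat-layer-1", "10.0.0.1"),
    Hop("nat-layer-2", "10.1.0.1"),
    Hop("web-server", "10.2.0.10", is_destination=True),
]
PUBLIC_ADDR = PATH[0].addr


def forward_probe(path, ttl):
    """Carry one TCP SYN probe with the given TTL along `path`.

    Every router decrements the TTL; the router that drives it to zero
    discards the probe and answers with ICMP Time Exceeded.  The final host
    accepts the SYN (it is addressed to it, so there is no TTL check) and
    answers SYN-ACK, which leaves through the port forward and is therefore
    seen with the public address.
    """
    for hop in path:
        if hop.is_destination:
            return Reply(PUBLIC_ADDR, "syn-ack")
        ttl -= 1
        if ttl == 0:
            return Reply(hop.addr, "time-exceeded")
    raise ValueError("path must end in a destination host")


def edge_filter(reply, edge_addr, block_time_exceeded):
    """Model of 'block outbound ICMP Time Exceeded at the edge'.

    Time Exceeded generated behind the edge is dropped on the way out.  The
    edge's own reply is assumed to pass (rule scoped to forwarded traffic);
    a rule that also matches locally generated ICMP would hide the edge hop
    as well.  Returns None for a dropped reply.
    """
    if not block_time_exceeded:
        return reply
    if reply.kind == "time-exceeded" and reply.src != edge_addr:
        return None
    return reply


def tcptraceroute_view(path, block_time_exceeded=False, min_ttl=0, max_ttl=8):
    """What the outside observer's tcptraceroute prints per TTL: the replying
    address, or '*' where no reply came back.  `min_ttl` models scrub
    min-ttl on the edge's ingress, assumed to raise the probe's TTL before
    the forwarding decrement."""
    seen = []
    for ttl in range(1, max_ttl + 1):
        reply = forward_probe(path, max(ttl, min_ttl))
        reply = edge_filter(reply, path[0].addr, block_time_exceeded)
        seen.append("*" if reply is None else reply.src)
        if reply is not None and reply.kind == "syn-ack":
            break
    return seen


if __name__ == "__main__":
    print("no control:      ", tcptraceroute_view(PATH))
    print("block timex out: ", tcptraceroute_view(PATH, block_time_exceeded=True))
    print("scrub min-ttl 64:", tcptraceroute_view(PATH, min_ttl=64))
```

The three printed lines make the point of the thread: dropping Time Exceeded at the edge hides the internal addresses, but the two timeouts followed by the SYN-ACK still reveal how many hops sit in front of the server, which is the leak Chris considers harmless. Raising the TTL on ingress instead lets every probe reach the server, so the visible path collapses to a single hop; as Chris notes, that scrub option is not exposed in the pfSense GUI.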

   
  
 

 

Re: [pfSense] naive suggestion: conform to US laws

2013-10-12 Thread Adrian Wenzel
- Original Message - 

 From: Oliver Hansen oliver.han...@gmail.com
 To: pfSense support and discussion list@lists.pfsense.org
 Sent: Saturday, October 12, 2013 11:23:56 AM
 Subject: Re: [pfSense] naive suggestion: conform to US laws

 On Sat, Oct 12, 2013 at 4:10 AM, Thinker Rix 
 thinke...@rocketmail.com  wrote:

  On 2013-10-09 19:38, Jim Thompson wrote:
 

   So asking the question is stupid
  
 

  On 2013-10-09 19:50, Jim Thompson wrote:
 

   IMO, this bullshit thread only serves to assist those asking the
   question in stroking their own ego.
  
 

  On 2013-10-12 01:40, Jim Thompson wrote:
 

   Otherwise: get off my lawn.
  
 

   I'm not willing to endure this uninformed Alex Jonesian crapfest.
  
 
   Now that I'm back on US soil, I promise that if the latter
   continues,
   I will kill the thread. People who hijack threads will be dealt
   with.
  
 
   Otherwise: STFU.
  
 

   Nor will I endure the besmirching of pfSense's good name and
   trademark.
  
 

  The only one who is besmirching pfSense here is: you - given that
  as
  a co-owner of ESF you are an official representative of pfSense -
  and your official communication unfortunately shows that you are a
  vulgarian, plebeian, obscene, scurrilous goon, who insults,
  threatens, bullies, censors and muzzles other community members,
  totally lacking control of himself and any professional business
  manners whatsoever, let alone any constructive discussion culture.
 

  To me it feels highly awkward and it is unsettling me a lot, that
  such an ill-mannered, shady and dubious roughneck like you holds a
  key position in the project that creates the security product that
  we use for protecting our networks.
 

  I have no idea why highly respected Chris Buechler partnered with
  you, but it might be good if you would learn a lesson from him
  concerning his professionalism, seriousness and manners in his
  official communication.
 

  Bye.
 
 I can't say I agree with Thinker Rix on everything but on this I do
 agree. I have been on this list for many years (mostly just reading)
 and have always been impressed with the professionalism of most
 members who write and especially those affiliated with the project.
 I have been quite surprised and disappointed in the attitude and
 tone coming from Jim Thompson this last week and in my opinion THAT
 is what reflects poorly on the project.

I totally disagree.  I respect people who give their opinion outright.  We can 
flop about and sugar coat everything, try to make everyone feel fuzzy... and 
all that does is lead to misunderstandings and openings for more convoluted and 
pointless discussions.  I've been a part of the open source community for over 
20 years, and mostly we're a group of free thinking, well-intentioned 
individuals who have many irons in the fire.  We know the value of our time, 
and thus respect the value of others' time as well.  Our projects are not a 
place for discussions that can have no resolution: politics, religion, general 
conspiracy theories.

I'm behind Jim on this.

Regards,
Adrian
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] NATting/re-routing in the same network, is this possible?

2012-09-29 Thread Adrian Wenzel


- Original Message -
 From: Stefan Baur newsgroups.ma...@stefanbaur.de
 To: pfSense support and discussion list@lists.pfsense.org
 Sent: Saturday, September 29, 2012 6:06:47 AM
 Subject: [pfSense] NATting/re-routing in the same network, is this possible?
 
 Hi List,
 
 I have multiple sites where several clients (C1...Cn) within the same
 LAN need to connect a server (S).
 

Out of curiosity, what's the DNS setup?  If you have an internal server doing 
resolution at each site, why not create the same zone at each site 
(internalservers.local) and have a host entry (app01.internalservers.local) 
that points to the IP of the server at that location?

Regards,
Adrian


Re: [pfSense] pfSense help with creating rules

2012-02-10 Thread Adrian Wenzel
- Original Message -
 From: Jason T. Slack-Moehrle slackmoeh...@gmail.com
 
 Hi,
  On Fri, Feb 10, 2012 at 11:00 AM, Jason T. Slack-Moehrle
  slackmoeh...@gmail.com (mailto:slackmoeh...@gmail.com) wrote:
   I am a little confused at how I would know if they are handing me
   a /29 or just 5 IP's?

   range: 75.xx.xx.25 - .29
   subnet: 255.255.255.248 (which is /29, IIRC)
   GW: 75.xx.xx.30
   
   
  Comcast has routed that /29 to your cable modem, and made those IPs
  visible to you on the inside. They are not routing the /29 to your
  pfSense box, else the pfSense box would have to have its very own
  IP address outside of that /29, and that'd be a total waste of
  address space; the IP for your firewall would need to be a /29 to
  route them to you anyway (at least if you had any redundancy, such
  as a CARPed pair of firewalls.)
 
 Yes, so it still stands that I need to have them create a /30 for me
 and route my /29 to the /30, put the /30 on my pfSense WAN port and
 the /29 on my DMZ…..
 

I've deleted all the previous messages, so perhaps I'm missing something... but 
why not just use proxy arp and NAT, keep the /29 on the WAN, and have your DMZ 
et al use reserved private IPs?

Comcast may be unwilling to waste a /30 for your WAN, even if you're willing to 
pay.

Regards,
Adrian


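On the /29 question in this thread, a small added example (not from the thread, and not pfSense code) that uses Python's ipaddress module to work out what the assignment actually contains and to lay out the proxy-ARP plus 1:1 NAT arrangement Adrian suggests, with the DMZ on private addresses. The block 198.51.100.24/29 is a documentation prefix standing in for the elided 75.xx.xx.x addresses, and the DMZ hosts are made up.

```python
"""Sizing an ISP-assigned /29 and planning proxy ARP + NAT behind it.

Constructed example for the /29 question above.  198.51.100.24/29 is a
documentation range standing in for the ISP's real block; the DMZ hosts are
invented.  It shows why "5 usable IPs" and "a /29" describe the same
assignment once network, broadcast and gateway are counted.
"""
import ipaddress


def describe_block(first_usable, netmask, gateway):
    """Derive the subnet from what the ISP hands over (first customer IP,
    netmask, gateway) and report what is actually usable.

    Returns a dict with the network, its size, the gateway and the
    addresses left for the customer; raises if the gateway is outside it.
    """
    net = ipaddress.ip_network(f"{first_usable}/{netmask}", strict=False)
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside {net}")
    # hosts() already excludes network and broadcast; the ISP keeps the gateway.
    usable = [a for a in net.hosts() if a != gw]
    return {
        "network": str(net),
        "prefixlen": net.prefixlen,
        "total_addresses": net.num_addresses,
        "gateway": str(gw),
        "customer_usable": [str(a) for a in usable],
    }


def plan_proxy_arp_nat(block, dmz_hosts):
    """Keep the /29 on the WAN: the first customer address is the firewall's
    own WAN address, each further public address is answered by proxy ARP
    and mapped 1:1 to a private DMZ host.  Returns the mapping and any
    public addresses left over.
    """
    public = [ipaddress.ip_address(a) for a in block["customer_usable"]]
    wan_addr, spare = public[0], public[1:]
    if len(dmz_hosts) > len(spare):
        raise ValueError(
            f"{len(dmz_hosts)} DMZ hosts but only {len(spare)} public "
            "addresses left after the WAN address")
    for host in dmz_hosts:
        if not ipaddress.ip_address(host).is_private:
            raise ValueError(f"DMZ host {host} should be an RFC 1918 address")
    return {
        "wan": str(wan_addr),
        "binat": {str(pub): priv for pub, priv in zip(spare, dmz_hosts)},
        "public_spare": [str(a) for a in spare[len(dmz_hosts):]],
    }


if __name__ == "__main__":
    # Constructed stand-in for "range .25 - .29, mask 255.255.255.248, GW .30".
    block = describe_block("198.51.100.25", "255.255.255.248", "198.51.100.30")
    print(block)
    print(plan_proxy_arp_nat(block, ["192.168.10.10", "192.168.10.11"]))
```

With the mask 255.255.255.248 the block is eight addresses; network, broadcast and the ISP's gateway take three, which is exactly the five addresses Jason was quoted. Keeping the block on the WAN and mapping DMZ hosts 1:1 uses those five without needing a separate /30 from the ISP, which is the point of Adrian's reply.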