Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: firewalk meets nmap - TTL (fwd)
From: "Chuck Swiger" <chuck () codefab com>
Date: Mon, 6 Nov 2000 12:30:22 -0500

On Sat, 4 Nov 2000 21:13:33 -0600 (CST), Lance Spitzner wrote:
However, if the packet is accepted by the firewall (and
the port is not filtered), the firewall will attempt to
forward it.  However, the TTL will now be zero and the
firewall will respond with ICMP TTL expired error message.
You can now map what ports are passed through the firewall
(i.e not filtered) without a packet ever passing through the

Very interesting point.  Of course, this is assuming a layer-3 firewall (ie,  
something acting as a router between subnets which decrements the TTL),  
rather than something acting more like a layer-2 bridge.

FreeBSD has (from /usr/src/sys/i386/conf/LINT):

# IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
# packets without touching the ttl).  This can be useful to hide firewalls
# from traceroute and similar tools.
options         IPSTEALTH               #support for stealth forwarding

[ ... ]

# IPFIREWALL as well. See the dummynet(4) manpage for more info.
# BRIDGE enables bridging between ethernet cards -- see bridge(4).
# You can use IPFIREWALL and dummynet together with bridging.

options         DUMMYNET
options         BRIDGE

I suppose you could also filter locally-generated ICMP error responses from  
the firewall itself.


           Chuck Swiger | chuck () codefab com | Spin VBHY?
           "Diplomacy is the art of saying 'Nice doggy',
            while searching for a rock."  -- Talleyrand

firewall-wizards mailing list
firewall-wizards () nfr com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]