Re: firewalk meets nmap - TTL (fwd)
From: "Chuck Swiger" <chuck () codefab com>
Date: Mon, 6 Nov 2000 12:30:22 -0500
On Sat, 4 Nov 2000 21:13:33 -0600 (CST), Lance Spitzner wrote:

> However, if the packet is accepted by the firewall (and
> the port is not filtered), the firewall will attempt to
> forward it. However, the TTL will now be zero and the
> firewall will respond with ICMP TTL expired error message.
> You can now map what ports are passed through the firewall
> (i.e. not filtered) without a packet ever passing through the
Very interesting point. Of course, this is assuming a layer-3 firewall (i.e.,
something acting as a router between subnets which decrements the TTL),
rather than something acting more like a layer-2 bridge.
FreeBSD has (from /usr/src/sys/i386/conf/LINT):
# IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
# packets without touching the ttl). This can be useful to hide firewalls
# from traceroute and similar tools.
options IPSTEALTH #support for stealth forwarding
[ ... ]
# IPFIREWALL as well. See the dummynet(4) manpage for more info.
# BRIDGE enables bridging between ethernet cards -- see bridge(4).
# You can use IPFIREWALL and dummynet together with bridging.
I suppose you could also filter locally-generated ICMP error responses from
the firewall itself.
Chuck Swiger | chuck () codefab com | Spin VBHY?
"Diplomacy is the art of saying 'Nice doggy',
while searching for a rock." -- Talleyrand
firewall-wizards mailing list
firewall-wizards () nfr com
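Added worked example, not part of the original post and not code from nmap, firewalk or FreeBSD: a pure-Python model of the probe Lance describes (TTL chosen so that the firewall's own forwarding step expires it) and of the three firewall behaviours Chuck raises in reply: ordinary layer-3 forwarding, stealth forwarding (IPSTEALTH or a bridge, which leaves the TTL alone), and filtering the firewall's locally generated ICMP errors. The hop count, port numbers, class and function names, and the "reject with ICMP admin-prohibited" option are assumptions made for the example; the model stops at the firewall and does not follow a forwarded packet to the next hop.

```python
"""Model of the TTL-expiry firewall probe discussed in the thread.

Constructed illustration only: hop counts, ports and names are made up,
and nothing beyond the firewall is simulated.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# What the scanner can receive back from the firewall itself
TIME_EXCEEDED = "icmp-time-exceeded"
ADMIN_PROHIBITED = "icmp-admin-prohibited"


@dataclass(frozen=True)
class Probe:
    dst_port: int
    ttl: int            # TTL as set by the scanner


@dataclass
class Firewall:
    hop: int                          # firewall's hop number from the scanner (1 = first router)
    allowed_ports: frozenset          # ports the ruleset forwards; all others are filtered
    decrements_ttl: bool = True       # False models IPSTEALTH or a layer-2 bridge
    sends_icmp_errors: bool = True    # False models filtering the firewall's own ICMP errors
    rejects_with_icmp: bool = False   # assumption: filtered ports answered with admin-prohibited

    def handle(self, probe: Probe) -> Tuple[str, Optional[str]]:
        """Return (what the firewall did, what the scanner gets back from the firewall)."""
        # Each ordinary router in front of the firewall decrements the TTL by one.
        ttl_on_arrival = probe.ttl - (self.hop - 1)
        if ttl_on_arrival < 1:
            # Expired upstream; an earlier router answers, not the firewall.
            return ("never-arrived", None)

        # Premise of the quoted post: the filter decision happens before forwarding.
        if probe.dst_port not in self.allowed_ports:
            if self.rejects_with_icmp and self.sends_icmp_errors:
                return ("rejected", ADMIN_PROHIBITED)
            return ("dropped", None)

        # Accepted by the ruleset: now the forwarding path runs.
        if not self.decrements_ttl:
            # Stealth forwarding: TTL untouched, so it cannot expire here.
            return ("forwarded-stealth", None)
        if ttl_on_arrival - 1 == 0:
            # A layer-3 forwarder that would decrement to zero drops and reports.
            reply = TIME_EXCEEDED if self.sends_icmp_errors else None
            return ("expired-here", reply)
        return ("forwarded", None)


def firewalk(fw: Firewall, ports: Iterable[int]) -> Dict[int, str]:
    """One probe per port, with the TTL set so that forwarding at the firewall expires it."""
    ttl = fw.hop        # arrives at the firewall with TTL 1; forwarding would make it 0
    verdicts: Dict[int, str] = {}
    for port in ports:
        _, reply = fw.handle(Probe(port, ttl))
        if reply == TIME_EXCEEDED:
            verdicts[port] = "passes firewall"
        elif reply == ADMIN_PROHIBITED:
            verdicts[port] = "filtered"
        else:
            # Silent drop, or the firewall is hiding (IPSTEALTH, bridge, ICMP errors filtered)
            verdicts[port] = "no reply"
    return verdicts


if __name__ == "__main__":
    rules = frozenset({80, 443})
    configs = {
        "layer-3, default": Firewall(hop=3, allowed_ports=rules),
        "IPSTEALTH / bridge": Firewall(hop=3, allowed_ports=rules, decrements_ttl=False),
        "own ICMP errors filtered": Firewall(hop=3, allowed_ports=rules, sends_icmp_errors=False),
    }
    for name, fw in configs.items():
        print(name, firewalk(fw, [22, 80, 443]))
```

Only the first configuration lets the scanner tell an accepted port from a filtered one; with stealth forwarding or with the firewall's ICMP errors filtered, every port looks the same from the firewall's side. The model deliberately does not say what the next hop would do with the forwarded packet, which is where the scanner would have to look next.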