Firewall Wizards mailing list archives
Re: firewalk meets nmap - TTL (fwd)
From: "Chuck Swiger" <chuck () codefab com>
Date: Mon, 6 Nov 2000 12:30:22 -0500
On Sat, 4 Nov 2000 21:13:33 -0600 (CST), Lance Spitzner wrote:
> However, if the packet is accepted by the firewall (and the port is not filtered), the firewall will attempt to forward it. However, the TTL will now be zero and the firewall will respond with ICMP TTL expired error message. You can now map what ports are passed through the firewall (i.e not filtered) without a packet ever passing through the firewall.
Very interesting point. Of course, this is assuming a layer-3 firewall (ie, something acting as a router between subnets which decrements the TTL), rather than something acting more like a layer-2 bridge.

FreeBSD has (from /usr/src/sys/i386/conf/LINT):

    # IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
    # packets without touching the ttl). This can be useful to hide firewalls
    # from traceroute and similar tools.
    options IPSTEALTH #support for stealth forwarding

    [ ... ]

    # IPFIREWALL as well. See the dummynet(4) manpage for more info.
    # BRIDGE enables bridging between ethernet cards -- see bridge(4).
    # You can use IPFIREWALL and dummynet together with bridging.
    options DUMMYNET
    options BRIDGE

I suppose you could also filter locally-generated ICMP error responses from the firewall itself.

-Chuck

Chuck Swiger | chuck () codefab com | Spin VBHY?
-------------+-------------------+-----------
"Diplomacy is the art of saying 'Nice doggy', while searching for a rock." -- Talleyrand

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
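A small Python model of the hop behaviour discussed in this message, added here as an illustration; it is not code from Chuck's or Lance's posts. It assumes two constructed addresses (192.0.2.1 for the gateway, 192.0.2.2 for the first host behind it), models IPSTEALTH or bridging as "forward without decrementing the TTL", and models Chuck's last suggestion as "drop the gateway's own ICMP time-exceeded errors". The Gateway, Probe and firewalk names are hypothetical. In this model the two mitigations differ: stealth forwarding keeps the gateway's address out of the replies, but the next hop's time-exceeded still shows which ports were forwarded, whereas filtering the gateway's own ICMP errors makes passed and filtered ports indistinguishable at that hop.

```python
from dataclasses import dataclass

# Constructed addresses for the model (not from the original thread):
# the filtering gateway and the first host behind it.
FIREWALL_IP = "192.0.2.1"
NEXT_HOP_IP = "192.0.2.2"


@dataclass(frozen=True)
class Probe:
    """A TCP probe as the sender built it: destination port and IP TTL."""
    dst_port: int
    ttl: int


@dataclass
class Gateway:
    """Stateless model of a packet-filtering gateway (hypothetical).

    decrements_ttl=False models FreeBSD's IPSTEALTH option or a layer-2
    bridge (TTL forwarded untouched). emits_icmp_errors=False models a
    rule that drops the gateway's own locally generated ICMP errors.
    """
    passed_ports: frozenset
    decrements_ttl: bool = True
    emits_icmp_errors: bool = True

    def handle(self, probe: Probe):
        """Return what the sender eventually observes: (reply_kind, reply_source)."""
        # Filtered ports are dropped silently; nothing ever comes back.
        if probe.dst_port not in self.passed_ports:
            return ("silence", None)

        ttl = probe.ttl - 1 if self.decrements_ttl else probe.ttl
        if ttl == 0:
            # A layer-3 gateway that decremented to zero must not forward;
            # whether the sender learns anything depends on the ICMP error.
            if self.emits_icmp_errors:
                return ("icmp_time_exceeded", FIREWALL_IP)
            return ("silence", None)

        # Forwarded: the next hop is an ordinary router/host that decrements.
        if ttl - 1 == 0:
            return ("icmp_time_exceeded", NEXT_HOP_IP)
        return ("delivered", NEXT_HOP_IP)


def firewalk(gw: Gateway, ports, ttl: int):
    """Send one probe per port with the given TTL and record the replies."""
    return {port: gw.handle(Probe(port, ttl)) for port in ports}


def inferred_passed(replies):
    """Ports the sender can conclude were forwarded: any ICMP time-exceeded
    reply means the packet survived the filter at the probed hop."""
    return {port for port, (kind, _src) in replies.items()
            if kind == "icmp_time_exceeded"}


def gateway_revealed(replies):
    """True if any reply carried the gateway's own address as its source."""
    return any(src == FIREWALL_IP for _kind, src in replies.values())


if __name__ == "__main__":
    policy = frozenset({80, 443})   # constructed policy: only 80 and 443 pass
    ports = [22, 80, 443]
    for label, gw in [
        ("layer-3 gateway", Gateway(policy)),
        ("IPSTEALTH / bridge", Gateway(policy, decrements_ttl=False)),
        ("own ICMP errors filtered", Gateway(policy, emits_icmp_errors=False)),
    ]:
        replies = firewalk(gw, ports, ttl=1)
        print(f"{label}: passed={sorted(inferred_passed(replies))} "
              f"gateway_revealed={gateway_revealed(replies)}")
```

Running it prints the three cases side by side: the plain layer-3 gateway reveals both its address and the passed ports, the stealth/bridge variant reveals the passed ports but not its address, and the variant that filters its own ICMP errors reveals neither for probes that expire at its hop.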
Current thread:
- firewalk meets nmap - TTL (fwd) Lance Spitzner (Nov 06)
- Re: firewalk meets nmap - TTL (fwd) Chris Boscolo (Nov 08)
- Re: firewalk meets nmap - TTL (fwd) Chuck Swiger (Nov 08)
- Re: firewalk meets nmap - TTL (fwd) Mikael Olsson (Nov 08)
- <Possible follow-ups>
- RE: firewalk meets nmap - TTL (fwd) Kalat, Andrew (ISS Atlanta) (Nov 08)