Hiding NATs with PF
From: Max Bolingbroke (batterseapower{no_at_spam}hotmail.com)
Date: 09/28/05
Date: Wed, 28 Sep 2005 03:01:55 +0100
Hi,
It's my first time out with OpenBSD and I'm building a little NAT
device. It's been great so far, it's really well put together. I
especially like PF, but I'm having trouble making my NAT "invisible".
What I mean by this is that I want to make it look identical to a single
host on the internet (assume application level proxying is not practical
in this scenario). I've already enabled the usual suspects in scrub:
no-df, min-ttl, random-id, fragment reassemble and reassemble tcp. I
also added state modulation to outgoing traffic for good measure.
This has covered the two main bases: TTL monitoring and statistical
analysis of IP IDs. However, I'm still going to be vulnerable to passive
OS fingerprinting. Are there any further ways I can have PF munge my
outgoing packets so they look like they all come from the same flavour of TCP
stack?
Thanks in advance!
Max Bolingbroke
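
A check for the IP ID part of the setup described in the post, as an added example that is not part of the original message: it groups the IP IDs seen from one source address into incrementing counter sequences (a simplified form of IP ID analysis) and shows that the host count collapses into noise once the IDs are randomized, which is what scrub random-id does. The function names, the gap threshold and the sample values are assumptions constructed here.

```python
import random

def count_ipid_sequences(ip_ids, max_gap=64):
    """Greedily group IP IDs into per-host counter sequences.

    An ID joins the sequence whose last value is the smallest forward step
    (mod 2**16, at most max_gap) behind it; otherwise it opens a new sequence.
    The number of sequences approximates the number of incrementing counters,
    i.e. hosts, behind the observed source address.
    """
    last_values = []  # last IP ID seen for each inferred sequence
    for ipid in ip_ids:
        best, best_gap = None, None
        for i, last in enumerate(last_values):
            gap = (ipid - last) % 65536  # forward distance with 16-bit wrap
            if 0 < gap <= max_gap and (best_gap is None or gap < best_gap):
                best, best_gap = i, gap
        if best is None:
            last_values.append(ipid)
        else:
            last_values[best] = ipid
    return len(last_values)

def constructed_capture(packets_per_host=20):
    """Constructed sample: three hosts with plain incrementing IP ID counters,
    interleaved as they would appear on the external side of a NAT."""
    starts_and_steps = [(100, 1), (20000, 2), (45000, 3)]
    ids = []
    for n in range(packets_per_host):
        for start, step in starts_and_steps:
            ids.append((start + n * step) % 65536)
    return ids

def randomized(ip_ids, seed=0):
    """Stand-in for the effect of scrub random-id: every ID replaced by a
    random 16-bit value (seeded here so the run is repeatable)."""
    rng = random.Random(seed)
    return [rng.randrange(65536) for _ in ip_ids]

if __name__ == "__main__":
    raw = constructed_capture()
    print("without random-id:", count_ipid_sequences(raw))
    print("with random-id:   ", count_ipid_sequences(randomized(raw)))
```

Feeding it the IP ID column from a capture taken on the external interface gives a quick indication of whether the randomization is actually being applied to outgoing packets.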