TCP syn-proxy, PF, NAT connections

Is it possible to use PF's TCP syn-proxy for outgoing NATed connections? If it is possible, will it protect against passive fingerprinting?
 
Here is some advice for hiding your system: http://zog.net/Docs/nmap.html

As far as I'm concerned, pf synproxy works for incoming connections, handling the handshake between endpoints, so I think you can use it before address translation occurs. But it's not enough to hide your system from popular scanners.
There are a lot of protective measures available in pf and FreeBSD. You can block outgoing replies (TCP RST, ICMP port unreachable) from closed ports and use pf OS fingerprints. See pf.conf(5).
 
Yes, you are right, but I am thinking only about passive fingerprinting, not active. I was wondering if syn-proxy would protect against guessing the number of machines behind NAT.
 
Scrub is not good enough. As far as I know, scrub doesn't do anything with the window size. Various OSes use different default values for the window size, and this parameter helps in guessing the number of machines behind NAT. I thought that syn-proxy would be helpful.
 
I have tried synproxy state for NAT connections and I observed one curious thing.

At first I'll show what I have done.

[Internet] --- rl0(server)rl1 --- [Lan]

I wanted to hide the characteristic parts of outgoing SYN packets. I used synproxy state for it in pf (the ports are only examples):

Code:
pass in on rl1 proto tcp from any to any port {443, 8080} flags S/SA synproxy state

Everything works fine. Every outgoing NATed SYN packet looks the same, but they don't look like the system's own SYN packets. Here is the listing from p0f:

Code:
10.0.0.101:62346 - UNKNOWN [0:128:1:44:M1460:.:?:?] [high throughput] -> 91.111.11.11:443 (link: ethernet/modem) ##synproxy state###

10.0.0.101:57584 - UNKNOWN [65535:128:1:48:M1460,S,E:P:?:?] -> 193.11.11.11:80 (link: ethernet/modem) ##system syn##

As we can see, they are different. Besides, why does synproxy's SYN have a window size of 0?! And why, in general, are these two packets different?
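As an added example (not code from the thread), a small Python parser for the p0f signature fields in the two lines posted above, so the synproxy SYN and the system SYN can be compared field by field. It assumes the p0f v2 signature layout window:ttl:df:synsize:options:quirks:os:details and p0f's option letters (M=MSS, S=SACK permitted, E=explicit end of options); the sample lines are the ones from the post.

```python
import re
from typing import Dict, List, Tuple, Union

# The two p0f output lines quoted above (trailing "##...##" markers dropped).
P0F_LINES = [
    "10.0.0.101:62346 - UNKNOWN [0:128:1:44:M1460:.:?:?] [high throughput] -> 91.111.11.11:443 (link: ethernet/modem)",
    "10.0.0.101:57584 - UNKNOWN [65535:128:1:48:M1460,S,E:P:?:?] -> 193.11.11.11:80 (link: ethernet/modem)",
]

# "src - OS [signature] ... -> dst"
_LINE_RE = re.compile(r"^(?P<src>\S+) - (?P<os>\S+) \[(?P<sig>[^\]]+)\].*-> (?P<dst>\S+)")

# p0f v2 signature layout (assumed): window:ttl:df:synsize:options:quirks:os:details
FIELDS = ("window", "ttl", "df", "syn_size", "options", "quirks")


def _num(field: str) -> Union[int, str]:
    """Plain integers become ints; p0f wildcards/multipliers ('*', 'S4', 'T4') stay raw."""
    return int(field) if field.lstrip("-").isdigit() else field


def parse_p0f_line(line: str) -> Dict[str, object]:
    """Parse one p0f log line into its TCP SYN fingerprint fields."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a p0f line: {line!r}")
    parts = m.group("sig").split(":")
    if len(parts) < 6:
        raise ValueError(f"malformed signature: {m.group('sig')!r}")
    rec: Dict[str, object] = {
        "src": m.group("src"), "dst": m.group("dst"), "os": m.group("os"),
        "window": _num(parts[0]),   # advertised window (0 for the synproxy SYN)
        "ttl": _num(parts[1]),
        "df": _num(parts[2]),       # don't-fragment bit
        "syn_size": _num(parts[3]), # total SYN size; grows with TCP options
        # "." means no options / no quirks
        "options": parts[4].split(",") if parts[4] != "." else [],
        "quirks": parts[5] if parts[5] != "." else "",
    }
    return rec


def diff_fingerprints(a: Dict[str, object], b: Dict[str, object]) -> Dict[str, Tuple[object, object]]:
    """Signature fields that differ between two parsed lines (what a passive observer keys on)."""
    return {f: (a[f], b[f]) for f in FIELDS if a[f] != b[f]}


if __name__ == "__main__":
    proxied, native = (parse_p0f_line(l) for l in P0F_LINES)
    for field, (x, y) in diff_fingerprints(proxied, native).items():
        print(f"{field:9s} synproxy={x!r:22s} system={y!r}")
```

Running it lists window, syn_size, options and quirks as the fields that distinguish the two SYNs, while ttl and df match.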
 