DaemonForums > OpenBSD > OpenBSD Security ("Functionally paranoid!")
#1, 2nd August 2008, posted by ecnalbya (New User, joined Aug 2008)
Subject: change ttl value

I am a newbie. I have tried to change the ttl value in OpenBSD by adding a new line, net.inet.ip.ttl=125, to /etc/sysctl.conf. It doesn't work. Do I need to change /etc/pf.conf as well?

OpenBSD version: 4.3
#2, 2nd August 2008, posted by 18Googol2 (Spam Deminer, joined Apr 2008)

Not sure about OpenBSD, but changing the line in sysctl.conf works for me on my machines running FreeBSD 6.3 and 7.0.

Out of curiosity, are you trying to mask OpenBSD as Windows by changing the ttl?

Last edited by 18Googol2; 2nd August 2008 at 02:43 AM.
#3, 2nd August 2008, posted by BSDfan666 (joined Apr 2008, Ontario, Canada)

Did you reboot after adding the line into sysctl.conf?

sysctl.conf is for making changes permanent, use sysctl(8) for immediate results. (Some can't be set at higher securelevels though..)

Note: don't randomly toggle sysctl values unless you're absolutely sure it's the right thing to do.

Last edited by BSDfan666; 2nd August 2008 at 03:00 AM.
#4, 2nd August 2008, posted by ecnalbya

I have rebooted my system already, and it is still not working. I tried to change the ttl value by just using sysctl; however, when I ping my machine, it is still not working. That's why I asked: do I need to change /etc/pf.conf as well?
#5, 2nd August 2008, posted by ecnalbya

I just looked up the sysctl(3) man page; it states "not to ICMP". Is there a way that I can change the ttl value for ICMP as well?

"ip.ttl The maximum time-to-live (hop count) value for an IP packet sourced by the system. This value applies to normal transport protocols, not to ICMP."
#6, 2nd August 2008, posted by jggimi (joined May 2008, USA)

It is always good, when asking these sorts of questions, to state what it is you actually want to accomplish.

For example, traceroute(8) manipulates TTL values in order to function. If you were to force ICMP packets to have specific TTL values, traceroute will no longer function. Is that your intent? If you wish to obfuscate information, easier would be to block ICMP packets entirely.
#7, 2nd August 2008, posted by ecnalbya

I do not want to block ICMP packets entirely. That would be too easy for you to answer my question. lol. I intended to change the ttl value to 125. I am a newbie, correct me if I am wrong. I want to get 3 answers here:

1. /etc/sysctl.conf file (I tried it by adding a new line: net.inet.ip.ttl=125. If it works on FreeBSD, it should work on OpenBSD as well, right? Did anyone try this on OpenBSD?);
2. /etc/pf.conf file (I tried to add two lines:
Code:
scrub in on $ext_if all min-ttl 125
scrub out on $ext_if all min-ttl 125
then restarted the computer, still no luck);
3. Kernel (by default, the ttl value is 255; where in the kernel can I jump in and change this value?)
#8, 3rd August 2008, posted by jggimi

Quote (ecnalbya):
...I intended to change the ttl value to 125.
Why? What is the outcome you expect?
Quote (ecnalbya):
I am a newbie, correct me if were wrong.
Welcome. I only found one obvious thing wrong (other than your desire to muck about with TTL values), and that is your assumption that...
Quote (ecnalbya):
If it works on FreeBSD, it should work on OpenBSD as well, right?
This would be a poor assumption. Sometimes, yes. But mostly, no. They are both BSDs but they have been on separate paths for 14 years. Hundreds of thousands of changes have been made to both operating systems.
Quote (ecnalbya):
Did anyone try this on OpenBSD?);
Just now:
Code:
# sysctl net.inet.ip.ttl
net.inet.ip.ttl=64
# sysctl net.inet.ip.ttl=125
net.inet.ip.ttl: 64 -> 125
# sysctl net.inet.ip.ttl
net.inet.ip.ttl=125
#
Quote (ecnalbya):
2. /etc/pf.conf
I have not mucked about with stack settings in pf; my understanding is murky of which would override the other .... primarily because I don't muck about with TCP/IP stack configuration.
Quote (ecnalbya):
3. Kernel (by default, the ttl value is 255, where in the kernel that I can jump in and change this value?)
As you saw above, my sysctl reports the kernel value used by the stack (unless PF gets involved, perhaps) is 64. I am running 4.4-beta (-current), on i386.
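Added example (not code from the thread or from OpenBSD): a short sh script tying together what BSDfan666 and jggimi describe above and the sysctl.conf attempt from post #7. /etc/sysctl.conf is only read by rc at boot, which is why editing it alone looks like it "does nothing" until the next reboot, while sysctl(8) changes the running kernel immediately; the script records the key once (replacing an existing line and dropping duplicates rather than appending another) and then applies it live. Function names, the temporary file and the sample sysctl.conf contents are this example's own. One caveat for the pf.conf attempt: scrub's min-ttl only raises a TTL that is below the given number and never lowers one, so it cannot bring a 255 down to 125.

```shell
#!/bin/sh
# Added example (not the thread's or OpenBSD's own code): persist a sysctl
# setting in sysctl.conf exactly once, and apply it live with sysctl(8).
# Assumptions: "key=value" lines as in OpenBSD's /etc/sysctl.conf; the
# function names and the sample file below are this example's own.
set -eu

# conf_get FILE KEY: print the value recorded for KEY (last one wins), or nothing.
conf_get() {
    awk -F= -v k="$2" '
        /^[[:space:]]*#/ { next }                  # skip comment lines
        { key = $1; gsub(/[[:space:]]/, "", key) } # tolerate "key = value"
        key == k { v = $2 }
        END { if (v != "") print v }
    ' "$1"
}

# conf_set FILE KEY VALUE: replace the first KEY line, drop any duplicates,
# append if KEY was absent. Comments and other keys are left untouched.
conf_set() {
    tmp=$(mktemp)
    awk -F= -v k="$2" -v v="$3" '
        /^[[:space:]]*#/ { print; next }
        { key = $1; gsub(/[[:space:]]/, "", key) }
        key == k { if (!done) { print k "=" v; done = 1 }; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$1" > "$tmp"
    cat "$tmp" > "$1"    # write through, so the file keeps its owner and mode
    rm -f "$tmp"
}

# valid_ttl N: the IP TTL field is 8 bits, and 0 would drop every packet.
valid_ttl() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 255 ]; then return 0; fi
    return 1
}

# set_ip_ttl FILE N: record N for the next boot and, on OpenBSD as root, apply it now.
set_ip_ttl() {
    valid_ttl "$2" || { echo "refusing TTL '$2' (must be 1..255)" >&2; return 1; }
    conf_set "$1" net.inet.ip.ttl "$2"
    # sysctl.conf is only read by rc at boot; sysctl(8) changes the running
    # kernel immediately. Guarded so the demo below also runs elsewhere.
    if [ "$(uname -s)" = OpenBSD ] && [ "$(id -u)" -eq 0 ]; then
        sysctl net.inet.ip.ttl="$2"
    fi
}

# Demo on a constructed copy of sysctl.conf (never touches /etc).
demo() {
    f=$(mktemp)
    printf '%s\n' '# constructed sample, not a real /etc/sysctl.conf' \
        'kern.securelevel=1' 'net.inet.ip.ttl=64' 'net.inet.ip.ttl=64' > "$f"
    set_ip_ttl "$f" 125
    echo "--- $f after set_ip_ttl:"; cat "$f"
    rm -f "$f"
}
demo
```

Run it as root on the real file with `set_ip_ttl /etc/sysctl.conf 125`; the awk rewrite is what keeps a second edit from leaving two net.inet.ip.ttl lines behind, and the `cat >` write-through avoids replacing the file with one owned by whoever ran the script.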
#9, 3rd August 2008, posted by ecnalbya

Quote (jggimi):
Why? What is the outcome you expect?
I will answer this question later.

Quote (jggimi):
Code:
# sysctl net.inet.ip.ttl
net.inet.ip.ttl=64
# sysctl net.inet.ip.ttl=125
net.inet.ip.ttl: 64 -> 125
# sysctl net.inet.ip.ttl
net.inet.ip.ttl=125
#
I tried the above as well. However, when I pinged my box, it returns 255 as ttl value. Is it because of ICMP? I want other people to ping my box, it returns 125.

Quote (jggimi):
As you saw above, my sysctl reports the kernel value used by the stack (unless PF gets involved, perhaps) is 64.
Why is it 64 and not 255? Is there somewhere in the kernel where I can change both 64 and 255 to 125?
I am a newbie and have never messed with the kernel before, but I would like to give it a try.
#10, 3rd August 2008, posted by jggimi

As you had discovered, already, ICMP packets set the value to 255. Other protocols use the sysctl value.

As I mentioned above, this is used by traceroute(8), and also by ping(1). There's a nice discussion of TTL in the ping(1) man page.

If you want to muck about in the kernel source.. have fun. The source is packaged with the CD-ROMs, and may also be downloaded from your nearest mirror. You might find src/sys/netinet/ip_icmp.c a good starting point for looking at ICMP logic.

FAQ 5 is required reading, if you are interested in modifying the source and rebuilding the kernel.

You have still not articulated a reason why you want 125 in the TTL field for ICMP ECHO packets.

I believe it is a complete waste of your time to do this. But you are a newbie, and I am unable to dissuade you from going down this path.

Please try to have fun. Don't forget to back up your -release kernel. And good luck to you.
#11, 3rd August 2008, posted by 18Googol2

Quote (ecnalbya):
I tried the above as well. However, when I pinged my box, it returns 255 as ttl value. Is it because of ICMP? I want other people to ping my box, it returns 125.
Sounds like your "other people" are outside your subnet, so it can't return 125 to them. This is a networking fundamental.

Quote (jggimi):
You have still not articulated a reason why you want 125 in the TTL field for ICMP ECHO packets.
My educated guess would be that the OP is trying to spoof OpenBSD as a Windows machine by ttl value. IIRC, by default, ttl is set to 128 and 64 for Windows and *nix machines respectively. It's a kind of "security through obscurity".
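Added example, not part of the thread, illustrating 18Googol2's two points above (an observer outside your subnet never sees the initial TTL, only what is left after each router decrements it; and the 64 / 128 / 255 defaults are what OS guessing by TTL keys on). It takes ping reply lines, recovers the TTL field, and applies the usual heuristic of rounding the observed value up to the nearest common starting value (32, 64, 128 or 255) to estimate both the sender's initial TTL and the hop count. The reply lines are constructed, not captured, and the function names are this example's own; the mapping of 64, 128 and 255 to operating systems is the one stated in this thread, nothing more.

```shell
#!/bin/sh
# Added example (not from the thread): what a remote observer can and
# cannot infer from the TTL in a ping reply. Assumes the usual heuristic
# that senders start at 32, 64, 128 or 255 and that each router decrements
# by one; the ping lines below are constructed, not captured. Function
# names are this example's own.
set -eu

# guess_initial_ttl OBSERVED: print "INITIAL HOPS" using the smallest
# common starting value that is >= the observed TTL.
guess_initial_ttl() {
    t=$1
    [ "$t" -ge 1 ] && [ "$t" -le 255 ] || return 1
    for init in 32 64 128 255; do
        if [ "$t" -le "$init" ]; then
            echo "$init $((init - t))"
            return 0
        fi
    done
}

# classify_ttl INITIAL: the defaults this thread mentions (64 for *nix
# transport traffic, 128 for Windows, 255 for OpenBSD's ICMP replies).
classify_ttl() {
    case $1 in
        64)  echo "unix-like" ;;
        128) echo "windows" ;;
        255) echo "openbsd-icmp-or-other-255-stack" ;;
        *)   echo "unknown" ;;
    esac
}

# ping_ttl LINE: pull the ttl= field out of one ping reply line.
ping_ttl() {
    printf '%s\n' "$1" | sed -n 's/.*ttl=\([0-9][0-9]*\).*/\1/p'
}

# analyze LINE: one-line verdict for a reply line.
analyze() {
    t=$(ping_ttl "$1")
    [ -n "$t" ] || { echo "no ttl field in: $1" >&2; return 1; }
    set -- $(guess_initial_ttl "$t")
    echo "observed=$t initial=$1 hops=$2 looks-like=$(classify_ttl "$1")"
}

# Constructed replies. The last one is the interesting case: a host that
# really started at 125 and is 3 hops away is indistinguishable from a
# Windows box 6 hops away, and meanwhile its ICMP replies still leave at
# 255 and its TCP/UDP traffic at the sysctl value unless both are changed.
for line in \
    '64 bytes from 10.0.0.5: icmp_seq=0 ttl=255 time=0.4 ms' \
    '64 bytes from 192.0.2.10: icmp_seq=0 ttl=119 time=12.3 ms' \
    '64 bytes from 198.51.100.7: icmp_seq=0 ttl=61 time=5.1 ms' \
    '64 bytes from 203.0.113.9: icmp_seq=0 ttl=122 time=30.2 ms'
do
    analyze "$line"
done
```

Pipe a real `ping` session through `while read -r l; do analyze "$l"; done` to apply it to live replies. The point the output makes is the one the thread keeps circling: any non-standard starting value such as 125 is read by an outside observer as "128 minus a few hops", and the 255 on ICMP replies stays visible either way, so the setting buys no disguise.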
#12, 10th August 2008, posted by ecnalbya

I have no clue which files I should change. Please help! I want 125 in the TTL field for ICMP ECHO packets. Here is what I ran:

Code:
# pwd
/usr/src/sys/netinet/
# grep "255" *.c
ip_carp.c:
ip_mroute.c:

Should I replace 255 with 125 in ip_carp.c and ip_mroute.c? It is not that easy, right?
#13, 10th August 2008, posted by jggimi

Quote (ecnalbya):
...It is not that easy, right?
Right. It's not that easy. Note:
Code:
$ man -k mroute
mrouted (8) - IP multicast routing daemon
$ man -k carp
...
carp (4) - Common Address Redundancy Protocol
...
Neither of these modules is related to ICMP. You apparently will need to have more technical knowledge than you currently possess.

I note you still haven't said why you insist on doing this. 18Googol2 suggested it might be for "security through obscurity." If so, my opinion hasn't changed: you are wasting your time. The consensus of the OpenBSD Project is that security through obscurity is a fallacy. I agree. It may seem plausible to newcomers, but it provides no advantages and may lull one into false assumptions of security.
#14, 12th August 2008, posted by ai-danno (Spam Deminer, joined May 2008, Boca Raton, Florida)

It's surprising the discussion went this far without the OP stating the "why" for his wishes... and as jggimi stated, if it's security via obscurity you are looking for, look elsewhere.
#15, 13th August 2008, posted by phoenix (joined May 2008)

Until you explain why you "need" this, no one can really help.
#16, 13th August 2008, posted by jggimi

Well, we could help without that information, but ... no one, I think, is terribly interested in helping.
#17, 16th August 2008, posted by ecnalbya

There is no win-win situation here. I don't care what your religion is, and I don't want to argue about your definition of security. I am a newbie; I tried to mess with the OpenBSD kernel, still no luck. I will keep trying. What a loser I am!
#18, 17th August 2008, posted by ai-danno

Good Luck to you.
#19, 23rd August 2008, posted by ecnalbya

Quote (ai-danno):
Good Luck to you.
good luck to you too.