I'm going to split my connection among two or three computers and use one more as a router. As far as I know, one can detect NAT by sniffing traffic and analysing the TTL value and ID number of IP packets (also used for fingerprinting OSes, I think). The questions are: how do I make that router/NAT device stealthy to the outside world? Has anyone tried it already? Are there any other ways to detect a device such as a NAT (what about the ports it uses)?
I think I'm going to use Linux or FreeBSD for masquerading. I prefer Linux, but I'm also considering the latter because I heard that in FreeBSD you can compile in an option, "do not act as a router", which doesn't affect the TTL when routing packets.
Hmm, you can actually rewrite the TTL on the packets that pass through the NAT infrastructure of Linux as well, normally with the "--ttl-set" directive in your iptables rules.
The only configuration option related to "act as a router" that I know of on FreeBSD is the gateway option, which is compiled in by default and can be activated/deactivated with sysctl net.inet.ip.forwarding. Still, without it NAT will not work.
I wouldn't worry too much about hiding the router's existence, but then again one can never be too paranoid about security.
That's even better, because I can install Smoothwall as I had planned in the very beginning, and then play a little with the firewall rules. Thanks for the tip, Nske.
I'm also concerned that this was the easiest part to solve, and I still have no idea about IPIDs. If NAT has a table in which it keeps track of all connections and changes the IP address field in every packet on the fly, couldn't it do the same to change other fields? This would need more processing power from the machine, but that's not a problem nowadays, right?
I think it would also bypass a few RFC rules, but Microsoft doesn't comply with some either.
Yes, processing power is not really an issue for routing in such a small network, especially if you use stateful inspection (since in that case not every packet will be compared against your full ruleset, but only the first for each connection, ideally). I route the traffic to the internet for about 70 PCs through an old P1 200MMX and it's not even breaking a sweat.
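
Added example, not part of the thread: the TTL and IP ID checks mentioned in the first post, seen from the monitoring side and run over constructed packet records. It assumes each host increments a single sequential IP ID counter (many current stacks do not), and the function names, thresholds and sample values are hypothetical.

```python
from collections import Counter

COMMON_INITIAL_TTLS = (32, 64, 128, 255)  # typical OS default TTLs

def initial_ttl(observed):
    """Smallest common default TTL that is >= the observed TTL."""
    return next(t for t in COMMON_INITIAL_TTLS if t >= observed)

def count_ipid_streams(ipids, max_gap=64, min_len=3):
    """Greedily group IP IDs into increasing counters (mod 2**16).

    Assumption: each host increments one global IP ID counter. Streams
    shorter than min_len are treated as noise and not counted.
    """
    streams = []  # each entry is [last_id, length]
    for ipid in ipids:
        best = None
        for s in streams:
            gap = (ipid - s[0]) % 65536
            if 0 < gap <= max_gap and (best is None or gap < best[0]):
                best = (gap, s)
        if best:
            best[1][0], best[1][1] = ipid, best[1][1] + 1
        else:
            streams.append([ipid, 1])
    return sum(1 for _, length in streams if length >= min_len)

def nat_indicators(packets):
    """packets: (ttl, ipid) tuples seen from ONE source address, in order."""
    ttls = Counter(ttl for ttl, _ in packets)
    return {
        "distinct_ttls": sorted(ttls),
        "initial_ttls": sorted({initial_ttl(t) for t in ttls}),
        "mixed_ttls": len(ttls) > 1,
        "ipid_streams": count_ipid_streams([i for _, i in packets]),
    }

# Constructed sample: two hosts (default TTL 64 and 128) behind one NAT,
# observed on the NAT's upstream link, so TTLs arrive as 63 and 127.
SAMPLE = [(63, 1000), (127, 40000), (63, 1001), (127, 40002),
          (63, 1003), (127, 40003), (63, 1004), (127, 40005)]

if __name__ == "__main__":
    print(nat_indicators(SAMPLE))
```

More than one IP ID stream or a mix of TTLs from a single address is an indicator, not proof, since one multi-homed or virtualised host can produce the same pattern.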