From owner-freebsd-pf@FreeBSD.ORG Tue Oct 6 19:09:18 2009
Date: Tue, 6 Oct 2009 21:09:12 +0200
From: 文鳥 <bunchou@googlemail.com>
To: "Helmut Schneider"
Cc: freebsd-pf@freebsd.org
Subject: Re: freebsd-pf Stealth Modus
Message-ID: <20091006210912.379434eb@centaur.5550h.net>
References: <6422287.58441254834893591.JavaMail.root@zimbra-store> <49F0693DC96541B4B9D7B61599A12CA4@vpe.de> <20091006182241.79d16c8c@centaur.5550h.net>
X-Mailer: Claws Mail 3.7.2 (GTK+ 2.16.6; amd64-portbld-freebsd8.0)
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Tue, 6 Oct 2009 20:28:33 +0200
"Helmut Schneider" wrote:

> 文鳥 wrote:
> > On Tue, 6 Oct 2009 17:23:09 +0200
> > "Helmut Schneider" wrote:
> >
> >> From: "Nico De Dobbeleer"
> >>> I just finished installing FreeBSD 7.x with pf in transparent
> >>> bridging mode as the servers behind the firewall need to have a
> >>> public IP address. Now everything is working fine and the FW is
> >>> doing its job as it should. When I nmap the FW I see the open
> >>> ports and closed ports. Is there a way to get the FW running in
> >>> stealth mode so that it isn't possible anymore with nmap or any other
> >>> scanning tool to see the open or closed ports?
> >>
> >> There is no "stealth". If a service responds to a request the port
> >> is "open". If not it's closed.
> >
> > There is: just use "block drop" in your pf config or "set
> > block-policy drop" (see man 5 pf.conf). This effectively stops
> > sending TCP RST or UDP unreach packets.
>
> Consider a webserver where you pass HTTP and "block drop" SSH. 1 port
> is open -> host not "stealth".
>
> But even if you "block drop" all incoming traffic to a host, if a
> host is really down (and therefore stealth) the host's gateway would
> send an ICMP type 3 packet (unless you cripple ICMP as well).
>
> While sometimes it might be useful to "block drop" it has nothing to
> do with being "stealth".
>
> Helmut

Not replying to a probe in the mentioned way is exactly what is commonly
referred to as "stealth mode" by consumer firewalls. Just try a simple
Google search for "stealth firewall" and you will see.

Besides, if only a few (uncommon) ports are open, a limited scan is
unlikely to find them, thus calling it "stealth" (aka "low observability"
according to Wikipedia) is appropriate IMHO. There is a difference between
stealth and invisibility.
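To make the two block policies discussed in this thread concrete, here is an added pf.conf fragment for a bridging firewall with one web server behind it; it is not from any of the posters. The interface name em0 and the server address 192.0.2.10 are assumptions.

```pf
# Added example, not from the thread. Assumptions: em0 is the bridge member
# facing the Internet, the web server behind the bridge is 192.0.2.10.
ext_if  = "em0"
www_srv = "192.0.2.10"

# What a blocked packet gets back is decided by block-policy:
#   return -> TCP RST or ICMP unreachable is sent; a scanner reports the
#             port as "closed".
#   drop   -> the packet is silently discarded; a scanner reports the
#             port as "filtered" (the "stealth" behaviour of the thread).
# Neither setting changes an open port: the service still answers with
# SYN-ACK, so the pass rules below are visible to a scanner either way.
# pf on the bridge also cannot suppress ICMP type 3 that the upstream
# gateway itself sends for hosts that are really down.
set block-policy drop
# set block-policy return   # the alternative discussed above

# Default deny on the external side; "log" records the dropped probes
# so the scan is still visible to the defender even though nothing is
# sent back to the sender.
block in log on $ext_if

# Pass only the services that are intentionally exposed.
pass in quick on $ext_if proto tcp from any to $www_srv port 80
pass in quick on $ext_if proto tcp from any to $www_srv port 443

# A per-rule override of the global policy is also possible: this rule
# answers SSH probes with a RST even though the global policy is drop.
block return in quick on $ext_if proto tcp from any to $www_srv port 22
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading; `pfctl -sr` then shows the loaded rules with the effective drop or return action on each block rule.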