Date:      Tue, 6 Oct 2009 20:28:33 +0200
From:      "Helmut Schneider" <jumper99@gmx.de>
To:        freebsd-pf@freebsd.org
Subject:   Re: freebsd-pf Stealth Modus
Message-ID:  <hag28i$26j$1@ger.gmane.org>
References:  <6422287.58441254834893591.JavaMail.root@zimbra-store><49F0693DC96541B4B9D7B61599A12CA4@vpe.de> <20091006182241.79d16c8c@centaur.5550h.net>

文鳥 <bunchou@googlemail.com> wrote:
> On Tue, 6 Oct 2009 17:23:09 +0200
> "Helmut Schneider" <jumper99@gmx.de> wrote:
>
>> From: "Nico De Dobbeleer" <nico@elico-it.be>
>>> I just finished installing FreeBSD 7.x with pf in transparent
>>> bridging mode as the servers behind the firewall need to have a
>>> public IP address.  Now everything is working fine and the FW is
>>> doing its job as it should be. When I nmap the FW I see the open
>>> ports and closed ports. Is there a way to get the FW running in
>>> stealth mode so that it isn't possible anymore with nmap or any other
>>> scanning tool to see the open or closed ports?
>>
>> There is no "stealth". If a service responds to a request the port is
>> "open". If not it's closed.
>
> There is: just use "block drop" in your pf config or "set block-policy
> drop" (see man 5 pf.conf). This effectively stops sending TCP RST or
> UDP unreach packets.

Consider a webserver where you pass HTTP and "block drop" SSH. 1 port is 
open -> host not "stealth".

But even if you "block drop" all incoming traffic to a host, if a host is 
really down (and therefore stealth) the host's gateway would send an ICMP 
type 3 packet (unless you cripple ICMP as well).

While sometimes it might be useful to "block drop", it has nothing to do with 
being "stealth".

Helmut 
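The two block policies discussed in this thread, as an added pf.conf illustration that is not part of the original messages. Interface name and server address are assumptions, and it assumes pf filters on the bridge member interfaces (the FreeBSD default, net.link.bridge.pfil_member=1).

```conf
# /etc/pf.conf -- added illustration, not from the thread.
ext_if  = "em0"          # assumed bridge member facing the outside
web_srv = "192.0.2.10"   # assumed public address of the web server (TEST-NET-1)

# "block return" (what you get when block-policy is left unset) answers a
# blocked TCP SYN with a RST and a blocked UDP datagram with an ICMP port
# unreachable, so a scanner reports the port as "closed".
# set block-policy return

# "block drop" silently discards the packet: no RST, no ICMP. A scanner then
# reports "filtered", but the passed port below still completes the TCP
# handshake, so the host is visibly up either way.
set block-policy drop
set skip on lo0

# Default deny in both directions; "block" alone follows block-policy.
block in all
block out all

# The thread's example: SSH is explicitly dropped (no RST goes back),
# while HTTP is passed and the web server itself answers the SYN.
block drop in on $ext_if proto tcp to $web_srv port 22
pass in on $ext_if proto tcp to $web_srv port 80 flags S/SA keep state

# Let replies and outbound connections through statefully.
pass out all keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; the difference between the two policies is only whether the blocked SYN to port 22 is answered with a RST or not.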
