Date: Fri, 6 Jul 2001 22:25:37 -0500 (CDT)
From: Mike Silbersack
Subject: Re: Hiding Versions
In-Reply-To: <200107070319.UAA11446@user7.hushmail.com>
Message-ID: <20010706222359.H18136-100000@achilles.silby.com>

On Fri, 6 Jul 2001 appleseed@hushmail.com wrote:

> >wrong.
>
> Okay, I'm running a gateway A. A receives packets incoming
> on the internet interface to port 80 and forwards the request
> on the condition that it's a proper SYN packet with keep-state
> enabled disallowing fragmentation etc. Verified, the data
> is forwarded via NAT to the internal machine B at port X
> assumed to be an integer greater than maximum privilege
> port and less than maximum allowed TCP port.
>
> -- request --> [ A:80 .nat.->] ---> [B:X .httpd.]
>
> B's firewall rules verify what the router already knows and
> sends back the proper packet.
>
> I've never had nmap verify the OS of a system based on this
> setup. Ever.
>
> With all due respect prove me wrong.
>
> northern_
>
> P.S. I was hoping you would respond the way u did, since, if u
> did not we both know I wouldn't be using ipf anymore ;-)

There are programs other than nmap, you know. You should be able to
determine the OS version of a system by the syn-ack response alone; nmap
just likes more info.
And your setup seems too clever for its own good. I doubt you're
really protecting anything.

Mike "Silby" Silbersack
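The point about the SYN-ACK, as an added example that is not part of the original message: it extracts the stack-dependent fields of a SYN-ACK (initial TTL, DF bit, window, MSS, option layout) and checks whether they change when the packet passes a port-forwarding gateway. The packets, addresses and option layouts are constructed for illustration and are not real OS signatures; `nat_rewrite` assumes a gateway that only rewrites the source address and port and decrements the TTL, with no TCP normalization.

```python
import struct

OPTION_NAMES = {1: "nop", 2: "mss", 3: "ws", 4: "sackOK", 8: "ts"}
# Constructed option layouts for two hypothetical backends (not real OS signatures).
OPTS_A = bytes.fromhex("020405b4" "01" "030300" "0101" "080a0000000100000000")
OPTS_B = bytes.fromhex("020405b4")

def build_synack(ttl, window, options, src=(10, 0, 0, 2), sport=8080):
    """Constructed IPv4+TCP SYN-ACK with DF set; checksums left at zero."""
    options += b"\x00" * (-len(options) % 4)  # pad options to 32 bits
    tcp = struct.pack("!HHIIBBHHH", sport, 40000, 1, 2,
                      (20 + len(options)) // 4 << 4, 0x12, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(options), 0, 0x4000,
                     ttl, 6, 0, bytes(src), bytes((192, 0, 2, 9)))
    return ip + tcp + options

def fingerprint(pkt):
    """Return the stack-dependent fields of a SYN-ACK as a tuple."""
    tcp = pkt[(pkt[0] & 0x0F) * 4:]
    if len(tcp) < 20 or (tcp[13] & 0x12) != 0x12:
        raise ValueError("not a SYN-ACK")
    opts, layout, mss, i = tcp[20:(tcp[12] >> 4) * 4], [], None, 0
    while i < len(opts) and opts[i] != 0:  # kind 0 ends the option list
        kind = opts[i]
        length = 1 if kind == 1 else (opts[i + 1] if i + 1 < len(opts) else 0)
        if (kind != 1 and length < 2) or i + length > len(opts):
            raise ValueError("malformed TCP option")
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        layout.append(OPTION_NAMES.get(kind, str(kind)))
        i += length
    # Round the observed TTL up to a common initial value to cancel hop count.
    initial_ttl = next(t for t in (32, 64, 128, 255) if pkt[8] <= t)
    window = struct.unpack("!H", tcp[14:16])[0]
    return (initial_ttl, bool(pkt[6] & 0x40), window, mss, tuple(layout))

def nat_rewrite(pkt, new_src, new_sport):
    """Assumed gateway behaviour: rewrite source addr/port, decrement TTL."""
    ihl, out = (pkt[0] & 0x0F) * 4, bytearray(pkt)
    out[8] -= 1
    out[12:16] = bytes(new_src)
    out[ihl:ihl + 2] = struct.pack("!H", new_sport)
    return bytes(out)

def survives_nat(ttl, window, options):
    """True if the fingerprint seen outside the gateway equals the backend's."""
    direct = build_synack(ttl, window, options)
    forwarded = nat_rewrite(direct, (198, 51, 100, 7), 80)
    return fingerprint(direct) == fingerprint(forwarded)
```

Running `fingerprint` on a capture taken outside your own gateway shows which of these fields it passes through unchanged from the internal host.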