Date:      Tue, 11 Feb 2003 22:38:06 -0600
From:      Redmond Militante <r-militante@northwestern.edu>
To:        freebsd-questions@freebsd.org
Subject:   portsentry in combination with ipfilter
Message-ID:  <20030212043806.GA1267@darkpossum>


hi all

 i have an ipf/ipnat gateway machine protecting an internal network of - so far one, hopefully 2 or more - computers.
 the first thing i did after i observed that i have my setup successfully nat'ing, was to try to portscan myself from an outside machine, using nmap.
 at first i thought something was up, and that my ipf.rules were being ignored, because when i ran
 
 nmap -sS -v -O 

on the public ip of my internal host - which was aliased to the external nic of my gateway box - it showed that a huge number of tcp and udp ports were open. i could copy the nmap results, but they're long, and suffice it to say ports i thought were closed or inactive were shown as open.
 
after discussing it with the -security listserv, and running a 'sockstat' on the gateway box, it turns out that portsentry was indeed listening on the great majority of ports that the nmap showed to be open. when i turn portsentry off and run nmap again on my setup, it only shows the ports that i specifically allow open in my ipf/ipnat rules, like 80, 22, etc.
 
my question is: first, does anyone know how to get portsentry to not broadcast the fact that it's listening on a wide variety of ports when the host is being portscanned? i checked the portsentry.conf file; there didn't seem to be an option for this. also - i have
 
 block return-rst in log quick on xl0 proto tcp from any to any
 
in my ipf.rules, so i thought that any ports not being nat'd would show up in portscans as not listening. not sure why this isn't working.
 
 also, i had wanted to run logcheck, portsentry, and snort or tripwire on my ipf/ipnat gateway box. is this a good combination of apps? as of now, i have portsentry turned off, but would like to use it or an app that performs the same function.
 
 any thoughts?
 
 thanks again

redmond
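The diagnostic step described in the post (comparing what nmap reports open against what sockstat shows listening on the gateway) can be automated. The following is an added example, not code from the original message or from any FreeBSD, nmap or portsentry project: it parses nmap's greppable (-oG) output and the output of `sockstat -4 -l` and reports, for each open port, which local process owns the listening socket, or that no local process does (which on a NAT gateway usually means an ipnat rdr to an internal host). Both input samples below are constructed for the example; the address 203.0.113.5, the PIDs and the port set are assumptions.

```python
"""Cross-reference an nmap scan of a gateway against sockstat on that gateway.

Added example (not part of the original mailing-list post). The two text
blobs below are constructed samples in the real output formats of
`nmap -sS -oG -` and `sockstat -4 -l`; the host, PIDs and ports are invented.
"""
import re
from collections import defaultdict

# Constructed sample: nmap greppable output for the gateway's public IP.
NMAP_GREPPABLE = """\
# Nmap scan initiated as: nmap -sS -oG - 203.0.113.5
Host: 203.0.113.5 ()\tPorts: 1/open/tcp//tcpmux///, 11/open/tcp//systat///, 22/open/tcp//ssh///, 80/open/tcp//http///, 111/open/tcp//sunrpc///, 143/open/tcp//imap///\tIgnored State: closed (1595)
# Nmap done
"""

# Constructed sample: `sockstat -4 -l` on the gateway itself. Port 80 is
# deliberately absent here: it is forwarded (rdr) to an internal host, so
# nothing on the gateway listens on it.
SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       312   3  tcp4   *:22                  *:*
root     portsentry 455   0  tcp4   *:1                   *:*
root     portsentry 455   1  tcp4   *:11                  *:*
root     portsentry 455   2  tcp4   *:111                 *:*
root     portsentry 455   3  tcp4   *:143                 *:*
root     syslogd    201   4  udp4   *:514                 *:*
"""

# One nmap -oG port entry looks like: 22/open/tcp//ssh///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_nmap_grep(text):
    """Return {(proto, port): state} from nmap -oG output."""
    found = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        m = re.search(r"Ports:\s*(.*?)(?:\t|$)", line)
        if not m:
            continue
        for port, state, proto, _service in PORT_RE.findall(m.group(1)):
            found[(proto, int(port))] = state
    return found


def parse_sockstat(text):
    """Return {(proto, port): [(command, pid), ...]} from `sockstat -4 -l` output."""
    listeners = defaultdict(list)
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 7:
            continue
        _user, command, pid, _fd, proto, local, _foreign = fields[:7]
        proto = proto.rstrip("46")          # tcp4 / tcp6 / tcp46 -> tcp
        _addr, _sep, port = local.rpartition(":")
        if port == "*":                     # unbound port, nothing to match
            continue
        listeners[(proto, int(port))].append((command, int(pid)))
    return dict(listeners)


def explain_open_ports(nmap_text, sockstat_text):
    """For every port nmap calls open, name the local owner, or None if no
    local socket is bound there (forwarded by ipnat, or a filter gap).
    Returns a list of (proto, port, owner_command_or_None) sorted by port."""
    scan = parse_nmap_grep(nmap_text)
    listeners = parse_sockstat(sockstat_text)
    report = []
    for (proto, port), state in sorted(scan.items()):
        if state != "open":
            continue
        owners = listeners.get((proto, port))
        report.append((proto, port, owners[0][0] if owners else None))
    return report


def ports_by_owner(report):
    """Group the open ports by owning command; the None key collects ports
    that nobody on the gateway listens on."""
    groups = defaultdict(list)
    for _proto, port, owner in report:
        groups[owner].append(port)
    return {owner: sorted(ports) for owner, ports in groups.items()}


if __name__ == "__main__":
    for owner, ports in ports_by_owner(
            explain_open_ports(NMAP_GREPPABLE, SOCKSTAT)).items():
        label = owner if owner else "no local listener (forwarded?)"
        print(f"{label:32s} {ports}")
```

With real data, feed it `nmap -sS -oG - <public-ip>` run from outside and `sockstat -4 -l` run on the gateway; any open port that lands under a process other than the daemons you intend to expose is a binding (here, portsentry) that the filter rules are letting through, and anything under the "no local listener" group should correspond exactly to your ipnat rdr entries.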

