From owner-freebsd-questions Tue Feb 11 20:56:03 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CC8C837B401 for ; Tue, 11 Feb 2003 20:56:00 -0800 (PST)
Received: from mail.karamazov.org (h162-040-089-010.adsl.navix.net [162.40.89.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4055443F3F for ; Tue, 11 Feb 2003 20:55:59 -0800 (PST) (envelope-from smoberly@karamazov.org)
Received: from karamazov.org (mail.karamazov.org [10.0.0.11]) by mail.karamazov.org (8.12.6/8.12.6) with SMTP id h1C4twVV085713; Tue, 11 Feb 2003 22:55:58 -0600 (CST) (envelope-from smoberly@karamazov.org)
Received: from 10.0.0.2 (SquirrelMail authenticated user smoberly) by mail.karamazov.org with HTTP; Tue, 11 Feb 2003 22:55:58 -0600 (CST)
Message-ID: <3662.10.0.0.2.1045025758.squirrel@mail.karamazov.org>
Date: Tue, 11 Feb 2003 22:55:58 -0600 (CST)
Subject: Re: portsentry in combination with ipfilter
From: "Scott A. Moberly"
In-Reply-To: <20030212043806.GA1267@darkpossum>
References: <20030212043806.GA1267@darkpossum>
X-Priority: 3
Importance: Normal
X-Mailer: SquirrelMail (version 1.2.9)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> hi all
>
> i have an ipf/ipnat gateway machine protecting an internal network of -
> so far one, hopefully 2 or more - computers. the first thing i did
> after i observed that i have my setup successfully nat'ing, was to try
> to portscan myself from an outside machine, using nmap.
> at first i
> thought something was up, and that my ipf.rules were being ignored,
> because when i ran
>
> nmap -sS -v -O
>
> on the public ip of my internal host - which was aliased to the
> external nic of my gateway box - it showed that a huge amount of tcp
> and udp ports were open. i could copy the nmap results, but they're
> long, and suffice it to say ports i thought were closed or inactive
> were shown as open.
>
> after discussing it with the -security listserv, and running a
> 'sockstat' on the gateway box, it turns out that portsentry was indeed
> listening on the great majority of ports that the nmap showed to be
> open. when i turn portsentry off and run nmap again on my setup, it
> only shows ports that i specially allow open in my ipf/ipnat rules like
> 80, 22, etc.
>
> my question is: first, if anyone knows how to get portsentry to not
> broadcast the fact that it's listening on a wide variety of ports when the
> host is being portscanned. i checked the portsentry.conf file, there
> didn't seem to be an option for this. also - i have

This is exactly what portsentry is designed to do. Can't tell if a port is hit without first binding to it. I have placed portsentry on other machines than the firewall for just this sort of information. A better solution on a firewall is to turn on logging for specific ports or rules that you are interested in.

> block return-rst in log quick on xl0 proto tcp from any to any
>
> in my ipf.rules, so i thought that any ports not being nat'd would show up
> in portscans as not listening. not sure why this isn't working.

What ports exactly are still listening that aren't getting allowed through?

> also, i had wanted to run logcheck, portsentry, and snort or tripwire
> on my ipf/ipnat gateway box. is this a good combination of apps? as of
> now, i have portsentry turned off, but would like to use it or an app
> that performs the same function.
logcheck - not really; syslog should be sent inside, either via syslog or msyslog (in ports)
portsentry - nope (see above)
snort - i 'spose (no harm per se)
tripwire - definitely

> any thoughts?
>
> thanks again
>
> redmond

Hope this helps.

-- 
Scott A. Moberly
smoberly@karamazov.org
"BASIC is the Computer Science equivalent of `Scientific Creationism'."
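The reply's point is that a firewall should not bind to ports to notice scans (which is what makes portsentry show up as "open" to nmap); it should log hits on its `block ... log` rules and let something read the log. The script below is an added example, not code from either poster or from the portsentry/ipfilter projects: it parses ipmon-style log lines and flags any source that has hit many distinct blocked TCP ports, which is the same scan signal portsentry gives, obtained with nothing listening. The log line layout (`date time iface @group:rule action src,sport -> dst,dport PR proto ...`) is assumed from ipmon(8) output, the sample lines are constructed for this example using documentation address ranges, and the threshold of five distinct ports is an arbitrary choice.

```python
import re
from collections import defaultdict

# Constructed sample log in the assumed ipmon(8) style; not taken from the thread.
# Action 'b' = blocked, 'p' = passed. Addresses are from documentation ranges.
SAMPLE_LOG = """\
11/02/2003 22:50:01.000001 xl0 @0:3 b 203.0.113.7,40001 -> 198.51.100.5,21 PR tcp len 20 60 -S IN
11/02/2003 22:50:01.000120 xl0 @0:3 b 203.0.113.7,40002 -> 198.51.100.5,23 PR tcp len 20 60 -S IN
11/02/2003 22:50:01.000240 xl0 @0:3 b 203.0.113.7,40003 -> 198.51.100.5,25 PR tcp len 20 60 -S IN
11/02/2003 22:50:01.000360 xl0 @0:3 b 203.0.113.7,40004 -> 198.51.100.5,110 PR tcp len 20 60 -S IN
11/02/2003 22:50:01.000480 xl0 @0:3 b 203.0.113.7,40005 -> 198.51.100.5,143 PR tcp len 20 60 -S IN
11/02/2003 22:50:01.000600 xl0 @0:3 b 203.0.113.7,40006 -> 198.51.100.5,3306 PR tcp len 20 60 -S IN
11/02/2003 22:51:10.500000 xl0 @0:1 p 192.0.2.44,51234 -> 198.51.100.5,80 PR tcp len 20 60 -S IN
11/02/2003 22:51:12.000000 xl0 @0:3 b 192.0.2.44,51235 -> 198.51.100.5,22 PR tcp len 20 60 -S IN
11/02/2003 22:51:13.000000 xl0 @0:3 b 192.0.2.44,51236 -> 198.51.100.5,22 PR tcp len 20 60 -S IN
"""

# Assumed field order of an ipmon line; anything that does not match is skipped.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<rule>\S+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+)"
)


def parse_ipmon(text):
    """Parse ipmon-style lines into dicts; unparseable lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["dport"] = int(event["dport"])
            events.append(event)
    return events


def blocked_ports_by_source(events, proto="tcp"):
    """Map each source address to the set of distinct destination ports the firewall blocked."""
    ports = defaultdict(set)
    for e in events:
        if e["action"] == "b" and e["proto"] == proto:
            ports[e["src"]].add(e["dport"])
    return ports


def suspected_scanners(events, threshold=5):
    """Sources that touched at least `threshold` distinct blocked ports, ports sorted."""
    return {
        src: sorted(ports)
        for src, ports in blocked_ports_by_source(events).items()
        if len(ports) >= threshold
    }


if __name__ == "__main__":
    for src, ports in suspected_scanners(parse_ipmon(SAMPLE_LOG)).items():
        print(f"{src}: {len(ports)} distinct blocked ports: {ports}")
```

On a real gateway this would read the ipmon output that the `log` keyword in the quoted `block return-rst in log quick ...` rule produces, so the only ports an external scan ever sees open are the ones the pass rules allow. Counting distinct ports per source (rather than raw hit count) separates a sweep from a single client retrying one port, which is why the repeated hits on port 22 above are not flagged.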