Date: Tue, 17 Dec 2002 09:02:59 -1000
From: Clifton Royston <cliftonr@lava.net>
To: "Robin P. Blanchard" <robin.blanchard@georgiacenter.org>
Cc: stable@freebsd.org
Subject: Re: ipfilter / ipnat quandry
Message-ID: <20021217090259.C17469@lava.net>
In-Reply-To: <bulk.5085.20021217103310@hub.freebsd.org>; from owner-freebsd-stable-digest@FreeBSD.ORG on Tue, Dec 17, 2002 at 10:33:10AM -0800
References: <bulk.5085.20021217103310@hub.freebsd.org>
(This probably belonged on -security or -questions or someplace else...)

> Date: Mon, 16 Dec 2002 13:55:48 -0500
> From: "Robin P. Blanchard" <robin.blanchard@georgiacenter.org>
> Subject: ipfilter / ipnat quandry
>
> - -STABLE (FreeBSD 4.7-STABLE #0: Mon Nov 25 14:22:58 EST 2002)
> gateway/firewall running:
> # ipf -V
> ipf: IP Filter: v3.4.29 (336)
> Kernel: IP Filter: v3.4.29
> Running: yes
> Log Flags: 0 = none set
> Default: pass all, Logging: available
> Active list: 0
>
>
> The only external port I've allowed in is SSH, yet nmapping the box
> yields a slew of purportedly other open ports.

Look again - it says they are "filtered". nmap can usually tell the difference between a TCP port that is closed on the target (returns a RST) and one that is filtered by a firewall (returns nothing.) In fact many of the ports shown as filtered might not even really be open on your box.

> Have I broken my
> ruleset somewhere? Please advise.

No, it's simply not sophisticated enough for what you want it to do.

...
> (The 1581 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 22/tcp     open        ssh
> 137/tcp    filtered    netbios-ns
...
> 138/tcp    filtered    netbios-dgm
> 139/tcp    filtered    netbios-ssn
> 161/tcp    filtered    snmp
...

Note, for instance, that snmp is (normally) a UDP service, so it's unlikely you actually have an open TCP port 161; but nmap can see you're filtering it nonetheless.

ipf does have the ability to more correctly simulate a closed port. I did a similar exercise on my personal OpenBSD firewall box earlier this year; I won't go through your whole ruleset, but basically for every TCP port you block, you need to add a return-rst, and for every UDP port you block, you need to add return-icmp(port-unr). This provides a pretty good simulation of a host running no services, if that's what you want to look like.

  -- Clifton

--
    Clifton Royston  --  LavaNet Systems Architect --  cliftonr@lava.net
"If you ride fast enough, the Specialist can't catch you."
"What's the Specialist?" Samantha says.
"The Specialist wears a hat," says the babysitter. "The hat makes noises."
She doesn't say anything else.
  -- Kelly Link, _The Specialist's Hat_
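The return-rst / return-icmp(port-unr) approach described in the reply above, written out as a minimal ipf ruleset. This is an added example for this archive page, not part of the original message and not either poster's configuration. It assumes the outside interface is named fxp0 (substitute your own), and it generalizes the per-port advice into catch-all block rules placed behind a single pass rule for SSH, so every blocked TCP SYN and UDP datagram gets the same answer a host with no listener would give.

```ipf
# ipf (IP Filter 3.x syntax) - added example, not from the original thread.
# fxp0 is an assumed outside interface name. 'quick' stops rule evaluation
# at the first match, so the order below matters.

# Allow new SSH connections from outside and track them so replies flow back.
pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state

# Any other TCP connection attempt gets an RST back, exactly what a closed
# port would send, so a scanner reports "closed" instead of "filtered".
block return-rst in quick on fxp0 proto tcp from any to any flags S

# UDP probes get an ICMP port-unreachable, matching a host with no UDP listener.
block return-icmp(port-unr) in quick on fxp0 proto udp from any to any

# Everything else arriving on the outside interface is dropped silently.
block in quick on fxp0 all

# Traffic the gateway itself originates outbound, with state so the
# replies are admitted without needing their own inbound rules.
pass out quick on fxp0 proto tcp/udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
```

Two points to check when adopting this: the return-rst rule matches only SYN segments, so non-SYN TCP probes fall through to the silent block and still read as filtered, and both return rules answer whatever source address is on the packet, so the box will send an RST or ICMP reply toward any address a probe claims to come from. Load the file with `ipf -Fa -f /etc/ipf.rules` and confirm the active list with `ipfstat -io`.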