Date: Tue, 17 Dec 2002 09:02:59 -1000
From: Clifton Royston
To: "Robin P. Blanchard"
Cc: stable@freebsd.org
Subject: Re: ipfilter / ipnat quandary
Message-ID: <20021217090259.C17469@lava.net>
In-Reply-To: from owner-freebsd-stable-digest@FreeBSD.ORG on Tue, Dec 17, 2002 at 10:33:10AM -0800
User-Agent: Mutt/1.2.5.1i

(This probably belonged on -security or -questions or someplace else...)

> Date: Mon, 16 Dec 2002 13:55:48 -0500
> From: "Robin P. Blanchard"
> Subject: ipfilter / ipnat quandary
>
> -STABLE (FreeBSD 4.7-STABLE #0: Mon Nov 25 14:22:58 EST 2002)
> gateway/firewall running:
> # ipf -V
> ipf: IP Filter: v3.4.29 (336)
> Kernel: IP Filter: v3.4.29
> Running: yes
> Log Flags: 0 = none set
> Default: pass all, Logging: available
> Active list: 0
>
>
> The only external port I've allowed in is SSH, yet nmapping the box
> yields a slew of purportedly other open ports.

Look again - it says they are "filtered". nmap can usually tell the
difference between a TCP port that is closed on the target (returns a
RST) and one that is filtered by a firewall (returns nothing.) In fact
many of the ports shown as filtered might not even really be open on
your box.

> Have I broken my
> ruleset somewhere? Please advise.

No, it's simply not sophisticated enough for what you want it to do.

...
> (The 1581 ports scanned but not shown below are in state: closed)
> Port State Service
> 22/tcp open ssh
> 137/tcp filtered netbios-ns
...
> 138/tcp filtered netbios-dgm
> 139/tcp filtered netbios-ssn
> 161/tcp filtered snmp
...

Note, for instance, that snmp is (normally) a UDP service, so it's
unlikely you actually have an open TCP port 161; but nmap can see
you're filtering it nonetheless.

ipf does have the ability to more correctly simulate a closed port. I
did a similar exercise on my personal OpenBSD firewall box earlier this
year; I won't go through your whole ruleset, but basically for every
TCP port you block, you need to add a return-rst, and for every UDP
port you block, you need to add return-icmp(port-unr). This provides a
pretty good simulation of a host running no services, if that's what
you want to look like.

-- Clifton

--
Clifton Royston -- LavaNet Systems Architect -- cliftonr@lava.net
 "If you ride fast enough, the Specialist can't catch you."
 "What's the Specialist?" Samantha says.
 "The Specialist wears a hat," says the babysitter. "The hat makes noises."
 She doesn't say anything else.
   Kelly Link, _The Specialist's Hat_
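A ruleset sketch of the approach described in the reply above (pass SSH, answer everything else the way a host with no services would), added here as an example and not taken from the thread; the interface name xl0, the loopback rules and the rule ordering are assumptions.

```conf
# /etc/ipf.rules - illustrative ruleset for IP Filter 3.4.x, not from the
# original thread. Assumes the external interface is xl0; adjust to match.
# Every rule uses "quick", so the first matching rule wins and order matters.

# Loopback traffic is never filtered.
pass in quick on lo0 all
pass out quick on lo0 all

# The firewall's own outbound connections are tracked with "keep state",
# so their replies are accepted without separate inbound rules.
pass out quick on xl0 proto tcp from any to any flags S/SA keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state

# The single service exposed externally: SSH.
pass in quick on xl0 proto tcp from any to any port = 22 flags S/SA keep state

# All other TCP: answer with a RST, as a closed port on an unfiltered host
# would, so a scanner reports "closed" instead of "filtered".
block return-rst in quick on xl0 proto tcp from any to any

# All other UDP: answer with ICMP port unreachable, the reply a closed UDP
# port would give.
block return-icmp(port-unr) in quick on xl0 proto udp from any to any

# Anything that is neither TCP nor UDP is dropped silently. This also
# overrides the "Default: pass all" policy shown in the ipf -V output.
block in quick on xl0 all
```

Load it with `ipf -Fa -f /etc/ipf.rules`; a subsequent scan of the box from outside should then show 22/tcp open and the remaining TCP ports closed rather than filtered.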