From: Charles Swiger <cswiger@mac.com>
Date: Thu, 15 Sep 2005 15:40:12 -0400
To: Boris Karloff
Cc: freebsd-questions@freebsd.org
Subject: Re: NMAP probing of network ports
In-Reply-To: <4329c0ec.244.232.3162@canada.com>
Message-Id: <2CCFF297-E085-4F90-A8B4-E9CBA6CECE74@mac.com>

On Sep 15, 2005, at 2:43 PM, Boris Karloff wrote:
> How do I cause FreeBSD 5.4 to not respond to an nmap
> inquiry?
> I have already tried creating a line in rc.firewall
> that says:
>
> ${fwcmd} deny all from any to any
> ${fwcmd} drop all from any to any
>
> I know these are active, since 1) I see them on the screen
> at startup, and 2) pinging from any computer to any computer
> results in a timeout.
>
> (both of these should drop all TCP packets; but apparently,
> they cause a RESET message to be sent.)

"Apparently" indicates a lack of reliable information. You should use
tcpdump to see what is really going on.

> I've also tried adding the following to sysctl.conf:
>
> net.inet.tcp.blackhole=2
> net.inet.udp.blackhole=1
>
> Again, these don't seem to prevent my FreeBSD from sending a
> packet (probably a RESET or UNREACHABLE-HOST ack).

Ditto. Please obtain real data.

> Once the person sending the nmap to this machine has the IP,
> it's a simple step for them to ip-flood this machine; or
> worse.

Yes. Only, someone can issue a denial-of-service attack against an IP
without bothering to nmap-scan it first. Nothing short of upstream
intervention by your ISP can prevent a true DoS attack from flooding
your inbound pipe's bandwidth.

Trying to prevent a DoS is not an especially useful thing to spend lots
of time on; you would be better served by creating an effective security
policy and setting up an appropriate firewall architecture, including a
redundant connection if the cost of downtime justifies the expense.

> How do I make FreeBSD not acknowledge the fingerprint from
> nmap?

Set up a firewall to block access to all ports but the ones you need for
internet-reachable services. You can recognize nmap traffic by the TCP
option string of "WNMTE"; you can recognize nmap OS identification and
the "Xmas" scan variants by TCP flag combinations of "SE" (SYN | ECE),
"FPU" (FIN | PUSH | URG), and "FSPU"...

-- 
-Chuck
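As an added example of the detection side of the last point in Chuck's reply (this is not code from the thread, from nmap or from FreeBSD), the following Python script reads lines in the style of `tcpdump -n` output and flags segments whose TCP flag set is "SE", "FPU" or "FSPU", or whose option list renders as the "WNMTE" sequence. The sample lines are constructed for the example, and the mapping of tcpdump option names to the letters W/N/M/T/E (wscale, nop, mss, timestamp, eol) is an assumption chosen to match the notation in the reply. It also counts matches per source host, which is the view a defender wants before deciding what to block.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the style of `tcpdump -n` output. They are not
# real captures; the addresses come from the documentation ranges.
SAMPLE_LINES = [
    "12:00:01.000001 IP 198.51.100.7.51000 > 192.0.2.10.22: Flags [S], seq 1, win 65535, "
    "options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0",
    "12:00:01.000002 IP 203.0.113.5.40002 > 192.0.2.10.80: Flags [SE], seq 1, win 1, "
    "options [wscale 10,nop,mss 1460,TS val 1 ecr 0,eol], length 0",
    "12:00:01.000003 IP 203.0.113.5.40003 > 192.0.2.10.80: Flags [FPU], seq 1, win 1024, "
    "options [wscale 10,nop,mss 265,TS val 1 ecr 0,eol], length 0",
    "12:00:01.000004 IP 203.0.113.5.40004 > 192.0.2.10.443: Flags [FSPU], seq 1, win 1024, "
    "options [wscale 10,nop,mss 265,TS val 1 ecr 0,eol], length 0",
    "12:00:01.000005 IP 198.51.100.7.51000 > 192.0.2.10.22: Flags [.], ack 1, win 512, length 0",
    "12:00:01.000006 IP 198.51.100.7.51000 > 192.0.2.10.22: Flags [P.], seq 1:37, ack 1, "
    "win 512, length 36",
    "12:00:01.000007 IP 203.0.113.5.40005 > 192.0.2.10.25: Flags [S], seq 1, win 1024, "
    "options [wscale 10,nop,mss 265,TS val 1 ecr 0,eol], length 0",
]

FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")
OPTS_RE = re.compile(r"options \[([^\]]*)\]")
ADDR_RE = re.compile(r"IP (\S+) > (\S+):")

# Letter codes for TCP options, following the "WNMTE" notation in the reply.
# This name-to-letter mapping is an assumption made for this example.
OPTION_LETTERS = {"wscale": "W", "nop": "N", "mss": "M", "TS": "T", "eol": "E", "sackOK": "S"}

# Flag combinations named in the reply. tcpdump prints ACK as "." and ECE as "E".
SUSPICIOUS_FLAG_SETS = {
    frozenset("SE"): "SYN|ECE OS-detection probe",
    frozenset("FPU"): "Xmas (FIN|PUSH|URG) scan",
    frozenset("FSPU"): "FIN|SYN|PUSH|URG scan",
}


def parse_flags(line: str) -> frozenset:
    """Return the set of tcpdump flag letters (F, S, R, P, ., U, E, W) on the line."""
    m = FLAGS_RE.search(line)
    return frozenset(m.group(1)) if m else frozenset()


def option_string(line: str) -> str:
    """Render the option list as a letter sequence such as 'WNMTE'; unknown names become '?'."""
    m = OPTS_RE.search(line)
    if not m:
        return ""
    letters = []
    for opt in m.group(1).split(","):
        name = opt.strip().split(" ", 1)[0]  # "TS val 1 ecr 0" -> "TS", "mss 1460" -> "mss"
        letters.append(OPTION_LETTERS.get(name, "?"))
    return "".join(letters)


def classify(line: str) -> Optional[str]:
    """Return a reason string if the segment matches a probe pattern, else None."""
    reason = SUSPICIOUS_FLAG_SETS.get(parse_flags(line))
    if reason is None and option_string(line) == "WNMTE":
        reason = "'WNMTE' option sequence"
    return reason


def host_of(addr: str) -> str:
    """Strip the trailing .port that tcpdump -n appends to an address."""
    return addr.rsplit(".", 1)[0]


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (src, dst, reason) for every line that matches a probe pattern."""
    hits = []
    for line in lines:
        reason = classify(line)
        if reason is None:
            continue
        m = ADDR_RE.search(line)
        src, dst = (m.group(1), m.group(2)) if m else ("?", "?")
        hits.append((src, dst, reason))
    return hits


def hits_by_source(lines: List[str]) -> Dict[str, int]:
    """Aggregate matches per source host so repeat probers stand out."""
    counts: Dict[str, int] = {}
    for src, _dst, _reason in scan(lines):
        counts[host_of(src)] = counts.get(host_of(src), 0) + 1
    return counts


if __name__ == "__main__":
    for src, dst, reason in scan(SAMPLE_LINES):
        print(f"{src} -> {dst}: {reason}")
    print(hits_by_source(SAMPLE_LINES))
```

To run it against a live box, pipe `tcpdump -n -i <outside interface> tcp` through the script instead of using SAMPLE_LINES; a bare SYN with normal options (the first sample line) is left alone, so ordinary clients do not show up in the counts.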