From: "Boris Karloff" <modelt20@canada.com>
To: John Oxley, freebsd-questions@freebsd.org
Date: Fri, 16 Sep 2005 07:36:36 -0500
Subject: Re: NMAP probing of network ports
Message-id: <432abc54.2b3.6a6c.3021@canada.com>
List-Id: freebsd-questions (User questions)

> On Thu, Sep 15, 2005 at 01:43:56PM -0500, Boris Karloff wrote:
>> Hello:
>>
>> How do I cause FreeBSD 5.4 to not respond to an nmap
>> inquiry? I have already tried creating a line in rc.firewall
>> that says:
>>
>> ${fwcmd} deny all from any to any
>> ${fwcmd} drop all from any to any
>>
>> I know these are active, since 1) I see them on the screen
>> at startup, and 2) pinging from any computer to any computer
>> results in a timeout.
>>
>> (Both of these should drop all TCP packets; but apparently,
>> they cause a RESET message to be sent.)
>
> Umm, try putting the drop before the deny. AFAIK, drop just drops the
> packet totally, and deny sends a RST back to the host. That is if ipfw
> works that way (ICBW). You don't need both these lines anyway, only one
> of them.

Thank you for your reply. My first message may have been a little misleading. I had tried each line separately (they differ only in 'deny' and 'drop'). I should have been clearer. I had also restarted the computer between changes, just to be sure.

If the two rules were used in a single file, the second line would never be executed, since the first rule would terminate the rule checking; or the second rule would not test true if the first did not, because it is identical to the first. These commands have to be used independently. I meant to imply they were tried separately.

It appears that when FreeBSD is sent an invalid packet without the SYN or ACK bits set, it responds with a RESET reply regardless of the ipfw rules. It appears this is one of the things nmap is exploiting.

Any suggestions on how to modify this behavior?

Thanks.

Harold.
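The thread turns on what ipfw does with deny, drop and reset, and on first-match ordering. The Python model below is an added example, not part of this thread and not FreeBSD's ipfw code; it simulates the subset of ipfw(8) semantics the discussion needs. In ipfw, deny and drop are synonyms that discard a packet silently, reject answers with an ICMP unreachable, and reset is the action that sends a TCP RST. Rules are installed with `ipfw add` (rc.firewall runs `${fwcmd} add ...`), which the quoted lines omit, so the parser refuses a rule without it. The rule sets, the 192.0.2.x addresses and the probe packets are constructed for the example, the rule auto-numbering is a simplification of ipfw's autoinc_step, and the default rule is assumed to drop (a kernel built with IPFIREWALL_DEFAULT_TO_ACCEPT would accept instead).

```python
"""Model of ipfw first-match rule evaluation (added example, not FreeBSD's ipfw).
Covers only the actions allow/pass/accept/permit, deny/drop, reject and reset,
protocol/address matching, the TCP options `established` and `setup`, and the
implicit default rule 65535."""
from dataclasses import dataclass, field

# Action synonyms from ipfw(8), mapped to what the host sends back.
ACTIONS = {
    "allow": "accept", "pass": "accept", "accept": "accept", "permit": "accept",
    "deny": "drop", "drop": "drop",  # discard silently: nothing goes back
    "reject": "icmp-unreach",        # discard and send ICMP unreachable
    "reset": "tcp-rst",              # discard and, for TCP only, send a RST
}

@dataclass
class Packet:
    proto: str                                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    flags: set = field(default_factory=set)   # TCP flags: "S","A","F","R","P","U"

@dataclass
class Rule:
    number: int      # None until ruleset() assigns one
    action: str
    proto: str       # "all", "ip" or a protocol name
    src: str         # "any" or a single address (constructed model: no masks)
    dst: str
    opts: list       # e.g. ["established"] or ["setup"]

def parse_rule(line):
    """Parse '[ipfw] add [N] action proto from src to dst [opts]'.
    'ipfw' may be omitted (rc.firewall runs ${fwcmd} add ...) but 'add' may not:
    without it ipfw reports a bad command and installs nothing."""
    toks = line.split()
    if toks and toks[0] == "ipfw":
        toks.pop(0)
    if not toks or toks.pop(0) != "add":
        raise ValueError("rules are installed with 'add': " + line)
    number = int(toks.pop(0)) if toks[0].isdigit() else None
    action = toks.pop(0)
    if action not in ACTIONS:
        raise ValueError("unsupported action: " + action)
    proto, kw_from, src, kw_to, dst = toks[:5]
    if (kw_from, kw_to) != ("from", "to"):
        raise ValueError("expected 'from ... to ...': " + line)
    return Rule(number, action, proto, src, dst, toks[5:])

def is_valid_rule(line):
    try:
        return parse_rule(line) is not None
    except (ValueError, IndexError):
        return False

def ruleset(lines):
    """Number the rules; unnumbered ones get the next multiple of 100 (simplified autoinc)."""
    rules, last = [], 0
    for line in lines:
        rule = parse_rule(line)
        if rule.number is None:
            rule.number = (last // 100 + 1) * 100
        last = rule.number
        rules.append(rule)
    return rules

def matches(rule, pkt):
    if rule.proto not in ("all", "ip", pkt.proto):
        return False
    if (rule.src != "any" and rule.src != pkt.src) or (rule.dst != "any" and rule.dst != pkt.dst):
        return False
    for opt in rule.opts:
        if opt == "established":   # ipfw(8): ACK or RST set
            if pkt.proto != "tcp" or not (pkt.flags & {"A", "R"}):
                return False
        elif opt == "setup":       # ipfw(8): SYN set and ACK clear
            if pkt.proto != "tcp" or "S" not in pkt.flags or "A" in pkt.flags:
                return False
        else:
            raise ValueError("unsupported option: " + opt)
    return True

def evaluate(rules, pkt):
    """Return (rule number, what the host sends back); the first match wins."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            response = ACTIONS[rule.action]
            if response == "tcp-rst" and pkt.proto != "tcp":
                response = "drop"  # reset only resets TCP
            return rule.number, response
    return 65535, "drop"           # default rule, assumed to drop

# Constructed rule sets and probes (example data, not from the thread).
SILENT = ruleset(["add deny all from any to any"])       # what the poster meant to install
NOISY = ruleset(["add reset tcp from any to any",        # the action that actually sends RSTs
                 "add deny all from any to any"])
ORDERED = ruleset(["add 100 allow tcp from any to any established",
                   "add 200 allow tcp from any to any setup",
                   "add 65000 deny all from any to any"])
FLAGS = {"NULL": set(), "FIN": {"F"}, "ACK": {"A"}, "SYN": {"S"}}   # like nmap -sN, -sF, -sA, -sS
PROBE = {k: Packet("tcp", "192.0.2.10", "192.0.2.1", v) for k, v in FLAGS.items()}
```

The model stops at the firewall verdict. Anything ipfw accepts reaches the TCP stack, and a segment that belongs to no connection (an ACK-only or FIN-only probe to a closed port) is answered by the stack itself with a RST as RFC 793 requires, so a ruleset whose early `established` rule passes ACK-bearing packets will answer an nmap ACK scan no matter what a later deny says. A silently dropping ruleset produces no RST at all, which is the first thing to verify with `ipfw show` (rule counters) before suspecting the stack.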