From owner-freebsd-questions@FreeBSD.ORG Fri Sep 16 14:59:56 2005 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 88EE516A41F for ; Fri, 16 Sep 2005 14:59:56 +0000 (GMT) (envelope-from modelt20@canada.com) Received: from canada.com (smtp-3.vancouver.ipapp.com [216.152.192.57]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4CEC343D46 for ; Fri, 16 Sep 2005 14:59:56 +0000 (GMT) (envelope-from modelt20@canada.com) Received: from canada.com ([216.152.192.55]) by smtp-3.vancouver.ipapp.com ; Fri, 16 Sep 2005 07:59:55 -0700 Sender: modelt20@canada.com From: "Boris Karloff" To: freebsd-questions@freebsd.org X-Mailer: Quality Web Email v3.1m, http://netwinsite.com/refw.htm X-Originating-IP: 71.29.66.64 Date: Fri, 16 Sep 2005 09:59:55 -0500 Message-id: <432addeb.e9.3d26.10012@canada.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Rcpt-To: X-Country: CA Subject: Re: ct Re: NMAP probing of network ports X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 Sep 2005 14:59:56 -0000 Thank you for your reply. Nmap is generating many tcp commands: arp who-has 192.168.0.x tell 192.168.0.5 where x is an incremented number from 0 through 255. The 192.168.0.5 address changes from scan to scan, so blocking the port 192.168.0.5 doesn't work. This behavior is similar to the W32.Welchia.Worm that plagues windoze boxes. Any thoughts on how to stop replying to this command? Thanks. Harold. >On Fri, Sep 16, 2005 at 07:36:36AM -0500, Boris Karloff wrote: >> It appears that when FreeBSD is sent an invalid packet >> without the SYN or ACK bits set, it responds with a RESET >> reply regardless of the ipfw rules. It appears this is one >> of the things nmap is exploiting. >> >> Any suggestions on how to modify this behavior? > >man blackhole > ---------------------------------------- Upgrade your account today for increased storage; mail forwarding or POP enabled e-mail with automatic virus scanning. Visit http://www.canada.com/email/premiumservices.html for more information.