From: Chuck Swiger
Date: Fri, 16 Sep 2005 11:51:14 -0400
To: Boris Karloff
Cc: freebsd-questions@freebsd.org
Subject: Re: ct Re: NMAP probing of network ports

Boris Karloff wrote:
> Thank you for your reply.
>
> Nmap is generating many tcp commands:
>
> arp who-has 192.168.0.x tell 192.168.0.5
>
> where x is an incremented number from 0 through 255. The
> 192.168.0.5 address changes from scan to scan, so blocking
> the port 192.168.0.5 doesn't work.

That's not a TCP command, that's layer-2 ARP traffic, used to map Ethernet MAC
addresses to IP addresses.

Unless you're being scanned from different machines on your LAN, or unless you
are scanning from different machines on your LAN, such traffic will only come
from the IP of the subnet's router.

While you could configure /etc/ethers and disable ARP, frankly, I suspect you
are not solving the problem you think you'd be solving.

-- 
-Chuck
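
Added example, not part of the original message: one way to see which host on the LAN is issuing the "who-has ... tell ..." requests described above is to group captured tcpdump lines by the "tell" address and count the distinct addresses each one asked for. The threshold, the `expected` parameter (for hosts such as the router) and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the older "arp who-has X tell Y" form quoted in the thread and the
# newer "ARP, Request who-has X tell Y, length 28" tcpdump form.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
WHO_HAS = re.compile(
    rf"who-has\s+({IPV4})(?:\s+\([^)]*\))?\s+tell\s+({IPV4})"
)


def arp_requesters(lines):
    """Map each requesting IP (the "tell" side) to the set of IPs it asked about."""
    targets = defaultdict(set)
    for line in lines:
        m = WHO_HAS.search(line)
        if m:
            target, requester = m.groups()
            targets[requester].add(target)
    return targets


def find_sweeps(lines, threshold=32, expected=()):
    """Return {requester: distinct_target_count} for hosts that asked for at
    least `threshold` distinct addresses and are not listed in `expected`.
    The threshold of 32 is an assumed value, not one from the thread."""
    return {
        src: len(dst)
        for src, dst in arp_requesters(lines).items()
        if len(dst) >= threshold and src not in expected
    }


# Constructed sample: one host asking for every address in the /24, a router
# resolving two hosts, and one non-ARP line that must be ignored.
SAMPLE = [f"arp who-has 192.168.0.{x} tell 192.168.0.5" for x in range(256)]
SAMPLE += [
    "12:00:01.000001 ARP, Request who-has 192.168.0.10 tell 192.168.0.1, length 28",
    "12:00:02.000001 ARP, Request who-has 192.168.0.11 tell 192.168.0.1, length 28",
    "12:00:03.000001 IP 192.168.0.10.22 > 192.168.0.11.51000: Flags [P.], length 36",
]

if __name__ == "__main__":
    for src, count in find_sweeps(SAMPLE).items():
        print(f"{src} asked for {count} distinct addresses")
```

If the address reported is the subnet's router, the requests are being made on behalf of traffic from outside the LAN; any other address is a machine on the local segment.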