Delivered-To: freebsd-security@freebsd.org
Received: from greg.cex.ca (h24-207-26-100.dlt.dccnet.com [24.207.26.100]) by hub.freebsd.org (Postfix) with SMTP id B848437B408 for <security@freebsd.org>; Mon, 15 Oct 2001 12:23:04 -0700 (PDT)
Received: (qmail 21586 invoked by uid 1001); 15 Oct 2001 18:55:56 -0000
Date: Mon, 15 Oct 2001 11:55:56 -0700
From: Greg White
To: security@freebsd.org
Subject: Re: FreeBSD IPFW
Message-ID: <20011015115556.A16917@greg.cex.ca>
Mail-Followup-To: security@freebsd.org
References: <007f01c155a4$53166a60$03e2cbd8@server>
In-Reply-To: <007f01c155a4$53166a60$03e2cbd8@server>; from jgowdy@home.com on Mon, Oct 15, 2001 at 11:07:59AM -0700
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-security@FreeBSD.ORG

On Mon, Oct 15, 2001 at 11:07:59AM -0700, Jeremiah Gowdy wrote:
> I'm using FreeBSD 4.4-STABLE with my transparent bridge/firewall setup to
> protect my network. I'm wondering why ipfw is returning packets, which I
> assume it's doing, when it filters a particular port like this:
>
> "139/tcp filtered netbios-ssn"
>
> result from an nmap scan. I would rather, like blackhole, just silently
> drop the packet, which causes the port scanner to lag all to hell and wait
> for the response timeout. Of course I have blackhole turned on, and that
> works for the FreeBSD box itself, but it does not work for the packets
> blocked by ipfw. Is there an IPFW option to drop a packet silently with no
> RST or ICMP returned (or anything else)?

Someone correct me if I'm wrong here, but in every instance I have seen
nmap return that result, it is _because_ of the behaviour you say you're
looking for.
An unfiltered port would have responded with RST, and nmap knows this, so
that if no RST comes back, it calls the port 'filtered'. Similar results
for UDP with no returned port-unreachable.

Using ipfw's 'deny' should produce the results you saw above, and do what
you want.

-- 
Greg White
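To make the distinction in the reply concrete, here is an added example (not from either poster) of two ipfw rulesets for the bridge: one using `deny`, which discards the packet and answers with nothing, and one using `reset` / `unreach port`, which answers the way an unfiltered host would. The outside interface name fxp0 and the LAN prefix 192.168.1.0/24 are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Assumed: outside interface fxp0, protected LAN 192.168.1.0/24.
OUTSIDE_IF="${OUTSIDE_IF:-fxp0}"
LAN="${LAN:-192.168.1.0/24}"

# Ruleset A: "deny" (alias "drop") discards the packet and sends nothing
# back, so a scanner gets no RST and no ICMP, reports the port as
# "filtered", and has to wait out its own timeout.
silent_rules() {
    cat <<EOF
add 1000 deny tcp from any to ${LAN} 139 in via ${OUTSIDE_IF}
add 1010 deny udp from any to ${LAN} 137,138 in via ${OUTSIDE_IF}
add 1020 allow ip from any to any
EOF
}

# Ruleset B: same filter, but "reset" returns a TCP RST and "unreach port"
# returns ICMP port-unreachable, exactly what an unfiltered closed port
# would do. A scanner then reports "closed" immediately instead of
# "filtered". This is the behaviour the poster wants to avoid.
noisy_rules() {
    cat <<EOF
add 1000 reset tcp from any to ${LAN} 139 in via ${OUTSIDE_IF}
add 1010 unreach port udp from any to ${LAN} 137,138 in via ${OUTSIDE_IF}
add 1020 allow ip from any to any
EOF
}

# Count the rules in a ruleset (read from stdin) that send something back
# to the sender. Useful as a review check before loading a ruleset.
count_responding() {
    grep -c -E '^add [0-9]+ (reset|unreach) ' || true
}

# Load a ruleset on the FreeBSD box: ipfw(8) reads rules from a file.
# Usage: apply_rules silent_rules   (needs root and a kernel with IPFIREWALL)
apply_rules() {
    tmp=$(mktemp) || return 1
    "$1" > "$tmp"
    ipfw -q -f flush && ipfw -q "$tmp"
    rm -f "$tmp"
}
```

Running `silent_rules | count_responding` should print 0, while `noisy_rules | count_responding` prints 2, which is the whole difference between a scan that stalls on timeouts and one that finishes at once.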