From owner-freebsd-security  Mon Oct 15 12:24:54 2001
Delivered-To: freebsd-security@freebsd.org
Received: from oksala.org (modemcable005.86-201-24.timi.mc.videotron.ca [24.201.86.5])
	by hub.freebsd.org (Postfix) with ESMTP id AA98F37B403
	for <security@freebsd.org>; Mon, 15 Oct 2001 12:24:50 -0700 (PDT)
Received: from videotron.ca (silence [24.201.86.5])
	by oksala.org (8.11.6/8.11.1) with ESMTP id f9FJNgh84725
	for <security@freebsd.org>; Mon, 15 Oct 2001 15:23:42 -0400 (EDT)
	(envelope-from "ghislainl"@videotron.ca)
Message-Id: <200110151923.f9FJNgh84725@oksala.org>
Date: Mon, 15 Oct 2001 15:23:42 -0400
From: Pierre-Luc =?iso-8859-1?Q?Lesp=E9rance?= <ghislainl@videotron.ca>
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.4-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: security@freebsd.org
Subject: Re: FreeBSD IPFW
References: <007f01c155a4$53166a60$03e2cbd8@server>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Jeremiah Gowdy wrote:
> 
> I'm using FreeBSD 4.4-STABLE with my transparent bridge/firewall setup to
> protect my network.  I'm wondering why ipfw is returning packets, which I
> assume it's doing, when it filters a particular port like this:
> 
> "139/tcp    filtered    netbios-ssn"
> 
> result from an nmap scan.  I would rather, like blackhole, just silently
> drop the packet, which causes the port scanner to lag all to hell and wait
> for the response timeout.  Of course I have blackhole turned on, and that
> works for the FreeBSD box itself, but it does not work for the packets
> blocked by ipfw.  Is there an IPFW option to drop a packet silently with no
> RST or ICMP returned (or anything else) ?
> 

I tried IPFilter with net.inet.tcp.blackhole and some return-icmp
First I send "destination unreachable" using that rule 

block return-icmp (3) in quick on ed0 proto tcp from any to any port =
21

And I used nmap and it showed 
21/tcp     closed      ftp

And after that I try "IP header bad" 

block return-icmp (12) in quick on ed0 proto tcp from any to any port =
21
and It wasn't showed in the nmap ( 2.54BETA29 ) report 

I don't know if it's what you want and I KNOW that IPFilter isn't IPFW !

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message