From: Pierre-Luc Lespérance (envelope-from "ghislainl"@videotron.ca)
Date: Mon, 15 Oct 2001 15:23:42 -0400
To: security@freebsd.org
Subject: Re: FreeBSD IPFW
Message-Id: <200110151923.f9FJNgh84725@oksala.org>
References: <007f01c155a4$53166a60$03e2cbd8@server>
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.4-STABLE i386)

Jeremiah Gowdy wrote:
>
> I'm using FreeBSD 4.4-STABLE with my transparent bridge/firewall setup to
> protect my network. I'm wondering why ipfw is returning packets, which I
> assume it's doing, when it filters a particular port like this:
>
> "139/tcp filtered netbios-ssn"
>
> result from an nmap scan. I would rather, like blackhole, just silently
> drop the packet, which causes the port scanner to lag all to hell and wait
> for the response timeout. Of course I have blackhole turned on, and that
> works for the FreeBSD box itself, but it does not work for the packets
> blocked by ipfw. Is there an IPFW option to drop a packet silently with no
> RST or ICMP returned (or anything else)?

I tried IPFilter with net.inet.tcp.blackhole and some return-icmp rules.

First I sent "destination unreachable" using this rule:

    block return-icmp (3) in quick on ed0 proto tcp from any to any port = 21

and nmap showed:

    21/tcp closed ftp

After that I tried "IP header bad":

    block return-icmp (12) in quick on ed0 proto tcp from any to any port = 21

and it wasn't shown in the nmap (2.54BETA29) report at all.

I don't know if it's what you want, and I KNOW that IPFilter isn't IPFW!
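Added example, not part of the thread and not code from either poster: the three ways a firewall rule on FreeBSD can answer a blocked TCP SYN, written as ipfw(8) rules with the matching ipf(8) lines beside them. Two facts frame it: ipfw's plain "deny" action already discards the packet without sending a RST or an ICMP message, and nmap reports a port as "filtered" precisely when it received no reply before its own timeout (a RST comes back as "closed"). The interface name fxp0 and port 139 are assumed values chosen to match the question; substitute your bridge interface.

```sh
#!/bin/sh
# Added example (not from the list thread): the three responses an ipfw(8)
# rule can give a blocked TCP SYN, next to the equivalent ipf(8) rules.
# IFACE and PORT are assumed values for illustration only.
IFACE="fxp0"
PORT="139"

# ipfw_rule MODE: print one ipfw rule for the given response mode.
#   drop    -> "deny": discard silently, no RST and no ICMP; the scanner
#              sits through its own timeout and nmap reports "filtered"
#   reset   -> "reset": answer with a TCP RST; nmap reports "closed"
#   unreach -> "unreach port": answer with ICMP type 3 code 3
ipfw_rule() {
    case "$1" in
        drop)    action="deny" ;;
        reset)   action="reset" ;;
        unreach) action="unreach port" ;;
        *)       echo "ipfw_rule: unknown mode '$1'" >&2; return 1 ;;
    esac
    printf 'ipfw add %s tcp from any to any %s in via %s\n' \
        "$action" "$PORT" "$IFACE"
}

# ipf_rule MODE: the equivalent ipf.conf line for the same three modes.
ipf_rule() {
    case "$1" in
        drop)    action="block" ;;
        reset)   action="block return-rst" ;;
        unreach) action="block return-icmp(port-unr)" ;;
        *)       echo "ipf_rule: unknown mode '$1'" >&2; return 1 ;;
    esac
    printf '%s in quick on %s proto tcp from any to any port = %s\n' \
        "$action" "$IFACE" "$PORT"
}

# show_rules: print both rule sets side by side so they can be reviewed
# before anything is loaded into a live firewall.
show_rules() {
    for mode in drop reset unreach; do
        echo "# $mode"
        ipfw_rule "$mode"
        echo "# ipf equivalent"
        ipf_rule "$mode"
        echo
    done
}

# apply_ipfw MODE: load the ipfw rule on a FreeBSD host; anywhere ipfw is
# not in PATH, only print what would have been run.
apply_ipfw() {
    rule="$(ipfw_rule "$1")" || return 1
    if command -v ipfw >/dev/null 2>&1; then
        $rule
    else
        echo "(dry run) $rule"
    fi
}

show_rules
```

For the transparent-bridge case in the question, ipfw only sees bridged frames when net.link.ether.bridge_ipfw is set to 1 on FreeBSD 4.x; with that in place, a "deny" rule on the bridge gives the silent-drop behaviour the question asks for, and "reset" or "unreach port" are the options to reach for when a fast, explicit refusal is wanted instead (for example so legitimate clients fail quickly rather than hang).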