From owner-freebsd-questions@FreeBSD.ORG Fri Nov 28 08:59:52 2003
Date: Fri, 28 Nov 2003 11:59:51 -0500
From: Louis LeBlanc
To: FreeBSD Questions
Message-ID: <20031128165951.GA44168@keyslapper.org>
Subject: adaptive stealth in ipfw?

I have a question about 'adaptive stealthing' for port 113.
First, adaptive stealth means that unless the remote system has a previous relationship with the local system, any request on the stealthed port results in a dropped packet, or an unreachable host. I assume that means the unreach keyword is used in the ipfw command, but please correct me if I'm wrong.

I was introduced to a fantastic web site, http://www.grc.com/, which has some impressive information about security and a number of other things. Steve Gibson's 'Shields Up' web service will scan your system and tell you where your vulnerabilities lie, and explain the ports in pretty good detail.

One thing I found is that port 113 is a tricky problem. Simply stealthing the port altogether can cause potential problems with connectivity. Leaving it closed avoids the problem, but may be an invite to aggressive and unscrupulous individuals. Steve describes the practice of adaptive stealthing, which is practiced by the 'Zone Alarm' personal firewall (a Windows-based Freeware product).

So I got curious about this and read up a little on ipfw(8). The real problem is that I'm a bit slow with the finer points of intelligent firewalls and can't seem to pick up the nontrivial technical details - short span of attention when I get time to look at it, probably.

So I'd like to hear some thoughts on the subject from those that have done it or are familiar with it. I'm fully aware that it may be an unnecessary step, given that I still have other ports open, but I am curious about it and would appreciate an explanation on how it can be done through ipfw.

Thanks all
Lou
--
Louis LeBlanc leblanc@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org

problem drinker, n.: A man who never buys.
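The adaptive-stealth policy described in the message, modelled as a small decision function. This is an added example, not part of the original post and not ipfw syntax; the class name, the 300-second idle timeout, the action labels and the event list are all assumptions made for illustration.

```python
# Model of "adaptive stealth" for port 113 (ident): an inbound connection
# request is passed to the local stack only if this host recently opened an
# outbound connection to the same remote address; otherwise it is dropped
# silently. Names, timeout and sample events are constructed for illustration.

class AdaptiveStealth:
    def __init__(self, ports=(113,), idle_timeout=300.0):
        self.ports = frozenset(ports)      # ports that get adaptive treatment
        self.idle_timeout = idle_timeout   # seconds a "relationship" is remembered
        self._peers = {}                   # remote IP -> time of last outbound connect

    def outbound(self, remote_ip, now):
        """Record that the local host initiated a connection to remote_ip."""
        self._peers[remote_ip] = now

    def _expire(self, now):
        """Forget peers we have not contacted within the idle timeout."""
        stale = [ip for ip, seen in self._peers.items()
                 if now - seen > self.idle_timeout]
        for ip in stale:
            del self._peers[ip]

    def inbound_syn(self, src_ip, dst_port, now):
        """Return the action for an inbound TCP connection request."""
        if dst_port not in self.ports:
            return "other-rules"           # not a stealthed port: rest of ruleset decides
        self._expire(now)
        return "pass" if src_ip in self._peers else "drop"


def replay(events, fw):
    """Feed (time, direction, remote_ip, port) events; return inbound decisions."""
    decisions = []
    for now, direction, ip, port in events:
        if direction == "out":
            fw.outbound(ip, now)
        else:
            decisions.append(fw.inbound_syn(ip, port, now))
    return decisions


# Constructed sample traffic (documentation address ranges).
SAMPLE_EVENTS = [
    (0,   "in",  "198.51.100.7", 113),  # unsolicited probe
    (10,  "out", "192.0.2.25",   25),   # we connect to a mail server
    (11,  "in",  "192.0.2.25",   113),  # that server's ident query
    (12,  "in",  "198.51.100.7", 113),  # probe again
    (400, "in",  "192.0.2.25",   113),  # relationship has timed out
    (401, "in",  "198.51.100.7", 22),   # different port, not handled here
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS, AdaptiveStealth()))
```
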