Date:      Mon, 15 Oct 2001 22:18:21 +0200 (CEST)
From:      Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
To:        Greg White <gregw-freebsd-security@greg.cex.ca>, Jeremiah Gowdy <jgowdy@home.com>
Cc:        security@FreeBSD.ORG
Subject:   Re: FreeBSD IPFW
Message-ID:  <Pine.BSF.4.21.0110152201330.424-100000@lhotse.zaraska.dhs.org>
In-Reply-To: <20011015115556.A16917@greg.cex.ca>

On Mon, 15 Oct 2001, Greg White wrote:

> On Mon, Oct 15, 2001 at 11:07:59AM -0700, Jeremiah Gowdy wrote:
> > I'm using FreeBSD 4.4-STABLE with my transparent bridge/firewall setup to
> > protect my network.  I'm wondering why ipfw is returning packets, which I
> > assume it's doing, when it filters a particular port like this:
> > 
> > "139/tcp    filtered    netbios-ssn"
> > 
> > result from an nmap scan.  I would rather, like blackhole, just silently
> > drop the packet, which causes the port scanner to lag all to hell and wait
> > for the response timeout.  Of course I have blackhole turned on, and that
> > works for the FreeBSD box itself, but it does not work for the packets
> > blocked by ipfw.  Is there an IPFW option to drop a packet silently with no
> > RST or ICMP returned (or anything else) ?
> 
> Someone correct me if I'm wrong here, but in every instance I have seen
> nmap return that result, it is _because_ of the behaviour you say you're
> looking for. An unfiltered port would have responded with RST, and nmap
> knows this, so that if no RST comes back, it calls the port 'filtered'.
> Similar results for UDP with no returned port-unreachable.
> 
> Using ipfw's 'deny' should produce the results you saw above, and do
> what you want.  
Yes, this is right. 'deny' just drops the packet on the floor silently. 

If you want to make sure, just run tcpdump on the scanning box and launch nmap.
You should see only "one-way" traffic -- that is, from the scanning host to
the scanned host.

As for blackhole being turned on -- well, since you told ipfw to drop the packet
before it reaches the TCP stack, this will have no effect here.

Please also note that if you are doing a UDP scan on a filtered port, nmap may
report it as open. This is due to the fact that an open UDP port returns no
reply while a closed one returns ICMP Port Unreachable. Since a blocked
port also returns no reply, it may be reported as open, while it is
filtered.

Krzysztof
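The behaviour discussed in this thread, as an added example that is not part of the original message and not FreeBSD or nmap code: a small model of the three layers involved (an ipfw rule consulted before the packet reaches the stack, the host's net.inet.tcp.blackhole/net.inet.udp.blackhole setting, and the scanner's interpretation of whatever comes back). The ipfw actions modelled are the real `deny` (silent drop), `reset` (TCP RST back) and `unreach` (ICMP unreachable back); the listening ports, the rule table and the probe list are constructed sample data.

```python
"""Model of what a port scanner sees when probing a FreeBSD host behind ipfw.

Added example, not code from the thread. Host state, ipfw rules and probes
below are constructed sample data, not a real configuration.
"""

from dataclasses import dataclass, field


@dataclass
class Host:
    # Ports the host actually has listeners on (constructed sample).
    tcp_listen: set
    udp_listen: set
    # net.inet.tcp.blackhole: 0 = answer closed ports with RST,
    # 2 = never send RST. net.inet.udp.blackhole: 0/1 likewise for ICMP.
    tcp_blackhole: int = 0
    udp_blackhole: int = 0
    # ipfw rules, checked before the packet reaches the stack:
    # {(proto, port): action}, action in {"deny", "reset", "unreach"}.
    ipfw: dict = field(default_factory=dict)


def respond(host, proto, port):
    """Reply elicited by one probe to (proto, port), or None for silence."""
    action = host.ipfw.get((proto, port))
    if action == "deny":
        # Dropped by ipfw; the stack never sees it, so blackhole is irrelevant.
        return None
    if action == "reset":
        return "RST" if proto == "tcp" else None
    if action == "unreach":
        return "ICMP-port-unreach"
    if proto == "tcp":
        if port in host.tcp_listen:
            return "SYN/ACK"
        return None if host.tcp_blackhole else "RST"
    # UDP: an open port with no application-level reply is silent, and so
    # is a closed port when udp.blackhole is set.
    if port in host.udp_listen:
        return None
    return None if host.udp_blackhole else "ICMP-port-unreach"


def classify(proto, reply):
    """nmap-style interpretation of the reply to a single probe."""
    if proto == "tcp":
        if reply == "SYN/ACK":
            return "open"
        if reply == "RST":
            return "closed"
        return "filtered"  # silence or any ICMP error
    if reply == "ICMP-port-unreach":
        return "closed"
    return "open|filtered"  # silence: cannot tell open from blocked


def scan(host, probes):
    """Return {(proto, port): state} for every probe."""
    return {(p, port): classify(p, respond(host, p, port)) for p, port in probes}


def ipfw_rules(host, start=1000):
    """Render the modelled rule table as ipfw(8) commands (for reading only)."""
    lines = []
    for i, ((proto, port), action) in enumerate(sorted(host.ipfw.items())):
        lines.append(f"ipfw add {start + i * 10} {action} {proto} from any to any {port}")
    return lines


# Constructed sample: sshd and a DNS listener, with ipfw hiding NetBIOS.
SAMPLE_HOST = Host(
    tcp_listen={22},
    udp_listen={53},
    ipfw={("tcp", 139): "deny", ("udp", 137): "deny", ("tcp", 445): "reset"},
)
SAMPLE_PROBES = [("tcp", 22), ("tcp", 23), ("tcp", 139), ("tcp", 445),
                 ("udp", 53), ("udp", 137), ("udp", 1234)]

if __name__ == "__main__":
    for line in ipfw_rules(SAMPLE_HOST):
        print(line)
    for key, state in sorted(scan(SAMPLE_HOST, SAMPLE_PROBES).items()):
        print(f"{key[1]}/{key[0]:<4} {state}")
```

Running it shows the point of the thread: tcp/139 under a `deny` rule comes back "filtered" whether or not tcp.blackhole is set, tcp/445 under `reset` comes back "closed" (the scanner is answered), and udp/137 under `deny` is indistinguishable from the genuinely open udp/53, both "open|filtered".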






