From: "Helmut Schneider"
To: freebsd-pf@freebsd.org
Date: Tue, 6 Oct 2009 20:28:33 +0200
Subject: Re: freebsd-pf Stealth Modus

文鳥 wrote:
> On Tue, 6 Oct 2009 17:23:09 +0200
> "Helmut Schneider" wrote:
>
>> From: "Nico De Dobbeleer"
>>> I just finished installing FreeBSD 7.x with pf in transparent
>>> bridging mode as the servers behind the firewall need to have a
>>> public IP address. Now everything is working fine and the FW is
>>> doing its job as it should. When I nmap the FW I see the open
>>> ports and closed ports. Is there a way to get the FW running in
>>> stealth mode so that it isn't possible anymore with nmap or any other
>>> scanning tool to see the open or closed ports?
>>
>> There is no "stealth". If a service responds to a request the port is
>> "open". If not it's closed.
>
> There is: just use "block drop" in your pf config or "set block-policy
> drop" (see man 5 pf.conf). This effectively stops sending TCP RST or
> UDP unreach packets.

Consider a webserver where you pass HTTP and "block drop" SSH. 1 port is open -> host not "stealth". But even if you "block drop" all incoming traffic to a host, if a host is really down (and therefore stealth) the host's gateway would send an ICMP type 3 packet (unless you crippled ICMP as well). While sometimes it might be useful to "block drop", it has nothing to do with being "stealth".

Helmut
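To make the "block return" versus "block drop" distinction from the thread concrete, here is an added pf.conf fragment for the transparent-bridge setup described above; it is example configuration written for this page, not from the thread or the FreeBSD project, and the interface names (em0/em1 on bridge0) and the server address 192.0.2.10 are assumed.

```pf
# Added example pf.conf for a transparent bridge (assumed: bridge0 joins
# em0 = outside and em1 = inside; web server 192.0.2.10 is a constructed address).
# Filtering on bridge member interfaces requires net.link.bridge.pfil_member=1
# (the FreeBSD default).
ext_if  = "em0"
web_srv = "192.0.2.10"

# Weak setting: blocked TCP gets a RST and blocked UDP an ICMP unreachable,
# so a scanner classifies every blocked port as "closed" and learns the host is up.
#set block-policy return

# Corrected setting: blocked packets are silently discarded. A scanner has to
# wait for its timeout and reports the port as "filtered" instead of "closed".
set block-policy drop
set skip on lo0

# Default deny for everything entering from the outside.
block in on $ext_if all

# The one service that is meant to be reachable. This port still answers,
# so it still shows as "open": dropping does not make the host "stealth".
pass in on $ext_if proto tcp to $web_srv port 80 flags S/SA keep state

# SSH to the server is simply not passed; under the drop policy the SYN
# vanishes rather than being answered with a RST.

# Let the server's own outbound traffic through with state.
pass out on $ext_if all keep state

# Note: blocking ICMP wholesale (including type 3) to suppress the gateway's
# unreachable messages also breaks path MTU discovery for the servers.
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; the only observable difference between the two policies is "closed" versus "filtered" on the non-passed ports.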