Date: Wed, 7 Oct 2009 16:10:19 +0200 (CEST)
From: Nico De Dobbeleer <nico@elico-it.be>
To: freebsd-pf@freebsd.org
Subject: Re: freebsd-pf Digest, Vol 263, Issue 3
Message-ID: <23087185.63661254924619867.JavaMail.root@zimbra-store>
In-Reply-To: <24402806.63641254924566875.JavaMail.root@zimbra-store>
From: "Nico De Dobbeleer" <nico@elico-it.be>
> I just finished installing FreeBSD 7.x with pf in transparent bridging
> mode as the servers behind the firewall need to have a public
> IP address. Now everything is working fine and the FW is doing its job as
> it should be. When I nmap the FW I see the open ports and closed ports.
> Is there a way to get the FW running in stealth mode so that it isn't
> possible anymore with nmap or any other scanning tool to see the open or
> closed ports?

There is no "stealth". If a service responds to a request the port is
"open". If not it's closed.

Helmut

------------------------------

Message: 3
Date: Tue, 6 Oct 2009 18:22:41 +0200
From: <bunchou@googlemail.com>
Subject: Re: freebsd-pf Stealth Modus
To: "Helmut Schneider" <jumper99@gmx.de>
Cc: Nico De Dobbeleer <nico@elico-it.be>, freebsd-pf@freebsd.org
Message-ID: <20091006182241.79d16c8c@centaur.5550h.net>
Content-Type: text/plain; charset=US-ASCII

On Tue, 6 Oct 2009 17:23:09 +0200
"Helmut Schneider" <jumper99@gmx.de> wrote:

> From: "Nico De Dobbeleer" <nico@elico-it.be>
> > I just finished installing FreeBSD 7.x with pf in transparent
> > bridging mode as the servers behind the firewall need to have a
> > public IP address. Now everything is working fine and the FW is
> > doing its job as it should be. When I nmap the FW I see the open
> > ports and closed ports. Is there a way to get the FW running in
> > stealth mode so that it isn't possible anymore with nmap or any other
> > scanning tool to see the open or closed ports?
>
> There is no "stealth". If a service responds to a request the port is
> "open". If not it's closed.
>
> Helmut

There is: just use "block drop" in your pf config or "set block-policy
drop" (see man 5 pf.conf). This effectively stops sending TCP RST or UDP
unreach packets.

------------------------------

Message: 4
Date: Tue, 6 Oct 2009 20:28:33 +0200
From: "Helmut Schneider" <jumper99@gmx.de>
Subject: Re: freebsd-pf Stealth Modus
To: freebsd-pf@freebsd.org
Message-ID: <hag28i$26j$1@ger.gmane.org>
Content-Type: text/plain; format=flowed; charset="UTF-8"; reply-type=original

<bunchou@googlemail.com> wrote:
> On Tue, 6 Oct 2009 17:23:09 +0200
> "Helmut Schneider" <jumper99@gmx.de> wrote:
>
>> From: "Nico De Dobbeleer" <nico@elico-it.be>
>>> I just finished installing FreeBSD 7.x with pf in transparent
>>> bridging mode as the servers behind the firewall need to have a
>>> public IP address. Now everything is working fine and the FW is
>>> doing its job as it should be. When I nmap the FW I see the open
>>> ports and closed ports. Is there a way to get the FW running in
>>> stealth mode so that it isn't possible anymore with nmap or any other
>>> scanning tool to see the open or closed ports?
>>
>> There is no "stealth". If a service responds to a request the port is
>> "open". If not it's closed.
>
> There is: just use "block drop" in your pf config or "set block-policy
> drop" (see man 5 pf.conf). This effectively stops sending TCP RST or
> UDP unreach packets.

Consider a webserver where you pass HTTP and "block drop" SSH. 1 port is
open -> host not "stealth".

But even if you "block drop" all incoming traffic to a host, if a host is
really down (and therefore stealth) the host's gateway would send an ICMP
type 3 packet (unless you cripple ICMP as well).

While sometimes it might be useful to "block drop" it has nothing to do
with being "stealth".

Helmut

------------------------------

Message: 5
Date: Tue, 6 Oct 2009 21:09:12 +0200
From: <bunchou@googlemail.com>
Subject: Re: freebsd-pf Stealth Modus
To: "Helmut Schneider" <jumper99@gmx.de>
Cc: freebsd-pf@freebsd.org
Message-ID: <20091006210912.379434eb@centaur.5550h.net>
Content-Type: text/plain; charset=UTF-8

On Tue, 6 Oct 2009 20:28:33 +0200
"Helmut Schneider" <jumper99@gmx.de> wrote:

> <bunchou@googlemail.com> wrote:
> > On Tue, 6 Oct 2009 17:23:09 +0200
> > "Helmut Schneider" <jumper99@gmx.de> wrote:
> >
> >> From: "Nico De Dobbeleer" <nico@elico-it.be>
> >>> I just finished installing FreeBSD 7.x with pf in transparent
> >>> bridging mode as the servers behind the firewall need to have a
> >>> public IP address. Now everything is working fine and the FW is
> >>> doing its job as it should be. When I nmap the FW I see the open
> >>> ports and closed ports. Is there a way to get the FW running in
> >>> stealth mode so that it isn't possible anymore with nmap or any other
> >>> scanning tool to see the open or closed ports?
> >>
> >> There is no "stealth". If a service responds to a request the port
> >> is "open". If not it's closed.
> >
> > There is: just use "block drop" in your pf config or "set
> > block-policy drop" (see man 5 pf.conf). This effectively stops
> > sending TCP RST or UDP unreach packets.
>
> Consider a webserver where you pass HTTP and "block drop" SSH. 1 port
> is open -> host not "stealth".
>
> But even if you "block drop" all incoming traffic to a host, if a
> host is really down (and therefore stealth) the host's gateway would
> send an ICMP type 3 packet (unless you cripple ICMP as well).
>
> While sometimes it might be useful to "block drop" it has nothing to
> do with being "stealth".
>
> Helmut

Not replying to a probe in the mentioned way is exactly what is commonly
referred to as "stealth mode" by consumer firewalls. Just try a simple
google search for "stealth firewall" and you will see.

Besides, if only a few (uncommon) ports are open, a limited scan is
unlikely to find them, thus calling it "stealth" (aka "low observability"
according to wikipedia) is appropriate imho. There is a difference between
stealth and invisibility.

------------------------------

Message: 6
Date: Wed, 7 Oct 2009 11:40:36 +0200
From: "Helmut Schneider" <jumper99@gmx.de>
Subject: Re: freebsd-pf Stealth Modus
To: freebsd-pf@freebsd.org
Message-ID: <hahnmk$ji6$1@ger.gmane.org>
Content-Type: text/plain; format=flowed; charset="UTF-8"; reply-type=original

<bunchou@googlemail.com> wrote:
> On Tue, 6 Oct 2009 20:28:33 +0200
> "Helmut Schneider" <jumper99@gmx.de> wrote:
>
>> <bunchou@googlemail.com> wrote:
>>> On Tue, 6 Oct 2009 17:23:09 +0200
>>> "Helmut Schneider" <jumper99@gmx.de> wrote:
>>>
>>>> From: "Nico De Dobbeleer" <nico@elico-it.be>
>>>>> I just finished installing FreeBSD 7.x with pf in transparent
>>>>> bridging mode as the servers behind the firewall need to have a
>>>>> public IP address. Now everything is working fine and the FW is
>>>>> doing its job as it should be. When I nmap the FW I see the open
>>>>> ports and closed ports. Is there a way to get the FW running in
>>>>> stealth mode so that it isn't possible anymore with nmap or any other
>>>>> scanning tool to see the open or closed ports?
>>>>
>>>> There is no "stealth". If a service responds to a request the port
>>>> is "open". If not it's closed.
>>>
>>> There is: just use "block drop" in your pf config or "set
>>> block-policy drop" (see man 5 pf.conf). This effectively stops
>>> sending TCP RST or UDP unreach packets.
>>
>> Consider a webserver where you pass HTTP and "block drop" SSH. 1 port
>> is open -> host not "stealth".
>>
>> But even if you "block drop" all incoming traffic to a host, if a
>> host is really down (and therefore stealth) the host's gateway would
>> send an ICMP type 3 packet (unless you cripple ICMP as well).
>>
>> While sometimes it might be useful to "block drop" it has nothing to
>> do with being "stealth".
>
> Not replying to a probe in the mentioned way is exactly what is
> commonly referred to as "stealth mode" by consumer firewalls. Just try
> a simple google search for "stealth firewall" and you will see.

I know the term "stealth firewall" very well. It's a worthless marketing
buzzword. It suggests to users that it could prevent an attack or even the
scan itself. Neither is correct. This is what I wanted to point out and I
was encouraged by the fact that the OP was talking about "stealthing" open
ports.

-------------------

Already many thanks for the info. I've already added "set block-policy
drop". I've done an nmap and it's apparently able to find out the settings
below of my pf FW:

MAC Address: 00:0E:2E:xx:xx:xx (Edimax Technology Co.)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: FreeBSD 7.X
OS details: FreeBSD 7.1-PRERELEASE
Uptime guess: 0.000 days (since Wed Oct 07 16:02:00 2009)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: FreeBSD

Is there a way to block this info?
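The pf.conf below is an added example, not configuration posted by anyone in this thread. It puts the "set block-policy drop" that bunchou recommends and Nico has added into a minimal ruleset for a transparent bridge, and keeps one rule as "block return" so the two behaviours can be compared from the scanner's side. Interface names, the bridge member layout and the server address are assumptions for illustration.

```pf
# Added example (not from the thread): pf.conf for a transparent bridge
# that silently drops what it does not pass. Interface names and the
# server address are assumed. FreeBSD's if_bridge runs pf on the member
# interfaces by default (net.link.bridge.pfil_member=1), so filtering is
# done on the upstream member only and the server-side member is skipped.
ext_if  = "em0"            # upstream bridge member (assumed)
int_if  = "em1"            # server-side bridge member (assumed)
web_srv = "203.0.113.10"   # public address of a server behind the bridge (assumed)

# Drop blocked packets silently instead of answering with a TCP RST or an
# ICMP unreachable. A scanner then reports blocked ports as "filtered"
# instead of "closed"; it still sees every port that is passed.
set block-policy drop
set skip on { lo0 $int_if }

# Reassemble fragments on the way in; random-id rewrites the incremental
# IP ID that nmap reported, on packets leaving through this interface.
scrub in on $ext_if all
scrub out on $ext_if all random-id

# Default deny in both directions, logged to pflog0 so dropped probes
# remain visible to the operator even though the scanner gets no answer.
block in log on $ext_if all
block out log on $ext_if all

# The only thing a probe gets an answer from: the web service.
pass in quick on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state

# Per-rule override, for comparison only: this answers with a RST, so nmap
# shows 22/tcp as "closed" while the other blocked ports show "filtered".
# Remove it to get the uniform "filtered" result of the global policy.
block return in quick on $ext_if proto tcp from any to $web_srv port 22

# Connections the servers open themselves; replies are matched by state.
pass out quick on $ext_if from $web_srv to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Scanning the bridge afterwards illustrates both sides of the argument above: port 80 is still reported open, and once every other port is dropped rather than reset, nmap loses the "closed" port its OS detection wants, which is exactly the warning in Nico's output; the open port and the replies from the stack behind it still feed the fingerprint, so the result is reduced observability rather than invisibility.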
