Date: Wed, 7 Oct 2009 17:11:33 +0200 From: "=?UTF-8?B?5paH6bOl?=" <bunchou@googlemail.com> To: "Helmut Schneider" <jumper99@gmx.de> Cc: freebsd-pf@freebsd.org Subject: Re: freebsd-pf Stealth Modus Message-ID: <20091007171133.21cf50ce@centaur.5550h.net> In-Reply-To: <hahnmk$ji6$1@ger.gmane.org> References: <6422287.58441254834893591.JavaMail.root@zimbra-store> <49F0693DC96541B4B9D7B61599A12CA4@vpe.de> <20091006182241.79d16c8c@centaur.5550h.net> <hag28i$26j$1@ger.gmane.org> <20091006210912.379434eb@centaur.5550h.net> <hahnmk$ji6$1@ger.gmane.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, 7 Oct 2009 11:40:36 +0200 "Helmut Schneider" <jumper99@gmx.de> wrote: > =E6=96=87=E9=B3=A5 <bunchou@googlemail.com> wrote: > > On Tue, 6 Oct 2009 20:28:33 +0200 > > "Helmut Schneider" <jumper99@gmx.de> wrote: > > > >> =E6=96=87=E9=B3=A5 <bunchou@googlemail.com> wrote: > >>> On Tue, 6 Oct 2009 17:23:09 +0200 > >>> "Helmut Schneider" <jumper99@gmx.de> wrote: > >>> > >>>> From: "Nico De Dobbeleer" <nico@elico-it.be> > >>>>> I just finished installing FreeBSD 7.x with pf in transparant > >>>>> bridging mode as the servers behind the firewall need to have an > >>>>> public ipaddress. Now is everything working fine and the FW is > >>>>> doing his job as it should be. When I nmap the FW I see the open > >>>>> ports and closed ports. Is there a way the get the FW running in > >>>>> stealth mode so that isn't possible anymore with nmap or any > >>>>> other scanning tool to see the open or closed ports? > >>>> > >>>> There is no "stealth". If a service responds to a request the > >>>> port is "open". If not it's closed. > >>> > >>> There is: just use "block drop" in your pf config or "set > >>> block-policy drop" (see man 5 pf.conf). This effectively stops > >>> sending TCP RST or UDP unreach packets. > >> > >> Consider a webserver where you pass HTTP and "block drop" SSH. 1 > >> port is open -> host not "stealth". > >> > >> But even if you "block drop" all incoming traffic to a host, if a > >> host is really down (and therefore stealth) the hosts' gateway > >> would send an ICMP type 3 packet (until you didn't cripple ICMP as > >> well). > >> > >> While sometimes it might be useful to "block drop" it has nothing > >> to do with being "stealth". > > > > Not replying to a probe in the mentioned way is exactly what is > > commonly referred to as "stealth mode" by consumer firewalls. Just > > try a simple google search for "stealth firewall" and you will see. >=20 > I know the term "stealth firewall" very well. It's a worthless > marketing buzzword. It suggests users that it could prevent an attack > or even the scan itself. Neither is correct. This is what I wanted to > point out and I was encouraged by the fact that the OP was talking > about "stealthing" open ports. Ok, I totally agree with your reasoning when it comes to the open ports and useless marketing hype. Nevertheless, I think that the word "stealth" fits very well in the case of closed ports as it makes it a (slight) bit harder to find if a host is up or not. Anyway, even if the OP's mail was a bit misleading, I think it would have helped him more if you had just explained what 'stealth' actually means, why you and steered him into the right direction in addition to what you wrote. And it would also have prevented this prolonged and utterly useless discussion we were leading ;)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20091007171133.21cf50ce>