From: Matthew Seaman
Organization: Infracaninophile
To: David Allen
Cc: freebsd-questions@freebsd.org
Subject: Re: Dealing with portscans
Date: Tue, 23 Sep 2008 06:46:41 +0100
Message-ID: <48D882C1.2050206@infracaninophile.co.uk>
In-Reply-To: <2daa8b4e0809221512o5c85d286qb8da358fb9d5ee66@mail.gmail.com>

David Allen wrote:
> On 9/22/08, Matthew Seaman wrote:
>> Also consider the following sysctls:
>>
>> # Blackhole packets to ports without listeners
>> net.inet.tcp.blackhole=1
>> net.inet.udp.blackhole=1
>>
>> although these will be redundant if your firewalling is effective.
>
> I wonder, though, would using a block-policy setting of return (which
> I'm currently using) render the above redundant, or would the above
> take precedence? I'll have to add that to the list of Stuff to Check.

Yes. If the firewall disposes of the packet via a block rule, then those
sysctls will not have any effect. The firewall can either drop the
packet or send an ICMP port unreachable message according to how it is
configured.

If the firewall passes the packet then either it is dealt with by a
program listening on the appropriate port, or the network stack itself
will generate an ICMP message (by default) or else just drop the packet
if the blackhole sysctls are enabled.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
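The precedence described in the reply (firewall first, then a listening program, then the stack's blackhole sysctls) decides what a port scanner actually sees. The following is an added model of that decision order, written for this page and not code from the mailing-list thread or from FreeBSD. It goes a little beyond the mail: it distinguishes `net.inet.tcp.blackhole=1` (swallow bare SYNs to closed ports) from `=2` (swallow any segment to a closed port) as documented in blackhole(4), and it records that a closed TCP port normally answers with a RST while a closed UDP port answers with ICMP port unreachable. The pf `block-policy drop` / `block-policy return` semantics follow pf.conf(5). The function names, the response labels and the nmap state mapping are this example's own conventions.

```python
"""Added model (not from the original mail): who answers an unsolicited packet
on a FreeBSD host, in the order the thread describes -- firewall first, then a
listening program, then the stack's blackhole sysctls.  Blackhole behaviour
follows blackhole(4); the pf actions follow pf.conf(5).

Settings modelled (they would live in /etc/sysctl.conf and /etc/pf.conf):
    net.inet.tcp.blackhole=1   # drop bare SYN to closed TCP ports, no RST
    net.inet.udp.blackhole=1   # drop datagrams to closed UDP ports, no ICMP
    set block-policy drop      # pf: silently discard blocked packets
    set block-policy return    # pf: answer blocked packets with RST / ICMP
"""
from enum import Enum
from itertools import product


class FwAction(Enum):
    PASS = "pass"
    BLOCK_DROP = "block drop"
    BLOCK_RETURN = "block return"


def wire_response(proto, fw_action, listener, tcp_blackhole=0, udp_blackhole=0,
                  syn_only=True):
    """What the probing host gets back for one unsolicited packet.

    proto: "tcp" or "udp".  syn_only: the TCP segment is a bare SYN (as in a
    SYN scan); tcp.blackhole=1 only swallows those, =2 swallows any segment
    to a closed port.  Returns "syn-ack", "rst", "icmp-port-unreach",
    "daemon" (whatever the listening program chooses to send) or "none".
    """
    if proto not in ("tcp", "udp"):
        raise ValueError("unsupported protocol: %r" % proto)

    # 1. The firewall disposes of the packet before the stack ever sees it,
    #    so the blackhole sysctls cannot influence this branch.
    if fw_action is FwAction.BLOCK_DROP:
        return "none"
    if fw_action is FwAction.BLOCK_RETURN:
        return "rst" if proto == "tcp" else "icmp-port-unreach"

    # 2. Passed by the firewall: a program bound to the port answers itself.
    if listener:
        return "syn-ack" if proto == "tcp" else "daemon"

    # 3. Passed, nothing listening: the stack answers unless blackholed.
    if proto == "tcp":
        if tcp_blackhole >= 2 or (tcp_blackhole == 1 and syn_only):
            return "none"
        return "rst"
    return "none" if udp_blackhole else "icmp-port-unreach"


def nmap_state(proto, response):
    """How a SYN scan (-sS) or UDP scan (-sU) would label the port."""
    if proto == "tcp":
        return {"syn-ack": "open", "rst": "closed", "none": "filtered"}[response]
    if response == "daemon":
        return "open"
    return {"icmp-port-unreach": "closed", "none": "open|filtered"}[response]


def blackhole_matters(proto, fw_action, listener=False):
    """True if toggling the blackhole sysctls changes what the scanner sees.

    This is the question asked in the thread: with block-policy return in
    force, are the sysctls redundant?  They are; they only bite on packets
    the firewall passes to a port with no listener.
    """
    seen = {wire_response(proto, fw_action, listener,
                          tcp_blackhole=bh, udp_blackhole=bh)
            for bh in (0, 1)}
    return len(seen) > 1


if __name__ == "__main__":
    # Table for a port with no listener, every pf action, sysctls off and on.
    for proto, action in product(("tcp", "udp"), FwAction):
        for bh in (0, 1):
            r = wire_response(proto, action, listener=False,
                              tcp_blackhole=bh, udp_blackhole=bh)
            print(f"{proto} {action.value:12} blackhole={bh}: "
                  f"{r:18} -> {nmap_state(proto, r)}")
```

Running the module prints the full table; the rows for `block drop` and `block return` are identical whether the sysctls are on or off, which is the redundancy the reply points out. The only rows that change are the `pass` rows with no listener, where a blackholed port flips from `closed` to `filtered` (TCP) or `open|filtered` (UDP) in a scanner's eyes.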