From owner-freebsd-pf@FreeBSD.ORG Wed Aug 20 21:45:23 2008 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 44EAA1065671 for ; Wed, 20 Aug 2008 21:45:23 +0000 (UTC) (envelope-from jdc@parodius.com) Received: from mx01.sc1.parodius.com (mx01.sc1.parodius.com [72.20.106.3]) by mx1.freebsd.org (Postfix) with ESMTP id 2D2148FC1F for ; Wed, 20 Aug 2008 21:45:23 +0000 (UTC) (envelope-from jdc@parodius.com) Received: by mx01.sc1.parodius.com (Postfix, from userid 1000) id 11A241CC0BF; Wed, 20 Aug 2008 14:45:23 -0700 (PDT) Date: Wed, 20 Aug 2008 14:45:23 -0700 From: Jeremy Chadwick To: Leslie Jensen Message-ID: <20080820214523.GA57450@eos.sc1.parodius.com> References: <48AC266D.2030902@eskk.nu> <20080820143855.GA40160@eos.sc1.parodius.com> <48AC515B.7060409@eskk.nu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <48AC515B.7060409@eskk.nu> User-Agent: Mutt/1.5.18 (2008-05-17) Cc: freebsd-pf@freebsd.org Subject: Re: #2... sorry typing error Re: port stealth mode? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 20 Aug 2008 21:45:23 -0000 On Wed, Aug 20, 2008 at 07:16:11PM +0200, Leslie Jensen wrote: > Jeremy Chadwick skrev: >> On Wed, Aug 20, 2008 at 04:13:01PM +0200, Leslie Jensen wrote: >>> I've done some testing with Steve Gibsons "Shields up" >>> https://www.grc.com/x/ne.dll?bh0bkyd2 >>> >>> These tests lists the ports as closed but visible. >>> >>> Instead the site suggest that one uses stealth so that the ports are >>> not visible from the Internet. >>> >>> Is there a way to achieve this with PF? >> >> The "block" directive, along with "set block-policy drop" should suffice >> for accomplishing this in pf. >> > > Thank you Jeremy. > > I had "return" instead of "drop". > > Now when I do the test the ports 0, 1 and 53 are closed, not dropped. > > I do not have any rules to allow these ports. > > Any suggestions on what might be the reason for this? Based on my own attempts using Gibson's utility (grudgingly I might add), I have to assume he's talking about TCP ports and not UDP, and that there's only three result states returned: open, closed, or stealth. I assume the following: "Open" probably means a TCP connection was successfully made against the specific port -- meaning, the standard TCP connection handshake was successful (meaning a firewall is passing/allowing the TCP port, **and** there is a program listening on that TCP port). "Closed" probably means that a TCP connection failed against the specific port, but received either a TCP RST in response or an ICMP port unreachable message. "Stealth" probably means that a TCP connection failed against the specific port, and did not receive a TCP RST or ICMP port unreachable message. I can assure you that if you use pf's "block" directive, and ensure your block-policy is set to "drop", the FreeBSD box *will not* send back a TCP RST or an ICMP port unreachable when something attempts to connect to said port. Here's evidence: 72.20.106.125 attempts to connect to TCP port 89 on 72.20.106.126. 72.20.106.126 uses pf to block all incoming packets and only allow certain ports through -- TCP port 89 of which is NOT passed: 14:39:55.188088 IP 72.20.106.125.59153 > 72.20.106.126.89: S 3525520536:3525520536(0) win 65535 14:39:58.186955 IP 72.20.106.125.59153 > 72.20.106.126.89: S 3525520536:3525520536(0) win 65535 14:40:01.386830 IP 72.20.106.125.59153 > 72.20.106.126.89: S 3525520536:3525520536(0) win 65535 14:40:04.586707 IP 72.20.106.125.59153 > 72.20.106.126.89: S 3525520536:3525520536(0) win 65535 14:40:07.786585 IP 72.20.106.125.59153 > 72.20.106.126.89: S 3525520536:3525520536(0) win 65535 As you can see, there's no sign of TCP RST being emit by 72.20.106.126 in response to the connection, and there's also no ICMP port unreachable. If you're not using pf at all, you can use the sysctls described in the blackhole(4) manpage to achieve similar results -- but see the WARNING part of the manpage. Keep in mind that NAT port redirection can cause extra headaches, but it doesn't sound like you're testing against an IP that redirects ports via NAT. If you do use NAT, and have certain TCP redirected via a FreeBSD router to a machine on your local network, then there are further complications which need to be discussed. Again -- this is all speculative, because Gibson provides no technical data regarding how his utility works or what he's basing the results on. That is a serious problem, IMHO, and one reason why I tend to stay away from his utilities. Thirdly, regarding "ports 0 and 1" -- silly. Look at /etc/services; chances are you aren't using TCP or UDP port 1, and applications cannot bind to TCP or UDP port 0 (doing so, AFAIK, results in an application binding to an arbitrary/random port number), so I really have no idea what he's testing there. His own documentation even described this fact. Fourthly, you didn't state what FreeBSD version you're testing this against, or what your pf rules look like. Most importantly: you shouldn't base network/firewall security on the results of Gibson's utility. Meaning, if your goal is to make "Shields Up!" return a non-failure result, then you're probably wasting your time. -- | Jeremy Chadwick jdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP: 4BD6C0CB |