Date: Wed, 14 Jul 1999 11:41:07 +1000
From: "Wyatt, Anthony" <Anthony.Wyatt@its.csiro.au>
To: 'Stephen Hocking-Senior Programmer PGS Tensor Perth' <shocking@prth.pgs.com>
Cc: "'hackers@freebsd.org'" <hackers@freebsd.org>
Subject: RE: Setting up a firewall with dynamic IPs
Message-ID: <F232EAD3304FD211BD3C00A0C99AFA9F014DB809@hermes.la.csiro.au>
Stephen Hocking wrote:
> you discover when RTFMing. Oddly enough, running nmap with the Christmas tree
> scan (after I've allowed only smtp & ssh to be connected to) gives the
> following -
>
> Initiating FIN,NULL, UDP, or Xmas stealth scan against foo.bar.com
> Nmap run completed -- 1 IP address (1 host up) scanned in 64 seconds
>
> Any attempt to connect to the ports listed above (apart from ssh & smtp) just
> hangs. I take it that this is expected behaviour of the firewall accepting
> the connection and then hanging onto it in order to slow attackers down?

The scan you have run above sets all the flags in the TCP header (ACK, SYN,
RST, QLC, and PSH). If you have a rule that says something like "if ACK set,
let it in", then this scan will work.

I get around this by setting the rule that allows ACK traffic back in with
port limits 1024-65535. You would have to limit it to 1024-2048 and
2050-65535 so your nfs traffic could pass. You could also consider setting IP
address ranges to the nfs port ACK rule.

Beware of ssh configuration options that may want to connect to ports below
1024; you can change this behaviour (see the man page).

This should stop scans of services you run but don't want to advertise. You
will still see ssh and snmp.

Anthony
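The rule change Anthony describes, worked through as an added example (this is not code from the original mail, nor FreeBSD's ipfw; it is a small first-match model of the decision). It shows why a bare "ACK set, let it in" rule passes an all-flags probe aimed at an unadvertised port, why the 1024-2048 / 2050-65535 split still lets ordinary return traffic and NFS through, and how a separate address-limited ACK rule for port 2049 works. The rule names, the 10.0.0.x "trusted NFS client" prefix, the sample ports (110, 33001, 1022) and the packets themselves are constructed for the demo; the last packet models the caveat about an ssh client that binds a port below 1024.

```python
# Added example: first-match packet-filter model of the ACK rules in the reply above.
# Rule names, the trusted NFS client prefix and all sample packets are constructed.
from dataclasses import dataclass

ALL_FLAGS = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})
NFS_PORT = 2049  # the hole between 1024-2048 and 2050-65535 in the reply


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int
    flags: frozenset  # TCP flags set on this segment


def allow_services(pkt, open_ports=(22, 25)):
    """Connections to the advertised services (ssh and smtp) are always let in."""
    return pkt.dst_port in open_ports


def naive_ack(pkt):
    """The weak rule: any segment with ACK set is assumed to be return traffic."""
    return "ACK" in pkt.flags


def ack_high_ports(pkt, ranges=((1024, 2048), (2050, 65535))):
    """The reply's fix: ACK set AND destination port in an unprivileged range,
    with 2049 left out so NFS can get its own, tighter rule."""
    return "ACK" in pkt.flags and any(lo <= pkt.dst_port <= hi for lo, hi in ranges)


def ack_nfs_trusted(pkt, trusted_prefixes=("10.0.0.",)):
    """ACK rule for the NFS port, limited to known client addresses (assumed prefix)."""
    return ("ACK" in pkt.flags and pkt.dst_port == NFS_PORT
            and pkt.src_ip.startswith(trusted_prefixes))


def evaluate(pkt, ruleset):
    """First matching rule wins; anything unmatched falls through to deny."""
    for name, rule in ruleset:
        if rule(pkt):
            return name
    return "deny"


NAIVE_RULESET = [("allow-services", allow_services), ("allow-ack", naive_ack)]
HARDENED_RULESET = [
    ("allow-services", allow_services),
    ("allow-ack-highports", ack_high_ports),
    ("allow-ack-nfs", ack_nfs_trusted),
]

# Constructed traffic samples.
XMAS_PROBE = Packet("192.0.2.7", 110, ALL_FLAGS)  # all-flags probe at an unadvertised port
CLIENT_REPLY = Packet("198.51.100.9", 33001, frozenset({"ACK"}))  # reply to our outbound connection
NFS_REPLY_TRUSTED = Packet("10.0.0.5", NFS_PORT, frozenset({"ACK", "PSH"}))
NFS_REPLY_UNTRUSTED = Packet("192.0.2.7", NFS_PORT, frozenset({"ACK"}))
SSH_PRIV_PORT_REPLY = Packet("198.51.100.9", 1022, frozenset({"ACK"}))  # ssh client bound below 1024


def decisions(ruleset):
    """Decision per sample packet, so the two rulesets can be compared side by side."""
    samples = {
        "xmas_probe": XMAS_PROBE,
        "client_reply": CLIENT_REPLY,
        "nfs_reply_trusted": NFS_REPLY_TRUSTED,
        "nfs_reply_untrusted": NFS_REPLY_UNTRUSTED,
        "ssh_priv_port_reply": SSH_PRIV_PORT_REPLY,
    }
    return {name: evaluate(pkt, ruleset) for name, pkt in samples.items()}


if __name__ == "__main__":
    for label, rs in (("naive", NAIVE_RULESET), ("hardened", HARDENED_RULESET)):
        print(label, decisions(rs))
```

Running it shows the naive ruleset accepting every ACK-bearing packet, including the probe at port 110, while the hardened ruleset denies the probe, still passes the reply on port 33001, accepts the NFS reply only from the trusted prefix, and also denies the reply to a client that bound port 1022, which is the ssh caveat in the mail.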