From owner-freebsd-questions@FreeBSD.ORG Mon Sep 4 22:06:11 2006
Date: Mon, 4 Sep 2006 17:06:02 -0500
From: "Travis H."
To: "Ted Johnson"
Cc: freebsd-questions@freebsd.org
Subject: Re: How To Close Ports (OT?)
In-Reply-To: <20060904213809.98691.qmail@web58409.mail.re3.yahoo.com>
References: <20060904213809.98691.qmail@web58409.mail.re3.yahoo.com>
List-Id: User questions

On 9/4/06, Ted Johnson wrote:
> I also did a search of the document you suggested
> and it doesn't even have the word "close" in it, therefore, it would appear
> to not address the issue. From your reply, I'm missing something obvious
> here. But would you point it out anyway?

Fair enough. It's because dropping packets before they reach the port makes it irrelevant whether they are closed (that is, have no listening daemon) or not.

If a port scanner says the port is closed, it generally means that it got an ICMP unreachable (UDP) or a TCP reset (TCP) back. This is helpful to attackers as they know quickly that the port is useless to them, and that the target is online.

On the other hand, if you drop the incoming packets, the attacker cannot infer whether you are online, and most port scanners wait for some period and then decide that the target is not going to respond, so it slows down single-threaded scans.

In general, it is better to drop than to reject to untrusted networks, since the scanners are generally hostile. Internal communication on your LAN can usually be rejected, because internal users are generally not hostile. This means that if they try to access a service that isn't running, they get a response right away that they made a mistake, instead of waiting for a response which will never come.

Furthermore, a closed and an open port permit pretty good OS fingerprinting. I think that if you drop instead of reject, then an attacker cannot narrow down the OS as well.

In summary:

The way to close a port is to not run a program which listens on that port. This can be simulated by rejecting packets at the firewall.
The way to block a port is with packet filters, and there's no way to do that without one (unless you disable reject messages at the kernel level).
--
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
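The drop-versus-reject split described above, written as a FreeBSD pf.conf fragment (an added example, not from the message or any FreeBSD documentation); it assumes em0 is the untrusted interface, em1 the LAN interface, 192.168.1.0/24 the LAN, and SSH the only service run:

```pf
# Added example (not from the original message). Assumed interfaces and
# addresses: adjust to your host.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"

# Default for every "block" rule: silently discard, so nothing on the
# untrusted side gets a TCP RST or ICMP unreachable to learn from.
set block-policy drop

# Untrusted side: drop and log. A scanner sees only a timeout, whether
# the port has a listener or not.
block in log on $ext_if

# Trusted LAN: "return" overrides the default and sends RST/unreachable,
# so an internal user hitting a dead port gets an immediate error.
block return in on $int_if from $lan

# The one service that is actually listening; everything else stays blocked.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state
pass out all keep state
```

The kernel-level alternative the message mentions corresponds on FreeBSD to the sysctls net.inet.tcp.blackhole and net.inet.udp.blackhole, which suppress the RST or ICMP unreachable for ports with no listener.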