Date: Wed, 7 Oct 2009 17:48:46 +0200
From: "文鳥" <bunchou@googlemail.com>
To: Nico De Dobbeleer <nico@elico-it.be>
Cc: freebsd-pf@freebsd.org
Subject: Re: freebsd-pf Digest, Vol 263, Issue 3
Message-ID: <20091007174846.32846614@centaur.5550h.net>
In-Reply-To: <23087185.63661254924619867.JavaMail.root@zimbra-store>
References: <24402806.63641254924566875.JavaMail.root@zimbra-store> <23087185.63661254924619867.JavaMail.root@zimbra-store>

> Already many thanks for the info. I've added already the "set
> block-policy drop". I've done an nmap and it's apparently able to find
> out the setting below of my pf FW:
>
> MAC Address: 00:0E:2E:xx:xx:xx (Edimax Technology Co.)
> Warning: OSScan results may be unreliable because we could not find
> at least 1 open and 1 closed port
> Device type: general purpose
> Running: FreeBSD 7.X
> OS details: FreeBSD 7.1-PRERELEASE
> Uptime guess: 0.000 days (since Wed Oct 07 16:02:00 2009)
> Network Distance: 1 hop
> TCP Sequence Prediction: Difficulty=260 (Good luck!)
> IP ID Sequence Generation: Incremental
> Service Info: OS: FreeBSD
>
>
> Is there a way to block this info?

Possible, but may be disruptive to your networking, depending on your
network environment and what you block. As I know nothing about your
setup or pf.conf, and thus cannot tell you anything more specific, I
will just explain what you can do to investigate and reduce the flow of
data, but from there on you're on your own.

First of all, check what ICMP messages come through and consider
blocking these (take a look at the relevant RFCs first, though).

Secondly, you can capture the data that nmap sends and the other end's
replies using tcpdump, wireshark, whatever. Of interest are the
responses you actually get from the scanned host. Find out what
protocols those responses belong to (google, etc.), decide whether it is
worthwhile to block that data and, finally, check 'man pf.conf' to see
how to do just that.

BTW: please limit the amount of text you quote.
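
The capture-and-classify step described in the reply, as an added example that is not part of the original message: a Python script that reads `tcpdump -n` text output and counts, by protocol and message type, what the scanned firewall itself sent back. The addresses, the sample capture and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n` output (RFC 5737 addresses, not from the
# original mail). Assumed roles: 192.0.2.1 = pf firewall, 192.0.2.50 = scanner.
SAMPLE = """\
16:05:01.100000 IP 192.0.2.50.43210 > 192.0.2.1.22: Flags [S], seq 100, win 1024, options [mss 1460], length 0
16:05:01.100200 IP 192.0.2.1.22 > 192.0.2.50.43210: Flags [S.], seq 900, ack 101, win 65535, options [mss 1460], length 0
16:05:01.200000 IP 192.0.2.50 > 192.0.2.1: ICMP echo request, id 7, seq 0, length 128
16:05:01.200150 IP 192.0.2.1 > 192.0.2.50: ICMP echo reply, id 7, seq 0, length 128
16:05:01.300000 IP 192.0.2.50.43211 > 192.0.2.1.31337: UDP, length 300
16:05:01.300180 IP 192.0.2.1 > 192.0.2.50: ICMP 192.0.2.1 udp port 31337 unreachable, length 36
16:05:01.400000 IP 192.0.2.50.43212 > 192.0.2.1.1: Flags [S], seq 200, win 1024, length 0
"""

LINE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")
TCP_FLAGS = {"S.": "TCP SYN-ACK", "R": "TCP RST", "R.": "TCP RST"}


def classify(rest):
    """Name the kind of packet described by the protocol part of a line."""
    if rest.startswith("ICMP "):
        body = rest[5:].split(",")[0]
        if body.endswith("unreachable"):
            return "ICMP port unreachable" if " port " in body else "ICMP unreachable"
        return "ICMP " + body
    flags = re.match(r"Flags \[([^\]]+)\]", rest)
    if flags:
        return TCP_FLAGS.get(flags.group(1), "TCP flags " + flags.group(1))
    return "UDP" if rest.startswith("UDP") else "other"


def replies_from(firewall, capture):
    """Count, per category, the packets that the firewall itself sent."""
    seen = Counter()
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an IPv4 line (ARP, IP6, truncated output)
        src, _dst, rest = m.groups()
        if not rest.startswith("ICMP "):
            src = src.rsplit(".", 1)[0]  # TCP/UDP endpoints carry a .port suffix
        if src == firewall:
            seen[classify(rest)] += 1
    return seen


if __name__ == "__main__":
    for kind, count in replies_from("192.0.2.1", SAMPLE).most_common():
        print(f"{count:3d}  {kind}")
```

Each category in the output is one kind of reply to look up and then decide on; the SYN to port 1 in the sample gets no answer and so does not appear.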