Date:      Tue, 11 Feb 2003 23:05:09 -0600
From:      Redmond Militante <r-militante@northwestern.edu>
To:        "Scott A. Moberly" <smoberly@karamazov.org>, freebsd-questions@freebsd.org
Subject:   Re: portsentry in combination with ipfilter
Message-ID:  <20030212050509.GA1381@darkpossum>
In-Reply-To: <3662.10.0.0.2.1045025758.squirrel@mail.karamazov.org>
References:  <20030212043806.GA1267@darkpossum> <3662.10.0.0.2.1045025758.squirrel@mail.karamazov.org>

hi
i've used portsentry on standalone workstations before with ipfilter setup as a
firewall, and for some reason, now when i'm trying to use it on an ipf/ipnat
gateway box, it's being really verbose about the ports it's binding to.  if i
nmap a standalone workstation i have configured ipfilter/portsentry on, i don't
get the huge list of ports that it's binding to...  i thought perhaps there was
a config option to hide this information


>
> > hi all
> >
> >  i have an ipf/ipnat gateway machine protecting an internal network of -
> > so far one, hopefully 2 or more - computers. the first thing i did
> > after i observed that i have my setup successfully nat'ing, was to try
> > to portscan myself from an outside machine, using nmap. at first i
> > thought something was up, and that my ipf.rules were being ignored,
> > because when i ran
> >
> >  nmap -sS -v -O
> >
> >  on the public ip of my internal host - which was aliased to the
> > external nic of my gateway box - it showed that a huge amount of tcp
> > and udp ports were open. i could copy the nmap results, but they're
> > long, and suffice it to say ports i thought were closed or inactive
> > were shown as open.
> >
> >  after discussing it with the -security listserv, and running a
> > 'sockstat' on the gateway box, it turns out that portsentry was indeed
> > listening on the great majority of ports that the nmap showed to be
> > open. when i turn portsentry off and run nmap again on my setup, it
> > only shows ports that i specially allow open in my ipf/ipnat rules like
> > 80,22, etc.
> >
> >  my question is: first if anyone knows how to get portsentry to not
> > broadcast the fact that it's listening on a wide variety of ports when the
> > host is being portscanned. i checked the portsentry.conf file, there
> > didn't seem to be an option for this. also - i have
>
> This is exactly what portsentry is designed to do.  Can't tell if a port
> is hit without first binding to it.  I have placed portsentry on other
> machines than the firewall for just this sort of information.  A better
> solution on a firewall is to turn on logging for specific ports or rules
> that you are interested in.
>
> >  block return-rst in log quick on xl0 proto tcp from any to any
> >
> >  in my ipf.rules, so i thought that any ports not be nat'd would show up
> > in portscans as not listening. not sure why this isn't working.
>
> What ports exactly are still listening that aren't getting allowed through?
>
>

when i turn portsentry off and nmap again, all appears as i expected it to
- only 80 22 and 21 are listed as open - as i defined it in my ipf.rules

> >  also, i had wanted to run logcheck, portsentry, and snort or tripwire
> > on my ipf/ipnat gateway box. is this a good combination of apps? as of
> > now, i have portsentry turned off, but would like to use it or an app
> > that performs the same function.
>
> logcheck - not really; syslog should be sent inside, either via syslog or
> msyslog (in ports)
>

logcheck is not a good idea?  could you elaborate on this point please?

> portsentry - nope (see above)
>

would you recommend running portsentry on an internal host behind the gateway
machine?

thanks
redmond

> snort - i 'spose (no harm per se)
> tripwire - definitely
>
> >  any thoughts?
> >
> >  thanks again
> >
> > redmond
>
> Hope this helps.
>
> -- 
> Scott A. Moberly
> smoberly@karamazov.org
>
> "BASIC is the Computer Science equivalent of `Scientific Creationism'."
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
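Scott's suggestion above is to log hits on the rules you care about instead of letting portsentry bind every port on the gateway. As an added example that is not part of this thread, the script below reads ipmon(8)-style lines written by a `block ... log` rule like the one quoted earlier and reports sources that were blocked on many distinct tcp ports, which is the same scan signal portsentry would have raised. The log lines, addresses and the threshold of three ports are constructed for the example.

```shell
#!/bin/sh
# Constructed ipmon(8)-style lines, not taken from the thread. Field layout:
# date time iface @group:rule action src,sport -> dst,dport PR proto len ...
# "b" = blocked by a rule carrying "log", "p" = passed and logged.
IPMON_SAMPLE='12/02/2003 04:38:06.000000 xl0 @0:3 b 203.0.113.5,45871 -> 198.51.100.10,23 PR tcp len 20 60 -S IN
12/02/2003 04:38:06.100000 xl0 @0:3 b 203.0.113.5,45872 -> 198.51.100.10,25 PR tcp len 20 60 -S IN
12/02/2003 04:38:06.200000 xl0 @0:3 b 203.0.113.5,45873 -> 198.51.100.10,110 PR tcp len 20 60 -S IN
12/02/2003 04:38:06.300000 xl0 @0:3 b 203.0.113.5,45874 -> 198.51.100.10,143 PR tcp len 20 60 -S IN
12/02/2003 04:38:06.400000 xl0 @0:3 b 203.0.113.5,45875 -> 198.51.100.10,3306 PR tcp len 20 60 -S IN
12/02/2003 04:38:07.000000 xl0 @0:1 p 192.0.2.44,51000 -> 198.51.100.10,80 PR tcp len 20 60 -S IN
12/02/2003 04:38:08.000000 xl0 @0:3 b 192.0.2.44,51001 -> 198.51.100.10,8080 PR tcp len 20 60 -S IN
12/02/2003 04:38:09.000000 xl0 @0:3 b 192.0.2.44,51002 -> 198.51.100.10,8080 PR tcp len 20 60 -S IN'

# scan_sources MIN: read ipmon lines on stdin and print "src count" for each
# source that was blocked on at least MIN distinct tcp destination ports.
# Repeated hits on the same port count once, so a retrying client is not a scan.
scan_sources() {
    awk -v min="$1" '
        $5 == "b" && $9 == "PR" && $10 == "tcp" {
            split($6, s, ",")          # s[1] = source address
            split($8, d, ",")          # d[2] = destination port
            key = s[1] SUBSEP d[2]
            if (!(key in seen)) { seen[key] = 1; ports[s[1]]++ }
        }
        END { for (ip in ports) if (ports[ip] >= min) print ip, ports[ip] }
    ' | sort
}

# Stand-alone run: flag anything that touched three or more closed ports.
printf '%s\n' "$IPMON_SAMPLE" | scan_sources 3
```

On a real gateway the input would come from the ipmon log file (or `ipmon` piped through syslog) rather than the embedded sample.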

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030212050509.GA1381>