Date: Tue, 6 Oct 2009 21:09:12 +0200
From: "文鳥" <bunchou@googlemail.com>
To: "Helmut Schneider" <jumper99@gmx.de>
Cc: freebsd-pf@freebsd.org
Subject: Re: freebsd-pf Stealth Modus
Message-ID: <20091006210912.379434eb@centaur.5550h.net>
In-Reply-To: <hag28i$26j$1@ger.gmane.org>
References: <6422287.58441254834893591.JavaMail.root@zimbra-store> <49F0693DC96541B4B9D7B61599A12CA4@vpe.de> <20091006182241.79d16c8c@centaur.5550h.net> <hag28i$26j$1@ger.gmane.org>
On Tue, 6 Oct 2009 20:28:33 +0200
"Helmut Schneider" <jumper99@gmx.de> wrote:

> 文鳥 <bunchou@googlemail.com> wrote:
> > On Tue, 6 Oct 2009 17:23:09 +0200
> > "Helmut Schneider" <jumper99@gmx.de> wrote:
> >
> >> From: "Nico De Dobbeleer" <nico@elico-it.be>
> >>> I just finished installing FreeBSD 7.x with pf in transparent
> >>> bridging mode as the servers behind the firewall need to have a
> >>> public IP address. Now everything is working fine and the FW is
> >>> doing its job as it should. When I nmap the FW I see the open
> >>> ports and closed ports. Is there a way to get the FW running in
> >>> stealth mode so that it isn't possible anymore with nmap or any
> >>> other scanning tool to see the open or closed ports?
> >>
> >> There is no "stealth". If a service responds to a request the port
> >> is "open". If not it's closed.
> >
> > There is: just use "block drop" in your pf config or "set
> > block-policy drop" (see man 5 pf.conf). This effectively stops
> > sending TCP RST or UDP unreach packets.
>
> Consider a webserver where you pass HTTP and "block drop" SSH. 1 port
> is open -> host not "stealth".
>
> But even if you "block drop" all incoming traffic to a host, if a
> host is really down (and therefore stealth) the host's gateway would
> send an ICMP type 3 packet (unless you cripple ICMP as well).
>
> While sometimes it might be useful to "block drop" it has nothing to
> do with being "stealth".
>
> Helmut

Not replying to a probe in the mentioned way is exactly what is commonly referred to as "stealth mode" by consumer firewalls. Just try a simple Google search for "stealth firewall" and you will see. Besides, if only a few (uncommon) ports are open, a limited scan is unlikely to find them, thus calling it "stealth" (aka "low observability" according to Wikipedia) is appropriate imho. There is a difference between stealth and invisibility.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20091006210912.379434eb>
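A pf.conf fragment, added here as an illustration and not part of the thread, that puts the two block policies discussed above side by side on a bridging filter which passes HTTP to one server. The interface names and the server address are assumptions.

```pf
# Added example, not from the thread. Assumptions: the bridge member
# facing the Internet is em0, the member facing the servers is em1, and
# the protected web server is 192.0.2.10 (documentation range, constructed).
# Filtering on bridge members also needs net.link.bridge.pfil_member=1
# (sysctl), which is outside pf.conf.
ext_if = "em0"
int_if = "em1"
web    = "192.0.2.10"

# Default action for every "block" rule that names no action of its own.
# "return" answers TCP with a RST and UDP with ICMP port-unreachable, so a
# scanner reports those ports as "closed"; "drop" sends nothing, so the
# same ports are reported as "filtered". That silence is what consumer
# firewalls call "stealth"; it does not hide the host itself, because a
# truly absent host would draw an ICMP type 3 from its gateway, which a
# filter on the host cannot imitate.
# set block-policy return      # weak: every blocked port announces itself as closed
set block-policy drop          # corrected: blocked ports stay silent toward probes

# Log what is dropped so the silence is visible to the operator via pflog0,
# even though nothing is visible to the prober.
block log all

# The one service that must answer. As Helmut notes, this port is "open"
# whatever the block policy says: a responding service cannot be hidden.
pass in on $ext_if inet proto tcp from any to $web port 80 \
    flags S/SA keep state

# Per-rule override on the inside: hosts behind the bridge get an explicit
# RST/unreachable so their misdirected connections fail fast instead of
# hanging until timeout. External probes still fall under the global drop.
block return in on $int_if
```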