Date: Wed, 7 Oct 2009 11:40:36 +0200 From: "Helmut Schneider" <jumper99@gmx.de> To: freebsd-pf@freebsd.org Subject: Re: freebsd-pf Stealth Modus Message-ID: <hahnmk$ji6$1@ger.gmane.org> References: <6422287.58441254834893591.JavaMail.root@zimbra-store><49F0693DC96541B4B9D7B61599A12CA4@vpe.de><20091006182241.79d16c8c@centaur.5550h.net><hag28i$26j$1@ger.gmane.org> <20091006210912.379434eb@centaur.5550h.net>
文鳥 <bunchou@googlemail.com> wrote:
> On Tue, 6 Oct 2009 20:28:33 +0200
> "Helmut Schneider" <jumper99@gmx.de> wrote:
>
>> 文鳥 <bunchou@googlemail.com> wrote:
>>> On Tue, 6 Oct 2009 17:23:09 +0200
>>> "Helmut Schneider" <jumper99@gmx.de> wrote:
>>>
>>>> From: "Nico De Dobbeleer" <nico@elico-it.be>
>>>>> I just finished installing FreeBSD 7.x with pf in transparent
>>>>> bridging mode as the servers behind the firewall need to have a
>>>>> public IP address. Now everything is working fine and the FW is
>>>>> doing its job as it should. When I nmap the FW I see the open
>>>>> ports and closed ports. Is there a way to get the FW running in
>>>>> stealth mode so that it isn't possible anymore with nmap or any other
>>>>> scanning tool to see the open or closed ports?
>>>>
>>>> There is no "stealth". If a service responds to a request the port
>>>> is "open". If not it's closed.
>>>
>>> There is: just use "block drop" in your pf config or "set
>>> block-policy drop" (see man 5 pf.conf). This effectively stops
>>> sending TCP RST or UDP unreach packets.
>>
>> Consider a webserver where you pass HTTP and "block drop" SSH. 1 port
>> is open -> host not "stealth".
>>
>> But even if you "block drop" all incoming traffic to a host, if a
>> host is really down (and therefore stealth) the host's gateway would
>> send an ICMP type 3 packet (unless you cripple ICMP as well).
>>
>> While sometimes it might be useful to "block drop" it has nothing to
>> do with being "stealth".
>
> Not replying to a probe in the mentioned way is exactly what is
> commonly referred to as "stealth mode" by consumer firewalls. Just try
> a simple google search for "stealth firewall" and you will see.

I know the term "stealth firewall" very well. It's a worthless marketing buzzword. It suggests to users that it could prevent an attack or even the scan itself. Neither is correct. This is what I wanted to point out, and I was encouraged by the fact that the OP was talking about "stealthing" open ports.
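The scenario discussed in the thread (pass HTTP, "block drop" SSH, "set block-policy drop" as the default), written out as a minimal pf.conf. This is an added example, not a configuration posted by anyone in the thread; the interface name em0 is assumed.

```pf
# Added example, not from the thread. Interface name is assumed.
ext_if = "em0"

# Default for every "block" rule that does not say otherwise:
# "drop" discards silently; "return" would answer with a TCP RST
# or an ICMP unreachable (see man 5 pf.conf).
set block-policy drop

# Block all inbound traffic on the external interface by default.
# Probes to ports covered only by this rule get no reply at all.
block in on $ext_if

# HTTP must answer, so port 80 is visibly "open" to any scanner no
# matter what block-policy says: this is the point made in the thread.
pass in on $ext_if proto tcp from any to ($ext_if) port 80 flags S/SA keep state

# SSH probes are dropped explicitly: no RST, scanners report "filtered".
block drop in on $ext_if proto tcp from any to ($ext_if) port 22

# The "return" variant of the same rule would send a RST back and the
# scanner would report port 22 as "closed" instead:
# block return in on $ext_if proto tcp from any to ($ext_if) port 22
```

Whichever variant you pick for port 22, the host still answers on port 80, so dropping instead of returning changes what a scanner reports for the blocked port, not whether the host is discoverable.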
