I was under the impression that you can configure portsentry to never
blacklist from certain hosts, no matter what they do.
On Wed, 2002-01-16 at 23:00, Bob Miller wrote:
> Jacob Meuser wrote:
>
> > scrub in on $ext_if all
> > block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
> > pass out on $ext_if inet proto tcp from { $my_ip(s) } to any modulate state
> >
> > Does a pretty good job.
>
> For those of you who are LINUX geeks, not OpenBSD geeks, that
> stuff Jacob wrote is pf rules. pf is to OpenBSD as iptables
> is to Linux: it's the packet filter.
>
> "scrub" means reassemble fragmented packets. Many TCP and IP
> implementations get confused by strangely fragmented packets,
> and nmap uses those to identify stacks.
>
> "block in ... FUP/FUP" means to drop any incoming TCP packets with
> the FIN, URG and PUSH bits all set. nmap creates these (illegal)
> packets.
>
> "pass out ... modulate state" means to allow all outgoing TCP
> connections, and to use a cryptographically strong improved random
> number for the sequence numbers. Some TCP implementations use
> predictable sequence numbers, which allows TCP sessions to be
> hijacked.
>
> Anyway, I agree with Jake and with the author of the Portsentry
> article. Portsentry isn't worth much, and it's easily fooled into
> DOS'ing the machine it's running on. Spoof a port scan from a useful
> host, and it'll blackhole the useful host. Not helpful.
>
> --
> Bob Miller K<bob>
> kbobsoft software consulting
> http://kbobsoft.com [EMAIL PROTECTED]
--
Christopher Maujean
IT Director, Premierelink Communications
[EMAIL PROTECTED]
http://www.premierelink.com/
541-344-8575x305
PGP:
---------------------------------------------------------------
http://www.keyserver.net/
KeyID: EFAF4176
Fingerprint: 55E6 4DE1 D7D3 361E F265 C094 46F2 7B62 EFAF 4176
---------------------------------------------------------------
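As an added example that is not part of the thread: the three rules Bob annotates above, assembled into a minimal pf.conf together with a table of hosts that must never be blocked, which is the protection Christopher is asking about for portsentry. The interface name, addresses and the `<trusted>` table are assumed placeholders, and the table syntax is newer than this 2002 thread (OpenBSD 3.3 / FreeBSD pf).

```conf
# Added example, not from the thread. Placeholders: fxp0, TEST-NET-1 addresses.
ext_if = "fxp0"
my_ip  = "192.0.2.10"

# Hosts that must stay reachable no matter what appears to come from them.
# A scan spoofed from one of these must not lock us out of our own gateway
# or resolver, which is the failure mode Bob describes for portsentry.
table <trusted> const { 192.0.2.1, 192.0.2.53 }

# Reassemble fragments before filtering, so oddly fragmented packets can
# neither slip past the rules below nor be used to fingerprint the stack.
scrub in on $ext_if all

# Drop (and log) TCP packets with FIN, URG and PUSH all set: no legitimate
# stack sends these, so there is no reason to exempt even trusted hosts.
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP

# Trusted hosts match here first and are never affected by later blocks.
pass in quick on $ext_if from <trusted> to $my_ip keep state

# Default deny inbound; allow and track outbound TCP, rewriting the initial
# sequence numbers so a predictable ISN from our stack cannot be exploited.
block in on $ext_if all
pass out on $ext_if inet proto tcp from $my_ip to any modulate state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; `pfctl -f` then installs the rules.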