(This probably belonged on -security or -questions or someplace
else...)
> Date: Mon, 16 Dec 2002 13:55:48 -0500
> From: "Robin P. Blanchard" <[EMAIL PROTECTED]>
> Subject: ipfilter / ipnat quandary
>
> -STABLE (FreeBSD 4.7-STABLE #0: Mon Nov 25 14:22:58 EST 2002)
> gateway/firewall running:
> # ipf -V
> ipf: IP Filter: v3.4.29 (336)
> Kernel: IP Filter: v3.4.29
> Running: yes
> Log Flags: 0 = none set
> Default: pass all, Logging: available
> Active list: 0
>
>
> The only external port I've allowed in is SSH, yet nmapping the box
> yields a slew of purportedly other open ports.
Look again - it says they are "filtered".
nmap can usually tell the difference between a TCP port that is
closed on the target (returns a RST) and one that is filtered by a
firewall (returns nothing). In fact, many of the ports shown as filtered
might not even really be open on your box.
> Have I broken my
> ruleset somewhere? Please advise.
No, it's simply not sophisticated enough for what you want it to do.
...
> (The 1581 ports scanned but not shown below are in state: closed)
> Port State Service
> 22/tcp open ssh
> 137/tcp filtered netbios-ns
...
> 138/tcp filtered netbios-dgm
> 139/tcp filtered netbios-ssn
> 161/tcp filtered snmp
...
Note, for instance, that snmp is (normally) a UDP service, so it's
unlikely you actually have an open TCP port 161; but nmap can see
you're filtering it nonetheless.
ipf does have the ability to more correctly simulate a closed port.
I did a similar exercise on my personal OpenBSD firewall box earlier
this year; I won't go through your whole ruleset, but basically for
every TCP port you block, you need to add a return-rst, and for every
UDP port you block, you need to add return-icmp(port-unr). This
provides a pretty good simulation of a host running no services, if
that's what you want to look like.
-- Clifton
--
Clifton Royston -- LavaNet Systems Architect -- [EMAIL PROTECTED]
"If you ride fast enough, the Specialist can't catch you."
"What's the Specialist?" Samantha says.
"The Specialist wears a hat," says the babysitter. "The hat makes noises."
She doesn't say anything else.
Kelly Link, _The Specialist's Hat_
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-stable" in the body of the message
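As an added illustration of the return-rst / return-icmp(port-unr) approach Clifton describes above (this is not a ruleset from the original post, nor from the FreeBSD or IPFilter projects), here is a minimal ipf ruleset for a FreeBSD 4.x gateway that exposes only SSH and makes every other port answer the way a host with no services would. The external interface name fxp0 and the ipf 3.4.x syntax are assumptions; NAT and LAN-side rules are left out.

```conf
# Added example (not from the original post): an ipf ruleset for a
# FreeBSD 4.x gateway where only SSH is reachable from outside and every
# other port answers the way a host running no services would.
# Assumptions: external interface is fxp0, ipf 3.4.x syntax; adjust the
# interface name and add your own ipnat/LAN rules.

# Loopback traffic is never filtered.
pass in  quick on lo0 all
pass out quick on lo0 all

# Let the gateway itself talk out; state lets the replies back in.
pass out quick on fxp0 proto tcp  from any to any flags S keep state
pass out quick on fxp0 proto udp  from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# The one service exposed to the world: SSH.
pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state

# --- The setting the thread is about ---------------------------------
# A plain block drops the probe silently, so nmap sees neither a RST nor
# an ICMP error and reports the port as "filtered" rather than "closed":
#
#   block in quick on fxp0 all
#
# --- What makes the box look closed instead --------------------------
# TCP: answer with a RST, as a closed port (or a closed port hit by an
# unsolicited ACK) would. ipf does not RST a packet that is itself a RST.
block return-rst in quick on fxp0 proto tcp from any to any
# UDP: answer with ICMP port unreachable, as a closed UDP port would.
block return-icmp(port-unr) in quick on fxp0 proto udp from any to any
# Anything left (other IP protocols) is still dropped silently.
block in quick on fxp0 all
```

Load it with `ipf -Fa -f /etc/ipf.rules`, confirm with `ipfstat -io` that the rules are in the order shown (ipf stops at the first `quick` match), then re-scan from outside with something like `nmap -sS -p 1-1024 <gateway>`: port 22 should still show "open", and the rest should now show "closed" instead of "filtered", with a UDP scan (`-sU`) giving the same result for UDP. The trade-off is that the gateway now answers every probe, so RSTs and ICMP errors will be sent to whatever source address the prober puts in the packet; if that matters to you, keep the silent `block in quick on fxp0 all` for the ranges you do not care about and use the return-* rules only where you want the "no services here" appearance.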