Sebastian Rother wrote:
Hello everybody,

PF offers a great OS-Detection which enables me to block all Packets from
NMAP (OS: NMAP).

But I thought about another problem.
How can I drop the IP of an nmap-scanning computer into a table?

Such an overload-option (like for max-src-conn) would be very neat
because a host which tried to scan could try e.g. a brute-force either
(or simply use other tools not detectable by ospf).

So does somebody know how to handle such situations?

Kind regards,
Sebastian

I am not sure if this would work, but quickly, I don't see why not. Using the same approach should give the results intended. However if you already block all the NMAP, why do you want to limit them then? I may not have understood that part too well obviously.

But here is some food for thought.

# define macros for each network interface
ext_if="fxp0"
nmap_services = "{ xx, yy }"

...

# Define some variable for clarity
NMAP_LIMIT="(max-src-conn-rate 5/30, overload <bad_nmap> flush global)"

...

# Table directive
table <bad_nmap> persist file "/var/log/bad_nmap"

...

pass in on $ext_if inet proto tcp from !<bad_nmap> \
   to $ext_if port $nmap_services flags S/SA keep state \
   $NMAP_LIMIT label "nmap"

Then set up your nmap ports in the $nmap_services above and you should be fine. Also run a cronjob like this:

/sbin/pfctl -T show -t bad_nmap > /var/log/bad_nmap

or similar to update your table whenever you see fit.

I didn't spend too much time on this one, but I think the above should give you an idea as to how to go about it. Might work just as is if you add the ports you want to protect inside your LAN, or may need some minor changes, but it is sure very close to what you might need I think.

Daniel
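As an added example (not part of Daniel's reply or the PF project), here is a small maintenance script for the cron job he suggests. It assumes the table name bad_nmap and the path /var/log/bad_nmap from the table directive above, and adds two things the one-liner lacks: it first expires entries that have been idle for a day (pfctl's -T expire) so the overload table does not grow without bound, and it writes the snapshot to a temporary file and renames it, so a crash mid-write cannot leave an empty file that `persist file` would load as the whole table on the next pfctl -f. PFCTL, TABLE, PERSIST_FILE and EXPIRE_AFTER are assumed names, overridable from the environment.

```shell
#!/bin/sh
# Added example: maintain the <bad_nmap> overload table from cron.
# Assumes table name and persist file from the pf.conf fragment in the thread.

PFCTL="${PFCTL:-/sbin/pfctl}"
TABLE="${TABLE:-bad_nmap}"
PERSIST_FILE="${PERSIST_FILE:-/var/log/bad_nmap}"
# Seconds of inactivity after which an address is dropped from the table
# (overload re-adds it if the host trips max-src-conn-rate again).
EXPIRE_AFTER="${EXPIRE_AFTER:-86400}"

# expire_stale: delete addresses whose counters were last cleared more than
# EXPIRE_AFTER seconds ago.
expire_stale() {
    "$PFCTL" -t "$TABLE" -T expire "$EXPIRE_AFTER"
}

# snapshot_table: dump the live table into PERSIST_FILE atomically, one
# address per line, and print the number of addresses written.
snapshot_table() {
    tmp="$PERSIST_FILE.tmp.$$"
    "$PFCTL" -t "$TABLE" -T show > "$tmp" || { rm -f "$tmp"; return 1; }
    # pfctl indents each entry; strip the indent and blank lines
    sed 's/^[[:space:]]*//; /^$/d' "$tmp" > "$tmp.clean" && mv "$tmp.clean" "$tmp"
    n=$(wc -l < "$tmp" | tr -d ' ')
    mv "$tmp" "$PERSIST_FILE"
    echo "$n"
}

# run_maintenance: expire first so the snapshot reflects the trimmed table.
# Cron entry (assumed path): */15 * * * * /usr/local/sbin/bad_nmap_maint.sh run
run_maintenance() {
    expire_stale
    snapshot_table
}

case "${1:-}" in
    run) run_maintenance ;;
esac
```

Run it with the argument `run` from cron; without arguments it only defines the functions, which makes it easy to test against a stand-in for pfctl on a machine without pf.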
