I don't like to rain on such a neat breakdown/howto for PF
load balancing, but this is really Machiavellian, and means you can only
do state-respecting scans, no SFRU etc.

I'd also do:
set limit { states 100000, frags 50000 }
and diddle with the PF timeouts, in case the dest host is firewalled.

It would be easier (for TCP scanning) to:
- portscanner sends spoofed SYNs from x.x.x.a/c/b to whatever,
  at your max upstream rate.
- PF passes the packets out WITHOUT keeping state.
- PF "block return-rst in log on $ext_if" 'SA' packets coming back in.
- You check the PF logs for ports that reply :-)

Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto                                       Tel. 07855 805 271
http://www.devitto.com                         mailto:[EMAIL PROTECTED]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Ste Jones
Sent: Saturday, June 28, 2003 12:09 AM
To: [EMAIL PROTECTED]
Subject: Distributed port scanning using OpenBSD's packet filter


Network Penetration
networkpenetration.com
Copyright (c) 2003 Ste Jones
[EMAIL PROTECTED]

Distributed port scanning using OpenBSD's packet filter (Another good
reason to use OpenBSD)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


By using OpenBSD's packet filter pf one can utilize the NAT address
pools added in OpenBSD 3.3 to aid in distributed port scanning.

How it works
::::::::::::

http://www.openbsd.org/faq/pf/pools.html#nat - NAT Address Pool

As the text explains, NAT can be used in a large network to split
outgoing connections over multiple source IP addresses. Under normal
circumstances NAT is used to hide an internal network behind a single
external public IP address. By using multiple external IP addresses a
host on the internal network can port scan with multiple source IPs.


Technical Breakdown
:::::::::::::::::::

1. Port scan from internal network: send a SYN packet to a target to
initiate a connection. The packet's source IP address is, for example,
192.168.0.1.

2. Packet passes through NAT gateway: the packet's source IP address is
now changed to the external IP assigned to the NAT gateway. Each new
connection passing through the gateway has its source IP address
translated to the one / many IP addresses assigned to the NAT gateway.
For example 1.1.1.*

3. The packet reaches the host and a reply is returned to the NAT
gateway. The returned packet has a destination IP address of the
external interface on the NAT gateway. So in this example 1.1.1.1

4. The NAT gateway translates this packet's destination IP address back
to 192.168.0.1 and the packet is sent to the source.


OpenBSD 3.3 Pf setup
::::::::::::::::::::

Replace your existing NAT rule with the one below. This enables PF to do
NAT translation over multiple source IP addresses. It has its problems
with things such as web page connection tracking. Check the OpenBSD FAQ
for more info.

nat on $ext_if inet from any to any -> { x.x.x.a, x.x.x.b, x.x.x.c }


You will probably have to tweak some of your other rules to get it
working correctly.


You will also need to edit your /etc/hostname.interface file

inet x.x.x.a 255.255.255.0 NONE
inet alias x.x.x.b 255.255.255.0 NONE
inet alias x.x.x.c 255.255.255.0 NONE


This is all performed by PF's stateful connection tracking.... thanks
guys.
Note: I presume this would also work on a single machine running pf :)

Thanks to HacK of LuB for letting me abuse his firewall


original paper can be found at www.networkpenetration.com
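The four-step breakdown above and the `nat on $ext_if ... -> { a, b, c }` rule are easier to follow with a small model of what the gateway's state table is doing. The following Python is an added example, written for this archive and not code from either poster or from the OpenBSD project. It models a PF-style gateway that rewrites the source address and port of each new outbound connection to one entry of an address pool (round-robin, one of the pool selection options pf.conf offers), records a state entry, and uses that entry to translate the reply back to 192.168.0.1; a reply with no matching state is returned as `None`, which is the stateful behaviour both messages rely on. It also adds the defender's view that the thread only implies: once the observed sources are grouped by prefix, the three aliases configured in /etc/hostname.interface collapse to a single /24. All packets, the pool addresses and the target address are constructed sample data.

```python
"""Model of a PF-style NAT address pool with a state table, plus the
defender-side grouping of observed sources by /24. Added example with
constructed data; not the gateway's real packet processing."""
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import cycle


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK


class NatPoolGateway:
    """Minimal model of `nat on $ext_if inet from any to any -> { a, b, c }`.

    Each new outbound connection is mapped to the next pool address
    (round-robin) and a fresh external port; the mapping is stored so the
    reply can be translated back. Hypothetical class, not a PF API."""

    def __init__(self, pool, first_port=50000):
        self._pool = cycle(pool)
        self._next_port = first_port
        # state: (external ip, external port) -> (internal ip, internal port)
        self.state = {}

    def outbound(self, pkt):
        """Step 2 of the breakdown: rewrite source ip/port, create state."""
        ext_ip = next(self._pool)
        ext_port = self._next_port
        self._next_port += 1
        self.state[(ext_ip, ext_port)] = (pkt.src, pkt.sport)
        return Packet(ext_ip, ext_port, pkt.dst, pkt.dport, pkt.flags)

    def inbound(self, pkt):
        """Steps 3-4: a reply addressed to a pool ip/port is mapped back to
        the internal host. Without a state entry nothing is translated."""
        key = (pkt.dst, pkt.dport)
        if key not in self.state:
            return None
        int_ip, int_port = self.state[key]
        return Packet(pkt.src, pkt.sport, int_ip, int_port, pkt.flags)


def translate_connections(pool, target, ports, internal_ip="192.168.0.1"):
    """Run one SYN per port through the gateway and feed back a SYN/ACK.

    Returns (packets as the target sees them, packets as the internal host
    receives them)."""
    gw = NatPoolGateway(pool)
    seen_by_target, delivered = [], []
    for i, port in enumerate(ports):
        syn = Packet(internal_ip, 40000 + i, target, port, "S")
        out = gw.outbound(syn)
        seen_by_target.append(out)
        # constructed reply from the target to the translated source
        reply = Packet(target, port, out.src, out.sport, "SA")
        delivered.append(gw.inbound(reply))
    return seen_by_target, delivered


def sources_by_prefix(packets, prefixlen=24):
    """Defender view: group SYN sources by network prefix. Aliases on one
    interface all sit in the same subnet, so the 'distinct' sources
    collapse to one key."""
    groups = {}
    for p in packets:
        if p.flags != "S":
            continue
        net = ip_network(f"{p.src}/{prefixlen}", strict=False)
        groups.setdefault(str(net), set()).add(p.src)
    return groups


if __name__ == "__main__":
    # pool addresses follow the 1.1.1.* example in the thread
    seen, back = translate_connections(
        ["1.1.1.1", "1.1.1.2", "1.1.1.3"], "203.0.113.10", [22, 80, 443, 8080])
    for p in seen:
        print(f"target sees SYN from {p.src}:{p.sport} -> :{p.dport}")
    for p in back:
        print(f"internal host gets {p.flags} at {p.dst}:{p.dport}")
    print(sources_by_prefix(seen))
```

Running the block shows the target receiving four SYNs from three different addresses while every SYN/ACK is handed back to 192.168.0.1, and the prefix grouping reduces the three sources to the single key `1.1.1.0/24`.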