Thanks Max, saved me some keystrokes.
I would say that *host* firewalling, like XP's built-in FW, could be
easily done with PF.

In fact, writing such a tool is a pretty trivial but very useful
idea, e.g.:
- block outbound echo-reply, unreachable and some other icmp.
- block outbound TCP RST packets ('closed port')
- allow outbound everything else, keeping state.
- allow inbound everything else, keeping state.

(this sounds back-to-front, but this means that active FTP and
other dirty protocols work fine, but portscanning is sloooooooow).

Does anyone know if TCP RST rate limiting (like ICMP) is possible
with 'stock' OpenBSD?

Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto                                       Tel. 07855 805 271
http://www.devitto.com                         mailto:[EMAIL PROTECTED]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
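
Dom's four rules above, written out as an added pf.conf example (my code, not Dom's own configuration and not anything shipped by OpenBSD). It assumes a single interface named em0 and OpenBSD pf syntax of 4.7 or later. One deliberate difference from the list: inbound traffic is passed without creating state, because pf matches existing states before it evaluates the ruleset, so a RST, ICMP unreachable or echo reply answering a stateful inbound pass would never reach the block rules. Replies from real services create their state on the outbound pass rule instead.

```pf
# Added example (not Dom's own config): a PF host ruleset that keeps every
# listening service reachable but hides closed ports from a scanner.
# Assumptions: one interface, em0; OpenBSD pf syntax of 4.7 or later.
ext_if = "em0"

set skip on lo0

# Dom's rule 1: no outbound ICMP that maps the host. echorep = no ping
# answers; unreach = a UDP probe to a closed port gets nothing back;
# timex = the host does not show up as a traceroute hop.
block drop out quick on $ext_if inet proto icmp \
    icmp-type { echorep, unreach, timex }

# Dom's rule 2: no outbound TCP RST. A SYN or ACK probe to a closed port
# now gets no reply, so nmap reports "filtered" after its timeout instead
# of "closed" immediately.
block drop out quick on $ext_if inet proto tcp flags R/R

# Dom's rule 3: everything else out, keeping state, so replies come back.
# "flags any" so that the SYN+ACK a service sends to a new client also
# creates state (the default flags S/SA would only match a bare SYN).
pass out quick on $ext_if proto tcp flags any keep state
pass out quick on $ext_if keep state

# Dom's rule 4: everything else in, but WITHOUT creating state. pf checks
# states before rules, so a reply passed by an inbound state (the RST or
# ICMP error for a closed port) would bypass the block rules above.
# Replies to a real service create their state on rule 3 instead, and an
# active-FTP data connection from the server is just another inbound SYN.
pass in quick on $ext_if no state
```

Load it with `pfctl -f /etc/pf.conf` and check the effect with a SYN scan from another machine: open ports still answer, closed ones show as filtered, and the scan takes nmap's full per-port timeout. Note that rule 2 also drops the RST the host would send to abort a connection it has no state for, which is harmless but visible in `pfctl -s info` drop counters.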

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Max Laier
Sent: Wednesday, December 17, 2003 3:42 PM
To: Afra, Ziad (London)
Cc: [EMAIL PROTECTED]
Subject: Re: blocking nmap scans

On Wednesday 17 December 2003 13:31, Afra, Ziad (London) wrote:
> So whats the syntax to block TCP connect() and SYN?

Okay, let's try to be a bit more polite ;)

If a service should be available to the internet, then you must not block a
(legal) TCP connect() to the port associated with this service; hence you
cannot "block" a scanner using connect(). However, those scans will show up
in your logs. Additionally, you can try to block portscanners by timing; esp.
the new source tracking will assist you with that.

> Interesting that you say that given the fact that when I scan a linux 
> redhat machine running iptables it doesn't report any ports open (when 
> there are services running on ports < 1024).

No, iptables cannot block portscanners and allow regular traffic at the same
time ...

And yes, building a firewall w/o (at least) basic knowledge of IP, TCP and
friends won't work - as long as you need something more than clicking
"enable firewall" in a fancy Red Hat or Microsoft configuration tool, that
is.

-- 
Best regards,                           | [EMAIL PROTECTED]
Max Laier                               | ICQ #67774661
http://pf4freebsd.love2party.net/       | [EMAIL PROTECTED] #DragonFlyBSD
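
The timing-based approach Max mentions, as an added pf.conf example of mine (not Max's own rules and not from any project). It uses the overload table that OpenBSD attached to source tracking in later releases (3.7 and newer), so it goes a little beyond the "new source tracking" of the original thread. The interface name, the service ports, the rate and the table name are all assumptions.

```pf
# Added example, not from the thread: a source that opens connections too
# fast is put in a table and dropped. Assumptions: interface em0, services
# on ports 22 and 80, a limit of 10 new connections per 5 seconds.
ext_if = "em0"
table <scanners> persist

# Default deny inbound; outbound traffic and its replies are stateful.
block in on $ext_if
pass out on $ext_if keep state

# Anything already caught is dropped before the service rule is reached.
block drop in quick on $ext_if from <scanners>

# Normal service rule. Per source address, more than 10 new TCP states in
# any 5-second window adds the address to <scanners>; "flush global" also
# kills every state that source already holds, whichever rule created it.
pass in on $ext_if proto tcp to port { 22, 80 } \
    flags S/SA keep state \
    (max-src-conn-rate 10/5, overload <scanners> flush global)
```

The counter only sees connections the rule itself creates state for, so it catches a client hammering the published services (a connect() scan across many open ports, or a brute-forcer), not SYNs to ports the default block already drops. Inspect the table with `pfctl -t scanners -T show`, and age entries out from cron with something like `pfctl -t scanners -T expire 3600` so that a legitimate host that tripped the limit is not locked out forever.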

