Re: ct Re: NMAP probing of network ports
Boris Karloff wrote: Chris wrote: On Fri, 16 Sep 2005, Boris Karloff wrote: Ain't you 'sposed to be dead?! That's Bela Lugosi... Actually, so is Boris --- Bela Lugosi famously died in the middle of filming Plan 9 from Outer Space (http://www.badmovies.org/movies/plannine/) and is eulogised in a Bauhaus song "Bela Lugosi's Dead" (http://www.waste.org/bauhaus/l/belalugosisdead.html) I imagine the original poster was being tongue in cheek, and so was I, if, perhaps, rather obscurely. --Alex ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: ct Re: NMAP probing of network ports
>Chris wrote: >> On Fri, 16 Sep 2005, Boris Karloff wrote: >> >> Ain't you 'sposed to be dead?! >That's Bela Lugosi... >--Alex Actually, so is Boris --- My e-mail provider is upgrading the mail server, and apparently someone either mistyped my name when moving my account, or one of the employees there is making a joke. I get that a lot. I'm working with my e-mail provider now trying to get this fixed. For some reason, they seem to be a little busy at the moment -- upgrading an e-mail service isn't simple; and this has a low priority with them. I'm actually pleased someone noticed. Thanks guys. Harold Karloff. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]" Upgrade your account today for increased storage; mail forwarding or POP enabled e-mail with automatic virus scanning. Visit http://www.canada.com/email/premiumservices.html for more information. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: ct Re: NMAP probing of network ports
Chris wrote: On Fri, 16 Sep 2005, Boris Karloff wrote: Ain't you 'sposed to be dead?! That's Bela Lugosi... --Alex ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: ct Re: NMAP probing of network ports
Boris Karloff wrote: Thank you for your reply. Nmap is generating many tcp commands: arp who-has 192.168.0.x tell 192.168.0.5 where x is an incremented number from 0 through 255. The 192.168.0.5 address changes from scan to scan, so blocking the port 192.168.0.5 doesn't work. That's not a TCP command, that's layer-2 ARP traffic, used to map ethernet MAC addresses to IP addresses. Unless you're being scanned from different machines on your LAN, or unless you are scanning from different machines on your LAN, such traffic will only come from the IP of the subnet's router. While you could configure /etc/ethers and disable ARP, frankly, I suspect you are not solving the problem you think you'd be solving. -- -Chuck ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: ct Re: NMAP probing of network ports
On Fri, 16 Sep 2005, Boris Karloff wrote: Ain't you 'sposed to be dead?! Best regards, Chris Fact is solidified opinion. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: ct Re: NMAP probing of network ports
Thank you for your reply. Nmap is generating many tcp commands: arp who-has 192.168.0.x tell 192.168.0.5 where x is an incremented number from 0 through 255. The 192.168.0.5 address changes from scan to scan, so blocking the port 192.168.0.5 doesn't work. This behavior is similar to the W32.Welchia.Worm that plagues windoze boxes. Any thoughts on how to stop replying to this command? Thanks. Harold. >On Fri, Sep 16, 2005 at 07:36:36AM -0500, Boris Karloff wrote: >> It appears that when FreeBSD is sent an invalid packet >> without the SYN or ACK bits set, it responds with a RESET >> reply regardless of the ipfw rules. It appears this is one >> of the things nmap is exploiting. >> >> Any suggestions on how to modify this behavior? > >man blackhole > Upgrade your account today for increased storage; mail forwarding or POP enabled e-mail with automatic virus scanning. Visit http://www.canada.com/email/premiumservices.html for more information. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: ct Re: NMAP probing of network ports
Thank you for your reply. As you can see from my first message, blackhole did not work. Harold On Fri, Sep 16, 2005 at 07:36:36AM -0500, Boris Karloff wrote: > It appears that when FreeBSD is sent an invalid packet > without the SYN or ACK bits set, it responds with a RESET > reply regardless of the ipfw rules. It appears this is one > of the things nmap is exploiting. > > Any suggestions on how to modify this behavior? man blackhole ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]" Upgrade your account today for increased storage; mail forwarding or POP enabled e-mail with automatic virus scanning. Visit http://www.canada.com/email/premiumservices.html for more information. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: ct Re: NMAP probing of network ports
On Fri, Sep 16, 2005 at 07:36:36AM -0500, Boris Karloff wrote: > It appears that when FreeBSD is sent an invalid packet > without the SYN or ACK bits set, it responds with a RESET > reply regardless of the ipfw rules. It appears this is one > of the things nmap is exploiting. > > Any suggestions on how to modify this behavior? man blackhole ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
ct Re: NMAP probing of network ports
>On Thu, Sep 15, 2005 at 01:43:56PM -0500, Boris Karloff wrote: >> Hello: >> >> How do I cause freeBSD 5.4 to not respond to an nmap >> inquiry? I have already tried creating a line in rc.firewall >> that says: >> >> ${fwcmd} deny all from any to any >> ${fwcmd} drop all from any to any >> >> I know these are active, since 1) I see them on the screen >> at startup, and 2) pinging from any computer to any computer >> results in a timeout. >> >> (both of these should drop all TCP packets; but apparently, >> they cause a RESET message to be sent.) >Umm, try putting the drop before the deny. AFAIK, drop just drops >the >packet totally, and deny sends a RST back to the host. That is if >ipfw >works that way (ICBW). You don't need both these lines anyway, only >one >of them. Thank you for your reply. My first message may have been a little misleading. I had tried each line separately (they only differ in the 'deny' and 'drop'). I should have been more clear. I had also restarted the computer between changes, just to be sure. If the two rules were used in a single file, the second line would never be executed; since the first rule would terminate the rule checking; or the second rule would not test true if the first did not, because it is identical to the first. These commands have to be used independently. I meant to imply they were tried separately. It appears that when FreeBSD is sent an invalid packet without the SYN or ACK bits set, it responds with a RESET reply regardless of the ipfw rules. It appears this is one of the things nmap is exploiting. Any suggestions on how to modify this behavior? Thanks. Harold. Upgrade your account today for increased storage; mail forwarding or POP enabled e-mail with automatic virus scanning. Visit http://www.canada.com/email/premiumservices.html for more information. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"