Re: ct Re: NMAP probing of network ports

2005-09-19 Thread Alex Zbyslaw

Boris Karloff wrote:

>> Chris wrote:
>>
>>> On Fri, 16 Sep 2005, Boris Karloff wrote:
>>>
>>> Ain't you 'sposed to be dead?!
>>
>> That's Bela Lugosi...
>
> Actually, so is Boris ---

Bela Lugosi famously died in the middle of filming Plan 9 from Outer 
Space (http://www.badmovies.org/movies/plannine/) and is eulogised in a 
Bauhaus song  "Bela Lugosi's Dead" 
(http://www.waste.org/bauhaus/l/belalugosisdead.html)


I imagine the original poster was being tongue in cheek, and so was I, 
if, perhaps, rather obscurely.


--Alex

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: ct Re: NMAP probing of network ports

2005-09-18 Thread Boris Karloff
>Chris wrote:

>> On Fri, 16 Sep 2005, Boris Karloff wrote:
>>
>> Ain't you 'sposed to be dead?!

>That's Bela Lugosi...

>--Alex


Actually, so is Boris ---

My e-mail provider is upgrading the mail server, and
apparently someone either mistyped my name when moving my
account, or one of the employees there is making a joke. I
get that a lot.

I'm working with my e-mail provider now trying to get this
fixed. For some reason, they seem to be a little busy at the
moment -- upgrading an e-mail service isn't simple; and this
has a low priority with them.

I'm actually pleased someone noticed. Thanks guys.

Harold Karloff.

Upgrade your account today for increased storage; mail
forwarding or POP enabled e-mail with automatic virus
scanning. Visit
http://www.canada.com/email/premiumservices.html for more
information.


Re: ct Re: NMAP probing of network ports

2005-09-16 Thread Alex Zbyslaw

Chris wrote:

> On Fri, 16 Sep 2005, Boris Karloff wrote:
>
> Ain't you 'sposed to be dead?!

That's Bela Lugosi...

--Alex



Re: ct Re: NMAP probing of network ports

2005-09-16 Thread Chuck Swiger

Boris Karloff wrote:

> Thank you for your reply.
>
> Nmap is generating many tcp commands:
>
> arp who-has 192.168.0.x tell 192.168.0.5
>
> where x is an incremented number from 0 through 255. The
> 192.168.0.5 address changes from scan to scan, so blocking
> the port 192.168.0.5 doesn't work.


That's not a TCP command, that's layer-2 ARP traffic, used to map ethernet MAC 
addresses to IP addresses.  Unless you're being scanned from different machines 
on your LAN, or unless you are scanning from different machines on your LAN, 
such traffic will only come from the IP of the subnet's router.


While you could configure /etc/ethers and disable ARP, frankly, I suspect you 
are not solving the problem you think you'd be solving.


--
-Chuck
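
An added example, not part of Chuck's reply or of the thread: since the quoted lines are layer-2 ARP requests and the "tell" address changes between scans, one way to spot such a sweep in tcpdump text output is to count distinct "who-has" targets per sender. The function names, the sample capture and the threshold of 32 targets are assumptions made for this illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the tcpdump form quoted in the thread ("arp who-has A tell B") and
# the newer "ARP, Request who-has A tell B, length 28" form.
WHO_HAS = re.compile(r"who-has\s+([0-9.]+)\s+tell\s+([0-9.]+)", re.IGNORECASE)


def parse_arp_requests(lines):
    """Yield (sender, target) address pairs for each ARP request line."""
    for line in lines:
        m = WHO_HAS.search(line)
        if not m:
            continue  # TCP, ARP replies and anything else are ignored
        try:
            target = ipaddress.IPv4Address(m.group(1).rstrip("."))
            sender = ipaddress.IPv4Address(m.group(2).rstrip("."))
        except ipaddress.AddressValueError:
            continue  # malformed address in the capture text
        yield sender, target


def find_arp_sweeps(lines, min_targets=32):
    """Return {sender: distinct targets} for senders asking for many addresses.

    Keyed on behaviour, not on a fixed address, because the "tell" address
    reported in the thread changes from scan to scan.
    """
    seen = defaultdict(set)
    for sender, target in parse_arp_requests(lines):
        seen[sender].add(target)
    return {str(s): len(t) for s, t in seen.items() if len(t) >= min_targets}


# Constructed sample capture: two sweeps from different addresses, one host
# repeatedly resolving its gateway, and one unrelated TCP line.
SAMPLE = (
    [f"arp who-has 192.168.0.{x} tell 192.168.0.5" for x in range(256)]
    + [f"ARP, Request who-has 192.168.0.{x} tell 192.168.0.9, length 28"
       for x in range(256)]
    + ["arp who-has 192.168.0.1 tell 192.168.0.20"] * 40
    + ["IP 192.168.0.20.51000 > 192.168.0.1.80: Flags [S], length 0"]
)

if __name__ == "__main__":
    for sender, count in find_arp_sweeps(SAMPLE).items():
        print(f"possible ARP sweep: {sender} asked for {count} addresses")
```

The host that resolves its gateway 40 times is not flagged, because repeated requests for one address count as a single distinct target.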



Re: ct Re: NMAP probing of network ports

2005-09-16 Thread Chris

On Fri, 16 Sep 2005, Boris Karloff wrote:

Ain't you 'sposed to be dead?!

Best regards,
Chris

Fact is solidified opinion.


Re: ct Re: NMAP probing of network ports

2005-09-16 Thread Boris Karloff
Thank you for your reply.

Nmap is generating many tcp commands:

arp who-has 192.168.0.x tell 192.168.0.5 

where x is an incremented number from 0 through 255. The
192.168.0.5 address changes from scan to scan, so blocking
the port 192.168.0.5 doesn't work. 

This behavior is similar to the W32.Welchia.Worm that
plagues windoze boxes. 

Any thoughts on how to stop replying to this command?

Thanks.
Harold.

>On Fri, Sep 16, 2005 at 07:36:36AM -0500, Boris Karloff wrote:
>> It appears that when FreeBSD is sent an invalid packet
>> without the SYN or ACK bits set, it responds with a RESET
>> reply regardless of the ipfw rules. It appears this is one
>> of the things nmap is exploiting.
>> 
>> Any suggestions on how to modify this behavior?
>
>man blackhole
>



Re: ct Re: NMAP probing of network ports

2005-09-16 Thread Boris Karloff
Thank you for your reply.

As you can see from my first message, blackhole did not
work.

Harold

On Fri, Sep 16, 2005 at 07:36:36AM -0500, Boris Karloff wrote:
> It appears that when FreeBSD is sent an invalid packet
> without the SYN or ACK bits set, it responds with a RESET
> reply regardless of the ipfw rules. It appears this is one
> of the things nmap is exploiting.
> 
> Any suggestions on how to modify this behavior?

man blackhole


Re: ct Re: NMAP probing of network ports

2005-09-16 Thread Bob Hall
On Fri, Sep 16, 2005 at 07:36:36AM -0500, Boris Karloff wrote:
> It appears that when FreeBSD is sent an invalid packet
> without the SYN or ACK bits set, it responds with a RESET
> reply regardless of the ipfw rules. It appears this is one
> of the things nmap is exploiting.
> 
> Any suggestions on how to modify this behavior?

man blackhole


ct Re: NMAP probing of network ports

2005-09-16 Thread Boris Karloff
>On Thu, Sep 15, 2005 at 01:43:56PM -0500, Boris Karloff wrote:
>> Hello:
>> 
>> How do I cause freeBSD 5.4 to not respond to an nmap
>> inquiry? I have already tried creating a line in rc.firewall
>> that says: 
>> 
>> ${fwcmd} deny all from any to any
>> ${fwcmd} drop all from any to any
>> 
>> I know these are active, since 1) I see them on the screen
>> at startup, and 2) pinging from any computer to any computer
>> results in a timeout.
>> 
>> (both of these should drop all TCP packets; but apparently,
>> they cause a RESET message to be sent.)
>
>Umm, try putting the drop before the deny.  AFAIK, drop just drops the
>packet totally, and deny sends a RST back to the host.  That is if ipfw
>works that way (ICBW). You don't need both these lines anyway, only one
>of them.


Thank you for your reply. My first message may have been a
little misleading. I had tried each line separately (they
only differ in the 'deny' and 'drop'). I should have been
more clear. I had also restarted the computer between
changes, just to be sure.

If the two rules were used in a single file, the second line
would never be executed; since the first rule would
terminate the rule checking; or the second rule would not
test true if the first did not, because it is identical to
the first. These commands have to be used independently. I
meant to imply they were tried separately.

It appears that when FreeBSD is sent an invalid packet
without the SYN or ACK bits set, it responds with a RESET
reply regardless of the ipfw rules. It appears this is one
of the things nmap is exploiting.

Any suggestions on how to modify this behavior?

Thanks.

Harold.
