Date: Tue, 17 Dec 2002 09:02:59 -1000
From: Clifton Royston <cliftonr@lava.net>
To: "Robin P. Blanchard" <robin.blanchard@georgiacenter.org>
Cc: stable@freebsd.org
Subject: Re: ipfilter / ipnat quandary
Message-ID: <20021217090259.C17469@lava.net>
In-Reply-To: <bulk.5085.20021217103310@hub.freebsd.org>; from owner-freebsd-stable-digest@FreeBSD.ORG on Tue, Dec 17, 2002 at 10:33:10AM -0800
References: <bulk.5085.20021217103310@hub.freebsd.org>
(This probably belonged on -security or -questions or someplace
else...)
> Date: Mon, 16 Dec 2002 13:55:48 -0500
> From: "Robin P. Blanchard" <robin.blanchard@georgiacenter.org>
> Subject: ipfilter / ipnat quandary
>
> - -STABLE (FreeBSD 4.7-STABLE #0: Mon Nov 25 14:22:58 EST 2002)
> gateway/firewall running:
> # ipf -V
> ipf: IP Filter: v3.4.29 (336)
> Kernel: IP Filter: v3.4.29
> Running: yes
> Log Flags: 0 = none set
> Default: pass all, Logging: available
> Active list: 0
>
>
> The only external port I've allowed in is SSH, yet nmapping the box
> yields a slew of purportedly other open ports.
Look again - it says they are "filtered".
nmap can usually tell the difference between a TCP port that is
closed on the target (returns an RST) and one that is filtered by a
firewall (returns nothing). In fact many of the ports shown as filtered
might not even really be open on your box.
> Have I broken my
> ruleset somewhere? Please advise.
No, it's simply not sophisticated enough for what you want it to do.
...
> (The 1581 ports scanned but not shown below are in state: closed)
> Port       State      Service
> 22/tcp     open       ssh
> 137/tcp    filtered   netbios-ns
...
> 138/tcp    filtered   netbios-dgm
> 139/tcp    filtered   netbios-ssn
> 161/tcp    filtered   snmp
...
Note, for instance, that snmp is (normally) a UDP service, so it's
unlikely you actually have an open TCP port 161; but nmap can see
you're filtering it nonetheless.
ipf does have the ability to more correctly simulate a closed port.
I did a similar exercise on my personal OpenBSD firewall box earlier
this year; I won't go through your whole ruleset, but basically for
every TCP port you block, you need to add a return-rst, and for every
UDP port you block, you need to add return-icmp(port-unr). This
provides a pretty good simulation of a host running no services, if
that's what you want to look like.
-- Clifton
--
Clifton Royston -- LavaNet Systems Architect -- cliftonr@lava.net
"If you ride fast enough, the Specialist can't catch you."
"What's the Specialist?" Samantha says.
"The Specialist wears a hat," says the babysitter. "The hat makes noises."
She doesn't say anything else.
Kelly Link, _The Specialist's Hat_
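[Editor's note: the ruleset below is an added illustration of the
return-rst / return-icmp(port-unr) approach Clifton describes; it is not
Robin's ruleset and not part of the original thread. It assumes the
gateway's external interface is fxp0 and that SSH is the only service
meant to be reachable from outside; adjust both to your box.]

```conf
# /etc/ipf.rules -- added illustration, not the ruleset from the thread.
# Assumes the external interface is fxp0 (an assumption; change it).
# ipf walks the whole list and the LAST matching rule wins unless a rule
# says "quick", so every rule below is "quick" and order is top-down.

# Loopback and outbound: let the gateway itself talk freely, and keep
# state so the replies to its own connections are let back in.
pass in  quick on lo0 all
pass out quick on lo0 all
pass out quick on fxp0 proto tcp  from any to any flags S keep state
pass out quick on fxp0 proto udp  from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# The one service we expose: SSH, new connections only (initial SYN).
pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state

# --- Variant A: what a plain "block in" does ---
# Probes are dropped silently, the scanner times out, and nmap reports
# the port as "filtered" -- which advertises that a firewall is there.
# block in quick on fxp0 all

# --- Variant B: look like a host with no listeners ---
# Blocked TCP probes are answered with a RST, so nmap reports "closed";
# blocked UDP probes get ICMP port-unreachable, exactly what a real
# closed UDP port would send, so nmap -sU reports "closed" as well.
block return-rst            in quick on fxp0 proto tcp from any to any
block return-icmp(port-unr) in quick on fxp0 proto udp from any to any

# Anything else (other IP protocols, fragments) still drops silently.
block in quick on fxp0 all
```

Load it with "ipf -Fa -f /etc/ipf.rules" and re-scan with "nmap -sS" for
TCP and "nmap -sU" for UDP; the netbios and snmp lines from the original
scan should now come back "closed" rather than "filtered". Two caveats
a practitioner should weigh: return-rst/return-icmp make the box answer
every probe, so you trade "obviously firewalled" for "idle host" at the
cost of a packet per probe, and if the filter also fronts NAT'd hosts
behind it, return-icmp(port-unr) sources the ICMP from the firewall's
own address; ipf's return-icmp-as-dest(port-unr) sends it from the
address the probe was aimed at, which is what a real closed port on
that host would look like.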
