Date: Fri, 6 Jul 2001 22:25:37 -0500 (CDT) From: Mike Silbersack <silby@silby.com> To: <appleseed@hushmail.com> Cc: <security@freebsd.org>, <avalon@coombs.anu.edu.au> Subject: Re: Hiding Versions Message-ID: <20010706222359.H18136-100000@achilles.silby.com> In-Reply-To: <200107070319.UAA11446@user7.hushmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 6 Jul 2001 appleseed@hushmail.com wrote: > >wrong. > Okay, I'm running a gateway A. A receives packets incoming > on the internet interface to port 80 and forwards the request > on the condition that its a proper SYN packet with keep-state > enabled disallowing fragmentation etc. Verified, the data > is forwarded via NAT to the internal machine B at port X > assumed to be an integer greater than maximum privledge > port and less than maximum allowed TCP port. > -- request --> [ A:80 .nat.->] ---> [B:X .httpd.] > B's firewall rules verify what the router already knows and > sends back the proper packet. > I've never had nmap verify the OS of a system based on this > setup. Ever. > With all due respect prove me wrong. > northern_ > P.S. I was hoping you would respond the way u did, since, if u > did not we both know i wouldnt be using ipf anymore ;-) There are programs other than nmap, you know. You should be able to determine the OS version of a system by the syn-ack response alone; nmap just likes more info. And your setup seems too clever for it's own good. I doubt you're really protecting anything. Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010706222359.H18136-100000>