From owner-freebsd-pf@FreeBSD.ORG Sun Oct 4 01:40:15 2009
From: "Luiz Gustavo S. Costa"
To: Scott Ullrich
Cc: freebsd-pf@freebsd.org
Date: Sat, 3 Oct 2009 22:40:13 -0300
Subject: Re: altq over vlan: patch exists ?
Message-ID: <772ca7d0910031840g10fe62e8x3855bf4f92e580f8@mail.gmail.com>
References: <772ca7d0909241942n5ce78cc9sd9855bdd4c1e9c26@mail.gmail.com> <772ca7d0910031229w6c395db3x7cde66029ec6c5cf@mail.gmail.com>

Thanks Scott!!! And thanks for the work on pfSense!

but.... what is the reason this is not in production on FreeBSD?

2009/10/3 Scott Ullrich:
> On Sat, Oct 3, 2009 at 3:29 PM, Luiz Gustavo S. Costa wrote:
>> Hi guys,
>>
>> The configuration of Altq on one VLAN interface is working on OpenBSD and
>> DragonFlyBSD, but not on FreeBSD!
>>
>> Does any patch exist for this? Or... why is it not working? Any reason?
>
> http://cvs.pfsense.org/~sullrich/altq_if_vlan.c.diff
>
> But this assumes you know why you want to use this.  Max has spoken on
> this topic quite a bit in the archives.
>
> Scott

-- 
Luiz Gustavo Costa (Powered by BSD)
*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
mundoUnix - Consultoria em Software Livre
http://www.mundounix.com.br
ICQ: 2890831 / MSN: contato@mundounix.com.br
Blog: http://www.luizgustavo.pro.br

From owner-freebsd-pf@FreeBSD.ORG Sun Oct 4 03:50:02 2009
From: Scott Ullrich
To: "Luiz Gustavo S. Costa"
Cc: freebsd-pf@freebsd.org
Date: Sat, 3 Oct 2009 23:49:41 -0400
Subject: Re: altq over vlan: patch exists ?
In-Reply-To: <772ca7d0910031840g10fe62e8x3855bf4f92e580f8@mail.gmail.com>
References: <772ca7d0909241942n5ce78cc9sd9855bdd4c1e9c26@mail.gmail.com> <772ca7d0910031229w6c395db3x7cde66029ec6c5cf@mail.gmail.com> <772ca7d0910031840g10fe62e8x3855bf4f92e580f8@mail.gmail.com>

On Sat, Oct 3, 2009 at 9:40 PM, Luiz Gustavo S. Costa wrote:
> but.... what is the reason this is not in production on FreeBSD?

That is the part I was speaking of. :)  Max has outlined why this patch
is not in production and it boils down to being used incorrectly, I think.

Scott

From owner-freebsd-pf@FreeBSD.ORG Mon Oct 5 11:06:58 2009
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 5 Oct 2009 11:06:57 GMT
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-Id: <200910051106.n95B6v67088756@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

36 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Oct 5 19:20:42 2009
From: it85@inbox.lv
To: freebsd-pf@freebsd.org
Date: Mon, 05 Oct 2009 22:01:20 +0300
Subject: PF and HFSC
Message-ID: <1254769280.4aca428097378@mail.inbox.lv>

Hello,

I'm interested in PF and HFSC. There is one limit in HFSC - classes, of
which there are only 64. So I am interested: why 64? Can you tell me why it
is so, or is there some information about that? I want to find this out.
Maybe I can write about that research and find out why and how to improve
this algorithm?

Ilvars

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 6 09:13:08 2009
From: Gaurav Ghimire
Reply-To: gaurav@subisu.net.np
To: Kevin
Cc: freebsd-pf@freebsd.org
Date: Tue, 06 Oct 2009 14:57:54 +0545
Subject: Re: Packet Filter alerting system.
Message-ID: <4ACB0A16.4000806@subisu.net.np>
In-Reply-To: <020001ca381e$4b8bade0$e2a309a0$@com>
References: <4AADC15B.5060501@subisu.net.np> <4AAFE24A.2040602@uffner.com> <020001ca381e$4b8bade0$e2a309a0$@com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kevin wrote:
>> Gaurav Ghimire wrote:
>>> Just curious to know if we have something, some alerting system or
>>> mechanism that provides the administrator with the daily reports that
>>> pf itself or some other tool collects on pf's behalf.
>>>
>>> That probably reports to the admin:
>>> ~ Total connection counts matched on each ruleset.
>>> ~ Total number of counts matched on deny rules.
>>
>> /etc/periodic/security/520.pfdenied
>>
>> it should be enabled by default if you haven't done anything unnatural
>> to the /etc/periodic system
>>
>>> ~ IP/Port attack logs and relatives.
>>
>> only if you specify "log" in one or more of your pf rules, in which
>> case you will find it in /var/log/pflog, /var/log/pflog.?.bz2, and
>> /var/log/pf.{today,yesterday}
>>
>> tom
>
> I wrote a script that compiles a daily report on any pf table based
> threshold breaches -- something that could be modified to produce many
> different types of daily pf based reports:
>
> http://blog.stardothosting.com/2009/08/12/freebsd-pf-packet-filter-shell-script-to-report-on-hacking-attempts/
>
> Something to look at anyways.

Hi all,

Thanks for all your help. After a few workarounds I managed to get what I
required. I wrote a script to get an easy-to-read report on all the traffic
matching the block rule in my pf. The script could be modified to get
reports on other specific rulesets you intend to; however, for that to work
you might have to define another logging interface using pflogd and slap it
onto the rules you want to get reports on. Here it is if you guys want to
have a look:

http://nixify.blogspot.com/2009/10/getting-reports-on-intrusion-attempts.html

Regards,
- --
Gaurav Ghimire
System Administrator
Subisu Cablenet (P.) Ltd.
148 Thirbum Sadak
Baluwatar, Kathmandu
Nepal
http://www.subisu.net.np
(An ISO 9001:2000 Certified Company)

- --
Gaurav Ghimire
System Administrator
Subisu Cablenet (P.) Ltd.
148 Thirbum Sadak
Baluwatar, Kathmandu
Nepal
T: 00977 1 4429616/17 Ext.: 110
F: 00977 1 4430572
http://www.subisu.net.np
(An ISO 9001:2000 Certified Company)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkrLChIACgkQnfv7imVnL2tV7ACglNlu13pvAchgHAkYE5zE7cD2
KYAAnj5aDhKy2Olq3/d+i6h1hhx4DEOp
=Zs9B
-----END PGP SIGNATURE-----

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 6 13:30:45 2009
From: Nico De Dobbeleer
To: freebsd-pf@freebsd.org
Date: Tue, 6 Oct 2009 15:14:53 +0200 (CEST)
Subject: Re: freebsd-pf Stealth Modus
Message-ID: <6422287.58441254834893591.JavaMail.root@zimbra-store>
In-Reply-To: <20091006120027.160901065786@hub.freebsd.org>

Hello,

I just finished installing FreeBSD 7.x with pf in transparent bridging
mode, as the servers behind the firewall need to have a public IP address.
Now everything is working fine and the FW is doing its job as it should.
When I nmap the FW I see the open ports and closed ports. Is there a way to
get the FW running in stealth mode so that it isn't possible anymore with
nmap or any other scanning tool to see the open or closed ports? When I
look around I hear rumours that there's something like blackhole that can
be added in the sysctl. Anyone an idea?

Kind regards,

Nico

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 6 15:49:52 2009
From: "Helmut Schneider"
To: "Nico De Dobbeleer"
Date: Tue, 6 Oct 2009 17:23:09 +0200
Subject: Re: freebsd-pf Stealth Modus
Message-ID: <49F0693DC96541B4B9D7B61599A12CA4@vpe.de>
References: <6422287.58441254834893591.JavaMail.root@zimbra-store>

From: "Nico De Dobbeleer"
> I just finished installing FreeBSD 7.x with pf in transparent bridging
> mode, as the servers behind the firewall need to have a public IP
> address. Now everything is working fine and the FW is doing its job as
> it should. When I nmap the FW I see the open ports and closed ports.
> Is there a way to get the FW running in stealth mode so that it isn't
> possible anymore with nmap or any other scanning tool to see the open or
> closed ports?

There is no "stealth". If a service responds to a request the port is
"open". If not it's closed.

Helmut

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 6 16:43:59 2009
From: "文鳥"
To: "Helmut Schneider"
Cc: Nico De Dobbeleer, freebsd-pf@freebsd.org
Date: Tue, 6 Oct 2009 18:22:41 +0200
Subject: Re: freebsd-pf Stealth Modus
Message-ID: <20091006182241.79d16c8c@centaur.5550h.net>
In-Reply-To: <49F0693DC96541B4B9D7B61599A12CA4@vpe.de>
References: <6422287.58441254834893591.JavaMail.root@zimbra-store> <49F0693DC96541B4B9D7B61599A12CA4@vpe.de>

On Tue, 6 Oct 2009 17:23:09 +0200
"Helmut Schneider" wrote:

> From: "Nico De Dobbeleer"
> > I just finished installing FreeBSD 7.x with pf in transparent
> > bridging mode, as the servers behind the firewall need to have a
> > public IP address. Now everything is working fine and the FW is
> > doing its job as it should. When I nmap the FW I see the open
> > ports and closed ports. Is there a way to get the FW running in
> > stealth mode so that it isn't possible anymore with nmap or any other
> > scanning tool to see the open or closed ports?
>
> There is no "stealth". If a service responds to a request the port is
> "open". If not it's closed.
>
> Helmut

There is: just use "block drop" in your pf config or "set block-policy
drop" (see man 5 pf.conf). This effectively stops sending TCP RST or UDP
unreach packets.
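The two threads above meet at one point a defender cares about: with `set block-policy drop` (or a `block drop` rule) the prober gets no TCP RST or ICMP unreachable back, so the only place the probe shows up is the pflog entry written for rules carrying `log`. The script below is an added example, not part of this list archive and not the script from Gaurav's or Kevin's blog post. It reads the lines that `tcpdump -n -e -ttt -r /var/log/pflog` prints and produces the kind of daily report the "Packet Filter alerting system" thread asks for: blocked inbound packets per source, per destination port, and the sources over a threshold. The sample log lines, the RFC 5737 addresses, the interface name `em0` and the threshold of 3 are all constructed for the example.

```shell
#!/bin/sh
# Summarise pf "block ... log" hits from pflog as a defender's daily report.
# Input: lines as printed by   tcpdump -n -e -ttt -r /var/log/pflog   e.g.
#   00:00:00.000000 rule 2/0(match): block in on em0: SRC.sport > DST.dport: ...
# Rules that produce such lines look like this in pf.conf (assumed setup):
#   set block-policy drop        # no RST / ICMP unreachable to the prober ...
#   block in log on em0 all      # ... but every dropped packet is logged
#   pass in on em0 proto tcp to port 80

# Constructed sample input (not real traffic); addresses are documentation ranges.
SAMPLE_PFLOG='00:00:00.000000 rule 2/0(match): block in on em0: 203.0.113.5.51234 > 198.51.100.10.22: Flags [S], seq 1, win 65535, length 0
00:00:00.000412 rule 2/0(match): block in on em0: 203.0.113.5.51235 > 198.51.100.10.23: Flags [S], seq 1, win 65535, length 0
00:00:00.000933 rule 2/0(match): block in on em0: 203.0.113.5.51236 > 198.51.100.10.3389: Flags [S], seq 1, win 65535, length 0
00:00:01.120000 rule 2/0(match): block in on em0: 198.51.100.77.40001 > 198.51.100.10.22: Flags [S], seq 1, win 65535, length 0
00:00:02.500000 rule 2/0(match): block in on em0: 203.0.113.9.5000 > 198.51.100.10.53: 1234+ A? example.com. (29)
00:00:03.000000 rule 7/0(match): pass in on em0: 192.0.2.20.33000 > 198.51.100.10.80: Flags [S], seq 1, win 65535, length 0
00:00:04.000000 rule 2/0(match): block out on em0: 198.51.100.10.44444 > 203.0.113.5.22: Flags [S], seq 1, win 65535, length 0'

# Emit "source-host dest-port" for every logged packet that was blocked inbound.
# "pass" entries and outbound blocks are skipped; lines without the pflog
# "rule N/M(match): action dir on if:" prefix are ignored.
pflog_blocked_inbound() {
    awk '
    {
        for (i = 1; i <= NF; i++) if ($i == "rule") break
        if (i + 8 > NF) next                        # no pflog prefix here
        if ($(i + 2) != "block" || $(i + 3) != "in") next
        src = $(i + 6); dst = $(i + 8)
        sub(/:$/, "", dst)                          # "host.port:" -> "host.port"
        sub(/\.[0-9]+$/, "", src)                   # drop source port, keep host
        sub(/^.*\./, "", dst)                       # keep destination port only
        print src, dst
    }'
}

# "count source" lines, busiest source first.
pflog_blocked_sources() {
    pflog_blocked_inbound |
        awk '{ n[$1]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# "count port" lines, most-probed destination port first.
pflog_blocked_ports() {
    pflog_blocked_inbound |
        awk '{ n[$2]++ } END { for (p in n) print n[p], p }' | sort -rn
}

# "source count" for sources at or above the threshold in $1: the
# "threshold breach" list a daily report would flag for a closer look.
pflog_over_threshold() {
    pflog_blocked_sources | awk -v t="$1" '$1 >= t + 0 { print $2, $1 }'
}

# Full report from stdin; the threshold defaults to 3 (an assumed value).
pflog_report() {
    data=$(cat)
    echo "== blocked inbound packets by source =="
    printf '%s\n' "$data" | pflog_blocked_sources
    echo "== blocked inbound packets by destination port =="
    printf '%s\n' "$data" | pflog_blocked_ports
    echo "== sources with at least ${1:-3} blocked packets =="
    printf '%s\n' "$data" | pflog_over_threshold "${1:-3}"
}

# Demo on the constructed sample. For real data replace this line with
#   tcpdump -n -e -ttt -r /var/log/pflog | pflog_report 3
printf '%s\n' "$SAMPLE_PFLOG" | pflog_report 3
```

The parser locates the `rule` token instead of relying on fixed field positions, so it survives the different timestamp formats tcpdump prints with `-ttt` versus `-tttt`, and it takes the port from after the last dot, which also works for the `host.port` form tcpdump uses for IPv6. On the sample it reports 203.0.113.5 with 3 blocked packets and port 22 as the most-probed port, while the `pass` line and the outbound block are left out.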
From owner-freebsd-pf@FreeBSD.ORG Tue Oct 6 18:51:30 2009 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 62E33106568D for ; Tue, 6 Oct 2009 18:51:30 +0000 (UTC) (envelope-from gofdp-freebsd-pf@m.gmane.org) Received: from lo.gmane.org (lo.gmane.org [80.91.229.12]) by mx1.freebsd.org (Postfix) with ESMTP id 19B368FC1A for ; Tue, 6 Oct 2009 18:51:29 +0000 (UTC) Received: from list by lo.gmane.org with local (Exim 4.50) id 1MvEmU-0003yg-Bj for freebsd-pf@freebsd.org; Tue, 06 Oct 2009 20:29:02 +0200 Received: from p5798ae1e.dip.t-dialin.net ([87.152.174.30]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Tue, 06 Oct 2009 20:29:02 +0200 Received: from jumper99 by p5798ae1e.dip.t-dialin.net with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Tue, 06 Oct 2009 20:29:02 +0200 X-Injected-Via-Gmane: http://gmane.org/ To: freebsd-pf@freebsd.org From: "Helmut Schneider" Date: Tue, 6 Oct 2009 20:28:33 +0200 Lines: 32 Message-ID: References: <6422287.58441254834893591.JavaMail.root@zimbra-store><49F0693DC96541B4B9D7B61599A12CA4@vpe.de> <20091006182241.79d16c8c@centaur.5550h.net> Mime-Version: 1.0 Content-Type: text/plain; format=flowed; charset="UTF-8"; reply-type=original Content-Transfer-Encoding: 8bit X-Complaints-To: usenet@ger.gmane.org X-Gmane-NNTP-Posting-Host: p5798ae1e.dip.t-dialin.net X-MSMail-Priority: Normal X-Newsreader: vi with a tiny GUI... X-MimeOLE: Huh, what?! 
Sender: news Subject: Re: freebsd-pf Stealth Modus X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Oct 2009 18:51:30 -0000 文鳥 wrote: > On Tue, 6 Oct 2009 17:23:09 +0200 > "Helmut Schneider" wrote: > >> From: "Nico De Dobbeleer" >>> I just finished installing FreeBSD 7.x with pf in transparant >>> bridging mode as the servers behind the firewall need to have an >>> public ipaddress. Now is everything working fine and the FW is >>> doing his job as it should be. When I nmap the FW I see the open >>> ports and closed ports. Is there a way the get the FW running in >>> stealth mode so that isn't possible anymore with nmap or any other >>> scanning tool to see the open or closed ports? >> >> There is no "stealth". If a service responds to a request the port is >> "open". If not it's closed. > > There is: just use "block drop" in your pf config or "set block-policy > drop" (see man 5 pf.conf). This effectively stops sending TCP RST or > UDP unreach packets. Consider a webserver where you pass HTTP and "block drop" SSH. 1 port is open -> host not "stealth". But even if you "block drop" all incoming traffic to a host, if a host is really down (and therefore stealth) the hosts' gateway would send an ICMP type 3 packet (until you didn't cripple ICMP as well). While sometimes it might be useful to "block drop" it has nothing to do with being "stealth". 
Helmut From owner-freebsd-pf@FreeBSD.ORG Tue Oct 6 19:09:18 2009 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D46891065676 for ; Tue, 6 Oct 2009 19:09:18 +0000 (UTC) (envelope-from bunchou@googlemail.com) Received: from mail-bw0-f227.google.com (mail-bw0-f227.google.com [209.85.218.227]) by mx1.freebsd.org (Postfix) with ESMTP id 5A7878FC15 for ; Tue, 6 Oct 2009 19:09:17 +0000 (UTC) Received: by bwz27 with SMTP id 27so3297899bwz.43 for ; Tue, 06 Oct 2009 12:09:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:received:received:date:from:to:cc:subject :message-id:in-reply-to:references:x-mailer:mime-version :content-type:content-transfer-encoding; bh=TIKjIdVSFTUhKUbgdAPfUNL75SqM7Juxfmo2a40wKsw=; b=b6jvbGqBX9HTcM+q103Sjsb59Jg82rk47rgutFm/e3PMt1jgLTb9wynx/pEMZ0u3uX nTg+sHU6rR/hj/4D89dBbFyW3M4ID7g0PNFg6IcmmZLv3K69nNpyQIr8OinLHNcsd62Y KOUzKGZhlPJD9zA4NqXk7RhGJ6eYIQ2/YLJHI= DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=date:from:to:cc:subject:message-id:in-reply-to:references:x-mailer :mime-version:content-type:content-transfer-encoding; b=ckMKUaK3DGdykczr3MUQBLchf5gZVOJnj4kWUIU93URORH8UUGCZ8Q/5bdqE6Q2xpn B4pY8H+CyPEMWrMcbmoQSmdNctiD4R2Y2f244LXS7Y0FWmJmQLz/2aCpBghw4cr1brsL qJdqP9Il+Py1Z4NpEFBSkgfRAL04AnjoaR5nc= Received: by 10.102.248.14 with SMTP id v14mr550556muh.74.1254856156326; Tue, 06 Oct 2009 12:09:16 -0700 (PDT) Received: from centaur.5550h.net ([93.216.234.69]) by mx.google.com with ESMTPS id j10sm35845mue.14.2009.10.06.12.09.14 (version=SSLv3 cipher=RC4-MD5); Tue, 06 Oct 2009 12:09:15 -0700 (PDT) Date: Tue, 6 Oct 2009 21:09:12 +0200 From: "=?UTF-8?B?5paH6bOl?=" To: "Helmut Schneider" Message-ID: <20091006210912.379434eb@centaur.5550h.net> In-Reply-To: References: <6422287.58441254834893591.JavaMail.root@zimbra-store> 
<49F0693DC96541B4B9D7B61599A12CA4@vpe.de> <20091006182241.79d16c8c@centaur.5550h.net> X-Mailer: Claws Mail 3.7.2 (GTK+ 2.16.6; amd64-portbld-freebsd8.0) Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-pf@freebsd.org Subject: Re: freebsd-pf Stealth Modus X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Oct 2009 19:09:19 -0000 On Tue, 6 Oct 2009 20:28:33 +0200 "Helmut Schneider" wrote: > =E6=96=87=E9=B3=A5 wrote: > > On Tue, 6 Oct 2009 17:23:09 +0200 > > "Helmut Schneider" wrote: > > > >> From: "Nico De Dobbeleer" > >>> I just finished installing FreeBSD 7.x with pf in transparant > >>> bridging mode as the servers behind the firewall need to have an > >>> public ipaddress. Now is everything working fine and the FW is > >>> doing his job as it should be. When I nmap the FW I see the open > >>> ports and closed ports. Is there a way the get the FW running in > >>> stealth mode so that isn't possible anymore with nmap or any other > >>> scanning tool to see the open or closed ports? > >> > >> There is no "stealth". If a service responds to a request the port > >> is "open". If not it's closed. > > > > There is: just use "block drop" in your pf config or "set > > block-policy drop" (see man 5 pf.conf). This effectively stops > > sending TCP RST or UDP unreach packets. >=20 > Consider a webserver where you pass HTTP and "block drop" SSH. 1 port > is open -> host not "stealth". >=20 > But even if you "block drop" all incoming traffic to a host, if a > host is really down (and therefore stealth) the hosts' gateway would > send an ICMP type 3 packet (until you didn't cripple ICMP as well). >=20 > While sometimes it might be useful to "block drop" it has nothing to > do with being "stealth". 
>=20 > Helmut=20 Not replying to a probe in the mentioned way is exactly what is commonly referred to as "stealth mode" by consumer firewalls. Just try a simple google search for "stealth firewall" and you will see. Besides, if only a few (uncommon) ports are open, a limited scan is unlikely to find them, thus calling it "stealth" (aka "low observability" according to wikipedia) is appropriate imho. There is a difference between stealth and invisibility. From owner-freebsd-pf@FreeBSD.ORG Wed Oct 7 09:42:51 2009 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 33A72106568D for ; Wed, 7 Oct 2009 09:42:51 +0000 (UTC) (envelope-from gofdp-freebsd-pf@m.gmane.org) Received: from lo.gmane.org (lo.gmane.org [80.91.229.12]) by mx1.freebsd.org (Postfix) with ESMTP id B555F8FC17 for ; Wed, 7 Oct 2009 09:42:50 +0000 (UTC) Received: from list by lo.gmane.org with local (Exim 4.50) id 1MvT2E-0005i6-2A for freebsd-pf@freebsd.org; Wed, 07 Oct 2009 11:42:14 +0200 Received: from 91.205.197.96 ([91.205.197.96]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Wed, 07 Oct 2009 11:42:14 +0200 Received: from jumper99 by 91.205.197.96 with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Wed, 07 Oct 2009 11:42:14 +0200 X-Injected-Via-Gmane: http://gmane.org/ To: freebsd-pf@freebsd.org From: "Helmut Schneider" Date: Wed, 7 Oct 2009 11:40:36 +0200 Lines: 44 Message-ID: References: <6422287.58441254834893591.JavaMail.root@zimbra-store><49F0693DC96541B4B9D7B61599A12CA4@vpe.de><20091006182241.79d16c8c@centaur.5550h.net> <20091006210912.379434eb@centaur.5550h.net> Mime-Version: 1.0 Content-Type: text/plain; format=flowed; charset="UTF-8"; reply-type=original Content-Transfer-Encoding: 8bit X-Complaints-To: usenet@ger.gmane.org X-Gmane-NNTP-Posting-Host: 91.205.197.96 X-MSMail-Priority: Normal X-Newsreader: vi with a tiny little GUI X-MimeOLE: 
Subject: Re: freebsd-pf Stealth Modus

文鳥 wrote:
> On Tue, 6 Oct 2009 20:28:33 +0200 "Helmut Schneider" wrote:
>
>> 文鳥 wrote:
>>> On Tue, 6 Oct 2009 17:23:09 +0200 "Helmut Schneider" wrote:
>>>
>>>> From: "Nico De Dobbeleer"
>>>>> I just finished installing FreeBSD 7.x with pf in transparent bridging mode as the servers behind the firewall need to have a public IP address. Now everything is working fine and the FW is doing its job as it should be. When I nmap the FW I see the open ports and closed ports. Is there a way to get the FW running in stealth mode so that it isn't possible anymore with nmap or any other scanning tool to see the open or closed ports?
>>>>
>>>> There is no "stealth". If a service responds to a request the port is "open". If not it's closed.
>>>
>>> There is: just use "block drop" in your pf config or "set block-policy drop" (see man 5 pf.conf). This effectively stops sending TCP RST or UDP unreach packets.
>>
>> Consider a webserver where you pass HTTP and "block drop" SSH. 1 port is open -> host not "stealth".
>>
>> But even if you "block drop" all incoming traffic to a host, if a host is really down (and therefore stealth) the host's gateway would send an ICMP type 3 packet (unless you cripple ICMP as well).
>>
>> While sometimes it might be useful to "block drop" it has nothing to do with being "stealth".
>
> Not replying to a probe in the mentioned way is exactly what is commonly referred to as "stealth mode" by consumer firewalls. Just try a simple Google search for "stealth firewall" and you will see.

I know the term "stealth firewall" very well.
It's a worthless marketing buzzword. It suggests to users that it could prevent an attack or even the scan itself. Neither is correct. This is what I wanted to point out and I was encouraged by the fact that the OP was talking about "stealthing" open ports.

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 7 14:10:29 2009
Date: Wed, 7 Oct 2009 16:10:19 +0200 (CEST)
From: Nico De Dobbeleer
To: freebsd-pf@freebsd.org
Subject: Re: freebsd-pf Digest, Vol 263, Issue 3
Already many thanks for the info. I've already added the "set block-policy drop". I've done an nmap and it's apparently able to find out the setting below of my pf FW:

MAC Address: 00:0E:2E:xx:xx:xx (Edimax Technology Co.)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: FreeBSD 7.X
OS details: FreeBSD 7.1-PRERELEASE
Uptime guess: 0.000 days (since Wed Oct 07 16:02:00 2009)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: FreeBSD

Is there a way to block this info?

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 7 15:11:39 2009
Date: Wed, 7 Oct 2009 17:11:33 +0200
From: 文鳥
To: "Helmut Schneider"
Cc: freebsd-pf@freebsd.org
Subject: Re: freebsd-pf Stealth Modus
On Wed, 7 Oct 2009 11:40:36 +0200 "Helmut Schneider" wrote:

> 文鳥 wrote:
> > On Tue, 6 Oct 2009 20:28:33 +0200 "Helmut Schneider" wrote:
> >
> >> 文鳥 wrote:
> >>> On Tue, 6 Oct 2009 17:23:09 +0200 "Helmut Schneider" wrote:
> >>>
> >>>> From: "Nico De Dobbeleer"
> >>>>> I just finished installing FreeBSD 7.x with pf in transparent bridging mode as the servers behind the firewall need to have a public IP address. Now everything is working fine and the FW is doing its job as it should be. When I nmap the FW I see the open ports and closed ports. Is there a way to get the FW running in stealth mode so that it isn't possible anymore with nmap or any other scanning tool to see the open or closed ports?
> >>>>
> >>>> There is no "stealth". If a service responds to a request the port is "open". If not it's closed.
> >>>
> >>> There is: just use "block drop" in your pf config or "set block-policy drop" (see man 5 pf.conf). This effectively stops sending TCP RST or UDP unreach packets.
> >>
> >> Consider a webserver where you pass HTTP and "block drop" SSH. 1 port is open -> host not "stealth".
> >>
> >> But even if you "block drop" all incoming traffic to a host, if a host is really down (and therefore stealth) the host's gateway would send an ICMP type 3 packet (unless you cripple ICMP as well).
> >>
> >> While sometimes it might be useful to "block drop" it has nothing to do with being "stealth".
> >
> > Not replying to a probe in the mentioned way is exactly what is commonly referred to as "stealth mode" by consumer firewalls.
> > Just try a simple Google search for "stealth firewall" and you will see.
>
> I know the term "stealth firewall" very well. It's a worthless marketing buzzword. It suggests to users that it could prevent an attack or even the scan itself. Neither is correct. This is what I wanted to point out and I was encouraged by the fact that the OP was talking about "stealthing" open ports.

Ok, I totally agree with your reasoning when it comes to the open ports and useless marketing hype. Nevertheless, I think that the word "stealth" fits very well in the case of closed ports as it makes it a (slight) bit harder to find out if a host is up or not.

Anyway, even if the OP's mail was a bit misleading, I think it would have helped him more if you had just explained what 'stealth' actually means and why, and steered him in the right direction in addition to what you wrote. And it would also have prevented this prolonged and utterly useless discussion we were leading ;)

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 7 15:48:51 2009
Date: Wed, 7 Oct 2009 17:48:46 +0200
From: 文鳥
To: Nico De Dobbeleer
Cc: freebsd-pf@freebsd.org
Subject: Re: freebsd-pf Digest, Vol 263, Issue 3

> Already many thanks for the info. I've already added the "set block-policy drop". I've done an nmap and it's apparently able to find out the setting below of my pf FW:
>
> MAC Address: 00:0E:2E:xx:xx:xx (Edimax Technology Co.)
> Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
> Device type: general purpose
> Running: FreeBSD 7.X
> OS details: FreeBSD 7.1-PRERELEASE
> Uptime guess: 0.000 days (since Wed Oct 07 16:02:00 2009)
> Network Distance: 1 hop
> TCP Sequence Prediction: Difficulty=260 (Good luck!)
> IP ID Sequence Generation: Incremental
> Service Info: OS: FreeBSD
>
> Is there a way to block this info?

Possible, but may be disruptive to your networking, depending on your network environment and what you block. As I know nothing about your setup or pf.conf, and thus cannot tell you anything more specific, I will just explain what you can do to investigate and reduce the flow of data, but from there on you're on your own.

First of all, check what ICMP messages come through and consider blocking these (take a look at the relevant RFCs first, though).

Secondly, you can capture the data that nmap sends and the other end's replies using tcpdump, wireshark, whatever. Of interest are the responses you actually get from the scanned host. Find out what protocols those responses belong to (google, etc.), decide whether it is worthwhile to block that data and, finally, check 'man pf.conf' to see how to do just that.

BTW: please limit the amount of text you quote.
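The capture-and-inspect step described in the reply above, as an added example that is not code from the list or from pf: it parses tcpdump -n output (the capture lines, the scanner address 10.0.0.7 and the target address 10.0.0.50 are constructed for the example) and records, for each port the scanner probed, whether the host answered with SYN/ACK, RST, an ICMP unreachable or nothing at all, which is what a scanner reports as open, closed or filtered. The summary makes Helmut's point concrete: any reply at all, an RST from a "closed" port included, confirms the host is up.

```python
#!/usr/bin/env python3
"""Classify, per probed port, what a scanned host gave away during a port scan.

Added example for the capture-and-inspect step suggested in the reply above; it
is not code from the list or from pf. Assumed capture command (standard tcpdump
options): tcpdump -n -i em0 host <scanner-ip>. The scanner address (10.0.0.7),
the target address (10.0.0.50) and the capture lines are constructed.
"""
import re

# tcpdump -n prints a TCP segment as "IP a.b.c.d.sport > e.f.g.h.dport: Flags [..]"
# and a port-unreachable as "IP a.b.c.d > e.f.g.h: ICMP a.b.c.d tcp port N unreachable".
TCP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")
ICMP_UNREACH_RE = re.compile(
    r"IP (\S+) > (\S+): ICMP (\S+) (tcp|udp) port (\d+) unreachable")

# Constructed capture: 10.0.0.7 sends one SYN to each of four ports on 10.0.0.50.
SAMPLE_CAPTURE = """\
16:02:01.000100 IP 10.0.0.7.40001 > 10.0.0.50.80: Flags [S], seq 1, win 1024, length 0
16:02:01.000300 IP 10.0.0.50.80 > 10.0.0.7.40001: Flags [S.], seq 9, ack 2, win 65535, length 0
16:02:01.000400 IP 10.0.0.7.40001 > 10.0.0.50.80: Flags [R], seq 2, win 0, length 0
16:02:01.001100 IP 10.0.0.7.40002 > 10.0.0.50.22: Flags [S], seq 1, win 1024, length 0
16:02:01.001300 IP 10.0.0.50.22 > 10.0.0.7.40002: Flags [R.], seq 0, ack 2, win 0, length 0
16:02:01.002100 IP 10.0.0.7.40003 > 10.0.0.50.25: Flags [S], seq 1, win 1024, length 0
16:02:01.002300 IP 10.0.0.50 > 10.0.0.7: ICMP 10.0.0.50 tcp port 25 unreachable, length 36
16:02:01.003100 IP 10.0.0.7.40004 > 10.0.0.50.443: Flags [S], seq 1, win 1024, length 0
""".splitlines()

# What each kind of reply tells the scanner, and which pf behaviour produces it.
OPEN = "open (SYN/ACK: a service is listening)"
CLOSED = "closed (RST: no listener, or pf 'block return')"
UNREACH = "filtered (ICMP unreachable: pf 'block return-icmp' or a router)"
SILENT = "filtered (no reply: pf 'block drop')"


def parse_line(line):
    """Return ('tcp', src, sport, dst, dport, flags),
    ('icmp', src, dst, quoted_host, proto, port) or None for other lines."""
    m = ICMP_UNREACH_RE.search(line)
    if m:
        src, dst, quoted_host, proto, port = m.groups()
        return ("icmp", src, dst, quoted_host, proto, int(port))
    m = TCP_RE.search(line)
    if m:
        src, sport, dst, dport, flags = m.groups()
        return ("tcp", src, int(sport), dst, int(dport), flags)
    return None


def classify_scan(lines, scanner, target):
    """Map every port the scanner probed on the target to what came back."""
    states = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec[0] == "tcp":
            _, src, sport, dst, dport, flags = rec
            if src == scanner and dst == target and "S" in flags and "." not in flags:
                # A bare SYN from the scanner: record the probe, assume silence
                # until a reply shows up.
                states.setdefault(dport, SILENT)
            elif src == target and dst == scanner:
                if "S" in flags and "." in flags:
                    states[sport] = OPEN
                elif "R" in flags:
                    states[sport] = CLOSED
        else:
            _, src, dst, quoted_host, proto, port = rec
            # The ICMP sender may be the host itself or a router in front of it;
            # the quoted original destination tells us which probe it answers.
            if dst == scanner and quoted_host == target and proto == "tcp":
                states[port] = UNREACH
    return states


def host_exposure(states):
    """Whether the capture lets the scanner conclude the host is up, and from which ports."""
    responding = sorted(p for p, s in states.items() if s != SILENT)
    return {
        # Any reply at all, an RST from a "closed" port included, proves a live stack.
        "host_confirmed_up": bool(responding),
        "responding_ports": responding,
        "silent_ports": sorted(p for p, s in states.items() if s == SILENT),
    }


if __name__ == "__main__":
    result = classify_scan(SAMPLE_CAPTURE, "10.0.0.7", "10.0.0.50")
    for port in sorted(result):
        print(f"port {port:>5}: {result[port]}")
    print(host_exposure(result))
```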
From owner-freebsd-pf@FreeBSD.ORG Wed Oct 7 19:02:42 2009
Date: Wed, 07 Oct 2009 20:35:58 +0200
From: "Simon Haller"
Organization: simhal.net
To: "Nico De Dobbeleer", 文鳥
Cc: freebsd-pf@freebsd.org
Subject: Re: freebsd-pf Digest, Vol 263, Issue 3

just to add my two cents (some of it already mentioned):

the default nmap scan, depending on how the initial TCP handshake (SYN packet) with a particular port is carried out, displays

1.) "open" if a TCP SYN packet is answered by a TCP SYN/ACK packet.
2.) "closed" if a TCP SYN packet is answered by a TCP RST packet.
3.) "filtered" if either no response is received (after retransmission of the TCP SYN packet) or it is answered by an ICMP type 3 packet (unreachable error).

so actually there is a difference between "closed" and "filtered" ports...

*) "stealth mode" a.k.a. "block-policy drop;" will let the firewall ignore TCP SYN requests to open ports (the port will appear as "filtered"), while
*) "block-policy return;" will let the firewall return a TCP RST packet (the port will appear as "closed"), if a "TCP SYN" packet is sent to a blocked port.

the OS detection of nmap is based on different response tests using different types of packets to different ports (by default nmap scans the 1000 most common ports): all the above mentioned packets "TCP SYN/ACK", "TCP RST" and "ICMP type 3" give away information about the operating system. also responses to UDP packets and ICMP requests give away information about the OS.

without knowledge of the firewall and network setup it is not possible to say if it is possible and how to prevent the OS detection in the mentioned case...

BR, simon haller

From owner-freebsd-pf@FreeBSD.ORG Wed Oct 7 20:17:22 2009
Date: Wed, 7 Oct 2009 22:17:15 +0200 (CEST)
From: Nico De Dobbeleer
To: Simon Haller
Cc: freebsd-pf@freebsd.org
Subject: Re: freebsd-pf Digest, Vol 263, Issue 3

Hey,

Ok, it's true, I need to provide you all with more info. This is the situation:

My firewall has 3 network cards: 2 of them are in bridge (em0 and em1), 1 is used for administration (rl0). The goal is to use the bridge to filter all traffic to my servers behind the firewall. BUT the servers behind the firewall must have a public IP address, hence the setup with the bridge, because NAT is out of the question.

The range of my servers is 62.213.196.60/28. In the config file you will see 10.0.0.0/8 addresses but that's just for testing purposes at home.

@home there is a 10.0.0.50 Ubuntu connected to a router and the router into the bridge of the FW. The admin NC has 10.0.0.200.
This will all change into the 62.213.196.160/28 range once I put it in production.

Hereby my config file (I'm still testing, so here and there you will see uncommented options):

____________________________________________________________________________
#######################
# Tables
#######################
table { 10.0.0.0/8, 62.213.196.160/28 }
table <customer_ips> { 10.0.0.50, 62.213.196.174, 62.213.196.173, 62.213.196.172, 62.213.196.171, 62.213.196.170 }
table <admin_ips> { 10.0.0.200, 62.213.196.166, 62.213.196.167, 62.213.196.168, 62.213.196.169 }
table { 62.213.196.164, 62.213.196.165 }

############################################################################
# Normalization rules:
############################################################################
#set block-policy drop
set fingerprints "/etc/pf.os"
set block-policy return

# scrub incoming packets
scrub in on { $ext_if, $int_if } all fragment reassemble min-ttl 15 max-mss 1400
scrub in on { $ext_if, $int_if } all no-df
scrub on { $ext_if, $int_if } all reassemble tcp

# Don't filter on the loopback interface
set skip on $loop_if

# this should block OS fingerprints??
block in log quick proto tcp flags FUP/WEUAPRSF
block in log quick proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick proto tcp flags SRAFU/WEUAPRSF
block in log quick proto tcp flags /WEUAPRSF
block in log quick proto tcp flags SR/SR
block in log quick proto tcp flags SF/SF

block drop in on em0 all
block drop out on em0 all
block drop in on em1 all
block drop out on em1 all
block drop in on rl0 all
block drop out on rl0 all

# thwart nmap scans
block in log quick on { $ext_if, $int_if, $mng_if } proto tcp all flags FUP/FUP
block out log quick on { $ext_if, $int_if, $mng_if } proto tcp all flags FUP/FUP

############################################################################
# Filter rules:
###########################################################################= #=20 # Allow public services to customers IP=20 pass in quick on { $ext_if, $int_if } inet proto { tcp, udp } from any to <= customer_ips> port $public_services=20 pass out quick on { $ext_if, $int_if } inet proto { tcp, udp } from any to = port $public_services=20 # Allow admin services to admin servers=20 pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to <= admin_ips> port $admin_services=20 pass out quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to = port $admin_services=20 # Allow access to powerboots=20 pass in quick on { $ext_if, $int_if } inet proto tcp from any to port $power_services=20 pass out quick on { $ext_if, $int_if } inet proto tcp from any to port $power_services=20 ___________________________________________________________________________= _________________=20 I hope you have more info now?=20 Nico=20 ----- Oorspronkelijk bericht -----=20 Van: "Simon Haller" =20 Aan: "Nico De Dobbeleer" , "=E6=96=87=E9=B3=A5" =20 Cc: freebsd-pf@freebsd.org=20 Verzonden: Woensdag 7 oktober 2009 20:35:58=20 Onderwerp: Re: freebsd-pf Digest, Vol 263, Issue 3=20 just to add my two cents (some of it already mentioned):=20 the default nmap-scan, depending on how initial tcp-handshake (SYN packet)= =20 with a particular port is carried out, displays=20 1.) "open" if a TCP SYN-packet is answered by a TCP SYN/ACK packet.=20 2.) "closed" if a TCP SYN-packet is answered by TCP RST packet.=20 3.) "filtered" if either no response is received (after retransmission of= =20 the TCP SYN-packet) or it is answered by a ICMP type 3 packet (unreachable= =20 error).=20 so actually there is a difference between "closed" and "filtered" ports...= =20 *) "stealth-mode" a.k.a. 
"block-policy drop;" will let the firewall ignore= =20 TCP SYN requests to open ports (the port will appear as "filtered"), while= =20 *) "block-policy return;" will let the firewall return a TCP RST packet=20 (the port will appear as "closed"), if a "TCP SYN" packet is sent to a=20 blocked port.=20 the OS-detection of nmap is based on different response tests using=20 different types of packets to different ports (by default nmap scans the=20 1000 most common ports):=20 all the above mentioned packets "TCP SYN/ACK", "TCP RST" and "ICMP type 3"= =20 give away information about the operating system.=20 also responses to UDP packets and ICMP request give away information about= =20 the OS.=20 without knowledge of the firewall and network setup it is not possible to= =20 say if it is possible and how to prevent the os detecting in the mentioned= =20 case...=20 BR, simon haller=20 Am 07.10.2009, 17:48 Uhr, schrieb =E6=96=87=E9=B3=A5 :=20 >> Already many thanks for the info. I'v added already the "set=20 >> block-policy drop". I'v done an nmap and it's apparently able to find=20 >> out the setting below of my pf FW:=20 >>=20 >> MAC Address: 00:0E:2E:xx:xx:xx (Edimax Technology Co.)=20 >> Warning: OSScan results may be unreliable because we could not find=20 >> at least 1 open and 1 closed port Device type: general purpose=20 >> Running: FreeBSD 7.X=20 >> OS details: FreeBSD 7.1-PRERELEASE=20 >> Uptime guess: 0.000 days (since Wed Oct 07 16:02:00 2009)=20 >> Network Distance: 1 hop=20 >> TCP Sequence Prediction: Difficulty=3D260 (Good luck!)=20 >> IP ID Sequence Generation: Incremental=20 >> Service Info: OS: FreeBSD=20 >>=20 >>=20 >> Is there a way to block this info?=20 >=20 > Possible, but may be disruptive to your networking, depending on=20 > your network environment and what you block. 
As I know nothing about=20 > your setup or pf.conf, and thus cannot tell you anything more specific,= =20 > I will just explain what you can do to investigate and reduce the flow=20 > of data, but from there on you're on your own.=20 >=20 > First of all, check what ICMP messages come through and consider=20 > blocking these (take a look at the relevant RFCs first, though).=20 >=20 > Secondly, you can capture the data that nmap sends and the other=20 > end's replies using tcpdump, wireshark, whatever. Of interest are the=20 > responses you actually get from the scanned host. Find out what=20 > protocols those responses belong to (google, etc.), decide=20 > whether it is worthwile to block that data and, finally, check 'man=20 > pf.conf' to see how to do just that.=20 >=20 > BTW: please limit the amount of text you quote.=20 > _______________________________________________=20 > freebsd-pf@freebsd.org mailing list=20 > http://lists.freebsd.org/mailman/listinfo/freebsd-pf=20 > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"=20 --=20 Erstellt mit Operas revolution=C3=A4rem E-Mail-Modul: http://www.opera.com/= mail/=20 From owner-freebsd-pf@FreeBSD.ORG Thu Oct 8 10:02:39 2009 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4E54C1065672 for ; Thu, 8 Oct 2009 10:02:39 +0000 (UTC) (envelope-from gofdp-freebsd-pf@m.gmane.org) Received: from lo.gmane.org (lo.gmane.org [80.91.229.12]) by mx1.freebsd.org (Postfix) with ESMTP id 091238FC25 for ; Thu, 8 Oct 2009 10:02:39 +0000 (UTC) Received: from list by lo.gmane.org with local (Exim 4.50) id 1MvppW-0007gf-13 for freebsd-pf@freebsd.org; Thu, 08 Oct 2009 12:02:38 +0200 Received: from 91.205.197.96 ([91.205.197.96]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Thu, 08 Oct 2009 12:02:37 +0200 Received: from jumper99 by 91.205.197.96 with local (Gmexim 0.1 
(Debian)) id 1AlnuQ-0007hv-00 for ; Thu, 08 Oct 2009 12:02:37 +0200 X-Injected-Via-Gmane: http://gmane.org/ To: freebsd-pf@freebsd.org From: "Helmut Schneider" Date: Thu, 8 Oct 2009 12:02:14 +0200 Lines: 29 Message-ID: References: <6422287.58441254834893591.JavaMail.root@zimbra-store><49F0693DC96541B4B9D7B61599A12CA4@vpe.de><20091006182241.79d16c8c@centaur.5550h.net><20091006210912.379434eb@centaur.5550h.net> <20091007171133.21cf50ce@centaur.5550h.net> Mime-Version: 1.0 Content-Type: text/plain; format=flowed; charset="UTF-8"; reply-type=original Content-Transfer-Encoding: 8bit X-Complaints-To: usenet@ger.gmane.org X-Gmane-NNTP-Posting-Host: 91.205.197.96 X-MSMail-Priority: Normal X-Newsreader: vi with a tiny little GUI X-MimeOLE: Huh, what?! Sender: news Subject: Re: freebsd-pf Stealth Modus X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Oct 2009 10:02:39 -0000

文鳥 wrote:
> On Wed, 7 Oct 2009 11:40:36 +0200
> "Helmut Schneider" wrote:
>> I know the term "stealth firewall" very well. It's a worthless
>> marketing buzzword. It suggests to users that it could prevent an attack
>> or even the scan itself. Neither is correct. This is what I wanted to
>> point out and I was encouraged by the fact that the OP was talking
>> about "stealthing" open ports.
>
> Ok, I totally agree with your reasoning when it comes to the open
> ports and useless marketing hype. Nevertheless, I think that the word
> "stealth" fits very well in the case of closed ports as it makes it
> a (slight) bit harder to find if a host is up or not.

Well, I still disagree.

> Anyway, even if the OP's mail was a bit misleading, I think
> it would have helped him more if you had just explained what
> 'stealth' actually means, why you and steered him into the right
> direction in addition to what you wrote. And it would also have
> prevented this prolonged and utterly useless discussion we were
> leading ;)

Again I disagree, I expect this discussion to be useful for many others. But I agree, we should stop at that point. :)

Helmut

From owner-freebsd-pf@FreeBSD.ORG Sat Oct 10 02:40:18 2009 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 47360106568F for ; Sat, 10 Oct 2009 02:40:18 +0000 (UTC) (envelope-from jhellenthal@gmail.com) Received: from mail-qy0-f195.google.com (mail-qy0-f195.google.com [209.85.221.195]) by mx1.freebsd.org (Postfix) with ESMTP id F10858FC1E for ; Sat, 10 Oct 2009 02:40:17 +0000 (UTC) Received: by qyk33 with SMTP id 33so7548091qyk.29 for ; Fri, 09 Oct 2009 19:40:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:sender:date:from:to:subject :message-id:user-agent:x-openpgp-key-id:x-openpgp-key-fingerprint :mime-version:content-type; bh=IdbzjEbqx3F5lJMue7EYwjQkqRJeHYjAk8tiOjHPfj0=; b=czi+9ktX70Da4A77lyNlhuzRvnEUe2NT/DxmRL/WVNsAjFPmLR7IdFvPMClPbvSTs3 NOWP6uoEyByK9hAOwIXPI3NXsjFflMO9FcNU8JmJgxbdRyyilag0LG3gT2yrKZcomfa4 jO/Oqb1kHWOVuSvbXXI+tVJIWht5DezNytEUA= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:date:from:to:subject:message-id:user-agent:x-openpgp-key-id :x-openpgp-key-fingerprint:mime-version:content-type; b=aut0X5WtE+SgkNHsT5VhfjR7nopdcE4RX1uBWRgZk5lwbhabnmYsYjHWbGuKhhizUt 2CvfNjnnh/ue24Mp6BbzJDcBpK4qJbEVvzLweue3TxdoNUxHwTNXlfenu5lygRszXk6G 6rgREnrW5XhxiKniX5/87p2INn1zlazvpwh7w= Received: by 10.224.95.21 with SMTP id b21mr3283496qan.243.1255140580549; Fri, 09 Oct 2009 19:09:40 -0700 (PDT)
Received: from dimension.5p.local (adsl-99-19-46-114.dsl.klmzmi.sbcglobal.net [99.19.46.114]) by mx.google.com with ESMTPS id 6sm345410qwd.17.2009.10.09.19.09.38 (version=TLSv1/SSLv3 cipher=RC4-MD5); Fri, 09 Oct 2009 19:09:39 -0700 (PDT) Sender: "J. Hellenthal" Date: Fri, 9 Oct 2009 22:09:34 -0400 From: jhell To: freebsd-pf@freebsd.org Message-ID: User-Agent: Alpine 2.00 (BSF 1167 2008-08-23) X-OpenPGP-Key-Id: 0x89D8547E X-OpenPGP-Key-Fingerprint: 85EF E26B 07BB 3777 76BE B12A 9057 8789 89D8 547E MIME-Version: 1.0 Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII Subject: return-icmp() relative question to ipf rule. X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 10 Oct 2009 02:40:18 -0000

I have a rule I used in ipfilter probably around 2 or so years ago and I am now getting around to trying to implement it in my pf rules. So far any results I have achieved have failed with no response back from the server, and the packets get dropped.

The rule in ipf syntax:

block return-icmp-as-dest(13) in log first quick proto icmp all icmp-type 8

The above ipf rule returns a result of "Destination Administratively Prohibited" when pinged.

The following pf syntax:

block return-icmp(3,13) in quick inet proto icmp from any to any icmp-type 8 code 0

The above pf rule returns a result of "Nothing ........" when pinged.

Just to be sure I wasn't mucking up the chain of rules, I added this as the only rule to test it out and have achieved the same result multiple times on a test machine.

Can anyone shed some light on the syntax and help me out with getting this rule to make the system respond to an echo request with admin-prohib as the destination system?
Thanks -- ;; dataix.net!jhell 2048R/89D8547E 2009-09-30 ;; BSD since FreeBSD 4.2 Linux since Slackware 2.1 ;; 85EF E26B 07BB 3777 76BE B12A 9057 8789 89D8 547E
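Simon Haller's open/closed/filtered explanation earlier in this digest and jhell's return-icmp question just above both come down to the same decision: what pf sends back for a blocked probe, and what the prober concludes from it. The script below is an added model of that decision written for this digest; it is not pf's code and not anything posted in the thread. It assumes pf's last-match-wins evaluation with quick short-circuiting, that an explicit return action on a rule overrides set block-policy, and, from my reading of pf_test_rule() in pf.c, that pf never generates an ICMP error in reply to an ICMP packet, which would make a return-icmp block on echo requests answer with silence. Rule, Probe, the rulesets, the listening-port set and the (3,13) type/code pair are constructed for the example.

```python
"""Added model: what a pf 'block' rule sends back to a prober, and what an
nmap SYN scan labels the port from that reply.  Not pf's code.
Assumptions: last match wins unless 'quick'; a per-rule return action beats
'set block-policy'; pf sends no ICMP error in reply to an ICMP packet."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SYN_ACK = "tcp syn/ack"
RST = "tcp rst/ack"
ECHO_REPLY = "icmp echo reply"


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    proto: Optional[str] = None          # "tcp", "udp", "icmp", None = any
    dport: Optional[int] = None          # destination port, None = any
    icmp_type: Optional[int] = None      # for proto icmp, None = any
    ret: Optional[str] = None            # None (block-policy), "drop", "return",
                                         # "return-rst", "return-icmp"
    icmp_code: Tuple[int, int] = (3, 3)  # type/code for return-icmp (pf default 3/3)
    quick: bool = False


@dataclass(frozen=True)
class Probe:
    proto: str
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


def rule_matches(r: Rule, p: Probe) -> bool:
    return ((r.proto is None or r.proto == p.proto)
            and (r.dport is None or r.dport == p.dport)
            and (r.icmp_type is None or r.icmp_type == p.icmp_type))


def winning_rule(rules: List[Rule], p: Probe) -> Optional[Rule]:
    """pf order: the last matching rule wins, unless a matching rule is quick."""
    winner = None
    for r in rules:
        if rule_matches(r, p):
            winner = r
            if r.quick:
                break
    return winner


def pf_reply(rules: List[Rule], block_policy: str, listening: Set[int],
             p: Probe) -> Optional[str]:
    """The packet the prober receives, or None for silence."""
    r = winning_rule(rules, p)
    if r is None or r.action == "pass":      # passed: the host's own stack answers
        if p.proto == "tcp":
            return SYN_ACK if p.dport in listening else RST
        if p.proto == "udp":
            return None if p.dport in listening else "icmp 3/3"  # closed UDP port
        if p.proto == "icmp" and p.icmp_type == 8:
            return ECHO_REPLY
        return None
    ret = r.ret or block_policy              # per-rule action beats 'set block-policy'
    if ret == "drop":
        return None
    if p.proto == "tcp" and ret in ("return", "return-rst"):
        return RST
    if ret in ("return", "return-icmp"):
        if p.proto == "icmp":
            return None                      # assumption: no ICMP error in reply to ICMP
        t, c = r.icmp_code if ret == "return-icmp" else (3, 3)
        return "icmp %d/%d" % (t, c)
    return None


def nmap_syn_state(reply: Optional[str]) -> str:
    """What an nmap SYN scan reports for one TCP probe's reply."""
    if reply == SYN_ACK:
        return "open"
    if reply == RST:
        return "closed"
    return "filtered"    # silence after retransmission, or an ICMP type 3 error


def scan_tcp(rules: List[Rule], block_policy: str, listening: Set[int],
             ports: List[int]) -> Dict[int, str]:
    return {port: nmap_syn_state(pf_reply(rules, block_policy, listening,
                                          Probe("tcp", port))) for port in ports}


# Constructed rulesets in the spirit of the thread, not anyone's posted pf.conf.
WEB_RULES = [Rule("block"),                                    # default deny
             Rule("pass", proto="tcp", dport=80, quick=True)]  # one public service
# Model of jhell's rule: block return-icmp(3,13) in quick inet proto icmp icmp-type 8
ECHO_RULES = [Rule("block", proto="icmp", icmp_type=8, ret="return-icmp",
                   icmp_code=(3, 13), quick=True)]
# The same return action on a TCP port, for contrast.
TCP_PROHIB_RULES = [Rule("block", proto="tcp", dport=25, ret="return-icmp",
                         icmp_code=(3, 13), quick=True)]


def demo() -> Dict[str, object]:
    listening = {80}
    return {
        "return": scan_tcp(WEB_RULES, "return", listening, [80, 22]),
        "drop": scan_tcp(WEB_RULES, "drop", listening, [80, 22]),
        "echo": pf_reply(ECHO_RULES, "return", listening, Probe("icmp", icmp_type=8)),
        "tcp25": nmap_syn_state(pf_reply(TCP_PROHIB_RULES, "return", listening,
                                         Probe("tcp", 25))),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running demo() shows the two halves of the thread side by side: with block-policy return the blocked port 22 shows as "closed" and with drop it shows as "filtered", while port 80 is "open" either way because the pass rule hands the SYN to the listening service; the return-icmp rule on TCP port 25 yields an ICMP unreachable and therefore "filtered", but the same action on an echo request yields nothing under the stated assumption. To test the assumption on a real box, put jhell's rule in an otherwise empty ruleset and watch with tcpdump on the pf interface while pinging from another host.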