From owner-freebsd-questions@FreeBSD.ORG Tue Mar 15 12:29:08 2005
From: Eric McCoy
To: daniel quinn
Cc: FreeBSD Questions
Date: Tue, 15 Mar 2005 07:29:03 -0500
Subject: Re: ipfw and nmap
Message-ID: <4236D50F.5050307@haystacks.org>
References: <200503141152.55407.freebsd@danielquinn.org>
In-Reply-To: <200503141152.55407.freebsd@danielquinn.org>

daniel quinn wrote:
> i've been experimenting with ipfw since moving some of my machines from linux
> to freebsd and i've run across an oddity wrt nmap and freebsd firewalls. it
> doesn't seem to work and the activity isn't logged either.
>
> the firewall is working though. ssh goes through, while other ports are being
> blocked (and logged). i've confirmed this with telnet. but nmap still comes
> up empty. i'd like to be able to do a proper portscan, but is this a feature
> with ipfw or a lack of feature in nmap?

I am not entirely sure what problems you are seeing.

It sounds like you are saying that the firewall works properly, and nmap correctly identifies open/closed/filtered ports, but you are getting nothing in your ipfw log indicating that a scan is happening. Is that correct?

If so, the "problem" is that nmap has a variety of scans which are designed not to be caught by firewall logs. If you try a TCP connect() port scan (-sT I think) it will show up in the firewall's logs. If you want to catch all manner of port scans, you will have to use something like Snort.
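An added example, not part of the thread, of the kind of check a connect() scan leaves behind in ipfw's own log: it parses the syslog lines a rule with the `log` keyword produces and flags any source denied on many distinct destination ports within a short window. The log line shape, the hostname `gw`, the interface name and all addresses are assumed or constructed; as the reply notes, a scan that never trips a logging rule produces nothing for this to see.

```python
import re
from collections import defaultdict
from datetime import datetime
# Assumed ipfw syslog line shape (what a rule carrying the "log" keyword emits):
#   "Mar 15 12:29:01 gw kernel: ipfw: 65000 Deny TCP 192.0.2.7:51001 198.51.100.5:23 in via fxp0"
IPFW_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: ipfw: \d+ (?P<action>\w+) "
    r"(?:TCP|UDP) (?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>in|out) via \S+$"
)

def parse_line(line, year=2005):
    """Parse one ipfw log line into a dict, or return None for anything else."""
    m = IPFW_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")  # syslog has no year
    rec["dport"] = int(rec["dport"])
    return rec

def find_scanners(lines, window_s=60, min_ports=10):
    """{src: sorted ports} for sources denied on >= min_ports distinct inbound ports within window_s."""
    denies = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "Deny" and rec["dir"] == "in":
            denies[rec["src"]].append((rec["ts"], rec["dport"]))
    scanners = {}
    for src, events in denies.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until events[start:end+1] spans <= window_s seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= min_ports:
                scanners[src] = sorted({p for _, p in events})
                break
    return scanners

# Constructed sample: one host denied once on telnet, one walking 15 ports in 15 s (a connect() scan's footprint)
SAMPLE_LOG = [
    "Mar 15 12:29:00 gw kernel: ipfw: 100 Accept TCP 192.0.2.7:51000 198.51.100.5:22 in via fxp0",
    "Mar 15 12:29:01 gw kernel: ipfw: 65000 Deny TCP 192.0.2.7:51001 198.51.100.5:23 in via fxp0",
] + [
    f"Mar 15 12:29:{s:02d} gw kernel: ipfw: 65000 Deny TCP 192.0.2.10:{40000 + s} "
    f"198.51.100.5:{100 + s} in via fxp0"
    for s in range(2, 17)
]
```

Running `find_scanners(SAMPLE_LOG)` reports only 192.0.2.10; lowering `window_s` or raising `min_ports` tunes how bursty a probe has to be before it is flagged.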