From: Redmond Militante
To: freebsd-questions@freebsd.org
Date: Tue, 11 Feb 2003 22:38:06 -0600
Subject: portsentry in combination with ipfilter

hi all

i have an ipf/ipnat gateway machine protecting an internal network of - so far one, hopefully 2 or more - computers. the first thing i did after i observed that i have my setup successfully nat'ing was to try to portscan myself from an outside machine, using nmap. at first i thought something was up, and that my ipf.rules were being ignored, because when i ran

    nmap -sS -v -O

on the public ip of my internal host - which was aliased to the external nic of my gateway box - it showed that a huge number of tcp and udp ports were open. i could copy the nmap results, but they're long, and suffice it to say ports i thought were closed or inactive were shown as open.

after discussing it with the -security listserv, and running a 'sockstat' on the gateway box, it turns out that portsentry was indeed listening on the great majority of ports that the nmap showed to be open. when i turn portsentry off and run nmap again on my setup, it only shows ports that i specially allow open in my ipf/ipnat rules like 80, 22, etc.

my question is: first, does anyone know how to get portsentry to not broadcast the fact that it's listening on a wide variety of ports when the host is being portscanned? i checked the portsentry.conf file, there didn't seem to be an option for this. also - i have

    block return-rst in log quick on xl0 proto tcp from any to any

in my ipf.rules, so i thought that any ports not being nat'd would show up in portscans as not listening. not sure why this isn't working.

also, i had wanted to run logcheck, portsentry, and snort or tripwire on my ipf/ipnat gateway box. is this a good combination of apps? as of now, i have portsentry turned off, but would like to use it or an app that performs the same function.

any thoughts?

thanks again
redmond
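As an added example (not part of Redmond's post, and not code from portsentry or ipfilter), here is a small POSIX shell script that does what the post describes doing by hand: take the gateway's `sockstat` listing and report every listening socket whose port is not on the list of ports you intend to expose, attributed to the process that owns it. This is the quickest way to see which listening sockets a host-based sensor such as portsentry adds to the box before an external scan shows them to you. The sockstat listing below is constructed to resemble the situation in the post; the allowlist (tcp/22 and tcp/80, the two ports the post names) and the process names and PIDs are assumptions.

```shell
#!/bin/sh
# Constructed sample of `sockstat -4l` output (FreeBSD column layout);
# the processes, PIDs and ports are made up for this example.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       210   4  tcp4   *:22                  *:*
www      httpd      300   16 tcp4   *:80                  *:*
root     portsentry 345   4  tcp4   *:1                   *:*
root     portsentry 345   5  tcp4   *:11                  *:*
root     portsentry 345   6  tcp4   *:15                  *:*
root     portsentry 345   7  udp4   *:69                  *:*
root     portsentry 345   8  tcp4   *:111                 *:*
root     syslogd    150   5  udp4   *:514                 *:*'

# Ports the gateway is meant to expose (assumed allowlist, as proto/port).
ALLOWED="tcp/22 tcp/80"

# unexpected_listeners [sockstat-output]
# Prints "proto/port command" for every listening socket whose proto/port
# is not in $ALLOWED. Uses the constructed sample when no argument is given.
unexpected_listeners() {
  printf '%s\n' "${1:-$SAMPLE_SOCKSTAT}" | awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR == 1 { next }                      # skip the header line
    {
      proto = substr($5, 1, 3)            # tcp4 -> tcp, udp4 -> udp
      port = $6; sub(/.*:/, "", port)     # "*:22" -> "22"
      key = proto "/" port
      if (!(key in ok)) print key, $2     # $2 is the COMMAND column
    }'
}

# count_by_command <command>
# Number of unexpected listening sockets owned by the named command.
count_by_command() {
  unexpected_listeners | awk -v cmd="$1" '$2 == cmd { c++ } END { print c + 0 }'
}

# Stand-alone run: list the unexpected listeners in the sample.
unexpected_listeners
```

On a real gateway, feed it live data instead of the sample with `unexpected_listeners "$(sockstat -4l)"` and adjust `ALLOWED` to the ports your ipf/ipnat rules intentionally pass; every line it prints is a socket an outside scan can discover, whatever the filter rules say about it.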