From owner-freebsd-questions Tue Feb 11 21:14:19 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A770A37B401 for ; Tue, 11 Feb 2003 21:14:15 -0800 (PST)
Received: from darkpossum.medill.northwestern.edu (darkpossum.medill.northwestern.edu [129.105.51.23]) by mx1.FreeBSD.org (Postfix) with ESMTP id D1DAD43FA3 for ; Tue, 11 Feb 2003 21:14:14 -0800 (PST) (envelope-from possum@darkpossum.medill.northwestern.edu)
Received: from darkpossum.medill.northwestern.edu (b4493574fda907fef40c7e581408efcf@localhost.medill.northwestern.edu [127.0.0.1]) by darkpossum.medill.northwestern.edu (8.12.6/8.12.6) with ESMTP id h1C559jZ001403; Tue, 11 Feb 2003 23:05:09 -0600 (CST) (envelope-from possum@darkpossum.medill.northwestern.edu)
Received: (from possum@localhost) by darkpossum.medill.northwestern.edu (8.12.6/8.12.6/Submit) id h1C559sC001402; Tue, 11 Feb 2003 23:05:09 -0600 (CST)
Date: Tue, 11 Feb 2003 23:05:09 -0600
From: Redmond Militante
To: "Scott A. Moberly" , freebsd-questions@freebsd.org
Subject: Re: portsentry in combination with ipfilter
Message-ID: <20030212050509.GA1381@darkpossum>
Reply-To: Redmond Militante
References: <20030212043806.GA1267@darkpossum> <3662.10.0.0.2.1045025758.squirrel@mail.karamazov.org>
In-Reply-To: <3662.10.0.0.2.1045025758.squirrel@mail.karamazov.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"
User-Agent: Mutt/1.4i
X-Sender: redmond@darkpossum.medill.northwestern.edu
X-URL: http://darkpossum.medill.northwestern.edu/modules.php?name=Content&pa=showpage&pid=1
X-DSS-PGP-Fingerprint: F9E7 AFEA 0209 B164 7F83 E727 5213 FAFA 1511 7836
X-Favorite-Food: Pizza
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: 
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe: 
List-Unsubscribe: 
X-Loop: FreeBSD.ORG

hi

i've used portsentry on standalone workstations before with ipfilter set up as a firewall, and for some reason, now when i'm trying to use it on an ipf/ipnat gateway box, it's being really verbose about the ports it's binding to. if i nmap a standalone workstation i have configured ipfilter/portsentry on, i don't get the huge list of ports that it's binding to... i thought perhaps there was a config option to hide this information.

> > hi all
> >
> > i have an ipf/ipnat gateway machine protecting an internal network of -
> > so far one, hopefully 2 or more - computers. the first thing i did
> > after i observed that i have my setup successfully nat'ing, was to try
> > to portscan myself from an outside machine, using nmap. at first i
> > thought something was up, and that my ipf.rules were being ignored,
> > because when i ran
> >
> > nmap -sS -v -O
> >
> > on the public ip of my internal host - which was aliased to the
> > external nic of my gateway box - it showed that a huge amount of tcp
> > and udp ports were open. i could copy the nmap results, but they're
> > long, and suffice it to say ports i thought were closed or inactive
> > were shown as open.
> >
> > after discussing it with the -security listserv, and running a
> > 'sockstat' on the gateway box, it turns out that portsentry was indeed
> > listening on the great majority of ports that the nmap showed to be
> > open. when i turn portsentry off and run nmap again on my setup, it
> > only shows ports that i specifically allow open in my ipf/ipnat rules like
> > 80, 22, etc.
> >
> > my question is: first, if anyone knows how to get portsentry to not
> > broadcast the fact that it's listening on a wide variety of ports when the
> > host is being portscanned. i checked the portsentry.conf file, there
> > didn't seem to be an option for this. also - i have
>
> This is exactly what portsentry is designed to do. Can't tell if a port
> is hit without first binding to it. I have placed portsentry on other
> machines than the firewall for just this sort of information. A better
> solution on a firewall is to turn on logging for specific ports or rules
> that you are interested in.
>
> > block return-rst in log quick on xl0 proto tcp from any to any
> >
> > in my ipf.rules, so i thought that any ports not being nat'd would show up
> > in portscans as not listening. not sure why this isn't working.
>
> What ports exactly are still listening that aren't getting allowed through?

when i turn portsentry off and nmap again, all appears as i expected it to - only 80, 22 and 21 are listed as open - as i defined it in my ipf.rules.

> > also, i had wanted to run logcheck, portsentry, and snort or tripwire
> > on my ipf/ipnat gateway box. is this a good combination of apps? as of
> > now, i have portsentry turned off, but would like to use it or an app
> > that performs the same function.
>
> logcheck - not really; syslog should be sent inside either via syslog or
> msyslog (in ports)

logcheck is not a good idea? could you elaborate on this point please?

> portsentry - nope (see above)

would you recommend running portsentry on an internal host behind the gateway machine?

thanks
redmond

> snort - i 'spose (no harm per se)
> tripwire - definitely
>
> > any thoughts?
> >
> > thanks again
> >
> > redmond
>
> Hope this helps.
>
> --
> Scott A. Moberly
> smoberly@karamazov.org
>
> "BASIC is the Computer Science equivalent of `Scientific Creationism'."

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+SdYEFNjun16SvHYRAll7AJ0SrmOHF7SayZj0HH5F2OjTy3yZfQCgiWc1
hz7rT3SqY87QNWq7jGKqPdw=
=k3Xi
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
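Scott's point in the thread is that portsentry can only see a probe by binding the port itself, which is exactly why nmap reports those ports open on the gateway, and that a firewall should get the same information from rule logging instead. Redmond's existing rule, `block return-rst in log quick on xl0 proto tcp from any to any`, already does the logging half: every blocked inbound TCP packet on xl0 is handed to ipmon(8), and because of `return-rst` the probed port answers with a RST, so a scanner sees it as closed rather than as a listener. What is missing is something that reads those log lines and raises the "this source is sweeping ports" signal portsentry used to give. The script below is an added example written for this page, not code from the thread, from portsentry or from ipfilter: it parses ipmon lines and flags any source that hits many distinct blocked ports inside a short window. The ipmon line layout it expects (date, time, interface, `@group:rule`, `b`/`p`, `src,sport -> dst,dport`, `PR proto`, lengths, flags, `IN`/`OUT`) is an assumption reconstructed from ipfilter 3.x output; the interface name, addresses and every log line are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed ipmon(8) record layout (an assumption of this example, not taken
# from the original post):
#   DD/MM/YYYY HH:MM:SS.ffffff iface @group:rule {b|p} src,sport -> dst,dport
#   PR proto len hlen plen [-flags] IN|OUT
IPMON_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{1,6}) "
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+(?: (?P<flags>-\S+))? (?P<dir>IN|OUT)$"
)


def parse_ipmon_line(line):
    """Return a dict for one ipmon record, or None if the line is not one."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%d/%m/%Y %H:%M:%S.%f")
    rec["dport"] = int(rec["dport"])
    return rec


def detect_scans(lines, min_ports=10, window_seconds=60):
    """Flag sources whose blocked, inbound TCP packets touch at least
    `min_ports` distinct destination ports within any `window_seconds`
    span. Passed packets and outbound traffic are ignored, so a busy but
    legitimate client never trips it. Returns {src: sorted ports seen in
    that source's densest window} for flagged sources only."""
    window = timedelta(seconds=window_seconds)
    hits = defaultdict(list)
    for line in lines:
        rec = parse_ipmon_line(line)
        if rec is None or rec["action"] != "b" or rec["dir"] != "IN" or rec["proto"] != "tcp":
            continue
        hits[rec["src"]].append((rec["ts"], rec["dport"]))

    flagged = {}
    for src, events in hits.items():
        events.sort()
        best = set()
        j = 0
        for i, (t0, _) in enumerate(events):
            # slide j forward to the first event later than t0 + window
            while j < len(events) and events[j][0] - t0 <= window:
                j += 1
            ports = {p for _, p in events[i:j]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            flagged[src] = sorted(best)
    return flagged


# Constructed sample log (not real traffic): a 12-port SYN sweep from
# 203.0.113.7 inside one second, a client on 198.51.100.4 whose port-80
# connection was passed and whose two mail probes were blocked, a slow
# three-port probe from 192.0.2.50 spread over ten minutes, and one line
# that is not a packet record and must be skipped by the parser.
SCAN_PORTS = [21, 23, 25, 53, 110, 111, 135, 139, 143, 443, 445, 3306]
SAMPLE_LOG = [
    f"12/02/2003 04:55:09.{i * 50000:06d} xl0 @0:1 b 203.0.113.7,{40000 + i} "
    f"-> 192.0.2.10,{p} PR tcp len 20 60 -S IN"
    for i, p in enumerate(SCAN_PORTS)
] + [
    "12/02/2003 04:55:10.500000 xl0 @0:2 p 198.51.100.4,51000 -> 192.0.2.10,80 PR tcp len 20 60 -S IN",
    "12/02/2003 04:56:00.000000 xl0 @0:1 b 198.51.100.4,51001 -> 192.0.2.10,25 PR tcp len 20 60 -S IN",
    "12/02/2003 04:56:01.000000 xl0 @0:1 b 198.51.100.4,51002 -> 192.0.2.10,110 PR tcp len 20 60 -S IN",
    "12/02/2003 05:00:00.000000 xl0 @0:1 b 192.0.2.50,60001 -> 192.0.2.10,22 PR tcp len 20 60 -S IN",
    "12/02/2003 05:05:00.000000 xl0 @0:1 b 192.0.2.50,60002 -> 192.0.2.10,23 PR tcp len 20 60 -S IN",
    "12/02/2003 05:10:00.000000 xl0 @0:1 b 192.0.2.50,60003 -> 192.0.2.10,25 PR tcp len 20 60 -S IN",
    "ipmon: this line is not a packet record",
]

if __name__ == "__main__":
    for src, ports in detect_scans(SAMPLE_LOG).items():
        print(f"possible scan from {src}: {len(ports)} blocked ports {ports}")
```

With the defaults only the fast sweep from 203.0.113.7 is reported; lowering `min_ports` to 3 and widening `window_seconds` to 900 also catches the slow probe from 192.0.2.50, while 198.51.100.4 stays clear because its port-80 packet was passed, not blocked. Point it at whatever file ipmon writes on your gateway; if ipmon is logging through syslog instead, the syslog timestamp and `ipmon[pid]:` prefix have to be stripped before the regex will match. Unlike portsentry, nothing here listens on a socket, so nmap sees only the ports your ipf rules actually pass.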