NMAP probing of network ports

Charles Swiger cswiger at mac.com
Thu Sep 15 12:40:32 PDT 2005

On Sep 15, 2005, at 2:43 PM, Boris Karloff wrote:
> How do I cause freeBSD 5.4 to not respond to an nmap
> inquiry? I have already tried creating a line in rc.firewall
> that says:
> ${fwcmd} deny all from any to any
> ${fwcmd} drop all from any to any
> I know these are active, since 1) I see them on the screen
> at startup, and 2) pinging from any computer to any computer
> results in a timeout.
> (both of these should drop all TCP packets; but apparently,
> they cause a RESET message to be sent.)

"Apparently" indicates a lack of reliable information.
You should use tcpdump to see what is really going on.

> I've also tried adding the following to sysctl.conf:
> net.inet.tcp.blackhole=2
> net.inet.udp.blackhole=1
> Again, these don't seem to prevent my freeBSD from sending a
> packet (probably a RESET or UNREACHABLE-HOST ack).

Ditto.  Please obtain real data.

> Once the person sending the nmap to this machine has the IP,
> its a simple step for them to ip-flood this machine; or
> worse.

Yes.  Only, someone can issue a denial-of-service attack against an  
IP without bothering to nmap-scan it, first.  Nothing short of  
upstream intervention by your ISP can prevent a true DoS attack from  
flooding your inbound pipe's bandwidth.

Trying to prevent a DoS is not an especially useful thing to spend  
lots of time on, you would be better served by creating an effective  
security policy and setting up an appropriate firewall architecture,  
including a redundant connection if the cost of downtime justifies  
the expense.

> How do I make freeBSD not acknowledge the fingerprint from
> nmap?

Set up a firewall to block access to all ports but the ones you need  
for internet-reachable services.  You can recognize nmap traffic by  
the TCP option string of "WNMTE"; you can recognize nmap OS  
identification and the "Xmas" scan variants by TCP flag combinations  
of "SE" (SYN | ECE), "FPU" (FIN | PUSH | URG), and "FSPU"...


More information about the freebsd-questions mailing list