Re: NMAP probing of network ports

Boris Karloff modelt20 at canada.com
Fri Sep 16 05:36:51 PDT 2005


>On Thu, Sep 15, 2005 at 01:43:56PM -0500, Boris Karloff wrote:
>> Hello:
>> 
>> How do I cause FreeBSD 5.4 to not respond to an nmap
>> inquiry? I have already tried creating a line in rc.firewall
>> that says: 
>> 
>> ${fwcmd} deny all from any to any
>> ${fwcmd} drop all from any to any
>> 
>> I know these are active, since 1) I see them on the screen
>> at startup, and 2) pinging from any computer to any computer
>> results in a timeout.
>> 
>> (both of these should drop all TCP packets; but apparently,
>> they cause a RESET message to be sent.)

>Umm, try putting the drop before the deny.  AFAIK, drop just drops the
>packet totally, and deny sends a RST back to the host.  That is if ipfw
>works that way (ICBW). You don't need both these lines anyway, only one
>of them.


Thank you for your reply. My first message may have been a
little misleading. I had tried each line separately (they
only differ in the 'deny' and 'drop'). I should have been
more clear. I had also restarted the computer between
changes, just to be sure.

If the two rules were used in a single file, the second line
would never be executed, since the first rule would
terminate the rule checking, or the second rule would not
test true if the first did not, because it is identical to
the first. These commands have to be used independently. I
meant to imply they were tried separately.

It appears that when FreeBSD is sent an invalid packet
without the SYN or ACK bits set, it responds with a RESET
reply regardless of the ipfw rules. It appears this is one
of the things nmap is exploiting.

Any suggestions on how to modify this behavior?

Thanks.

Harold.
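Added example (not part of the thread): the FreeBSD settings that make the TCP/UDP stack itself stay silent toward closed ports, which is what an ipfw rule cannot do once a packet has already been passed by an earlier allow rule, plus a note on which ipfw actions actually send a RST. The rule numbers and the placement in rc.firewall are assumptions for illustration.

```conf
# /etc/sysctl.conf  (added example; applied at boot or with
# "sysctl -f /etc/sysctl.conf")
#
# A TCP segment that reaches a closed port is answered with a RST by the
# TCP stack itself, whether or not it carries SYN or ACK.  A firewall rule
# only prevents that answer if it discards the packet before it reaches the
# stack.  The blackhole(4) sysctls make the stack stay silent for ports
# with no listener, so a scanner sees no reply instead of a RST.
#
# net.inet.tcp.blackhole: 0 = send RST (default)
#                         1 = silently drop SYNs to closed ports
#                         2 = silently drop any segment to a closed port
# net.inet.udp.blackhole: 0 = send ICMP port unreachable, 1 = drop silently
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

# ipfw rules, e.g. in a custom section of /etc/rc.firewall, where
# ${fwcmd} expands to the ipfw binary.  In ipfw(8) "deny" and "drop" are
# synonyms: both discard the packet silently and end the rule search.
# "reset" is the action that replies with a TCP RST; "reject" replies
# with an ICMP unreachable.  Rules are evaluated in ascending number
# order, so a discard rule placed after an allow rule that already
# matched the traffic is never reached.  Rule numbers are assumed here.
${fwcmd} add 100 deny ip from any to any
# For contrast only: this is the action that would generate RSTs.
# ${fwcmd} add 110 reset tcp from any to any
```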