freebsd-pf Stealth Modus

Helmut Schneider jumper99 at gmx.de
Wed Oct 7 09:42:51 UTC 2009


文鳥 <bunchou at googlemail.com> wrote:
> On Tue, 6 Oct 2009 20:28:33 +0200
> "Helmut Schneider" <jumper99 at gmx.de> wrote:
>
>> 文鳥 <bunchou at googlemail.com> wrote:
>>> On Tue, 6 Oct 2009 17:23:09 +0200
>>> "Helmut Schneider" <jumper99 at gmx.de> wrote:
>>>
>>>> From: "Nico De Dobbeleer" <nico at elico-it.be>
>>>>> I just finished installing FreeBSD 7.x with pf in transparent
>>>>> bridging mode as the servers behind the firewall need to have a
>>>>> public IP address.  Now everything is working fine and the FW is
>>>>> doing its job as it should be. When I nmap the FW I see the open
>>>>> ports and closed ports. Is there a way to get the FW running in
>>>>> stealth mode so that it isn't possible anymore with nmap or any other
>>>>> scanning tool to see the open or closed ports?
>>>>
>>>> There is no "stealth". If a service responds to a request the port
>>>> is "open". If not it's closed.
>>>
>>> There is: just use "block drop" in your pf config or "set
>>> block-policy drop" (see man 5 pf.conf). This effectively stops
>>> sending TCP RST or UDP unreach packets.
>>
>> Consider a webserver where you pass HTTP and "block drop" SSH. 1 port
>> is open -> host not "stealth".
>>
>> But even if you "block drop" all incoming traffic to a host, if a
>> host is really down (and therefore stealth) the host's gateway would
>> send an ICMP type 3 packet (unless you cripple ICMP as well).
>>
>> While sometimes it might be useful to "block drop" it has nothing to
>> do with being "stealth".
>
> Not replying to a probe in the mentioned way is exactly what is
> commonly referred to as "stealth mode" by consumer firewalls. Just try
> a simple google search for "stealth firewall" and you will see.

I know the term "stealth firewall" very well. It's a worthless marketing 
buzzword. It suggests to users that it could prevent an attack or even the scan 
itself. Neither is correct. This is what I wanted to point out and I was 
encouraged by the fact that the OP was talking about "stealthing" open 
ports. 
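
For readers who want to see the two settings the thread argues about side by side, here is a pf.conf for the scenario described above (a filtering bridge in front of a public web server, HTTP passed, SSH blocked). This is an added example, not a ruleset posted by anyone in the thread; the interface names, the addresses (taken from the documentation ranges) and the management network are assumptions, and it assumes the bridge members are filtered by pf (the if_bridge sysctl net.link.bridge.pfil_member set to 1).

```pf
# Hypothetical pf.conf for the scenario in the thread (added example, not
# from the thread). Interface names and addresses are assumptions.
ext_if = "em0"          # bridge member facing the upstream router
int_if = "em1"          # bridge member facing the servers
www    = "192.0.2.10"   # public address of the web server (documentation range)
mgmt   = "203.0.113.0/24"   # management network (documentation range)

# Global policy: silently drop blocked packets instead of answering with a
# TCP RST or ICMP unreachable. This is the setting consumer products call
# "stealth mode"; the alternative is "set block-policy return".
set block-policy drop
set skip on lo0

# Default deny. With the policy above a probe to any port no rule passes
# gets no answer at all, so nmap reports it as "filtered" instead of
# "closed". The probe still reaches the firewall and is still counted.
block all

# The one service that must answer. A port that responds is "open" no
# matter what the block policy says, so any scanner will always see it.
pass in on $ext_if proto tcp from any to $www port 80 flags S/SA keep state

# Per-rule override of the global policy: answer SSH probes from the
# management network with a RST (nmap: "closed") so their clients fail
# fast instead of waiting out a TCP timeout; everyone else is dropped.
block return in on $ext_if proto tcp from $mgmt to $www port 22

# Let the server's own outbound traffic and the replies to it through.
pass out on $ext_if all keep state
```

Load it with `pfctl -nf /etc/pf.conf` to syntax-check first, then `pfctl -f /etc/pf.conf`. Scanning the web server's address afterwards with `nmap -sS -p 22,80` shows what the thread says: port 80 is reported open under either block policy, port 22 is "filtered" from an arbitrary source (no response) and "closed" from the management network (RST). Switching to `set block-policy return` only changes "filtered" to "closed"; it does not change what the scanner learns about port 80, and neither setting stops the scan from reaching the firewall in the first place.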