freebsd-pf Stealth Modus

文鳥 bunchou at googlemail.com
Wed Oct 7 15:11:40 UTC 2009 

On Wed, 7 Oct 2009 11:40:36 +0200
"Helmut Schneider" <jumper99 at gmx.de> wrote:

> 文鳥 <bunchou at googlemail.com> wrote:
> > On Tue, 6 Oct 2009 20:28:33 +0200
> > "Helmut Schneider" <jumper99 at gmx.de> wrote:
> >
> >> 文鳥 <bunchou at googlemail.com> wrote:
> >>> On Tue, 6 Oct 2009 17:23:09 +0200
> >>> "Helmut Schneider" <jumper99 at gmx.de> wrote:
> >>>
> >>>> From: "Nico De Dobbeleer" <nico at elico-it.be>
> >>>>> I just finished installing FreeBSD 7.x with pf in transparant
> >>>>> bridging mode as the servers behind the firewall need to have an
> >>>>> public ipaddress.  Now is everything working fine and the FW is
> >>>>> doing his job as it should be. When I nmap the FW I see the open
> >>>>> ports and closed ports. Is there a way the get the FW running in
> >>>>> stealth mode so that isn't possible anymore with nmap or any
> >>>>> other scanning tool to see the open or closed ports?
> >>>>
> >>>> There is no "stealth". If a service responds to a request the
> >>>> port is "open". If not it's closed.
> >>>
> >>> There is: just use "block drop" in your pf config or "set
> >>> block-policy drop" (see man 5 pf.conf). This effectively stops
> >>> sending TCP RST or UDP unreach packets.
> >>
> >> Consider a webserver where you pass HTTP and "block drop" SSH. 1
> >> port is open -> host not "stealth".
> >>
> >> But even if you "block drop" all incoming traffic to a host, if a
> >> host is really down (and therefore stealth) the hosts' gateway
> >> would send an ICMP type 3 packet (until you didn't cripple ICMP as
> >> well).
> >>
> >> While sometimes it might be useful to "block drop" it has nothing
> >> to do with being "stealth".
> >
> > Not replying to a probe in the mentioned way is exactly what is
> > commonly referred to as "stealth mode" by consumer firewalls. Just
> > try a simple google search for "stealth firewall" and you will see.
> 
> I know the term "stealth firewall" very well. It's a worthless
> marketing buzzword. It suggests users that it could prevent an attack
> or even the scan itself. Neither is correct. This is what I wanted to
> point out and I was encouraged by the fact that the OP was talking
> about "stealthing" open ports.

Ok, I totally agree with your reasoning when it comes to the open
ports and useless marketing hype. Nevertheless, I think that the word
"stealth" fits very well in the case of closed ports as it makes it
a (slight) bit harder to find if a host is up or not.

Anyway, even if the OP's mail was a bit misleading, I think
it would have helped him more if you had just explained what
'stealth' actually means, why you and steered him into the right
direction in addition to what you wrote. And it would also have
prevented this prolonged and utterly useless discussion we were
leading ;)

More information about the freebsd-pf mailing list