freebsd-pf Stealth Modus

文鳥 bunchou at googlemail.com
Tue Oct 6 19:09:19 UTC 2009


On Tue, 6 Oct 2009 20:28:33 +0200
"Helmut Schneider" <jumper99 at gmx.de> wrote:

> 文鳥 <bunchou at googlemail.com> wrote:
> > On Tue, 6 Oct 2009 17:23:09 +0200
> > "Helmut Schneider" <jumper99 at gmx.de> wrote:
> >
> >> From: "Nico De Dobbeleer" <nico at elico-it.be>
> >>> I just finished installing FreeBSD 7.x with pf in transparent
> >>> bridging mode as the servers behind the firewall need to have a
> >>> public IP address.  Now everything is working fine and the FW is
> >>> doing its job as it should be. When I nmap the FW I see the open
> >>> ports and closed ports. Is there a way to get the FW running in
> >>> stealth mode so that it isn't possible anymore with nmap or any other
> >>> scanning tool to see the open or closed ports?
> >>
> >> There is no "stealth". If a service responds to a request the port
> >> is "open". If not it's closed.
> >
> > There is: just use "block drop" in your pf config or "set
> > block-policy drop" (see man 5 pf.conf). This effectively stops
> > sending TCP RST or UDP unreach packets.
> 
> Consider a webserver where you pass HTTP and "block drop" SSH. 1 port
> is open -> host not "stealth".
> 
> But even if you "block drop" all incoming traffic to a host, if a
> host is really down (and therefore stealth) the host's gateway would
> send an ICMP type 3 packet (unless you cripple ICMP as well).
> 
> While sometimes it might be useful to "block drop" it has nothing to
> do with being "stealth".
> 
> Helmut 

Not replying to a probe in the mentioned way is exactly what is
commonly referred to as "stealth mode" by consumer firewalls. Just try
a simple Google search for "stealth firewall" and you will see.
Besides, if only a few (uncommon) ports are open, a limited scan is
unlikely to find them, thus calling it "stealth" (aka "low
observability" according to Wikipedia) is appropriate imho. There is a
difference between stealth and invisibility.
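As an added illustration (not posted by either participant), a pf.conf fragment for the transparent-bridge setup in the original question, showing the "set block-policy drop" directive discussed above next to a per-rule "block return". The interface name, the server address and the inside network are assumptions.

```pf
# Added example, not from the thread. Interface, address and network are assumed.
ext_if  = "em0"
web_srv = "203.0.113.10"      # constructed example address of the server behind the bridge

# Silently discard blocked packets instead of answering with TCP RST or
# ICMP unreachable; equivalent to writing "block drop" on every block rule.
set block-policy drop
set skip on lo0

# Default deny. With the "drop" policy a port scanner reports these ports
# as "filtered"; with "return" it would report them as "closed".
block in all
block out all

# The one service that must stay reachable. This port will always show as
# "open" to a scanner, which is the point Helmut makes: one open port is
# enough to tell that a host is there.
pass in on $ext_if proto tcp from any to $web_srv port 80 keep state
pass out on $ext_if all keep state

# Per-rule override (last matching rule wins): answer with RST only for SSH
# attempts from the assumed inside network, so internal clients fail fast
# while the port stays "filtered" for everyone else.
block return in on $ext_if proto tcp from 192.0.2.0/24 to $web_srv port 22
```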
