freebsd-pf Digest, Vol 263, Issue 3

Nico De Dobbeleer nico at elico-it.be
Wed Oct 7 14:10:29 UTC 2009



From: "Nico De Dobbeleer" <nico at elico-it.be> 
> I just finished installing FreeBSD 7.x with pf in transparent bridging 
> mode as the servers behind the firewall need to have a public 
> IP address. Now everything is working fine and the FW is doing its job as 
> it should be. When I nmap the FW I see the open ports and closed ports. 
> Is there a way to get the FW running in stealth mode so that it isn't 
> possible anymore with nmap or any other scanning tool to see the open or 
> closed ports? 

There is no "stealth". If a service responds to a request the port is 
"open". If not it's closed. 

Helmut 



------------------------------ 

Message: 3 
Date: Tue, 6 Oct 2009 18:22:41 +0200 
From: " ?? " <bunchou at googlemail.com> 
Subject: Re: freebsd-pf Stealth Modus 
To: "Helmut Schneider" <jumper99 at gmx.de> 
Cc: Nico De Dobbeleer <nico at elico-it.be>, freebsd-pf at freebsd.org 
Message-ID: <20091006182241.79d16c8c at centaur.5550h.net> 
Content-Type: text/plain; charset=US-ASCII 

On Tue, 6 Oct 2009 17:23:09 +0200 
"Helmut Schneider" <jumper99 at gmx.de> wrote: 

> From: "Nico De Dobbeleer" <nico at elico-it.be> 
> > I just finished installing FreeBSD 7.x with pf in transparant 
> > bridging mode as the servers behind the firewall need to have an 
> > public ipaddress. Now is everything working fine and the FW is 
> > doing his job as it should be. When I nmap the FW I see the open 
> > ports and closed ports. Is there a way the get the FW running in 
> > stealth mode so that isn't possible anymore with nmap or any other 
> > scanning tool to see the open or closed ports? 
> 
> There is no "stealth". If a service responds to a request the port is 
> "open". If not it's closed. 
> 
> Helmut 

There is: just use "block drop" in your pf config or "set block-policy 
drop" (see man 5 pf.conf). This effectively stops sending TCP RST or 
UDP unreach packets. 


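As an added example (not from the thread), the two block policies side by side in a minimal pf.conf. The outside interface name, the web server address and the rule set are assumptions; the address is a placeholder from the TEST-NET-3 range.

```pf
# Added example, not from the thread. Interface name and address are assumptions.
ext_if  = "em0"             # outside bridge member (assumed name)
web_srv = "203.0.113.10"    # placeholder address, replace with the real host

# With the default "set block-policy return", a blocked TCP probe is answered
# with a RST and a blocked UDP probe with an ICMP unreachable; a scanner reads
# that as "closed". With "drop" the blocked ports simply never answer.
set block-policy drop

# Deny everything not explicitly passed; inherits the global policy above.
block all

# Per-rule forms override the global policy, so both can be mixed:
block return in on $ext_if proto tcp to $web_srv port 22   # RST sent: reads as closed
block drop   in on $ext_if proto tcp to $web_srv port 23   # silence: reads as filtered

# The service that has to answer stays visible whatever the policy says.
pass in  on $ext_if proto tcp to $web_srv port 80 keep state
pass out on $ext_if keep state
```

Load it with `pfctl -f /etc/pf.conf` and check the effective policy with `pfctl -s info`. Two things to keep in mind, both of which Helmut raises in the next message: port 80 still answers, so the host is not invisible, only the blocked ports change from "closed" to "filtered" in a scanner's report; and the drop policy only silences replies that pf itself would have sent, not ICMP errors generated by an upstream router. When pf filters a bridge on FreeBSD, the `net.link.bridge.pfil_member` and `net.link.bridge.pfil_bridge` sysctls decide whether the rules see traffic on the member interfaces or on the bridge interface, so `$ext_if` has to match that setting.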
------------------------------ 

Message: 4 
Date: Tue, 6 Oct 2009 20:28:33 +0200 
From: "Helmut Schneider" <jumper99 at gmx.de> 
Subject: Re: freebsd-pf Stealth Modus 
To: freebsd-pf at freebsd.org 
Message-ID: <hag28i$26j$1 at ger.gmane.org> 
Content-Type: text/plain; format=flowed; charset="UTF-8"; 
reply-type=original 

������ <bunchou at googlemail.com> wrote: 
> On Tue, 6 Oct 2009 17:23:09 +0200 
> "Helmut Schneider" <jumper99 at gmx.de> wrote: 
> 
>> From: "Nico De Dobbeleer" <nico at elico-it.be> 
>>> I just finished installing FreeBSD 7.x with pf in transparant 
>>> bridging mode as the servers behind the firewall need to have an 
>>> public ipaddress. Now is everything working fine and the FW is 
>>> doing his job as it should be. When I nmap the FW I see the open 
>>> ports and closed ports. Is there a way the get the FW running in 
>>> stealth mode so that isn't possible anymore with nmap or any other 
>>> scanning tool to see the open or closed ports? 
>> 
>> There is no "stealth". If a service responds to a request the port is 
>> "open". If not it's closed. 
> 
> There is: just use "block drop" in your pf config or "set block-policy 
> drop" (see man 5 pf.conf). This effectively stops sending TCP RST or 
> UDP unreach packets. 

Consider a webserver where you pass HTTP and "block drop" SSH. 1 port is 
open -> host not "stealth". 

But even if you "block drop" all incoming traffic to a host, if a host is 
really down (and therefore stealth) the host's gateway would send an ICMP 
type 3 packet (unless you cripple ICMP as well). 

While sometimes it might be useful to "block drop" it has nothing to do with 
being "stealth". 

Helmut 




------------------------------ 

Message: 5 
Date: Tue, 6 Oct 2009 21:09:12 +0200 
From: " ?? " <bunchou at googlemail.com> 
Subject: Re: freebsd-pf Stealth Modus 
To: "Helmut Schneider" <jumper99 at gmx.de> 
Cc: freebsd-pf at freebsd.org 
Message-ID: <20091006210912.379434eb at centaur.5550h.net> 
Content-Type: text/plain; charset=UTF-8 

On Tue, 6 Oct 2009 20:28:33 +0200 
"Helmut Schneider" <jumper99 at gmx.de> wrote: 

> ������ <bunchou at googlemail.com> wrote: 
> > On Tue, 6 Oct 2009 17:23:09 +0200 
> > "Helmut Schneider" <jumper99 at gmx.de> wrote: 
> > 
> >> From: "Nico De Dobbeleer" <nico at elico-it.be> 
> >>> I just finished installing FreeBSD 7.x with pf in transparant 
> >>> bridging mode as the servers behind the firewall need to have an 
> >>> public ipaddress. Now is everything working fine and the FW is 
> >>> doing his job as it should be. When I nmap the FW I see the open 
> >>> ports and closed ports. Is there a way the get the FW running in 
> >>> stealth mode so that isn't possible anymore with nmap or any other 
> >>> scanning tool to see the open or closed ports? 
> >> 
> >> There is no "stealth". If a service responds to a request the port 
> >> is "open". If not it's closed. 
> > 
> > There is: just use "block drop" in your pf config or "set 
> > block-policy drop" (see man 5 pf.conf). This effectively stops 
> > sending TCP RST or UDP unreach packets. 
> 
> Consider a webserver where you pass HTTP and "block drop" SSH. 1 port 
> is open -> host not "stealth". 
> 
> But even if you "block drop" all incoming traffic to a host, if a 
> host is really down (and therefore stealth) the hosts' gateway would 
> send an ICMP type 3 packet (until you didn't cripple ICMP as well). 
> 
> While sometimes it might be useful to "block drop" it has nothing to 
> do with being "stealth". 
> 
> Helmut 

Not replying to a probe in the mentioned way is exactly what is 
commonly referred to as "stealth mode" by consumer firewalls. Just try 
a simple google search for "stealth firewall" and you will see. 
Besides, if only a few (uncommon) ports are open, a limited scan is 
unlikely to find them, thus calling it "stealth" (aka "low 
observability" according to wikipedia) is appropriate imho. There is a 
difference between stealth and invisibility. 


------------------------------ 

Message: 6 
Date: Wed, 7 Oct 2009 11:40:36 +0200 
From: "Helmut Schneider" <jumper99 at gmx.de> 
Subject: Re: freebsd-pf Stealth Modus 
To: freebsd-pf at freebsd.org 
Message-ID: <hahnmk$ji6$1 at ger.gmane.org> 
Content-Type: text/plain; format=flowed; charset="UTF-8"; 
reply-type=original 

������ <bunchou at googlemail.com> wrote: 
> On Tue, 6 Oct 2009 20:28:33 +0200 
> "Helmut Schneider" <jumper99 at gmx.de> wrote: 
> 
>> ������ <bunchou at googlemail.com> wrote: 
>>> On Tue, 6 Oct 2009 17:23:09 +0200 
>>> "Helmut Schneider" <jumper99 at gmx.de> wrote: 
>>> 
>>>> From: "Nico De Dobbeleer" <nico at elico-it.be> 
>>>>> I just finished installing FreeBSD 7.x with pf in transparant 
>>>>> bridging mode as the servers behind the firewall need to have an 
>>>>> public ipaddress. Now is everything working fine and the FW is 
>>>>> doing his job as it should be. When I nmap the FW I see the open 
>>>>> ports and closed ports. Is there a way the get the FW running in 
>>>>> stealth mode so that isn't possible anymore with nmap or any other 
>>>>> scanning tool to see the open or closed ports? 
>>>> 
>>>> There is no "stealth". If a service responds to a request the port 
>>>> is "open". If not it's closed. 
>>> 
>>> There is: just use "block drop" in your pf config or "set 
>>> block-policy drop" (see man 5 pf.conf). This effectively stops 
>>> sending TCP RST or UDP unreach packets. 
>> 
>> Consider a webserver where you pass HTTP and "block drop" SSH. 1 port 
>> is open -> host not "stealth". 
>> 
>> But even if you "block drop" all incoming traffic to a host, if a 
>> host is really down (and therefore stealth) the hosts' gateway would 
>> send an ICMP type 3 packet (until you didn't cripple ICMP as well). 
>> 
>> While sometimes it might be useful to "block drop" it has nothing to 
>> do with being "stealth". 
> 
> Not replying to a probe in the mentioned way is exactly what is 
> commonly referred to as "stealth mode" by consumer firewalls. Just try 
> a simple google search for "stealth firewall" and you will see. 

I know the term "stealth firewall" very well. It's a worthless marketing 
buzzword. It suggests to users that it could prevent an attack or even the scan 
itself. Neither is correct. This is what I wanted to point out, and I was 
encouraged by the fact that the OP was talking about "stealthing" open 
ports. 


------------------- 
Already many thanks for the info. I've already added "set block-policy drop". 
I've done an nmap scan and it's apparently able to find out the following about my pf FW: 

MAC Address: 00:0E:2E:xx:xx:xx (Edimax Technology Co.) 
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port 
Device type: general purpose 
Running: FreeBSD 7.X 
OS details: FreeBSD 7.1-PRERELEASE 
Uptime guess: 0.000 days (since Wed Oct 07 16:02:00 2009) 
Network Distance: 1 hop 
TCP Sequence Prediction: Difficulty=260 (Good luck!) 
IP ID Sequence Generation: Incremental 
Service Info: OS: FreeBSD 


Is there a way to block this info? 
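As an added example (not from the thread and not an answer the thread gives), a small parser for the host-fingerprint section of an nmap report, so a defender can record what a scan of their own firewall reveals and compare runs after each configuration change. The sample text is constructed from the output posted above; the field list and its annotations are this example's own choices.

```python
"""Parse the host-fingerprint section of an nmap report and list what it
reveals. Added example, not from the mailing-list thread; the sample below
is constructed from the output the poster shared."""

# Constructed sample, copied from the report in the thread.
SAMPLE_NMAP_OUTPUT = """\
MAC Address: 00:0E:2E:xx:xx:xx (Edimax Technology Co.)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: FreeBSD 7.X
OS details: FreeBSD 7.1-PRERELEASE
Uptime guess: 0.000 days (since Wed Oct 07 16:02:00 2009)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: FreeBSD
"""

# Fingerprint fields worth tracking over time, with why each matters to a defender.
# The selection is this example's own, not nmap's.
FIELDS_OF_INTEREST = {
    "Running": "OS family guessed from TCP/IP stack behaviour",
    "OS details": "precise OS version guess",
    "IP ID Sequence Generation": "IP ID pattern; predictable IDs let third parties infer traffic volume",
    "TCP Sequence Prediction": "initial sequence number predictability",
    "Uptime guess": "uptime derived from TCP timestamps",
}


def parse_nmap_report(text):
    """Return a dict of 'Field: value' lines; warnings go into a 'warnings' list."""
    report = {"warnings": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Warning:"):
            report["warnings"].append(line[len("Warning:"):].strip())
            continue
        # Split on the first colon only: "Service Info: OS: FreeBSD" keeps its inner colon.
        key, sep, value = line.partition(":")
        if sep:
            report[key.strip()] = value.strip()
    return report


def fingerprint_exposure(report):
    """List (field, value, why) for every field of interest the scan populated."""
    return [(field, report[field], why)
            for field, why in FIELDS_OF_INTEREST.items() if field in report]


def os_detection_confident(report):
    """False when nmap itself flagged its OS guess as unreliable."""
    return not any("OSScan results may be unreliable" in w for w in report["warnings"])


if __name__ == "__main__":
    parsed = parse_nmap_report(SAMPLE_NMAP_OUTPUT)
    print("OS guess reliable:", os_detection_confident(parsed))
    for field, value, why in fingerprint_exposure(parsed):
        print(f"{field:28} {value:40} ({why})")
```

Run it against a saved report (`nmap -O ... > report.txt`, then feed the file contents to `parse_nmap_report`) before and after a rule change; the warning line in the sample shows that with every probed port silenced nmap had no open/closed pair to calibrate on, which is why it marks its own OS guess as unreliable.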

