Re: freebsd-pf Stealth Modus

> From: "Nico De Dobbeleer" <nico@...>
> > I just finished installing FreeBSD 7.x with pf in transparant
> > bridging mode as the servers behind the firewall need to have an
> > public ipaddress.  Now is everything working fine and the FW is
> > doing his job as it should be. When I nmap the FW I see the open
> > ports and closed ports. Is there a way the get the FW running in
> > stealth mode so that isn't possible anymore with nmap or any other
> > scanning tool to see the open or closed ports?
>
> There is no "stealth". If a service responds to a request the port is
> "open". If not it's closed.
>
> Helmut

> On Tue, 6 Oct 2009 17:23:09 +0200
> "Helmut Schneider" <jumper99@...> wrote:
>
>> From: "Nico De Dobbeleer" <nico@...>
>>> I just finished installing FreeBSD 7.x with pf in transparant
>>> bridging mode as the servers behind the firewall need to have an
>>> public ipaddress.  Now is everything working fine and the FW is
>>> doing his job as it should be. When I nmap the FW I see the open
>>> ports and closed ports. Is there a way the get the FW running in
>>> stealth mode so that isn't possible anymore with nmap or any other
>>> scanning tool to see the open or closed ports?
>>
>> There is no "stealth". If a service responds to a request the port is
>> "open". If not it's closed.
>
> There is: just use "block drop" in your pf config or "set block-policy
> drop" (see man 5 pf.conf). This effectively stops sending TCP RST or
> UDP unreach packets.

> 文鳥 <bunchou@...> wrote:
> > On Tue, 6 Oct 2009 17:23:09 +0200
> > "Helmut Schneider" <jumper99@...> wrote:
> >
> >> From: "Nico De Dobbeleer" <nico@...>
> >>> I just finished installing FreeBSD 7.x with pf in transparant
> >>> bridging mode as the servers behind the firewall need to have an
> >>> public ipaddress.  Now is everything working fine and the FW is
> >>> doing his job as it should be. When I nmap the FW I see the open
> >>> ports and closed ports. Is there a way the get the FW running in
> >>> stealth mode so that isn't possible anymore with nmap or any other
> >>> scanning tool to see the open or closed ports?
> >>
> >> There is no "stealth". If a service responds to a request the port
> >> is "open". If not it's closed.
> >
> > There is: just use "block drop" in your pf config or "set
> > block-policy drop" (see man 5 pf.conf). This effectively stops
> > sending TCP RST or UDP unreach packets.
>
> Consider a webserver where you pass HTTP and "block drop" SSH. 1 port
> is open -> host not "stealth".
>
> But even if you "block drop" all incoming traffic to a host, if a
> host is really down (and therefore stealth) the hosts' gateway would
> send an ICMP type 3 packet (until you didn't cripple ICMP as well).
>
> While sometimes it might be useful to "block drop" it has nothing to
> do with being "stealth".
>
> Helmut

> On Tue, 6 Oct 2009 20:28:33 +0200
> "Helmut Schneider" <jumper99@...> wrote:
>
>> 文鳥 <bunchou@...> wrote:
>>> On Tue, 6 Oct 2009 17:23:09 +0200
>>> "Helmut Schneider" <jumper99@...> wrote:
>>>
>>>> From: "Nico De Dobbeleer" <nico@...>
>>>>> I just finished installing FreeBSD 7.x with pf in transparant
>>>>> bridging mode as the servers behind the firewall need to have an
>>>>> public ipaddress.  Now is everything working fine and the FW is
>>>>> doing his job as it should be. When I nmap the FW I see the open
>>>>> ports and closed ports. Is there a way the get the FW running in
>>>>> stealth mode so that isn't possible anymore with nmap or any other
>>>>> scanning tool to see the open or closed ports?
>>>>
>>>> There is no "stealth". If a service responds to a request the port
>>>> is "open". If not it's closed.
>>>
>>> There is: just use "block drop" in your pf config or "set
>>> block-policy drop" (see man 5 pf.conf). This effectively stops
>>> sending TCP RST or UDP unreach packets.
>>
>> Consider a webserver where you pass HTTP and "block drop" SSH. 1 port
>> is open -> host not "stealth".
>>
>> But even if you "block drop" all incoming traffic to a host, if a
>> host is really down (and therefore stealth) the hosts' gateway would
>> send an ICMP type 3 packet (until you didn't cripple ICMP as well).
>>
>> While sometimes it might be useful to "block drop" it has nothing to
>> do with being "stealth".
>
> Not replying to a probe in the mentioned way is exactly what is
> commonly referred to as "stealth mode" by consumer firewalls. Just try
> a simple google search for "stealth firewall" and you will see.

> 文鳥 <bunchou@...> wrote:
> > On Tue, 6 Oct 2009 20:28:33 +0200
> > "Helmut Schneider" <jumper99@...> wrote:
> >
> >> 文鳥 <bunchou@...> wrote:
> >>> On Tue, 6 Oct 2009 17:23:09 +0200
> >>> "Helmut Schneider" <jumper99@...> wrote:
> >>>
> >>>> From: "Nico De Dobbeleer" <nico@...>
> >>>>> I just finished installing FreeBSD 7.x with pf in transparant
> >>>>> bridging mode as the servers behind the firewall need to have an
> >>>>> public ipaddress.  Now is everything working fine and the FW is
> >>>>> doing his job as it should be. When I nmap the FW I see the open
> >>>>> ports and closed ports. Is there a way the get the FW running in
> >>>>> stealth mode so that isn't possible anymore with nmap or any
> >>>>> other scanning tool to see the open or closed ports?
> >>>>
> >>>> There is no "stealth". If a service responds to a request the
> >>>> port is "open". If not it's closed.
> >>>
> >>> There is: just use "block drop" in your pf config or "set
> >>> block-policy drop" (see man 5 pf.conf). This effectively stops
> >>> sending TCP RST or UDP unreach packets.
> >>
> >> Consider a webserver where you pass HTTP and "block drop" SSH. 1
> >> port is open -> host not "stealth".
> >>
> >> But even if you "block drop" all incoming traffic to a host, if a
> >> host is really down (and therefore stealth) the hosts' gateway
> >> would send an ICMP type 3 packet (until you didn't cripple ICMP as
> >> well).
> >>
> >> While sometimes it might be useful to "block drop" it has nothing
> >> to do with being "stealth".
> >
> > Not replying to a probe in the mentioned way is exactly what is
> > commonly referred to as "stealth mode" by consumer firewalls. Just
> > try a simple google search for "stealth firewall" and you will see.
>
> I know the term "stealth firewall" very well. It's a worthless
> marketing buzzword. It suggests users that it could prevent an attack
> or even the scan itself. Neither is correct. This is what I wanted to
> point out and I was encouraged by the fact that the OP was talking
> about "stealthing" open ports.

> On Wed, 7 Oct 2009 11:40:36 +0200
> "Helmut Schneider" <jumper99@...> wrote:
>> I know the term "stealth firewall" very well. It's a worthless
>> marketing buzzword. It suggests users that it could prevent an attack
>> or even the scan itself. Neither is correct. This is what I wanted to
>> point out and I was encouraged by the fact that the OP was talking
>> about "stealthing" open ports.
>
> Ok, I totally agree with your reasoning when it comes to the open
> ports and useless marketing hype. Nevertheless, I think that the word
> "stealth" fits very well in the case of closed ports as it makes it
> a (slight) bit harder to find if a host is up or not.