Discussion:
how pf works against nmap?
evernine
2004-05-15 12:39:29 UTC
hi all,
i have configured my openbsd box with PF to avoid nmap activity....
I found thanks to google this rules to block nmap.....

#no nmap
block in log quick on $ext inet proto tcp from any to any flags PUF/PUF
block in log quick on $ext inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext inet proto tcp from any to any flags /SFRA

Is this ok?
Then i tried to nmap my box from an outside machine.... this was the
result.....
(i have no services open to the internet)

Interesting ports on x.x.x.x:
(The 1653 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
49400/tcp closed compaqdiag
54320/tcp closed bo2k
61439/tcp closed netprowler-manager
61440/tcp closed netprowler-manager2
61441/tcp closed netprowler-sensor
65301/tcp closed pcanywhere

Too many fingerprints match this host to give specific OS details

The strange things are these closed ports.... what are these ports??? i
haven't any kind of services only a ftp-proxy for the LAN clients....

Thx,
evernine.

PS: i found this rule against smurf attacks...
#no smurf
#block in quick on $ext inet from any to $ext:broadcast
but i receive a syntax error.... where is the mistake?
Jesper Louis Andersen
2004-05-15 12:49:04 UTC
Post by evernine
hi all,
i have configured my openbsd box with PF to avoid nmap activity....
I found thanks to google this rules to block nmap.....
#no smurf
#block in quick on $ext inet from any to $ext:broadcast
but i receive a syntax error.... where is the mistake?
Huh, why bother? And what syntax error do you receive?
--
j.
evernine
2004-05-16 02:22:40 UTC
Post by Jesper Louis Andersen
Post by evernine
#no smurf
#block in quick on $ext inet from any to $ext:broadcast
but i receive a syntax error.... where is the mistake?
Huh, why bother? And what syntax error do you receive?
I receive this error:

# pfctl -n -f /etc/pf.conf
no IP address found for tun0:broadcast
/etc/pf.conf:33: could not parse host specification

thx,
evernine.
Cedric Berger
2004-05-16 12:13:29 UTC
Post by evernine
Post by Jesper Louis Andersen
Post by evernine
#no smurf
#block in quick on $ext inet from any to $ext:broadcast
but i receive a syntax error.... where is the mistake?
Huh, why bother? And what syntax error do you receive?
# pfctl -n -f /etc/pf.conf
no IP address found for tun0:broadcast
/etc/pf.conf:33: could not parse host specification
Because your tun0 interface is not configured as a broadcast interface.
Do "ifconfig tun0" and see if there is the BROADCAST flag.
If not, you cannot use "tun0:broadcast".
Cedric
Mark Brown
2004-05-15 15:41:37 UTC
With the Built-In OS detection in pf, you can block generic NMAP SYN scans
and OS detection with

block from any os NMAP

This may not stop the other scan types. For example, TCP connect will not be
blocked but all SYN scans would be dropped. Also, the OS detection for TCP
ports would be blocked.

I could not get pf (obsd35) to give me an error for the block smurf rule.
evernine
2004-05-15 16:39:29 UTC
Post by Mark Brown
This may not stop the other scan types. For example, TCP connect will not be
blocked but all SYN scans would be dropped. Also, the OS detection for TCP
ports would be blocked.
Yes this is clear....
but...
Post by Mark Brown
Post by evernine
(The 1653 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
49400/tcp closed compaqdiag
54320/tcp closed bo2k
61439/tcp closed netprowler-manager
61440/tcp closed netprowler-manager2
61441/tcp closed netprowler-sensor
65301/tcp closed pcanywhere
Why these ports appear on my box?
i have a 3.5 obsd-release with no services.... but nmap found bo2k....
and other services typically of a win machine...

PS: for the smurf i will try again and i will post the error exactly.

Thx,
evernine.
Fabio Olive Leite
2004-05-18 15:46:29 UTC
Post by evernine
Post by evernine
PORT STATE SERVICE
[ ... ]
Why these ports appear on my box?
Perhaps because your provider filters it for you, in an attempt to
help users of a commonly vulnerable OS.
--
I drowned in the universal pool of entropy
Eris has saved me, and she has set me free
jared r r spiegel
2004-05-15 17:22:46 UTC
Post by evernine
PS: i found this rule against smurf attacks...
#no smurf
#block in quick on $ext inet from any to $ext:broadcast
but i receive a syntax error.... where is the mistake?
when you set 'ext=something', is 'something' in quotes?
if not, put it in quotes.

as in:

ext = "fxp0"

rather than

ext = fxp0

jared
--
[ openbsd 3.5 GENERIC ( may 10 ) // i386 ]
evernine
2004-05-15 19:40:53 UTC
Post by jared r r spiegel
when you set 'ext=something', is 'something' in quotes?
Yes sure!
i pasted only the part that creates problems....
i will past all my conf now....

/etc/pf.conf

###################################################################
ext="tun0" #external interface
int="ep0" #internal interface
loop="lo0" #loopback interface
intnet="192.168.x.y/24" #internal LAN
winemule="{ 192.168.x.y }" #Client with emule+WinXP
noroute="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"
extser="{ 22 }" #ssh
tcpemule="{ 4662, 4661 }" #emule
udpemule="{ 4672, 4665 }" #added 14 May 2004 for emule's UDP
###################################################################
set block-policy drop
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 5000, adaptive.end 12000 }
set limit { states 10000, frags 10000 }
set optimization aggressive
###################################################################
scrub in on { $ext, $int } all fragment reassemble
###################################################################
#nat rules
###################################################################
nat on $ext from $intnet to any -> $ext
rdr on $int proto tcp from any to any port 21 -> 127.0.0.1 port 8021 #ftp-proxy for the LAN
rdr pass on $ext proto tcp from any to any port $tcpemule -> $winemule
rdr pass on $ext proto udp from any to any port $udpemule -> $winemule
###################################################################
#block rules
###################################################################
block log on $ext all
block in quick inet6 all
block out quick inet6 all
pass quick on $loop all
###################################################################
#no illegal flag combination
###################################################################
block in log quick on $ext inet proto tcp from any to any flags UAPRSF/UAPRSF
###################################################################
#no nmap
###################################################################
block in log quick on $ext inet proto tcp from any to any flags PUF/PUF
block in log quick on $ext inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext inet proto tcp from any to any flags /SFRA
###################################################################
#no smurf
###################################################################
#block in quick on $ext inet from any to $ext:broadcast
block in log quick on $ext from $noroute to any
block out log quick on $ext from any to $noroute
#no cable modem noise (broadcasts)
block in quick on $ext from any to 255.255.255.255
###################################################################
#pass rules
###################################################################
#ftp-proxy for the LAN
pass in quick on $ext inet proto tcp from any to any port > 49151 flags S/SA keep state
#ICMP
pass out quick on $ext inet proto icmp all icmp-type 8 code 0 keep state
pass in quick on $ext inet proto icmp all icmp-type 8 code 0 keep state
#services
pass in on $ext inet proto tcp from any to any port $extser flags S/SA keep state
#the emule port macro defined above is $tcpemule (an undefined $emule would not load)
pass in quick on $ext inet proto tcp from any to $winemule port $tcpemule keep state #to avoid LOW ID on emule
pass out quick on $ext inet proto tcp from any to any port $tcpemule #to avoid LOW ID on emule
pass in quick on $ext inet proto udp from any to $winemule port $udpemule keep state #to avoid LOW ID on emule
pass out quick on $ext inet proto udp from any to any port $udpemule #to avoid LOW ID on emule
#
pass out on $ext proto tcp all modulate state flags S/SA
pass out on $ext proto { udp, icmp } all keep state

#END.

How these rules are?
Thx,
niubbo.

PS: how can u justify these ports found by nmap?
Post by jared r r spiegel
Post by evernine
(The 1653 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
49400/tcp closed compaqdiag
54320/tcp closed bo2k
61439/tcp closed netprowler-manager
61440/tcp closed netprowler-manager2
61441/tcp closed netprowler-sensor
65301/tcp closed pcanywhere
Mark Brown
2004-05-15 21:54:17 UTC
It means that nmap received a response from those ports indicating they were
closed. This could be because nmap sent a packet that did not match your
block filters. If you can repeat the scan with the same results, try using
the -d flag to see additional debugging information that might show you why
nmap thinks those ports are closed. Or you could try monitoring traffic on
the obsd box.

Why even bother trying to block nmap? Would it not be better to block all in
and only allow services you want?
Asenchi
2004-05-17 22:45:28 UTC
On Sat, 15 May 2004 14:39:29 +0200
"evernine" <***@freaknet.org> so eloquently said:

+> hi all,
+> i have configured my openbsd box with PF to avoid nmap activity....
+> I found thanks to google this rules to block nmap.....

I believe that if you scrub the packets you won't have to specify all of
these rules.
From the PF FAQ (http://www.openbsd.org/faq/pf/filter.html#tcpflags) {
One should be careful with using flags -- understand what you are doing
and why, and be careful with the advice people give as a lot of it is
bad. Some people have suggested creating state "only if the SYN flag is
set and no others". Such a rule would end with:

. . . flags S/FSRPAUEW bad idea!!

The theory is, create state only on the start of the TCP session, and
the session should start with a SYN flag, and no others. The problem is
some sites are starting to use the ECN flag and any site using ECN that
tries to connect to you would be rejected by such a rule. A much better
guideline is:

. . . flags S/SAFR

While this is practical and safe, it is also unnecessary to check the
FIN and RST flags if traffic is also being scrubbed. The scrubbing
process will cause PF to drop any incoming packets with illegal TCP flag
combinations (such as SYN and FIN or SYN and RST). It's highly
recommended to always scrub incoming traffic:

scrub in on fxp0
.
.
.
pass in on fxp0 proto tcp from any to any port ssh flags S/SA \
keep state
}

--
-cbm

em: bsd-at-pal3-dot-org
www: http://xecho.pal3.org
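The "flags a/b" matching that both the "#no nmap" rules earlier in the thread and the FAQ excerpt above depend on, written out as a small evaluator. This is an added example, not code from any post here; it assumes pf.conf(5)'s semantics (only flags in b are examined, those in a must be set, the rest of b must be clear) and uses constructed sample probes.

```python
# pf's TCP flag letters: FIN SYN RST PSH ACK URG ECE CWR
FLAG_CHARS = "FSRPAUEW"


def parse_flags(spec):
    """'S/SA' -> (flags that must be set, flags that are examined). '/SFRA' is allowed."""
    check, _, mask = spec.partition("/")
    for ch in check + mask:
        if ch not in FLAG_CHARS:
            raise ValueError(f"unknown flag {ch!r} in {spec!r}")
    # Own sanity check: a check set outside the mask can never match anything.
    if not set(check) <= set(mask):
        raise ValueError(f"flags {check!r} not within mask {mask!r} in {spec!r}")
    return frozenset(check), frozenset(mask)


def flags_match(spec, packet_flags):
    """True if a TCP packet carrying packet_flags (e.g. 'SEW') matches spec.

    pf semantics: of the flags in the mask, exactly those in the check set
    must be set; flags outside the mask are ignored.
    """
    check, mask = parse_flags(spec)
    return (frozenset(packet_flags) & mask) == check


# The "#no nmap" rules from the thread and the probe each is meant to catch.
# (FUP/FUP is the same rule as PUF/PUF, so it is listed once.)
THREAD_RULES = {"PUF/PUF": "Xmas", "SF/SFRA": "SYN+FIN", "/SFRA": "NULL"}

# Constructed sample probes, as TCP flag letters.
SAMPLES = {"syn": "S", "ecn_syn": "SEW", "xmas": "FPU", "null": "",
           "synfin": "SF", "ack": "A"}


def rules_hit(packet_flags):
    """Names of the thread's block rules that a probe with these flags matches."""
    return sorted(name for spec, name in THREAD_RULES.items()
                  if flags_match(spec, packet_flags))


if __name__ == "__main__":
    for label, fl in SAMPLES.items():
        print(f"{label:8s} blocked by {rules_hit(fl) or 'nothing'}; "
              f"S/FSRPAUEW={flags_match('S/FSRPAUEW', fl)} "
              f"S/SAFR={flags_match('S/SAFR', fl)}")
```

A plain SYN matches none of the three block rules, and the "S/FSRPAUEW" row for the ECN SYN shows the FAQ's point: that spec rejects SYN+ECE+CWR while "S/SAFR" accepts it. In the posted ruleset, SYNs to ports above 49151 are then admitted by the "port > 49151 flags S/SA" pass rule, which fits Mark Brown's remark that the probes behind the "closed" results did not match the block filters.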