Re: Getting port scans while I would think that the system that is scanned is not reachable because of my pf rules
From: forums (forum vanleeuwen.nl)
Date: Mon Feb 07 2005 - 07:31:18 CST
It tells me so, in the log of that system (ISA2004). For example:
ISA Server detected an all port scan attack from Internet Protocol (IP) address 12.130.12.31
ISA Server detected an all port scan attack from Internet Protocol (IP) address 64.14.128.201
ISA Server detected an all port scan attack from Internet Protocol (IP) address 213.239.154.35.
etc...
-----Original Message-----
From: Stefan Kell [mailto:skba.opbsd gmx.de]
Sent: Monday, 7 February 2005 14:27
To: forums
CC: misc openbsd.org
Subject: Re: Getting port scans while I would think that the system that is scanned is not reachable because of my pf rules
Hi,
what causes the back-firewall to think it is getting portscans?
Regards
Stefan Kell
On Mon, 7 Feb 2005, forums wrote:
> > Hello,
> >
> > I have the following situation, OpenBSD 3.6 is my Front-Firewall,
> > the NIC on the Internet side is FXP0 On the inside I have a NIC
> > called XL0 which is connected to a Back-Firewall (cross cable).
> >
> > I only want traffic going to the internet if it was set up/requested
> > by the back-firewall first (stateful of course).
> >
> > Back-Firewall <---> XL0 OpenBSD3.6 FXP0 ----> Internet
> >
> > So, I have this:
> >
> > # pfctl -s rules
> > scrub in all fragment reassemble
> > block drop in all
> > block drop out all
> > block return-rst in on fxp0 inet proto tcp from any to any port = auth
> >
> > pass in on xl0 inet from <ip back firewall> to any
> > pass out on xl0 inet from any to <ip back firewall>
> >
> > pass out on fxp0 proto tcp all flags S/SA modulate state
> > pass out on fxp0 proto udp all keep state
> > pass out on fxp0 proto icmp all keep state
> >
> > Now, my back-firewall still tells me that it is getting port scans
> > from the Internet, but I would think the system would not be
> > reachable at all because I block everything in that direction unless it
> > was set up first?
> > Both systems do have an internet IP address, divided by subnetting.
> > So there is no NAT being done.
> >
> > What am I missing here ? Why do port scans still reach my internal
> > Firewall ?
> >
> > regards
> > Willem
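As an added check (example configuration, not the poster's own file or anything from the list), here is the ruleset from the post written as a pf.conf with `log` on the block rules, so that whatever the front firewall drops on fxp0 becomes visible on pflog0 and one can see whether the scan probes are crossing the front firewall at all. The interface names come from the post; the back-firewall address is a placeholder.

```pf
# Added example: the poster's ruleset as a pf.conf with logged block rules.
ext_if = "fxp0"
int_if = "xl0"
back_fw = "192.0.2.2"      # placeholder, substitute the real back-firewall address

set loginterface $ext_if   # per-interface counters for pfctl -s info

scrub in all fragment reassemble

# Default deny in both directions. "log" sends each dropped packet to pflog0,
# so unsolicited inbound probes can be watched with:
#   tcpdump -n -e -ttt -i pflog0
block drop in log all
block drop out log all
block return-rst in on $ext_if inet proto tcp from any to any port auth

# Crossover link between front and back firewall
pass in on $int_if inet from $back_fw to any
pass out on $int_if inet from any to $back_fw

# Outbound only, stateful: replies are admitted by the state table, anything
# else arriving on $ext_if falls through to the logged "block drop in".
pass out on $ext_if proto tcp all flags S/SA modulate state
pass out on $ext_if proto udp all keep state
pass out on $ext_if proto icmp all keep state
```

A probe that shows up as blocked on pflog0 never left the front firewall; if the back-firewall keeps reporting scans from an address that pflog0 never logs as dropped, compare that address against `pfctl -s state` to see which state entry is letting its packets through.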