Re: Getting port scans while I would think that the system that is scanned is not reachable because of my pf rules
From: Stefan Kell (skba.opbsd gmx.de)
Date: Mon Feb 07 2005 - 09:50:15 CST
Hello,
you did enable pf, didn't you? What gives "sudo pfctl -s info"? It should
show some blocked packets.
Regards
Stefan Kell
On Mon, 7 Feb 2005, forums wrote:
> It tells me so, in the log of that system (ISA2004). For example:
>
> ISA Server detected an all port scan attack from Internet Protocol (IP)
> address 12.130.12.31
> ISA Server detected an all port scan attack from Internet Protocol (IP)
> address 64.14.128.201
> ISA Server detected an all port scan attack from Internet Protocol (IP)
> address 213.239.154.35.
> etc...
>
>
> -----Original Message-----
> From: Stefan Kell [mailto:skba.opbsd gmx.de]
> Sent: Monday 7 February 2005 14:27
> To: forums
> CC: misc openbsd.org
> Subject: Re: Getting port scans while I would think that the system that
> is scanned is not reachable because of my pf rules
>
> Hi,
>
> what causes the back-firewall to think it is getting portscans?
>
> Regards
>
> Stefan Kell
>
> On Mon, 7 Feb 2005, forums wrote:
>
> > > Hello,
> > >
> > > I have the following situation, OpenBSD 3.6 is my Front-Firewall,
> > > the NIC on the Internet side is FXP0. On the inside I have a NIC
> > > called XL0 which is connected to a Back-Firewall (cross cable).
> > >
> > > I only want traffic going to the internet if it was setup/requested
> > > by the back-firewall first (stateful of course).
> > >
> > > Back-Firewall <---> XL0 OpenBSD3.6 FXP0 ----> Internet
> > >
> > > So, I have this:
> > >
> > > # pfctl -s rules
> > > scrub in all fragment reassemble
> > > block drop in all
> > > block drop out all
> > > block return-rst in on fxp0 inet proto tcp from any to any port = auth
> > >
> > > pass in on xl0 inet from <ip back firewall> to any
> > > pass out on xl0 inet from any to <ip back firewall>
> > >
> > > pass out on fxp0 proto tcp all flags S/SA modulate state
> > > pass out on fxp0 proto udp all keep state
> > > pass out on fxp0 proto icmp all keep state
> > >
> > > Now, my back-firewall still tells me that it is getting port scans
> > > from the Internet, but I would think the system would not be
> > > reachable at all because I block everything in that direction unless it
> > > was set up first?
> > > Both systems do have an Internet IP address, divided by subnetting.
> > > So there is no NAT being done.
> > >
> > > What am I missing here? Why do port scans still reach my internal
> > > firewall?
> > >
> > > regards
> > > Willem
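The ruleset from Willem's mail written out as a complete pf.conf, added here as an illustration and not the poster's own file: interface macros, a placeholder for the back-firewall address, and `log` on the two default-deny rules so that any scan packet pf actually drops shows up on pflog0 and in the block counters of the `pfctl -s info` check Stefan suggests.

```pf
# Added example: the pfctl -s rules listing from the thread, rewritten as
# /etc/pf.conf with 'log' on the block rules so dropped packets are visible.
ext_if = "fxp0"
int_if = "xl0"
back_fw = "192.0.2.2"        # placeholder for <ip back firewall>

scrub in all fragment reassemble

# Default deny, logged: a scan arriving on fxp0 for the back firewall with no
# matching state is dropped here and written to pflog0.
block drop log in all
block drop log out all
block return-rst in on $ext_if inet proto tcp from any to any port = auth

# Only the back firewall may originate traffic through this box (stateless,
# as in the original listing; replies come back in via the rule below).
pass in on $int_if inet from $back_fw to any
pass out on $int_if inet from any to $back_fw

# Outbound from the back firewall, tracked by state so replies are let in.
pass out on $ext_if proto tcp all flags S/SA modulate state
pass out on $ext_if proto udp all keep state
pass out on $ext_if proto icmp all keep state

# Checks after 'pfctl -f /etc/pf.conf':
#   pfctl -s info                 # "Status: Enabled" and rising Blocked counters
#   pfctl -s state                # only states created by the back firewall
#   tcpdump -n -e -ttt -i pflog0  # each logged drop, with interface and rule number
```

If `pfctl -s info` reports the filter as disabled, or pflog0 stays silent while the ISA log keeps filling, the traffic is not passing through these rules at all.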