Re: Getting port scans while I would think that the system that is scanned is not reachable because of my pf rules

From: Stefan Kell (skba.opbsdgmx.de)
Date: Mon Feb 07 2005 - 11:30:14 CST


Hm,

I suspect that someone from the inside is scanning the ISA-Server, maybe a
trojan. You definitely should capture the traffic on OpenBSD with tcpdump
filtering on one of those IP addresses. And the same on the ISA-Server.

Regards

Stefan Kell

On Mon, 7 Feb 2005, forums wrote:

> "Someone" is not telling me that it is leaking :-) I control that FW
> myself and I see the entries getting in the log file. This message is part
> of a longer message...
>
> It's about maybe 10 a day, random IP addresses... I myself, scanning from the
> outside, am not getting through... (it does not register my nmaps).
>
> I don't see anything wrong with my pf.conf, and logging traffic trying to
> get in (using log) tells me that everything is blocked (my nmap as well)...
>
> =====================================
>
>
> Hello,
>
> I have the following situation: OpenBSD 3.6 is my Front-Firewall, the NIC on
> the Internet side is FXP0. On the inside I have a NIC called XL0 which is
> connected to a Back-Firewall (cross cable).
>
> I only want traffic going to the Internet if it was set up/requested by the
> back-firewall first (stateful of course).
>
> Back-Firewall <---> XL0 OpenBSD3.6 FXP0 ----> Internet
>
> So, I have this:
>
> # pfctl -s rules
> scrub in all fragment reassemble
> block drop in all
> block drop out all
> block return-rst in on fxp0 inet proto tcp from any to any port = auth
>
> pass in on xl0 inet from <ip back firewall> to any
> pass out on xl0 inet from any to <ip back firewall>
>
> pass out on fxp0 proto tcp all flags S/SA modulate state
> pass out on fxp0 proto udp all keep state
> pass out on fxp0 proto icmp all keep state
>
> Now, my back-firewall still tells me that it is getting port scans from the
> Internet, but I would think the system would not be reachable at all because
> I block everything in that direction unless it was set up first?
> Both systems do have an Internet IP address, divided by subnetting. So there
> is no NAT being done.
>
> What am I missing here? Why do port scans still reach my internal Firewall?
>
> regards
> Willem
>
>
> -----Original message-----
> From: knitti [mailto:knittigmail.com]
> Sent: Monday 7 February 2005 16:26
> To: forums
> CC: miscopenbsd.org
> Subject: Re: Getting port scans while I would think that the system that is
> scanned is not reachable because of my pf rules
>
> On Mon, 7 Feb 2005 14:31:18 +0100, forums <forumvanleeuwen.nl> wrote:
> > It tells me so, in the log of that system (ISA2004). For example:
> >
> > ISA Server detected an all port scan attack from Internet Protocol
> > (IP) address 12.130.12.31
> > ISA Server detected an all port scan attack from Internet Protocol
> > (IP) address 64.14.128.201
> > ISA Server detected an all port scan attack from Internet Protocol
> > (IP) address 213.239.154.35.
> > etc...
>
> I don't know how frequently you get these, but a starting point would
> definitely be looking with tcpdump at the connection between your front fw
> and your back fw. Find out which traffic caused these, and compare with your
> rules.
> If you got the traffic and don't know what to make of it, it will be far
> easier for people on the list to tell what could be wrong than just saying
> "someone told me my firewall is leaking".
>
> --knitti
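Both replies above say the same thing: capture on xl0 (for example `tcpdump -n -i xl0 host <scanning ip>`) and compare what actually crosses the link with what the rule set should allow. The script below is an added example, not code from anyone in this thread. It takes tcpdump-style text (a constructed sample, with 192.0.2.10 standing in for `<ip back firewall>`, 203.0.113.5 for a server the back firewall legitimately talked to, and 198.51.100.7 for an outside host) and replays each packet through a toy model of Willem's rules: only a bare SYN from the back firewall creates state (`flags S/SA modulate state`), and every other packet passes only if it belongs to an existing state. Packets classified as `unsolicited` are the ones the front firewall should have dropped; if they show up in a real xl0 capture, the rules are not doing what the poster believes, and if they never show up on xl0, the "scans" ISA reports are arriving some other way, which is what Stefan suspects. The capture format, the addresses and the function names are all assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of `tcpdump -n -i xl0 tcp` output from a
# tcpdump 3.x-era OpenBSD box. It is not a real capture: 192.0.2.10 stands
# for <ip back firewall>, 203.0.113.5 for a web server the back firewall
# legitimately talked to, and 198.51.100.7 for a host probing it unsolicited.
SAMPLE_CAPTURE = """\
11:30:01.000001 IP 192.0.2.10.51000 > 203.0.113.5.80: S 1:1(0) win 65535
11:30:01.000200 IP 203.0.113.5.80 > 192.0.2.10.51000: S 9:9(0) ack 2 win 5840
11:30:01.000300 IP 192.0.2.10.51000 > 203.0.113.5.80: . ack 10 win 65535
11:30:05.000000 IP 198.51.100.7.44321 > 192.0.2.10.22: S 7:7(0) win 1024
11:30:05.000100 IP 198.51.100.7.44322 > 192.0.2.10.23: S 7:7(0) win 1024
11:30:06.000000 IP 203.0.113.5.80 > 192.0.2.10.51000: P 10:50(40) ack 2 win 5840
"""

# timestamp, src.port > dst.port: flags ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[SFRP.]+)"
)


@dataclass
class Verdict:
    line: str
    outcome: str  # state-created | state-match | unsolicited | no-state-out | other


def parse_line(line):
    """Return (src, sport, dst, dport, flags, syn_only) or None for non-TCP lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # In this output format a bare SYN shows flags "S" with no "ack" field,
    # while a SYN/ACK shows flags "S" followed by "ack N". pf's `flags S/SA`
    # means "SYN set, ACK clear", so only the bare SYN may create state.
    syn_only = "S" in m["flags"] and " ack " not in line
    return m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"], syn_only


def classify_capture(text, inside_ip):
    """Replay a capture through a toy model of the poster's rule set.

    - Outbound TCP from the back firewall creates state only on a bare SYN
      (`pass out on fxp0 proto tcp all flags S/SA modulate state`).
    - Any other packet passes only if it belongs to an existing state;
      everything else falls to `block drop in all` / `block drop out all`.
    Timeouts and TCP window tracking are deliberately ignored.
    """
    states = set()   # (inside_ip, inside_port, remote_ip, remote_port)
    verdicts = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, sport, dst, dport, flags, syn_only = parsed
        if src == inside_ip:
            key = (src, sport, dst, dport)
            if key in states:
                outcome = "state-match"
            elif syn_only:
                states.add(key)
                outcome = "state-created"
            else:
                outcome = "no-state-out"   # outbound without state: blocked
        elif dst == inside_ip:
            key = (dst, dport, src, sport)
            outcome = "state-match" if key in states else "unsolicited"
        else:
            outcome = "other"
        verdicts.append(Verdict(line, outcome))
    return verdicts


def unsolicited_sources(text, inside_ip):
    """Source IPs that reached the back firewall without a state: the list to
    compare against the addresses in the ISA Server port-scan log entries."""
    srcs = set()
    for v in classify_capture(text, inside_ip):
        if v.outcome == "unsolicited":
            srcs.add(parse_line(v.line)[0])
    return sorted(srcs)


if __name__ == "__main__":
    for v in classify_capture(SAMPLE_CAPTURE, "192.0.2.10"):
        print(f"{v.outcome:14} {v.line}")
    print("unsolicited sources:", unsolicited_sources(SAMPLE_CAPTURE, "192.0.2.10"))
```

Feed it a real `tcpdump -n -i xl0 tcp` text dump and compare `unsolicited_sources()` with the addresses ISA logs. A source that appears here was let through by the front firewall despite the rules; a source that ISA logs but that never appears on xl0 did not come through fxp0 at all.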