
Re: nmap->PF, strange results, why?



I went through this initially when I first migrated to OBSD and "pf" for 
my firewall, but I now include the following rule in my pf.conf to keep 
from logging all of the broadcast crap:

#--------------------------------------------------------------------------
# Silently drop broadcasts (cable modem noise)
#
block in quick on $ext_if inet from any to { 255.255.255.255 }

When I look at my firewall state information via "pfctl", I see that 
this one rule is dropping 100,000 packets a month on the external side 
of my dual-homed firewall. (My present uptime for my firewall is 34 
days):

block drop in quick on tx0 inet from any to 255.255.255.255
[Evaluations: 399667  Packets: 119463  Bytes: 42821909  States: 0]

I do monitor my pf logs and all that broadcast junk just adds to the 
large amount of logging data I get from all of the port probes my 
firewall gets hit with on a daily basis on Comcast.

Tony

On Sunday 17 August 2003 16:49 pm, Wajihuddin Ahmed wrote:
> Yes, I am a Comcast subscriber.  I also see the following dhcp/bootp
> broadcast which is cluttering my pflog.
>
> Aug 17 19:26:06.813795 rule 0/0(match): block in on ep1:
> 10.69.xxx.xxx.67 > 255.255.255.255.68:  xid:0x5c76374 flags:0x8000
> Y:10.69.xxx.xxx S:172.30.xxx.xxx G:10.69.xxx.xxx ether 0:b:6:6e:7:ec
> [|bootp]
>
> Not sure what the "Y" stands for but this looks like some
> router/firewall is misconfigured, or could this be also trickling
> from one of my neighbours.
>
> Thx
>
> -Wajih
>
> Anthony Schlemmer <aschlemm_(_at_)_comcast_(_dot_)_net> wrote:
> >On Comcast.net they filter ports 137-139 all of the time, otherwise
> >everyone on the same subnet would be able to see everyone's machine
> >through Network Neighborhood, etc. and access shares like files and
> >printers. It's sort of laughable that this reduces security problems
> >with Windows boxes given the recent viruii that have hit many
> >Windows systems and taken a whole lot of boxes down.
> >
> >It's bad enough when I've had neighbor's kids on the same subnet
> >repeatedly hit my OpenBSD firewall with PC Anywhere trying to get
> >into the box like it's a Windows box.
> >
> >Tony
> >
> >On Sunday 17 August 2003 12:47 pm, Wajihuddin Ahmed wrote:
> >> Hi,
> >>
> >> When I nmap my gateway OpenBSD machine, why does nmap show these
> >> ports as filtered?  I have nothing listening on these ports.
> >> Perhaps it's an nmap bug?  Or is this intentional, to trick the other
> >> side into believing that it is a Windows machine?
> >>
> >> # nmap 68.xxx.xxx.xxx
> >>
> >> Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> >> Interesting ports on  (68.xxx.xxx.xxx):
> >> (The 1595 ports scanned but not shown below are in state: closed)
> >> Port       State       Service
> >> 135/tcp    filtered    loc-srv
> >> 137/tcp    filtered    netbios-ns
> >> 138/tcp    filtered    netbios-dgm
> >> 139/tcp    filtered    netbios-ssn
> >> 445/tcp    filtered    microsoft-ds
> >> 1080/tcp   filtered    socks
> >>
> >> Nmap run completed -- 1 IP address (1 host up) scanned in 51
> >> seconds
> >>
> >> Thanks
> >>
> >> -Wajih
> >>
> >
> >--
> >Anthony Schlemmer
> >aschlemm_(_at_)_comcast_(_dot_)_net
>

-- 
Anthony Schlemmer
aschlemm_(_at_)_comcast_(_dot_)_net
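An added pf.conf fragment (not from Tony's or Wajih's mail) that puts the two kinds of noise in this thread into their own silent-drop rules ahead of a logging default block. It assumes the external interface macro `$ext_if` (Tony's is tx0) and the OpenBSD 3.x-era pf syntax used in the thread; the port numbers are the standard bootp server/client ports seen in Wajih's pflog line.

```pf
# Added example, not part of the original thread.
# Assumption: tx0 is the outside interface, as in Tony's pfctl output.
ext_if = "tx0"

# pf evaluates rules top to bottom. "quick" stops evaluation at the first
# match, so every silent drop below must appear BEFORE the logging default.

# 1. DHCP/bootp offers from other customers' gear: the
#    "10.69.x.x.67 > 255.255.255.255.68" lines in Wajih's pflog.
#    Kept narrow (udp, server port 67 to client port 68) and placed first so
#    it gets its own counter in "pfctl -vsr" and can be watched separately.
block in quick on $ext_if inet proto udp from any port 67 to 255.255.255.255 port 68

# 2. Every other limited-broadcast packet (the cable-modem noise), same as
#    Tony's rule.
block in quick on $ext_if inet from any to 255.255.255.255

# 3. Default: anything inbound that is not explicitly passed is blocked AND
#    logged. This is what lands in pflog, so the log now holds only the
#    non-broadcast probes worth reading.
block in log on $ext_if all

# 4. Outbound traffic from the firewall itself, with state so replies
#    come back in without needing their own pass rules.
pass out on $ext_if all keep state
```

After loading with `pfctl -f /etc/pf.conf`, `pfctl -vsr` prints the per-rule `Evaluations`/`Packets`/`Bytes` counters shown in Tony's message; because rule 1 precedes rule 2, the bootp chatter and the remaining broadcast noise are counted separately, and the `block in log` rule's counter tells you how much actually reaches pflog. Nothing here changes what nmap reports for 135-139/445/1080 from outside: those show up as `filtered` because the ISP drops them upstream before they ever reach this box.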