
Re: Getting port scans while I would think that the system that is scanned is not reachable because of my pf rules



It tells me so, in the log of that system (ISA 2004). For example:

ISA Server detected an all port scan attack from Internet Protocol (IP) address 12.130.12.31
ISA Server detected an all port scan attack from Internet Protocol (IP) address 64.14.128.201
ISA Server detected an all port scan attack from Internet Protocol (IP) address 213.239.154.35.
etc...


-----Original message-----
From: Stefan Kell [mailto:skba_(_dot_)_opbsd_(_at_)_gmx_(_dot_)_de]
Sent: Monday, 7 February 2005 14:27
To: forums
CC: misc_(_at_)_openbsd_(_dot_)_org
Subject: Re: Getting port scans while I would think that the system that
is scanned is not reachable because of my pf rules

Hi,

What causes the back-firewall to think it is getting portscans?

Regards

Stefan Kell

On Mon, 7 Feb 2005, forums wrote:

> > Hello,
> >
> > I have the following situation: OpenBSD 3.6 is my Front-Firewall,
> > the NIC on the Internet side is FXP0. On the inside I have a NIC
> > called XL0 which is connected to a Back-Firewall (cross cable).
> >
> > I only want traffic going to the internet if it was set up/requested
> > by the back-firewall first (stateful of course).
> >
> > Back-Firewall <---> XL0 OpenBSD3.6 FXP0 ----> Internet
> >
> > So, I have this:
> >
> > # pfctl -s rules
> > scrub in all fragment reassemble
> > block drop in all
> > block drop out all
> > block return-rst in on fxp0 inet proto tcp from any to any port = auth
> >
> > pass in on xl0 inet from <ip back firewall> to any
> > pass out on xl0 inet from any to <ip back firewall>
> >
> > pass out on fxp0 proto tcp all flags S/SA modulate state
> > pass out on fxp0 proto udp all keep state
> > pass out on fxp0 proto icmp all keep state
> >
> > Now, my back-firewall still tells me that it is getting port scans
> > from the Internet, but I would think the system would not be
> > reachable at all because I block everything in that direction unless it
> > was set up first?
> > Both systems do have an internet IP address, divided by subnetting.
> > So there is no NAT being done.
> >
> > What am I missing here? Why do port scans still reach my internal
> > Firewall?
> >
> > regards
> > Willem
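To check what the quoted ruleset actually admits, here is a small added model (not code from the thread or from pf) of pf's evaluation of Willem's rules: with no `quick`, the last matching rule wins, and a packet that matches an existing state skips the rules entirely. The back-firewall address and the Internet host are constructed placeholders, and states are assumed to be floating rather than bound to an interface.

```python
from collections import namedtuple
# direction is "in"/"out" as seen by the OpenBSD box; iface is "fxp0" (Internet side)
# or "xl0" (back-firewall side); syn_only models TCP flags S/SA (SYN set, ACK clear)
Pkt = namedtuple("Pkt", "direction iface proto src sport dst dport syn_only",
                 defaults=(False,))
BACK_FW = "198.51.100.2"   # constructed stand-in for <ip back firewall>
ANY = None                 # wildcard in a rule field

# (direction, iface, proto, src, dst, dport, action, keep_state, needs_syn_only),
# in the order of the "pfctl -s rules" output quoted above
RULES = [
    ("in",  ANY,    ANY,    ANY,     ANY,     ANY, "block", False, False),
    ("out", ANY,    ANY,    ANY,     ANY,     ANY, "block", False, False),
    ("in",  "fxp0", "tcp",  ANY,     ANY,     113, "block", False, False),  # port auth
    ("in",  "xl0",  ANY,    BACK_FW, ANY,     ANY, "pass",  False, False),
    ("out", "xl0",  ANY,    ANY,     BACK_FW, ANY, "pass",  False, False),
    ("out", "fxp0", "tcp",  ANY,     ANY,     ANY, "pass",  True,  True),   # flags S/SA modulate state
    ("out", "fxp0", "udp",  ANY,     ANY,     ANY, "pass",  True,  False),
    ("out", "fxp0", "icmp", ANY,     ANY,     ANY, "pass",  True,  False),
]

def rule_matches(r, p):
    d, i, pr, s, dst, dp, _, _, syn = r
    return (d == p.direction and i in (ANY, p.iface) and pr in (ANY, p.proto)
            and s in (ANY, p.src) and dst in (ANY, p.dst)
            and dp in (ANY, p.dport) and (not syn or p.syn_only))

def filter_packet(p, states):
    # Floating states (assumed): a direction-agnostic key, so a tracked flow's reply hits it too
    key = (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))
    if key in states:            # the state table is consulted before the rules
        return "pass"
    verdict, keep = "pass", False
    for r in RULES:              # no "quick" anywhere: the last matching rule wins
        if rule_matches(r, p):
            verdict, keep = r[6], r[7]
    if verdict == "pass" and keep:
        states.add(key)
    return verdict

def run_scenarios(inet="203.0.113.9"):   # constructed Internet host
    st = set()
    return {
        "unsolicited_syn": filter_packet(Pkt("in", "fxp0", "tcp", inet, 40000, BACK_FW, 445, True), st),
        "syn_to_auth":     filter_packet(Pkt("in", "fxp0", "tcp", inet, 40001, BACK_FW, 113, True), st),
        "out_in_xl0":      filter_packet(Pkt("in", "xl0", "tcp", BACK_FW, 50000, inet, 80, True), st),
        "out_out_fxp0":    filter_packet(Pkt("out", "fxp0", "tcp", BACK_FW, 50000, inet, 80, True), st),
        "reply_in_fxp0":   filter_packet(Pkt("in", "fxp0", "tcp", inet, 80, BACK_FW, 50000), st),
    }
```

Under this model an unsolicited SYN arriving on fxp0 ends at `block drop in all`, while the SYN/ACK of a connection the back-firewall opened is admitted only because the outbound rule on fxp0 created a state first.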
