
Re: Getting port scans while I would think that the system that is scanned is not reachable because of my pf rules



"Someone" is not telling me that it is leaking :-) I control that FW
myself and I see the entries getting into the log file. This message is part
of a longer message...

It's about maybe 10 a day, random IP addresses... I myself, scanning from the
outside, am not getting through... (it does not register my nmaps).

I don't see anything wrong with my pf.conf, and logging the traffic trying to
get in (using log) tells me that everything is blocked (my nmap as well)...

   =====================================


Hello, 

I have the following situation: OpenBSD 3.6 is my front firewall, the NIC on
the Internet side is fxp0. On the inside I have a NIC called xl0 which is
connected to a back firewall (crossover cable).

I only want traffic going to the Internet if it was set up/requested by the
back firewall first (stateful, of course).

Back-Firewall <---> XL0 OpenBSD3.6 FXP0 ----> Internet

So, I have this:

# pfctl -s rules
scrub in all fragment reassemble
block drop in all
block drop out all
block return-rst in on fxp0 inet proto tcp from any to any port = auth
pass in on xl0 inet from <ip back firewall> to any
pass out on xl0 inet from any to <ip back firewall>
pass out on fxp0 proto tcp all flags S/SA modulate state
pass out on fxp0 proto udp all keep state
pass out on fxp0 proto icmp all keep state

Now, my back firewall still tells me that it is getting port scans from the
Internet, but I would think the system would not be reachable at all because
I block everything in that direction unless it was set up first?
Both systems have an Internet IP address, divided by subnetting. So there
is no NAT being done.

What am I missing here? Why do port scans still reach my internal firewall?

regards
Willem 


-----Original Message-----
From: knitti [mailto:knitti_(_at_)_gmail_(_dot_)_com]
Sent: Monday, 7 February 2005 16:26
To: forums
CC: misc_(_at_)_openbsd_(_dot_)_org
Subject: Re: Getting port scans while I would think that the system that is
scanned is not reachable because of my pf rules

On Mon, 7 Feb 2005 14:31:18 +0100, forums <forum_(_at_)_vanleeuwen_(_dot_)_nl> wrote:
> It tells me so, in the log of that system (ISA 2004). For example:
> 
> ISA Server detected an all port scan attack from Internet Protocol (IP) address 12.130.12.31
> ISA Server detected an all port scan attack from Internet Protocol (IP) address 64.14.128.201
> ISA Server detected an all port scan attack from Internet Protocol (IP) address 213.239.154.35
> etc...

I don't know how frequently you get these, but a starting point would
definitely be looking with tcpdump at the connection between your front fw
and your back fw. Find out which traffic caused these, and compare with your
rules.
If you've got the traffic and don't know what to make of it, it will be far
easier for people on the list to tell what could be wrong than just saying
"someone told me my firewall is leaking".

--knitti
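A way to do the comparison knitti asks for, as an added example that is not part of the thread and not the poster's or OpenBSD's code: it parses the text that `tcpdump -n -e -ttt -i pflog0` prints for logged packets, groups blocked inbound packets per source so a sweep over many ports stands out, and lists anything a rule passed *in* on the external interface. With the ruleset above (only `block drop in all` plus stateful `pass out` on fxp0) that last list should be empty; a non-empty list points at a rule or interface name to re-check. The sample lines are constructed here (their field layout is approximated from pf's log printer, not captured from the poster's firewall), 203.0.113.10 stands in for the back firewall's address, and the three source addresses are made-up TEST-NET hosts. pf only logs packets that matched a rule carrying `log`, not packets matched by an existing state entry, so the block rules must carry `log` for this to see anything.

```python
"""Summarise pflog output: blocked port sweeps per source, plus any packet a
rule passed in on the external interface (should not happen with this ruleset)."""
import re
from collections import defaultdict

# Constructed sample in the shape of `tcpdump -n -e -ttt -i pflog0` output.
# Field layout is approximated; addresses are TEST-NET placeholders
# (203.0.113.10 = back firewall behind the front firewall's fxp0).
SAMPLE_PFLOG = """\
Feb 07 14:31:18.000001 rule 1/(match) block in on fxp0: 192.0.2.31.4321 > 203.0.113.10.22: S 1:1(0) win 512
Feb 07 14:31:18.000120 rule 1/(match) block in on fxp0: 192.0.2.31.4322 > 203.0.113.10.23: S 1:1(0) win 512
Feb 07 14:31:18.000250 rule 1/(match) block in on fxp0: 192.0.2.31.4323 > 203.0.113.10.25: S 1:1(0) win 512
Feb 07 14:31:18.000380 rule 1/(match) block in on fxp0: 192.0.2.31.4324 > 203.0.113.10.80: S 1:1(0) win 512
Feb 07 14:31:19.000000 rule 1/(match) block in on fxp0: 198.51.100.201.53 > 203.0.113.10.1025: udp 60
Feb 07 14:31:20.000000 rule 5/(match) pass out on fxp0: 203.0.113.10.1026 > 198.51.100.35.80: S 1:1(0) win 16384
Feb 07 14:31:21.000000 rule 0/(match) pass in on fxp0: 198.51.100.7.80 > 203.0.113.10.1027: S 1:1(0) win 16384
"""

# One logged IPv4 TCP/UDP packet: rule id, action, direction, interface, endpoints.
LINE_RE = re.compile(
    r"rule (?P<rule>\S+) (?P<action>block|pass) (?P<direction>in|out) on (?P<ifc>\w+): "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)


def parse_pflog(text):
    """Return one dict per parseable line. Lines tcpdump prints in another
    shape (ICMP, fragments, non-IPv4) are skipped rather than guessed at."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def scan_candidates(records, min_ports=3):
    """Sources whose blocked inbound packets touched at least min_ports distinct
    destination ports. Returns {src: sorted list of ports}."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "block" and r["direction"] == "in":
            ports[r["src"]].add(r["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def unexpected_inbound(records, ext_if="fxp0"):
    """Packets a rule passed *in* on the external interface. With only
    'block drop in all' and stateful 'pass out' rules on fxp0 this should be
    empty; anything here is a rule (or interface name) to re-check."""
    return [r for r in records
            if r["action"] == "pass" and r["direction"] == "in" and r["ifc"] == ext_if]


def report(text, ext_if="fxp0"):
    """Human-readable summary used from the command line."""
    recs = parse_pflog(text)
    lines = [f"{len(recs)} logged packets parsed"]
    for src, ports in scan_candidates(recs).items():
        lines.append(f"blocked sweep from {src}: dst ports {ports}")
    for r in unexpected_inbound(recs, ext_if):
        lines.append(f"PASSED IN on {ext_if} by rule {r['rule']}: "
                     f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Real use: tcpdump -n -e -ttt -i pflog0 > pflog.txt; then feed that file in.
    print(report(SAMPLE_PFLOG))
```

Run against a real capture, compare the interface and rule number of every `pass in` line with `pfctl -s rules`: a sweep that only ever shows up as `block in on fxp0` never reached xl0, so the back firewall must be seeing something else, which a second tcpdump on xl0 filtered on the back firewall's address will show.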