On 1/14/06, Daniel Ouellet <[EMAIL PROTECTED]> wrote:
> I didn't spend too much time on this one, but I think the above should
> give you an idea as to how to go about it. Might work just as is if you
> add the ports you want to protect inside your LAN, or may need some
> minor changes, but it is sure very close to what you might need I think.
(Sorry, Daniel, my first reply didn't hit the list.)

I don't disagree with the approach, though I am not certain it will solve the NMAP issue unless NMAP completes the 3-way handshake. Default nmap behaviour (as observed when executed with root privileges) will send a syn packet, which is returned by OpenBSD with an ack; then either nmap or the host O/S on the far side returns a RST packet. No handshake, no connection.

I ran nmap several times against four open ports (nc -k -l 25 (et al) listening) with this rule; here's what my state table shows:

nmap.source.ip -> 0.0.0.0 ( states 4, connections 0, rate 0.0/60s )
nmap.source.ip -> 0.0.0.0 ( states 4, connections 0, rate 0.0/60s )
nmap.source.ip -> 0.0.0.0 ( states 4, connections 0, rate 0.0/60s )
nmap.source.ip -> 0.0.0.0 ( states 4, connections 0, rate 0.0/60s )

I'm not sure that will ever trigger an overload to a table. Documentation can be found at http://www.openbsd.org/faq/pf/filter.html#stateopts.

I'm interested in hearing solutions from others as well.
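The state table output above makes the defender's point: a half-open SYN scan leaves state entries behind but never increments the connection counter, so a rule whose overload trigger is max-src-conn-rate (which per pf.conf(5) counts only connections that completed the 3-way handshake) has nothing to count. The following is an added example, not code from the thread or from the OpenBSD project: a small Python script that parses lines in the `pfctl -s Sources` format quoted above and reports sources that hold several tracked states with zero completed connections, the signature the overload table misses. The sample input is constructed here using documentation-range addresses; the threshold of four states is an assumption chosen to match the post, not a pf default.

```python
import re

# Constructed sample in the same layout as the `pfctl -s Sources` lines quoted
# in the post. Addresses are documentation-range values, not real hosts.
SAMPLE_SOURCES = """\
192.0.2.10 -> 0.0.0.0 ( states 4, connections 0, rate 0.0/60s )
198.51.100.7 -> 0.0.0.0 ( states 3, connections 3, rate 2.0/60s )
203.0.113.99 -> 0.0.0.0 ( states 40, connections 0, rate 0.0/60s )
this line is not a source-tracking entry and is skipped
"""

# One source-tracking entry: "<src> -> <dst> ( states N, connections N, rate R/Ws )"
SOURCE_LINE = re.compile(
    r"^(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+\(\s*"
    r"states\s+(?P<states>\d+),\s+"
    r"connections\s+(?P<conns>\d+),\s+"
    r"rate\s+(?P<rate>[\d.]+)/(?P<window>\d+)s\s*\)"
)


def parse_sources(text):
    """Parse `pfctl -s Sources` output into dicts; non-matching lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = SOURCE_LINE.match(line.strip())
        if not m:
            continue
        entries.append({
            "src": m.group("src"),
            "dst": m.group("dst"),
            "states": int(m.group("states")),
            "connections": int(m.group("conns")),
            "rate": float(m.group("rate")),      # completed connections per window
            "window": int(m.group("window")),    # window length in seconds
        })
    return entries


def half_open_sources(entries, min_states=4):
    """Sources whose tracked states never completed a handshake.

    `states` counts every state entry pf created for the source, including
    half-open SYN/SYN-ACK/RST exchanges; `connections` (and `rate`) only move
    once a TCP handshake completes. A source with many states and zero
    connections is exactly what a max-src-conn-rate overload cannot see.
    """
    return [e["src"] for e in entries
            if e["states"] >= min_states and e["connections"] == 0]


def report(text, min_states=4):
    """Human-readable summary of the parsed table and the flagged sources."""
    entries = parse_sources(text)
    flagged = half_open_sources(entries, min_states)
    lines = [f"{e['src']:<16} states={e['states']:<4} connections={e['connections']:<4}"
             f" rate={e['rate']}/{e['window']}s" for e in entries]
    lines.append(f"half-open-only sources (>= {min_states} states, 0 connections): "
                 + (", ".join(flagged) if flagged else "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    # On a live system you would pipe `pfctl -s Sources` into this instead.
    print(report(SAMPLE_SOURCES))
```

Run against real output with `pfctl -s Sources | python3 script.py`-style plumbing by replacing `SAMPLE_SOURCES` with `sys.stdin.read()`. The practical takeaway matches the post: if the goal is to react to scanners that never complete the handshake, the counter that moves is the state count, not the connection count or rate, so whatever limit or monitoring you use has to key off states (or off the RST-terminated entries in the state table) rather than completed connections.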