On 18/06/2022 12:15, Cristian Danila wrote:
Good day! Does anyone know if OpenBSD (7.1) has the capability to be hidden
against a ping scan (nmap -sn xxx.xxx.xxx.xxx)?
In PF I have only 2 rules to block everything:
block in quick all
block out quick all
This is a fresh OpenBSD 7.1 with no other configuration in place.
The only thing set is the default interface vic0 to allow dhcp.
By running a test with nmap -sn 192.168.121.131 I see this:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-18 11:52 GTB Daylight Time
Nmap scan report for 192.168.121.131
Host is up (0.00s latency).
MAC Address: 00:0C:29:C3:D9:A7 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.46 seconds
On the scanned host I see this by running tcpdump -i vic0:
09:51:40.913770 arp who-has 192.168.121.131 tell 192.168.121.1
09:51:40.913795 arp reply 192.168.121.131 is-at 00:0c:29:c3:d9:a7
I am thinking (please correct me if I am wrong) that not all the traffic
passes through pf, hence this is why it is not blocked.
I would appreciate it if someone could provide me a technical answer on this,
or even recommend me a book to read or docs regarding it.
Kind regards,
Claudiu

Apparently you are on the same network, that's why the arp(4) reply.
If you're not (and 192.168.121.1 is your gateway)
then maybe you want to add block drop or set block-policy drop.
Your pf rule blocks icmp and the rest of ip(4) traffic
ping 192.168.121.131
to verify.
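
The capture in the question shows why the scan still reports the host as up: pf filters IP packets, ARP is answered below it, and nmap -sn against a host on the same Ethernet segment discovers it with ARP. As an added example (not part of the original thread), the Python below reads tcpdump text lines and reports which probe types the host answered; the ICMP line in the sample is constructed and its line format is an assumption.

```python
import re

# The two ARP lines are from the post. The ICMP line is constructed to show
# IP traffic that "block in quick all" drops; its format is an assumption.
SAMPLE = """\
09:51:40.913770 arp who-has 192.168.121.131 tell 192.168.121.1
09:51:40.913795 arp reply 192.168.121.131 is-at 00:0c:29:c3:d9:a7
09:51:41.100000 192.168.121.1 > 192.168.121.131: icmp: echo request
"""

WHO_HAS = re.compile(r"^\S+ arp who-has (\S+) tell (\S+)")
REPLY = re.compile(r"^\S+ arp reply (\S+) is-at ([0-9a-f:]{17})")
ICMP = re.compile(r"^\S+ (\S+) > (\S+): icmp: echo (request|reply)")


def exposure(capture, host):
    """Report which probes for `host` were answered in a tcpdump text capture."""
    pending = set()  # requesters with an outstanding who-has for host
    result = {"arp_answered": [], "icmp_probes": 0, "icmp_answered": 0}
    for line in capture.splitlines():
        line = line.strip()
        if m := WHO_HAS.match(line):
            if m.group(1) == host:
                pending.add(m.group(2))
        elif m := REPLY.match(line):
            if m.group(1) == host and pending:
                # This short tcpdump form omits the reply's destination, so
                # attribute it to every requester still waiting.
                mac = m.group(2)
                result["arp_answered"] += [(r, mac) for r in sorted(pending)]
                pending.clear()
        elif m := ICMP.match(line):
            src, dst, kind = m.groups()
            if dst == host and kind == "request":
                result["icmp_probes"] += 1
            elif src == host and kind == "reply":
                result["icmp_answered"] += 1
    return result


if __name__ == "__main__":
    r = exposure(SAMPLE, "192.168.121.131")
    for requester, mac in r["arp_answered"]:
        print(f"ARP: host revealed to {requester} as {mac} (not filtered by pf)")
    print(f"ICMP echo: {r['icmp_probes']} probe(s), {r['icmp_answered']} answered")
```
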