> On Tue, Aug 29, 2006 at 05:50:56PM +0200, [EMAIL PROTECTED] wrote:
>> block drop in log quick on $ext_if os NMAP overload <nmapscanners> flush
>
> This is a bad idea, because nmap scans can be trivially spoofed (nmap
> provides a command line option to do this), resulting in a simple denial
> of service attack.
>
> We have the overload table for tcp connections because the handshake
> makes us reasonably confident that the packets are not spoofed.
If you're afraid of spoofing you maybe shouldn't use overload rules at all! In fact most ISPs in Europe do filter spoofed packets. You simply can't spoof... But apart from this: What else should an "admin" do? I really mean it...

A normal overload example (I just used some common services):

pass in on $ext_if proto tcp to $web_server \
    port 22 flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/10, overload <badssh> flush)
pass in on $ext_if proto tcp to $web_server \
    port 25 flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 3/10, overload <badsmtp> flush)
pass in on $ext_if proto tcp to $web_server \
    port 443 flags S/SA keep state \
    (max-src-conn 30, max-src-conn-rate 15/10, overload <badwww> flush)
pass in on $ext_if proto tcp to $web_server \
    port 465 flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 3/10, overload <badsmtp> flush)
pass in on $ext_if proto tcp to $web_server \
    port 21 flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 1/10, overload <badftp> flush)

Well, I guess we all know what PF does here. But what if you want to block hosts which connect to all those services in a very short time period (like during a "normal" portscan; yes, I know about -T1 in nmap..)? Should an admin then do this:

pass in on $ext_if proto tcp to $web_server \
    port $ALL_SERVICES_HERE flags S/SA keep state \
    (max-src-conn 3, max-src-conn-rate 10/10, overload <allports> flush)

With that limit a normal user may get caught by this rule even if he just visited the www and maybe fetched/sent a mail (some browsers do connect several times). But an nmap scan would get caught by this rule too (as long as nmap isn't used with -T1 or maybe even with -T2). So what other "solution" will solve the problem I'm trying to fix?! And in fact why should somebody other than you scan your servers.. (even if it's not illegal)?!

Btw: It would be very useful to block hosts which used nmap! Think about controlled big LANs (like in universities where you can't watch EVERY computer and where students may boot a Linux live CD or whatever and try to do bad stuff... if nmap is just blocked they'll probably use something else after they notice it).

Kind regards,
Sebastian
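The thread contrasts two overload styles: the `os NMAP` rule, which triggers on raw packets and can therefore be fed spoofed SYNs, and the per-service `max-src-conn-rate` rules, which only count connections that completed the handshake. The following is an added example, written for this editing pass and not code from the thread or from pf itself: a small Python model of pf-style per-source rate tracking, run over constructed connection records (addresses, ports and timings are invented). It shows three things: a handshake-gated rate counter ignores the spoofed burst, a packet-level counter blocks the spoofing victim, and a single "all ports" rate threshold catches a chatty browser alongside the scan, whereas counting distinct destination ports per source separates the two. The distinct-port counter is an assumption of this example (something a log-monitoring script feeding a table could compute), not a pf rule option.

```python
"""Model of pf-style source tracking to compare overload rules.

Added example, not from the original thread. Semantics are simplified:
a sliding window of timestamps per source, counting only records the
rule is allowed to see.
"""
from collections import defaultdict, deque

# Constructed records: (timestamp_seconds, source_ip, destination_port, handshake_done)
# handshake_done=False models a bare SYN (possibly spoofed) that never completed.
RECORDS = [
    # Web browser opening many parallel connections to 443, then sending mail.
    *[(10.0 + 0.1 * i, "203.0.113.10", 443, True) for i in range(12)],
    (12.0, "203.0.113.10", 25, True),
    # Connect scan: one completed connection to each exposed service within 1 s.
    *[(20.0 + 0.2 * i, "198.51.100.7", p, True)
      for i, p in enumerate((21, 22, 25, 443, 465))],
    # Spoofed SYNs carrying a victim's address; no handshake ever completes.
    *[(30.0 + 0.02 * i, "203.0.113.20", 22, False) for i in range(50)],
]


def overloaded_sources(records, max_conn, per_seconds, require_handshake=True):
    """Sources exceeding max_conn new connections within any per_seconds window.

    require_handshake=True mirrors the handshake-gated max-src-conn-rate
    behaviour described in the thread: unfinished handshakes are not counted.
    require_handshake=False models a rule that fires on raw packets, such as
    an OS-fingerprint match on a SYN, so spoofed packets count too.
    """
    windows = defaultdict(deque)  # src -> timestamps inside the window
    flagged = set()
    for ts, src, _port, done in sorted(records):
        if require_handshake and not done:
            continue
        win = windows[src]
        win.append(ts)
        while win and ts - win[0] > per_seconds:
            win.popleft()
        if len(win) > max_conn:
            flagged.add(src)
    return flagged


def multi_service_sources(records, min_ports, per_seconds):
    """Sources completing connections to >= min_ports distinct ports in a window.

    Hypothetical heuristic for this example: a portscan touches many services,
    while a browser burst concentrates on one or two.
    """
    windows = defaultdict(deque)  # src -> (timestamp, port) inside the window
    flagged = set()
    for ts, src, port, done in sorted(records):
        if not done:
            continue
        win = windows[src]
        win.append((ts, port))
        while win and ts - win[0][0] > per_seconds:
            win.popleft()
        if len({p for _, p in win}) >= min_ports:
            flagged.add(src)
    return flagged


if __name__ == "__main__":
    # Same 10 connections per 10 seconds threshold as the "all ports" rule.
    print("handshake-gated 10/10:", overloaded_sources(RECORDS, 10, 10))
    print("packet-level 10/10:  ", overloaded_sources(RECORDS, 10, 10, False))
    print("4 distinct ports/10s:", multi_service_sources(RECORDS, 4, 10))
```

Run stand-alone, the handshake-gated counter flags only the browser (13 completed connections in 10 s), the packet-level counter additionally flags the spoofing victim 203.0.113.20, and the distinct-port heuristic flags only the scanner. Whatever feeds the table, bounding how long an entry stays in it (for instance expiring old entries with `pfctl -t <table> -T expire <seconds>`) limits the damage of a false positive or of a deliberately provoked entry.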