How to block nmap OS fingerprinting using ipfw ?
coo.hen@gmail.com
Guest
Posted: Fri Nov 25, 2005 12:26 am    Post subject: How to block nmap OS fingerprinting using ipfw ?

Hi,

I read the "Network Security Hacks" book (O'Reilly) and found a hack to
block nmap OS fingerprinting scans. Unfortunately the example is for
OpenBSD's PF and there's no explanation of why you need to block those
particular tcp flags.

If anybody has had experience with ipfw, please kindly share the
equivalent rules for ipfw.

Thank you.
Eirik Seim
Guest
Posted: Fri Nov 25, 2005 2:44 am    Post subject: Re: How to block nmap OS fingerprinting using ipfw ?

On 24 Nov 2005 10:26:33 -0800, coo.hen@gmail.com wrote:
Quote:
Hi,

I read the "Network Security Hacks" book (O'Reilly) and found a hack to
block nmap OS fingerprinting scans. Unfortunately the example is for
OpenBSD's PF and there's no explanation of why you need to block those
particular tcp flags.

The reason certain tcp flags and combinations are recommended
to be blocked is probably that said combinations are more
often found in fingerprinting scans than in legitimate
applications.

That being said, Nmap is not the only application out there
doing fingerprinting, and if the idea of outsiders gaining any
information with regard to your OS worries you[1], you should
probably configure your firewall to be extremely strict (which
almost certainly breaks a lot of standards), because there may
pop up new ways to fingerprint your system every day. Nmap is
not the only threat.

Quote:
If anybody has had experience with ipfw, please kindly share the
equivalent rules for ipfw.

I know ipfw, but I've never felt the need to protect against Nmap's
OS fingerprinting (other than on my network firewalls, which run
pf...).

Google suggests adding the following to /etc/rc.conf:

tcp_drop_synfin="YES"

But apparently it may break connections in some cases where
legitimate applications behave in non-standard ways. Could
be what you need, but YMMV.


1. Hah, I can fingerprint your OS using only NNTP! You're
running FreeBSD! :)
--
New and exciting signature!
johnH
Guest
Posted: Fri Nov 25, 2005 9:11 am    Post subject: Re: How to block nmap OS fingerprinting using ipfw ?

Thank you for the elaborate replies. Actually, I'm a newbie on these
firewall topics and just trying to find a quick fix.

Quote:
The reason certain tcp flags and combinations are recommended
to be blocked are probably because said combinations are more
often found in fingerprinting scans than in legitimate
applications.

Can ipfw block the same tcp flag combinations as pf? What are the
differences between ipfw and pf?

Quote:
1. Hah, I can fingerprint your OS using only NNTP! You're
running FreeBSD! :)

Uh, that's close :-)
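Added example, not from the thread, the book, or either poster: a POSIX sh script that answers johnH's question by generating the ipfw rules for the flag combinations the first-generation Nmap OS-detection probes used (SYN+FIN, no flags at all, FIN+PSH+URG, and FIN without ACK), together with the sysctl that Eirik's `tcp_drop_synfin="YES"` rc.conf setting turns on at boot. The rule numbers 300-330, the `log` keyword, and the choice to match only inbound packets are assumptions; renumber to fit your own rule set.

```shell
#!/bin/sh
# Added example (not from the thread or the book): ipfw equivalents of the
# PF "block odd TCP flags" hack. Rule numbers 300-330 and the "log" keyword
# are assumptions; renumber to fit your own rule set.
#
# ipfw's "tcpflags" option matches a packet only if every listed flag is set
# and every "!"-prefixed flag is clear, so each rule pins down one flag
# combination that no well-formed TCP segment carries.

# Emit the rules as text so they can be reviewed before being loaded.
antifp_rules() {
    cat <<'EOF'
add 300 deny log tcp from any to any tcpflags syn,fin in
add 310 deny log tcp from any to any tcpflags !syn,!ack,!fin,!rst,!psh,!urg in
add 320 deny log tcp from any to any tcpflags fin,psh,urg in
add 330 deny log tcp from any to any tcpflags fin,!ack in
EOF
}

# Kernel-level equivalent of rule 300: tcp_drop_synfin="YES" in /etc/rc.conf
# sets this sysctl at boot.
synfin_sysctl() {
    echo "net.inet.tcp.drop_synfin=1"
}

# How many generated rules carry exactly the given tcpflags spec (self-check).
count_rules_with() {
    antifp_rules | grep -c -- "tcpflags $1 "
}

# Install the rules; refuses to run without ipfw or without root.
load_rules() {
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not found" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    antifp_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting is intended here
        ipfw -q $rule
    done
    sysctl "$(synfin_sysctl)"
}

# Dry run by default; only "--load" touches the firewall.
case "${1:-}" in
    --load) load_rules ;;
    *)
        echo "# dry run; rerun as root with --load to install:"
        antifp_rules
        echo "# and set: $(synfin_sysctl)"
        ;;
esac
```

Two caveats worth keeping in mind. `deny log` only produces log lines once `net.inet.ip.fw.verbose` is enabled, so check that before relying on the logs for detection. And, as Eirik says, these rules only remove the probes that are distinguishable by their flags; the SYN-to-closed-port and ACK-to-open-port probes look like ordinary traffic, so a scanner still learns something from how the stack answers those, and from option ordering and timing. The rules shrink the fingerprint rather than erase it.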