

Filtered: NMAP Port Scanner Sees Through IPtables Firewall (2006) - AJAlabs
http://diaryproducts.net/about/operating_systems/unix/nmap_port_scanner_iptables_firewall

======
ckuehl
It seems that it might be more appropriate to simply have your default
firewall rule be to drop incoming traffic, and to then open only those ports
you need.

If you're using a port whitelist (rather than blacklist), the problem the
author identifies shouldn't really exist.

~~~
zrm
The trouble with everyone using whitelists is that the ecosystem responds to
it. Widespread use of default deny causes new applications to be tunneled over
HTTP[S] or ssh instead of using their own ports, which is in effect just
default allow minus the ability to differentiate applications based on their
ports.

~~~
zokier
In what sort of world is default DROP not a widespread practice? Quickly
googling, e.g. both the Ubuntu and CentOS wikis advise default drop, as do a lot
of other guides.

[https://help.ubuntu.com/community/IptablesHowTo#Blocking_Tra...](https://help.ubuntu.com/community/IptablesHowTo#Blocking_Traffic)

[http://wiki.centos.org/HowTos/Network/IPTables#head-724ed81d...](http://wiki.centos.org/HowTos/Network/IPTables#head-724ed81dbcd2b82b5fd3f648142796f3ce60c730)

~~~
zrm
> In what sort of world default DROP is not a widespread practice?

That's the problem. Instead of asking why you're running services you don't
really want to be running, just kill anything you don't understand. It's like
over-prescribing antibiotics. You grow a new crop of firewall-resistant
services and then the firewall doesn't work when you really need it to.

------
gnoway
I've always wondered what the actual best practice is with rejection rules. I
tend to prefer issuing reset/unreachable since as the article points out it
does make the port look like it's truly unused. On the other hand, eliminating
the response packets has benefits of its own: the scan takes longer, the
system doesn't incur the response overhead and it won't participate in any
attack scenario depending on sending responses to a spoofed address.

~~~
UnoriginalGuy
Given the options, couldn't you effectively stealth services by having the
firewall drop everything unused from 1-5000 (instead of letting the OS send a
reset packet)?

~~~
zokier
Why stop at 5000? Why not default drop for all ports (except whitelisted
ones)?

------
cthalupa
It depends on what you're worried about as to why you would choose drop vs.
reject.

If you scan only that specific port, a DROP will make the IP address appear
unused - so if you're worried about someone scanning purely for port 22 and
not anything else, a drop is the better choice.

(See: nmap an unused IP address with -P0 to ignore the fact there's no icmp
response to show the host is alive, and you get a 'filtered')

If you're worried about people that are specifically trying to see if a
service is running on your specific server, a reject + reset might be the
better choice.
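The drop-vs-reject trade-off gnoway and cthalupa describe, seen from the scanner's side, as an added example (not part of the thread and not nmap's own code): a plain TCP connect probe that reports nmap-style open/closed/filtered states and records how long each probe cost, so the "DROP makes the scan slower" effect is measurable. The iptables rules in the comments, the hosts, ports and the 2-second timeout are assumptions for illustration; the loopback demo needs no network.

```python
"""What a TCP connect probe sees behind ACCEPT, REJECT and DROP rules.

Added example; the state names follow nmap's open/closed/filtered convention,
the hosts/ports/timeout are assumed, and nothing here is nmap's own code.
"""
import errno
import socket
import time

# How the target's (assumed) iptables rule shows up to a connect() probe:
#   -j ACCEPT with a listener                  -> SYN-ACK        -> "open"
#   -j REJECT --reject-with tcp-reset          -> RST            -> "closed"
#   no rule, no listener                       -> RST            -> "closed" (indistinguishable)
#   -j REJECT (default icmp-port-unreachable)  -> ICMP 3/3, which Linux maps to
#        ECONNREFUSED, so a connect scan says "closed"; nmap -sS reports
#        ICMP unreachables as "filtered" instead
#   -j REJECT --reject-with icmp-host-unreachable -> ICMP 3/1 -> EHOSTUNREACH -> "filtered"
#   -j DROP                                    -> silence until timeout -> "filtered"
UNREACHABLE_ERRNOS = {errno.EHOSTUNREACH, errno.ENETUNREACH}
LOCAL_FILTER_ERRNOS = {errno.EPERM, errno.EACCES}  # our own OUTPUT chain rejected the SYN


def classify_errno(code):
    """Map the errno of a failed connect() to an nmap-style port state."""
    if code == errno.ECONNREFUSED:
        return "closed"
    if code in UNREACHABLE_ERRNOS or code in LOCAL_FILTER_ERRNOS:
        return "filtered"
    return "unknown"


def classify_name(name):
    """Same as classify_errno, keyed by the symbolic errno name (e.g. "ECONNREFUSED")."""
    return classify_errno(getattr(errno, name))


def probe(host, port, timeout=2.0):
    """Return (state, seconds) for one TCP connect probe against host:port."""
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            state = "open"
        except socket.timeout:          # DROP: no SYN-ACK, no RST, nothing at all
            state = "filtered"
        except OSError as exc:          # RST or ICMP error came back quickly
            state = classify_errno(exc.errno)
    return state, time.monotonic() - start


def scan(host, ports, timeout=2.0):
    """Probe each port and total the wall-clock cost: DROPped ports each burn the full timeout."""
    results = {}
    total = 0.0
    for port in ports:
        state, seconds = probe(host, port, timeout)
        results[port] = state
        total += seconds
    return results, total


def demo_local():
    """Offline demonstration on loopback: one listening port, then the same port after close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))     # kernel picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    with_listener, _ = probe("127.0.0.1", port)   # SYN-ACK -> "open"
    srv.close()
    without_listener, _ = probe("127.0.0.1", port)  # RST -> "closed"
    return {"listening": with_listener, "closed": without_listener}


if __name__ == "__main__":
    print(demo_local())
    # Against a host whose firewall DROPs, each port shows "filtered" and costs
    # the whole timeout, e.g. (TEST-NET address, assumed):
    # print(scan("192.0.2.10", [22, 80, 443], timeout=2.0))
```

The connect probe only sees what the kernel hands it, so a REJECT with the default ICMP port-unreachable and a REJECT with tcp-reset both land on "closed" here; a SYN scanner with raw sockets can tell the RST from the ICMP error, which is why cthalupa's "reject + reset" is the variant that actually looks like an unused port to nmap.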

------
Khaine
How do you achieve the same outcome with pf or ipfw?

