How to block nmap OS fingerprinting using ipfw?

Hi,

I read the "Network Security Hacks" book (O'Reilly) and found a hack to block nmap's OS fingerprinting scan. Unfortunately the example is for OpenBSD's PF and there's no explanation of why you need to block those particular TCP flags.

If anybody has had experience with ipfw, please kindly share the equivalent rules for ipfw.

Thank you.

coo.hen

The reason certain TCP flags and combinations are recommended to be blocked is probably that said combinations are more often found in fingerprinting scans than in legitimate applications.

That being said, Nmap is not the only application out there doing fingerprinting, and if the idea of outsiders gaining any information with regard to your OS worries you[1], you should probably configure your firewall to be extremely strict (which almost certainly breaks a lot of standards), because new ways to fingerprint your system may pop up every day. Nmap is not the only threat.

I know ipfw, but I've never felt the need to protect against Nmap's OS fingerprinting (other than on my network firewalls, which run pf...).

Google suggests adding the following to /etc/rc.conf:

tcp_drop_synfin="YES"

But apparently it may break connections in some cases where legitimate applications behave in non-standard ways. Could be what you need, but YMMV.

  1. Hah, I can fingerprint your OS using only NNTP! You're running FreeBSD! :)
Eirik Seim

Thank you for the elaborate replies. Actually, I'm a newbie on these firewall topics and just trying to find a quick fix.

Can ipfw block the same TCP flag combinations as pf? What are the differences between ipfw and pf?

Uh, that's close :-)

johnH
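To answer the question of whether ipfw can block the same kind of flag combinations as the PF hack, here is an added example (not from the book, the thread or the FreeBSD project) of ipfw rules that drop TCP segments whose flag combinations never occur in a legitimate handshake but are typical of scanner probes. The rule numbers, the use of `me` as the destination and the rule prefix passed in as an argument are assumptions; adapt them to your own ruleset. The first rule is the one the `tcp_drop_synfin="YES"` setting above handles in the kernel. As the earlier reply notes, this does not stop OS fingerprinting in general: Nmap also sends perfectly valid SYN probes and looks at TCP options, window sizes and ICMP behaviour, none of which flag-based rules can hide.

```shell
#!/bin/sh
# Added example: ipfw rules against bogus TCP flag combinations.
# Not taken from the thread or from any FreeBSD documentation.
#
# block_scan_flags <ipfw-add-prefix>
#   block_scan_flags "ipfw -q add"        install the rules
#   block_scan_flags "echo ipfw -q add"   preview without touching the firewall
block_scan_flags() {
    cmd=$1   # e.g. "ipfw -q add"; word-split on purpose

    # Rule numbers 100-130 are an assumption: choose a range that runs before
    # your check-state / "allow established" rules so the probes never match those.

    # SYN and FIN set together: no real handshake does this. These are the
    # same packets tcp_drop_synfin="YES" discards in the kernel.
    $cmd 100 deny log tcp from any to me tcpflags syn,fin in

    # SYN and RST together: contradictory, only seen from crafted packets.
    $cmd 110 deny log tcp from any to me tcpflags syn,rst in

    # No flags at all (the "NULL" probe): every real segment carries at least one.
    $cmd 120 deny log tcp from any to me tcpflags !fin,!syn,!rst,!psh,!ack,!urg in

    # FIN without ACK (covers bare FIN and the FIN/PSH/URG "Xmas" probe):
    # a FIN on a live connection always acknowledges data.
    $cmd 130 deny log tcp from any to me tcpflags fin,!ack in
}

# Stand-alone run: preview the rules unless INSTALL=yes is set.
# "log" only reaches syslog when net.inet.ip.fw.verbose=1.
if [ "${INSTALL:-no}" = "yes" ]; then
    block_scan_flags "ipfw -q add"
else
    block_scan_flags "echo ipfw -q add"
fi
```

Run it as-is to see the exact `ipfw add` commands it would issue; run it with `INSTALL=yes` as root on a FreeBSD box to install them. Expect the same caveat as with `tcp_drop_synfin`: anything that legitimately sends odd flag combinations will be dropped and logged, so watch the logs before trusting the rules on a production host.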
