> now, i read that using nmap and other vulnerability assessment tools from the int_lan to
> the iNet will result in unreliable returns, i have noticed that if using nmap for os
> fingerprinting always results in my obsd os fingerprint, can anyone enlighten me as to
> why? (and since i can't trust the return, pretty sure its returning my open ports) btw, how
> do i filter port 113?

i'm assuming openbsd 3.3, correct me if i'm wrong.
Well if you have but one open port without blocking all ports then there
is tcp/ip information.  One of the things you can do to trip up nmap is
disable window scaling, this is mostly useful on laggy connections or
gigabit and above connections.
sysctl -w net.inet.tcp.rfc1323=0

for that and then edit /etc/sysctl.conf to make this stick upon reboots

Also you will need to reject tcp flags that you aren't expecting as nmap
can use the behavior of odd flag combinations for fingerprinting.
By default when you accept and keep state on an inbound syn packet you
should only have the syn flag set so for example:
pass in on $ExtIF proto tcp from any to any port 22 flags S/SAFRPU keep state

Also, you should block in on $ExtIF except for the few instances you want
to allow in.  To conceal the fingerprint you need to allow as little data
as possible.

If you really want to confuse nmap, redirect say your webserver from the
firewall to an internal box.  Nmap, even the 3.46 pre-release thinks i'm
running aix now.

> i also wanted to know if i could post my current ruleset, could i get some help on fine
> tuning it, and setting up better logging (like what i should/shouldn't be
> logging...) and a better understanding of what is happening with my ruleset?
>
I'd be happy to audit your ruleset and offer advice.

-James
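An added example, not James's ruleset or anything posted in the thread: an OpenBSD 3.3-era pf.conf that applies the advice above (default block in, restrictive SYN flag check on the few allowed ports, a rejected port 113, and the web service redirected to an internal box). Interface names and the 192.168.1.10 web server address are assumed placeholders.

```pf
# Added example (not from the original post). Macros: interface names and the
# internal web server address are constructed placeholders.
ExtIF  = "fxp0"
IntIF  = "fxp1"
WebSrv = "192.168.1.10"

# Translation rules must precede filter rules in pf.conf. Redirect the web
# service to an internal host so the TCP stack answering on port 80 is that
# host's, not the firewall's.
rdr on $ExtIF proto tcp from any to any port 80 -> $WebSrv port 80

# Default policy: drop and log everything inbound on the external interface,
# so there is as little TCP/IP behaviour to fingerprint as possible.
block in log on $ExtIF all

# Port 113 (ident/auth): answer with a TCP RST instead of a silent drop, so
# remote mail/IRC servers that try an ident lookup fail fast rather than
# waiting for a timeout.
block return-rst in on $ExtIF proto tcp from any to any port 113

# The few services allowed in. flags S/SAFRPU: of the flags S,A,F,R,P,U only
# SYN may be set when state is created, so odd flag combinations are dropped.
pass in on $ExtIF proto tcp from any to any port 22 flags S/SAFRPU keep state

# Filter rules see the translated address, so match the internal host here.
pass in on $ExtIF proto tcp from any to $WebSrv port 80 flags S/SAFRPU keep state

# Keep state on everything the firewall or the LAN initiates outbound, so
# replies are matched to state rather than hitting the default block.
pass out on $ExtIF proto { tcp udp icmp } from any to any keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; the `net.inet.tcp.rfc1323=0` setting from the post goes in /etc/sysctl.conf separately.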
