Responding To a Blocked Packet

So far, all of our blocked packets have been dumped on the floor; logged or not, we've never sent anything back to the originating host. Sometimes this isn't the most desirable response, because in doing so we actually tell the attacker that a packet filter is present. It is far better to misguide the attacker into believing that, while there's no packet filter running, there are likewise no services to break into. This is where fancier blocking comes into play.

When a service isn't running on a Unix system, it normally lets the remote host know with some sort of return packet. In TCP, this is done with an RST (Reset) packet. When blocking a TCP packet, IPF can actually return an RST to the origin by using the return-rst keyword.
Where once we did:
block in log on tun0 proto tcp from any to any port = 23
pass in all
We might now do:
block return-rst in log proto tcp from any to any port = 23
block in log quick on tun0
pass in all
We need two block statements since return-rst only works with TCP, and we still want to block protocols such as UDP, ICMP, and others. Now that this is done, the remote side will get "connection refused" instead of "connection timed out".

It's also possible to send an error message when somebody sends a packet to a UDP port on your system. Whereas once you might have used:
block in log quick on tun0 proto udp from any to any port = 111
You could instead use the return-icmp keyword to send a reply:
block return-icmp(port-unr) in log quick on tun0 proto udp from any to any port = 111
According to TCP/IP Illustrated, port-unreachable is the correct ICMP type to return when no service is listening on the port in question. You can use any ICMP type you like, but port-unreachable is probably your best bet. It's also the default ICMP type for return-icmp.

However, when using return-icmp, you'll notice that it's not very stealthy: it returns the ICMP packet with the IP address of the firewall, not the original destination of the packet. This was fixed in ipfilter 3.3, and a new keyword, return-icmp-as-dest, has been added. The new format is:
block return-icmp-as-dest(port-unr) in log on tun0 proto udp from any to any port = 111
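Putting the TCP and UDP pieces together, here is a complete ipf.conf fragment written as an added example (it is not from the HOWTO). It assumes tun0 is the external interface, as above, and an ipfilter of at least 3.3 for return-icmp-as-dest; it also marks the return rules quick, since ipf otherwise applies the last matching rule and the catch-all block below would override them.

```conf
# Added example ipf.conf fragment (assumption: tun0 is the outside
# interface, ipfilter >= 3.3 so return-icmp-as-dest is available).
#
# ipf uses the LAST matching rule unless a rule says "quick", which
# makes that rule final. The return-* rules are therefore marked quick,
# otherwise the later "block in log quick on tun0" would win and the
# packet would be dropped silently with no RST or ICMP sent.

# TCP service we don't run: answer with RST so the client sees
# "connection refused", just as a host with no listener would.
block return-rst in log quick on tun0 proto tcp from any to any port = 23

# UDP service we don't run: reply with ICMP port-unreachable, sourced
# from the packet's original destination address, not the firewall's.
# port-unr is also the default, so the parenthesised type is optional.
block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp from any to any port = 111

# Everything else arriving on tun0 is logged and dropped silently;
# return-rst / return-icmp only apply to TCP and UDP respectively.
block in log quick on tun0

# Traffic on other interfaces is allowed.
pass in all
```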