how to block nmap scan ports?

Hello. I'm a student and currently doing my internship. I need to configure the pf firewall on a FreeBSD server, and I need help with my pf. I have configured this in my pf.conf, but I don't know if it works well, because I think it might not be working. Can somebody please help me with this?

I used zenmap with this command (intense scan, all TCP ports):
Code:
nmap -sS -sU -T4 -A -v -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 -PO --script all 10.5.13.114

But it can still scan the open ports on my server.

Here is my configuration from my pf.conf.
Code:
ext_if="fxp0"
icmp_types="echoreq"

# options must come before normalization and filter rules in FreeBSD's pf
set skip on lo0
set fingerprints "/etc/pf.os"
scrub in on $ext_if all fragment reassemble

# default deny; later matching rules override it (last match wins unless "quick")
block all

antispoof for $ext_if inet

block in from no-route to any
block in from urpf-failed to any

block in quick on $ext_if from any to 255.255.255.255

# drop TCP segments with impossible flag combinations (nmap Xmas/null/SYN+FIN style probes)
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF
block in quick on $ext_if proto tcp from any to any flags FUP/FUP

# passive OS fingerprint match against /etc/pf.os
block in log quick on $ext_if from any os "NMAP" to any label ExtNMAPScan

pass out on $ext_if proto {tcp, udp, icmp} from any to any modulate state

pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port www flags S/SA synproxy state

pass in inet proto icmp all icmp-type $icmp_types keep state

# sources exceeding the connection limits below are added to this table and blocked
table <ssh_abuse> persist
block in quick from <ssh_abuse>
# table name fixed: the overload target was misspelled "shh_abuse"
pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)
 
You're explicitly passing in tcp syn packets from anyone to ssh (port 22) and www (port 80) in your pf ruleset.

What part of this is not working as you'd expect?
 
Sorry for my mistake. Could you please help me correct this rule set so it blocks nmap from scanning my open ports?

pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port www flags S/SA synproxy state
 
You could remove those two rules and reload your pf ruleset. Problem solved. But that would block everyone (including you) from accessing the server via ssh or a web browser. My guess is that is not what you want...

Perhaps try explaining the precise problem you are running into; i.e. "I noticed such and such happening on my server, and need suggestions to fix it." If your only goal is to stop port scans, I can tell you it won't happen. :)
 
Oh. Now I understand.

By the way, can somebody suggest a good anti-sniffing program for FreeBSD?
 
Are you referring to a system that blocks all traffic from a source IP (blacklisting) when it detects a port scan from that source?
 
darty said:
Sorry for my mistake. Could you please help me correct this rule set so it blocks nmap from scanning my open ports?

You can't, simple.
 
darty said:
By the way, can somebody suggest a good anti-sniffing program for FreeBSD?
You can't sniff traffic over the internet. Not unless you work for an internet provider. In any case, use encryption like IPSec, SSL or SSH.
 
You can put your other servers in DMZ zones to protect them from sniffers/outsiders, but that is not a concrete solution for your problem :)

A firewall is just a firewall, with limited services.
 
The only way to do this is to write your PF rules such that traffic is only allowed from specific IP(s), and to specific IP(s), and block everything else.

If you have any rules that allow traffic from any IP, then that rule allows port scanning on that IP/port.
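As an added example of the approach described in this answer (not a ruleset from the thread or from any poster), here is a pf.conf that admits ssh only from a trusted admin network, leaves the public web service reachable, and logs everything else so a scan is visible on pflog0. It keeps fxp0 from the original post; the admin range 192.0.2.0/24 and the table names are constructed placeholders.

```pf
# Added example, not from the thread. Assumes ext_if is fxp0 as in the original
# post; 192.0.2.0/24 is a placeholder for the network allowed to use ssh.
ext_if = "fxp0"
icmp_types = "echoreq"

table <admin_net> { 192.0.2.0/24 }   # hosts allowed to reach ssh (placeholder)
table <ssh_abuse> persist            # filled by the overload clause below

# Options and normalization must precede filter rules in FreeBSD's pf
set skip on lo0
set fingerprints "/etc/pf.os"
scrub in on $ext_if all fragment reassemble

# Default deny, logged: a port scan then shows up on pflog0 as a burst of
# blocked SYNs from one source to many ports
block log all
antispoof quick for $ext_if inet
block in quick on $ext_if from no-route to any
block in quick on $ext_if from urpf-failed to any
block in quick on $ext_if from <ssh_abuse> to any

# Traffic the server itself initiates
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

# ssh only from the admin network. Anyone else probing port 22 gets a drop,
# so to a scanner the port is filtered rather than open. The overload clause
# still throttles a misbehaving admin host.
pass in on $ext_if proto tcp from <admin_net> to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)

# A public web server must accept connections from anyone, so port 80 will
# always look open to a scanner; that is the service, not a firewall defect.
pass in on $ext_if proto tcp from any to ($ext_if) port www \
    flags S/SA synproxy state

pass in inet proto icmp all icmp-type $icmp_types keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch blocked probes with `tcpdump -n -e -ttt -i pflog0`.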
 