I don't care for portscans either, but does'nt almost every serious "attack"
starts with a portscan? If someone
is using nmap for example and scans my systems on 21 22 23 80 (nmap me -O -p
etc.) he/she is not intressed in the
content of my website i would say. And at that point i want to know this. I
want (be able) to block this person
and don't want to wait untill he/she finds a exploits in the services i'm
running. Thats why i post that feature
I do use SNORT as IDS on some of my servers. But a IDS is always usefull
after a "attack" and i want to block them
before they even have a change to try. Thats why....
Thanks for your response!
From: Manuel Kasper [mailto:mk at neon1 dot net]
Sent: Friday, January 23, 2004 12:27 PM
To: Jan Koetze
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] m0n0wall feature request
Jan Koetze wrote:
> option to stop portscans the way portsentry does or at least drop the
> request for a few minutes when a portscan occurs. With the current
> release people can scan forever.
http://www.phildev.net/ipf/IPFques.html#18 <-- my opinion too
And RST and FIN scanning do not work with m0n0wall anyway due to the
> option to send a (hourly/daily) "firewall-report-message" to the
> administrator. With no external logserver available there are only a
> limited number of records in the log. Changes are that the
> administrator will never know the his systems where scanned or that
> someone was trying something on a port that is closed. A VERY bad
> thing i would say.
I for one have better things to do than finding out every day how many
people tried my NetBIOS ports. Better use an IDS (integrating one in
m0n0wall is being considered, but I won't promise anything).
> There could be much more like Dos Attacks, PoD, Anti spoofing but
Ping of Death? ICMP echo is blocked by default anyway, so those trying to
"ping you to death" will at most succeed in saturating your downstream -
something you cannot do anything about at all.
About DoS... there might be the possibility of limiting the number of
connections per source IP address in the future - once more, when ipfilter
Anti spoofing? Another vague term. m0n0wall already makes sure that no
spoofed source IP addresses appear on WAN (i.e. packets with source
addresses that claim to be from your LAN or an optional network) by default.