 
 From:  "Jan Koetze" <jan at koetze dot net>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] m0n0wall feature request
 Date:  Fri, 23 Jan 2004 12:59:22 +0100
Manuel,

I don't care for portscans either, but doesn't almost every serious "attack"
start with a portscan? If someone
is using nmap for example and scans my systems on 21 22 23 80 (nmap me -O -p
etc.) he/she is not interested in the
content of my website I would say. And at that point I want to know this. I
want (to be able) to block this person
and don't want to wait until he/she finds an exploit in the services I'm
running. That's why I posted that feature
request.

I do use SNORT as IDS on some of my servers. But an IDS is always useful
after an "attack" and I want to block them
before they even have a chance to try. That's why....

Thanks for your response!

Regards,

Jan Koetze


-----Original Message-----
From: Manuel Kasper [mailto:mk at neon1 dot net] 
Sent: Friday, January 23, 2004 12:27 PM
To: Jan Koetze
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] m0n0wall feature request

Jan Koetze wrote:

> option to stop portscans the way portsentry does or at least drop the 
> request for a few minutes when a portscan occurs. With the current 
> release people can scan forever.

So what?

http://www.phildev.net/ipf/IPFques.html#18  <-- my opinion too

And RST and FIN scanning do not work with m0n0wall anyway due to the
stateful filtering.

> option to send a (hourly/daily) "firewall-report-message" to the 
> administrator. With no external logserver available there are only a 
> limited number of records in the log. Chances are that the 
> administrator will never know that his systems were scanned or that 
> someone was trying something on a port that is closed. A VERY bad 
> thing I would say.

I for one have better things to do than finding out every day how many
people tried my NetBIOS ports. Better use an IDS (integrating one in
m0n0wall is being considered, but I won't promise anything).

> There could be much more like Dos Attacks, PoD, Anti spoofing but

Ping of Death? ICMP echo is blocked by default anyway, so those trying to
"ping you to death" will at most succeed in saturating your downstream -
something you cannot do anything about at all.

About DoS... there might be the possibility of limiting the number of
connections per source IP address in the future - once more, when ipfilter
supports it.

Anti spoofing? Another vague term. m0n0wall already makes sure that no
spoofed source IP addresses appear on WAN (i.e. packets with source
addresses that claim to be from your LAN or an optional network) by default.

- Manuel
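The three mechanisms argued over in this thread, anti-spoofing on the WAN side, stateful filtering that silently swallows FIN/RST probes, and the portsentry-style temporary block that Jan asks for, as an added toy model in Python. This is not m0n0wall or ipfilter code and was not posted by either participant; the class, the verdict strings, the thresholds, the 192.168.1.0/24 LAN, and the addresses 203.0.113.7 (a scanner) and 198.51.100.53 (some third party you depend on, e.g. an upstream DNS server) are all constructed for illustration. It also shows the trap with auto-blocking on source address: the scan trigger reacts to unsolicited SYNs, so anyone who can forge a source address can get that third party blocked unless it is on an allow list.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str          # source IPv4 address as seen on the WAN interface
    dport: int        # destination TCP port
    flags: frozenset  # TCP flags present, e.g. frozenset("S") or frozenset("F")
    t: float          # arrival time in seconds (constructed clock)


class ToyStatefulFirewall:
    """Constructed model, not ipfilter: anti-spoof on WAN, state created only
    by a bare SYN to an open port, and a scan trigger with bounded block time."""

    def __init__(self, lan_net, open_ports, scan_threshold=5, window=10.0,
                 block_seconds=300.0, never_block=()):
        self.lan = ipaddress.ip_network(lan_net)
        self.open_ports = set(open_ports)
        self.never_block = set(never_block)   # allow list: never auto-blocked
        self.threshold = scan_threshold       # distinct closed ports in window
        self.window = window
        self.block_seconds = block_seconds
        self.states = set()   # (src, dport) pairs with an established state
        self.probes = {}      # src -> [(t, dport)] of rejected probes
        self.blocked = {}     # src -> time at which the temporary block expires

    def wan_in(self, p: Packet) -> str:
        """Verdict for a packet arriving on WAN."""
        if ipaddress.ip_address(p.src) in self.lan:
            return "drop-spoof"          # claims a LAN source but arrived on WAN
        exp = self.blocked.get(p.src)
        if exp is not None:
            if p.t < exp:
                return "drop-blocked"
            del self.blocked[p.src]      # block has expired
        if (p.src, p.dport) in self.states:
            return "pass"                # part of a tracked connection
        if p.flags != frozenset("S"):
            # No state and not a connection start: dropped with no reply at all.
            # A FIN/NULL/XMAS probe therefore gets the same silence whether the
            # port is open or closed, which is why those scans learn nothing.
            return "drop-nostate"
        if p.dport in self.open_ports:
            self.states.add((p.src, p.dport))
            return "pass"
        self._note_probe(p)
        return "drop-closed"             # closed port: silently dropped, no RST

    def _note_probe(self, p: Packet):
        hist = [(t, d) for (t, d) in self.probes.get(p.src, [])
                if p.t - t <= self.window]
        hist.append((p.t, p.dport))
        self.probes[p.src] = hist
        distinct = {d for _, d in hist}
        if p.src not in self.never_block and len(distinct) >= self.threshold:
            self.blocked[p.src] = p.t + self.block_seconds


def run_scenarios():
    """Constructed traffic exercising each behaviour; returns the verdicts."""
    S, F = frozenset("S"), frozenset("F")
    sweep_ports = [21, 22, 23, 25, 110]
    fw = ToyStatefulFirewall("192.168.1.0/24", open_ports={80},
                             never_block={"198.51.100.53"})
    out = {}
    # 1. anti-spoofing: LAN address showing up on WAN
    out["spoof"] = fw.wan_in(Packet("192.168.1.5", 80, S, 0.0))
    # 2. FIN scan: open port 80 and closed port 23 look identical
    out["fin_open"] = fw.wan_in(Packet("203.0.113.7", 80, F, 1.0))
    out["fin_closed"] = fw.wan_in(Packet("203.0.113.7", 23, F, 1.1))
    # 3. SYN sweep of closed ports trips the trigger; block is temporary
    out["sweep"] = [fw.wan_in(Packet("203.0.113.7", port, S, 2.0 + i))
                    for i, port in enumerate(sweep_ports)]
    out["blocked_on_open_port"] = fw.wan_in(Packet("203.0.113.7", 80, S, 8.0))
    out["after_expiry"] = fw.wan_in(Packet("203.0.113.7", 80, S, 308.0))
    # 4. forged-source probes: allow-listed third party survives ...
    for i, port in enumerate(sweep_ports):
        fw.wan_in(Packet("198.51.100.53", port, S, 20.0 + i))
    out["allowlisted_third_party"] = fw.wan_in(Packet("198.51.100.53", 80, S, 26.0))
    # ... but without the allow list the attacker gets it blocked for you
    fw2 = ToyStatefulFirewall("192.168.1.0/24", open_ports={80})
    for i, port in enumerate(sweep_ports):
        fw2.wan_in(Packet("198.51.100.53", port, S, 20.0 + i))
    out["unlisted_third_party"] = fw2.wan_in(Packet("198.51.100.53", 80, S, 26.0))
    return out


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:26s} {verdict}")
```

A SYN sweep still gets "pass" on port 80 and silence elsewhere, so SYN scanning keeps working against this model, consistent with the point that only the RST/FIN variants are defeated by state tracking. The scenario-4 pair is the practical caveat for any portsentry-style feature: the block must be short, and addresses you cannot afford to lose (upstream DNS, the gateway, monitoring hosts) need an allow list, because the trigger cannot tell a forged source from a real one.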