Asfand Yar Qazi wrote:
Hi,
On Steve Gibson's site, I had a few interesting things to read about
the ZoneAlarm firewall:
(quote)
Even after many years, the (free) ZoneAlarm personal firewall from
Zone Labs is the only personal firewall to "adaptively" stealth port
113. Unlike any other firewall or NAT router (any of which could also
do the same) this allows port 113 to be stealthed to any passing
Internet scanners or probes, but "unstealthed" for any valid IDENT
connection attempts originating from remote servers with which the
user's computer is attempting to connect. (Since this could easily be
done by any personal firewall or even NAT routers, I am hopeful that
this feature might yet appear in other products.)
"Adaptive Stealthing" means that when a TCP SYN packet arrives to
request a connection to your machine's port 113, ZoneAlarm checks, on
the fly, to see whether your machine currently has any sort of
"relationship" with the remote machine (such as a pending outgoing
connection attempt). If so, the remote machine is considered to be
"friendly" and its IDENT request packet is allowed to pass through
ZoneAlarm's firewall. But if the IDENT originating machine is not
known to ZoneAlarm as a "friendly" machine, the connection requesting
packet is dropped and discarded, rendering port 113 stealth to all
unknown port scanners. It's very slick.
(end quote)
I wanna do it on my ADSL firewall!
How can I do this? I realise I could just write a custom module in C,
but you guys probably know of a way to do it with the existing tools.
I use the recent module for this.
-A FORWARD -i ppp0 -p tcp -m tcp --dport 113 -j AUTHHACK
-A FORWARD -o ppp0 -p tcp -m tcp ! --dport 113 -j TCPOUT
-A AUTHHACK -j ULOG --ulog-prefix "Checking auth/recent : "
-A AUTHHACK -m recent --rcheck --seconds 100 --name tcpout --rsource -j
RJAUTH
-A RJ -p tcp -j REJECT --reject-with tcp-reset
-A RJ -j REJECT --reject-with icmp-port-unreachable
-A RJAUTH -j ULOG --ulog-prefix "Reject auth: "
-A RJAUTH -j RJ
-A TCPOUT -j ULOG --ulog-prefix "Add to tcpout: "
-A TCPOUT -m recent --set --name tcpout --rdest
Note that many (ftp) servers with multiple ip addresses (common on
webservers that offer ftp for uploading content) send the ident request
from a different ip that the ftp session is going out to, so it does not
work as often as you would like.
(Also note that the RJ chain above is generic, we know in this case it
is tcp so we could have rejected directly with a tcp-reset).
M4
