# How to block nmap port scans?



## darty (Jun 29, 2009)

Hello. I'm a student and currently doing my internship. I need to configure the pf firewall on a FreeBSD server, and I need help with my pf. I have configured this in my pf.conf, but I don't know if it works well, because I think it might not be working. Can somebody please help me with this?

I used Zenmap with this command (intense scan, all TCP ports):

```
nmap -sS -sU -T4 -A -v -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 -PO --script all 10.5.13.114
```

But it can still scan the open ports on my server.

Here is my pf.conf configuration.

```
ext_if="fxp0"
icmp_types="echoreq"

# pf.conf is order-sensitive: options and normalization (scrub) must come
# before any filter rule, otherwise pfctl refuses to load the file.
set skip on lo0
set fingerprints "/etc/pf.os"
scrub in on $ext_if all fragment reassemble

# Sources that exceed the ssh connection limits below are added to this table.
table <ssh_abuse> persist

# Default deny; later "pass" rules override it for allowed traffic.
block all

antispoof for $ext_if inet

block in from no-route to any
block in from urpf-failed to any

block in quick on $ext_if from any to 255.255.255.255

# Drop packets carrying illegal TCP flag combinations (Xmas, null, SYN+FIN, SYN+RST).
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF
block in quick on $ext_if proto tcp from any to any flags FUP/FUP

# Passive OS fingerprinting of the SYN against /etc/pf.os; only matches
# the stack signatures listed there under "NMAP".
block in log quick on $ext_if from any os "NMAP" to any label ExtNMAPScan

block in quick from <ssh_abuse>

pass out on $ext_if proto {tcp, udp, icmp} from any to any modulate state

# One ssh rule instead of two: the original second rule (keep state, without
# synproxy) matched last and therefore won over the synproxy one. The
# overload table name was misspelled as <shh_abuse>.
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)
pass in on $ext_if proto tcp from any to any port www flags S/SA synproxy state

pass in inet proto icmp all icmp-type $icmp_types keep state
```


----------



## anomie (Jun 29, 2009)

You're explicitly _passing in_ TCP SYN packets from anyone to ssh (port 22) and www (port 80) in your pf ruleset. 

What part of this is not working as you'd expect?


----------



## darty (Jun 30, 2009)

Sorry for my mistake. Could you please help me correct this rule set so it blocks nmap from scanning my open ports?



> pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
> pass in on $ext_if proto tcp from any to any port www flags S/SA synproxy state


----------



## anomie (Jun 30, 2009)

You could remove those two rules and reload your pf ruleset. Problem solved. But that would block everyone (including you) from accessing the server via ssh or a web browser. My guess is that is not what you want...

Perhaps try explaining the precise problem you are running into; i.e. "I noticed such and such happening on my server, and need suggestions to fix it." If your only goal is to stop port scans, I can tell you it won't happen.


----------



## darty (Jul 1, 2009)

Oh, now I understand. 

By the way, can somebody suggest a good anti-sniffing program for FreeBSD?


----------



## Drunky (Aug 6, 2009)

> good anti-sniffing program for FreeBSD

What do you mean by "anti-sniffing"? If you're afraid of someone capturing your data, use SSL.


----------



## Petz (Aug 7, 2009)

Are you referring to a system that blocks all traffic from a source IP (blacklisting) when it detects a port scan from that source?

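The blacklisting Petz describes is the one part of the original question that can actually be built: detect the scan in pf's log, then add the source to a table that a `block in quick from <scanners>` rule consults. Below is an added example of the detection half; it is not code from any post in this thread. It parses lines in the format `tcpdump -n -e -tt -i pflog0` prints for rules carrying the `log` keyword, counts distinct destination ports per source over a sliding time window, and returns the `pfctl` commands that would add the offending sources to a table. The sample log lines are constructed, not a real capture, and the table name `scanners`, the 10-second window and the 5-port threshold are assumptions.

```python
#!/usr/bin/env python3
"""Flag sources that probe many distinct ports in a short window, from pflog output."""
import re
from collections import defaultdict, deque

# Constructed sample in the shape of "tcpdump -n -e -tt -i pflog0" output (not a real capture).
# 203.0.113.5 hits six distinct ports within a millisecond (one port twice, one ICMP probe);
# 198.51.100.7 touches two ports ~95 s apart; the "pass in" line is not a block and is ignored.
SAMPLE_PFLOG = """\
1246269601.000100 rule 9/0(match): block in on fxp0: 203.0.113.5.41231 > 10.5.13.114.21: Flags [S], seq 1, win 1024, length 0
1246269601.000200 rule 9/0(match): block in on fxp0: 203.0.113.5.41232 > 10.5.13.114.23: Flags [S], seq 1, win 1024, length 0
1246269601.000300 rule 9/0(match): block in on fxp0: 203.0.113.5.41233 > 10.5.13.114.23: Flags [S], seq 1, win 1024, length 0
1246269601.000400 rule 9/0(match): block in on fxp0: 203.0.113.5.41234 > 10.5.13.114.25: Flags [S], seq 1, win 1024, length 0
1246269601.000500 rule 9/0(match): block in on fxp0: 203.0.113.5 > 10.5.13.114: ICMP echo request, id 1, seq 1, length 8
1246269601.000600 rule 9/0(match): block in on fxp0: 203.0.113.5.41235 > 10.5.13.114.110: Flags [S], seq 1, win 1024, length 0
1246269601.000700 rule 9/0(match): block in on fxp0: 203.0.113.5.41236 > 10.5.13.114.143: UDP, length 0
1246269601.000800 rule 9/0(match): block in on fxp0: 203.0.113.5.41237 > 10.5.13.114.443: Flags [S], seq 1, win 1024, length 0
1246269605.500000 rule 9/0(match): block in on fxp0: 198.51.100.7.55000 > 10.5.13.114.25: Flags [S], seq 1, win 65535, length 0
1246269612.000000 rule 12/0(match): pass in on fxp0: 192.0.2.9.40000 > 10.5.13.114.22: Flags [S], seq 1, win 65535, length 0
1246269700.000000 rule 9/0(match): block in on fxp0: 198.51.100.7.55001 > 10.5.13.114.110: Flags [S], seq 1, win 65535, length 0
"""

# Only inbound blocks with a source port and destination port (TCP or UDP) are of interest.
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) rule \S+\(match\): block in on (?P<ifn>\S+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_line(line):
    """Return (timestamp, source IP, destination port) or None for lines we do not count."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return float(m["ts"]), m["src"], int(m["dport"])


def find_scanners(lines, window=10.0, port_threshold=5):
    """Return {source IP: detection time} for sources that reached port_threshold
    distinct destination ports within `window` seconds."""
    recent = defaultdict(deque)  # src -> (ts, dport) pairs, oldest first
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dport = parsed
        if src in flagged:
            continue
        q = recent[src]
        q.append((ts, dport))
        while q and ts - q[0][0] > window:   # drop entries that fell out of the window
            q.popleft()
        if len({p for _, p in q}) >= port_threshold:   # distinct ports, not packets
            flagged[src] = ts
    return flagged


def pfctl_commands(flagged, table="scanners"):
    """pfctl invocations that would add each flagged source to the (assumed) table."""
    return [f"pfctl -t {table} -T add {src}" for src in sorted(flagged)]


if __name__ == "__main__":
    for cmd in pfctl_commands(find_scanners(SAMPLE_PFLOG.splitlines())):
        print(cmd)
```

Two caveats before running something like this against a real pflog: the ruleset needs `log` on the block rules or nothing reaches pflog0, and nmap can send decoy probes from forged source addresses (`-D`), so an automatic blacklist keyed on source IP can be turned against you to lock out addresses you care about. Entries should also expire (`pfctl -t scanners -T expire`), and the threshold should stay well above what an ordinary client ever touches.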

----------



## karolb (Aug 11, 2009)

Try l0pht antisniff (http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=anti+sniff+&type=archives). Old, but works fine.


----------



## Anon (Oct 8, 2011)

karolb said:

> Try l0pht antisniff (http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=anti+sniff+&type=archives). Old, but works fine.



*No Results Found*

Got a live link? I'd really appreciate it.


----------



## SirDice (Oct 10, 2011)

darty said:

> Sorry for my mistake. Could you please help me correct this rule set so it blocks nmap from scanning my open ports?



You can't, simple.


----------



## SirDice (Oct 10, 2011)

darty said:

> By the way, can somebody suggest a good anti-sniffing program for FreeBSD?


You can't sniff traffic over the internet. Not unless you work for an internet provider. In any case, use encryption like IPSec, SSL or SSH.


----------



## FryShadow (Nov 2, 2011)

You can put your other servers in DMZ zones to protect them from sniffers/outsiders, but that is not a concrete solution for your problem. 

A firewall is just a firewall, with limited services.


----------



## chrcol (Nov 10, 2011)

You guys are cruel; it's clear what he wants. He wants the ports open for normal use but closed to scanners.

The only solution I can see is a port knock system.

Some info here.

http://www.portknocking.org/

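chrcol's port-knocking suggestion, as an added example that is not code from this thread or from portknocking.org: a small state machine that tracks each source's progress through a knock sequence, resets on a wrong or late knock, and on completion returns the `pfctl` command that would add the source to a table referenced by a rule such as `pass in on $ext_if proto tcp from <knocked> to any port ssh flags S/SA synproxy state`. The knocks themselves land on closed ports and would be taken from pflog or a packet capture. The sequence 7000, 8000, 9000, the 10-second window between knocks and the table name `knocked` are assumptions.

```python
#!/usr/bin/env python3
"""Port-knock sequence tracker: decide when a source has earned a pf table entry."""


class KnockTracker:
    """Per-source progress through an ordered list of destination ports.

    A knock is accepted only if it is the next port in the sequence and arrives
    within `window` seconds of the previous accepted knock. Any other port, or a
    late knock, throws the partial sequence away; a wrong port that happens to be
    the first port of the sequence starts a fresh attempt.
    """

    def __init__(self, sequence, window=10.0, table="knocked"):
        if not sequence:
            raise ValueError("knock sequence must not be empty")
        self.sequence = list(sequence)   # assumed sequence, e.g. [7000, 8000, 9000]
        self.window = float(window)
        self.table = table               # assumed pf table name
        self.progress = {}               # src -> (index of next expected port, ts of last good knock)

    def knock(self, ts, src, dport):
        """Feed one blocked packet as (time, source IP, destination port).

        Returns the pfctl command to run when the source completes the sequence,
        otherwise None.
        """
        idx, last = self.progress.get(src, (0, ts))
        if idx and ts - last > self.window:      # partial sequence went stale: start over
            idx = 0
        if dport != self.sequence[idx]:          # wrong knock: reset (or restart on port 0)
            idx = 1 if dport == self.sequence[0] else 0
            self.progress[src] = (idx, ts)
            return None
        idx += 1
        if idx == len(self.sequence):            # sequence complete
            self.progress.pop(src, None)
            return f"pfctl -t {self.table} -T add {src}"
        self.progress[src] = (idx, ts)
        return None

    def pending(self, src):
        """How many correct knocks a source currently has on record (0 if none)."""
        return self.progress.get(src, (0, 0.0))[0]


if __name__ == "__main__":
    k = KnockTracker([7000, 8000, 9000])
    # Constructed events: a correct sequence, then an out-of-order attempt.
    for ev in [(0.0, "198.51.100.7", 7000), (1.0, "198.51.100.7", 8000), (2.0, "198.51.100.7", 9000),
               (0.0, "203.0.113.5", 7000), (1.0, "203.0.113.5", 9000), (2.0, "203.0.113.5", 8000)]:
        cmd = k.knock(*ev)
        if cmd:
            print(cmd)
```

What this buys and what it does not: a scanner that has not knocked sees ssh as closed, which is the effect darty was after. But the knock sequence travels in clear text, so anyone positioned to sniff the path can replay it, and the entry added to `<knocked>` should be aged out (`pfctl -t knocked -T expire`) rather than left forever. Knocking adds obscurity in front of the service; it is not a substitute for the `max-src-conn-rate` and key-based authentication the ssh rule already relies on.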

----------



## phoenix (Nov 10, 2011)

The only way to do this is to write your PF rules such that traffic is only allowed *from* specific IP(s), and *to* specific IP(s), and block everything else.

If you have any rules that allow traffic from *any* IP, then that rule allows port scanning on that IP/port.


----------

