Subject: Re: Thanks and some Questions....
To: Michael Cozzi <cozzi@cozziconsulting.com>
From: David Maxwell <david@vex.net>
List: current-users
Date: 10/05/2004 14:54:27
On Tue, 05 Oct 2004, Michael Cozzi wrote:
> 
>    I have one problem though. I'm one of those folks who came to Unix 
> from Linux and though I'm getting along pretty fine, I'm a bit lost on 
> the capabilities for firewalling through the kernel.

Make sure your kernel config includes:

pseudo-device   ipfilter                # IP filter (firewall) and NAT

I see that it is commented out in the GENERIC kernel. It was commented
out with the cvs message 'Shrink a little again to avoid firmware
limits'. (I don't have a cobalt, so I'm not familiar with the firmware
space issue)

Create /etc/ipf.conf (from examples below) and set ipfilter=YES in
/etc/rc.conf

>    Perhaps just to save me a bit of time, I'm looking for an example 
> script, or equivalent, that I can learn from to implement port stealthing.

/usr/share/examples/ipf/*

"Port Stealthing" isn't a term I would ever use - it strikes me as one
of those "Doesn't this sound K00l!" terms that gets assigned to
something trivial.

Since ipfilter gets the packets before they go to the kernel stack, if
you 'block in on fxp0 from any to any port=80', then port 80 will be
'stealthed', the kernel will never see the incoming packet, and so it
won't send a port unreachable, standard reply.

If you have any server ports open though, what does 'stealthing' buy
you? If someone scans you thoroughly, they'll find the open ports. They
then know that the host exists, and is up. At that point, any
non-responsive port can be treated just like ports that return port
unreachables...

I suppose it hides you from a casual scan that only looks at one service
which you don't happen to use, but that's not a big worry I have.

-- 
David Maxwell, david@vex.net|david@maxwell.net -->
All this stuff in twice the space would only look half as bad!
					      - me
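A minimal /etc/ipf.conf that does what David describes above, as an added example; it is not from the thread or from /usr/share/examples/ipf, and it assumes fxp0 is the public interface and a web server on TCP port 80 is the only service offered.

```conf
# Added example ipf.conf (not from the thread or the shipped examples).
# Assumes: public interface fxp0, one listening service on tcp/80.
# Rules with "quick" stop processing at the first match, so order matters.

# Let the host originate connections; keep state so the replies get back in.
pass out quick on fxp0 proto tcp from any to any flags S/SA keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# The one service we run. A thorough scan still finds this port open,
# which is the point made above: the host is visibly up regardless of
# what the remaining ports do.
pass in quick on fxp0 proto tcp from any to any port = 80 flags S/SA keep state

# Everything else is dropped before the kernel stack sees it, so no TCP
# RST and no ICMP port unreachable goes back. That silence is all that
# "port stealthing" amounts to. "log" records the drops via ipmon for review.
block in log quick on fxp0 all

# The non-silent alternative, for comparison: answer closed ports the way
# an unfiltered host would. Use these in place of the line above, not both.
# block return-rst in log quick on fxp0 proto tcp all
# block return-icmp(port-unr) in log quick on fxp0 proto udp all
```

Load the rules with `ipf -Fa -f /etc/ipf.conf` once `ipfilter=YES` is in /etc/rc.conf and the kernel has the pseudo-device; the logged drops from the last rule are the quickest way to see how much of the "casual scan" traffic actually arrives.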