| Summary: | Denying more than 10 ports with an 'open' ipfw policy causes numerous 'unfiltered' ports to appear. | ||
|---|---|---|---|
| Product: | Base System | Reporter: | jaid <jaid> |
| Component: | misc | Assignee: | freebsd-bugs (Nobody) <bugs> |
| Status: | Closed FIXED | ||
| Severity: | Affects Only Me | ||
| Priority: | Normal | ||
| Version: | 4.0-RELEASE | ||
| Hardware: | Any | ||
| OS: | Any | ||
Responsible Changed From-To: gnats-admin->freebsd-bugs
Fix up botched PR.

State Changed From-To: open->closed
I think this is a timing issue for nmap if anything. Did you have "log" set on the rules where you denied ports? If so the extra delay may have fooled nmap. There is certainly no indication of FreeBSD malfunctioning.
When making use of IPFW and an 'open' policy, denying more than 10 ports manually results in hundreds of ports showing up as 'unfiltered' when doing a scan with nmap. All ports can be telnetted to, receiving a 'connection refused' message. With ten or fewer ports being denied there is no such problem; none of the 'unfiltered' ports show up in nmap scans.

Fix: I'm hoping that you can tell me =)

How-To-Repeat:
Compile kernel with ipfw options (IPFIREWALL, IPDIVERT, IPFIREWALL_VERBOSE)
Set default policy to open via rc.conf (firewall_type="OPEN")
ipfw add deny tcp from any to any 1-11