"Stealth" option doesn't protect host from network scans (3.0.21.329 x32)

Setup:
Firewalled host 1: Windows XP SP2 host with CFP 3.0.21.329 x32
Firewalled host 2: Windows Vista SP1 host with CFP 3.0.21.329 x32
Scanner host: Gentoo Linux.

CFP config: use the Stealth Ports Wizard and select "Alert me to incoming connections".
This leaves me with a global rule [Block ICMP In From IP Any to IP Any Where ICMP Message Is ECHO REQUEST]
Firewall is in Custom Policy Mode.

Action:
nmap -sS -O -vvv -n 192.168.2.6 -p1-2


[b]TCPDUMP on the scanner host:[/b]
[code]
16:36:19.259160 IP 192.168.2.5 > 192.168.2.6: ICMP echo request, id 44352, seq 295, length 128
    0x0000:  4500 0094 675c 4000 2e01 5fb1 c0a8 0205  E...g\@..._.....
    0x0010:  c0a8 0206 0809 498f ad40 0127 0000 0000  ......I..@.'....
    0x0020:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0050:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0060:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0070:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0080:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0090:  0000 0000                                ....
16:36:19.264858 IP 192.168.2.6 > 192.168.2.5: ICMP echo reply, id 44352, seq 295, length 128
    0x0000:  4500 0094 b9c6 4000 8001 bb46 c0a8 0206  E.....@....F....
    0x0010:  c0a8 0205 0000 5198 ad40 0127 0000 0000  ......Q..@.'....
    0x0020:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0030:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0050:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0060:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0070:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0080:  0000 0000 0000 0000 0000 0000 0000 0000  ................
    0x0090:  0000 0000                                ....
[/code]

The -O option of nmap sends a crafted ICMP echo request, which gets replied to by the firewall despite there being a drop rule for ICMP ECHO REQUESTs.

Putting a Drop/Log ANY ANY ICMP ANY rule in the global rules reveals it as being detected as an ICMP Type 8 Code 9 packet. This can be rebuilt with hping using the following command:

hping -1 -C 8 -K 9 -c 1 192.168.2.6
len=46 ip=192.168.2.6 ttl=128 id=48734 icmp_seq=1 rtt=5.1 ms

I know this is not a clean message, but it will get replied to by the firewall and it won’t prompt me for action.
It’s reproducible on Windows XP SP2 and Vista SP1, both x32.

Regards,
Ronny

Setup:
Firewalled host 1: Windows XP SP2 host with CFP 3.0.21.329 x32
Firewalled host 2: Windows Vista SP1 host with CFP 3.0.21.329 x32
Scanner host: Gentoo Linux.

CFP config: use the Stealth Ports Wizard and select "Alert me to incoming connections".
This leaves me with a global rule [Block ICMP In From IP Any to IP Any Where ICMP Message Is ECHO REQUEST]
Firewall is in Custom Policy Mode.

Action:
hping -1 --icmp-ts 192.168.2.6 -c 10
HPING 192.168.2.6 (eth0 192.168.2.6): icmp mode set, 28 headers + 0 data bytes

Answer from the firewalled host, without a prompt for the incoming message:
len=46 ip=192.168.2.6 ttl=128 id=48831 icmp_seq=0 rtt=187.9 ms
ICMP timestamp: Originate=53788707 Receive=3289789187 Transmit=3289789187
ICMP timestamp RTT tsrtt=189

As this replies without user intervention, the host is not Stealth any more.
It’s reproducible on Windows XP SP2 and Vista SP1, both x32.

Regards,
Ronny

hping -1 --icmp-ts
This is the command to send ICMP type 13 code 0.
CFP config, use stealth ports wizard and select, Alert me to incoming connections. This leaves me with a global rule [Block ICMP In From IP Any to IP Any Where ICMP Message Is ECHO REQUEST]
This rule blocks icmp type 8 code 0 [u]only[/u].

The mentioned incoming ICMP packets are routed/applicationless traffic for which CFP will never ask by design, i.e. for this kind of traffic you need to create rules manually.

I guess there is no bug here.

hping -1 -C 8 -K 9 -c 1 192.168.2.6
As this command sends ICMP type 8 code 9 packets, they cannot be blocked by CFP, as it is configured in the current case to block only ICMP type 8 code 0 packets.

I guess there is no bug here.
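
The following is an added illustration for this thread, not CFP code and not posted by any of the participants. It builds the three probes discussed above (a plain ping, an nmap -O style echo request with code 9, and the hping --icmp-ts type 13 request) with a valid RFC 792 checksum, runs them through a small first-match model of an ICMP rule list, and decodes the type/code bytes from the tcpdump hex dump posted earlier. The rule model and the "TIGHT_RULES" alternative are assumptions made for the example; they are not CFP's internal logic or any CFP default.

```python
"""Why a rule matching "ECHO REQUEST" (type 8 code 0) misses other ICMP probes.

Added example for this thread; not CFP code. The rule model below is an
assumption: first matching rule wins, unmatched inbound ICMP falls through
to the OS stack, which (as the thread shows for Windows) answers it.
"""
import struct
from dataclasses import dataclass
from string import hexdigits
from typing import Optional

ICMP_ECHO_REQUEST = 8
ICMP_TIMESTAMP_REQUEST = 13


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, ident: int = 0, seq: int = 0,
               payload: bytes = b"") -> bytes:
    """ICMP message: type, code, checksum, identifier, sequence, payload."""
    rest = struct.pack("!HH", ident, seq)
    csum = icmp_checksum(struct.pack("!BBH", icmp_type, code, 0) + rest + payload)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload


def checksum_ok(icmp: bytes) -> bool:
    """A message whose checksum field is correct sums to zero."""
    return icmp_checksum(icmp) == 0


@dataclass(frozen=True)
class IcmpRule:
    action: str               # "block" or "allow"
    icmp_type: Optional[int]  # None = any type
    code: Optional[int]       # None = any code

    def matches(self, icmp: bytes) -> bool:
        t, c = icmp[0], icmp[1]
        return ((self.icmp_type is None or t == self.icmp_type) and
                (self.code is None or c == self.code))


def evaluate(rules, icmp: bytes, default: str = "allow") -> str:
    """First match wins; otherwise the packet reaches the stack ("allow")."""
    for rule in rules:
        if rule.matches(icmp):
            return rule.action
    return default


# The wizard's rule from the thread: "Block ICMP In ... Where ICMP Message Is ECHO REQUEST".
WIZARD_RULES = [IcmpRule("block", ICMP_ECHO_REQUEST, 0)]

# Assumed tighter alternative: keep destination-unreachable (3) and
# time-exceeded (11), which PMTU discovery and traceroute rely on, block the rest.
TIGHT_RULES = [
    IcmpRule("allow", 3, None),
    IcmpRule("allow", 11, None),
    IcmpRule("block", None, None),
]

# Constructed probes mirroring the commands in the thread.
PROBES = {
    "ping":            build_icmp(8, 0, ident=0x1234, seq=1, payload=b"abcdefgh"),
    "nmap -O echo":    build_icmp(8, 9, ident=44352, seq=295, payload=bytes(120)),
    "hping --icmp-ts": build_icmp(13, 0, payload=bytes(12)),
}


def icmp_type_code_from_hexdump(dump: str) -> tuple:
    """Decode (type, code) from a tcpdump -x style hex dump of one IPv4 packet.

    Each row is "0xNNNN:  <up to 8 hex words>  <ascii>"; only 4-hex-digit
    tokens in the word columns are taken, so the ASCII column is ignored.
    """
    words = [tok for line in dump.strip().splitlines()
             for tok in line.split()[1:9]
             if len(tok) == 4 and all(ch in hexdigits for ch in tok)]
    raw = bytes.fromhex("".join(words))
    ihl = (raw[0] & 0x0F) * 4          # IPv4 header length in bytes
    return raw[ihl], raw[ihl + 1]      # first two ICMP bytes: type, code


# First two rows of the echo request captured on the scanner host above.
NMAP_REQUEST_DUMP = r"""
0x0000:  4500 0094 675c 4000 2e01 5fb1 c0a8 0205  E...g\@..._.....
0x0010:  c0a8 0206 0809 498f ad40 0127 0000 0000  ......I..@.'....
"""

if __name__ == "__main__":
    print("captured probe is type/code", icmp_type_code_from_hexdump(NMAP_REQUEST_DUMP))
    for name, pkt in PROBES.items():
        print("%-16s wizard=%-5s tight=%s" % (name, evaluate(WIZARD_RULES, pkt),
                                             evaluate(TIGHT_RULES, pkt)))
```

Run stand-alone, the script shows the wizard rule blocking only the plain ping while the code 9 echo request and the timestamp request fall through, and the captured packet decoding to type 8 code 9 (byte offset 0x14 in the dump, right after the 20-byte IP header). A rule on ICMP type alone, or an explicit block-all inbound ICMP with allow exceptions, is what closes this without relying on a per-code match.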

Hello Goodbrazer,

I don’t agree 100% with you, because the Wizard suggests that you will be Stealth, and with the rules the wizard creates you are not stealth.

So I think the Stealth rules should be “changed” to block this or prompt to allow it. What do you think?

I agree with you, sending a crafted packet shouldn’t cause a reply.

It’s well known that the default rules are not very safe. Allow by default and firewalls are not a good mix.

Hi rhgtyink,

Actually yes, you are right. But my point is that if CFP fails to filter traffic according to its rules, it is a critical bug, but if we talk about this case, where the default configuration should be improved, it is another story. Just my point…

I guess you are right, stealth rules should be improved to block other kinds of network scans (which you mentioned in your examples).

As for prompting for actions please refer to this post, where Egemen explains how this kind of traffic is handled by CFP. Also see this thread for more information (how routed traffic can be handled without global rules, but still without prompting for action).

I agree Goodbrazer,

I was thinking as a user with no firewall experience: I would think that Stealth was Stealth, and I wouldn’t know the difference between routed/applicationless traffic and application traffic, so I would have to rely on the text used in the Wizard :wink:

I’m used to managing clustered firewalls, so I know some can be really stealth (R)

The nmap -O option enables OS detection.

The issue lies with the Windows TCP/IP stack; nmap uses those issues to do OS fingerprinting.

Please test this again with “Do protocol analysis” in the Firewall\Advanced\Attack Detection Settings and submit a new bug report if the ICMP is not blocked.

Default rules provide only a baseline configuration. There is no way to provide rules to cope with all user needs.
As for the wizards, they are meant only as a utility to save time, and the descriptions cannot really tell what the resulting ruleset will do.
Only the user can fine-tune his firewall. Defaults and wizards have limited scopes.