Setup:
Firewalled host 1: Windows XP SP2 host with CFP 3.0.21.329 x32
Firewalled host 2: Windows Vista SP1 host with CFP 3.0.21.329 x32
Scanner host Gentoo linux.
CFP config: use the Stealth Ports Wizard and select "Alert me to incoming connections".
This leaves me with a global rule [Block ICMP In From IP Any to IP Any Where ICMP Message Is ECHO REQUEST]
Firewall is in Custom Policy Mode.
The -O option on nmap sends a crafted ICMP echo request which is replied to by the firewall despite having a drop rule for ICMP ECHO REQUESTS.
Putting a Drop/Log ANY ANY ICMP ANY rule in global rules reveals it as being detected as an ICMP Type 8 Code 9 packet. This can be rebuilt with hping using the following command:
I know this is not a clean message but it will reply to the firewall and it won’t prompt me for action.
It's reproducible on Windows XP SP2 and Vista SP1, also x32.
CFP config: use the Stealth Ports Wizard and select "Alert me to incoming connections".
This leaves me with a global rule [Block ICMP In From IP Any to IP Any Where ICMP Message Is ECHO REQUEST]
This rule blocks icmp type 8 code 0 only.
Mentioned incoming icmp packets are routed/applicationless traffic for which CFP will never ask by design, i. e. for this kind of traffic you need to create rules manually.
As this command sends icmp type 8 code 9 packets, they cannot be blocked by CFP as it is configured in current case to block only icmp type 8 code 0 packets.
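As an added illustration (not code from this thread or from CFP), the following Python builds two ICMP echo requests, type 8 code 0 and type 8 code 9, and evaluates each against a rule that matches type 8 code 0 only versus a rule that matches type 8 with any code. The packets, rule lists and function names are constructed here.

```python
import struct

def icmp_checksum(data: bytes) -> int:
    # RFC 792 one's-complement checksum over ICMP header and payload.
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, ident: int = 0x1234,
               seq: int = 1, payload: bytes = b"") -> bytes:
    # Constructed sample packet: 8-byte ICMP header plus optional payload.
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload

def parse_icmp(packet: bytes) -> dict:
    # Decode type/code and verify the checksum; flag echo messages whose
    # code is not 0, since RFC 792 defines only code 0 for types 0 and 8.
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {
        "type": icmp_type,
        "code": code,
        "checksum_ok": icmp_checksum(packet) == 0,
        "rfc_anomaly": icmp_type in (0, 8) and code != 0,
        "id": ident,
        "seq": seq,
    }

# Rules are (type, code) pairs; a code of None matches any code.
NARROW_RULES = [(8, 0)]       # what the wizard's "ECHO REQUEST" rule amounts to
HARDENED_RULES = [(8, None)]  # block every inbound type 8 regardless of code

def decision(packet: bytes, rules) -> str:
    # First-match block list: returns "BLOCK" or "ALLOW" for the packet.
    p = parse_icmp(packet)
    for rule_type, rule_code in rules:
        if p["type"] == rule_type and (rule_code is None or p["code"] == rule_code):
            return "BLOCK"
    return "ALLOW"
```

Running both rule sets over the two packets shows that the narrow rule lets type 8 code 9 through while the hardened rule blocks it, and parse_icmp marks the code 9 packet as a protocol anomaly of the kind a protocol-analysis setting would be expected to catch.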
Actually yes, you are right. But my point is that if CFP fails to filter traffic according to its rules, it is a critical bug, but if we talk about this case when default configuration should be improved it is another story. Just my point…
I guess you are right, stealth rules should be improved to block other kinds of network scans (which you mentioned in your examples).
As for prompting for actions please refer to this post, where Egemen explains how this kind of traffic is handled by CFP. Also see this thread for more information (how routed traffic can be handled without global rules, but still without prompting for action).
I was thinking as a user with no firewall experience: I would think that Stealth was Stealth and I wouldn't know the difference between routed/applicationless traffic and application traffic, so I had to rely on the text used in the Wizard.
I'm used to managing clustered firewalls, so I know some can be really stealth (R)
The issue lies with the Windows TCP/IP stack. nmap uses those issues to do OS fingerprinting.
Please test this again with “Do protocol analysis” in firewall\advanced\attack detection setting and submit a new bugreport if the icmp is not blocked.
Default rules provide only a baseline configuration. There is no way to provide rules to cope with all user needs.
As for the wizards, they are meant only as a utility to save time, and the descriptions cannot really tell what the resulting ruleset will do.
Only the user can fine-tune his firewall. Defaults and wizards have limited scopes.