I have a PPPoE internet connection. I have written several rules to drop packets when aimed at port 21, 22, 80, 443, 8291 TCP etc. They remain unresponsive, yet when I do an nmap from another host the ports are listed as ‘filtered’ and they all get listed. I would rather nothing showed. Any ideas?
I want my device not to be at all visible from the outside, yet, I want to be able to connect to my LAN via PPTP or IPSEC. I have the PPTP server working fine on port 1723.
Also, the internet connection comes in on ether1, should I be using this or pppoe-out1 as the device?
Sorry, I know they are elementary questions. Any advice gratefully received.
This is a default-drop on the WAN (use the pppoe interface, not the physical interface, because the physical interface isn’t doing IP - it’s just transporting pppoe-encapsulated ethernet frames, so any rule referring to the physical interface won’t work). This will not generate any connection refused type of messages for scanners to see.
Personally, though, I’d allow icmp (as my suggested rule chain does). Who cares if they can ping it but nothing else? Being “unpingable” is just security through obscurity which doesn’t do anything anyway. Furthermore, there are certain ICMP messages that you want to receive, and just throwing it all into the trash is a dubious “best practice” of yesteryear. Modern scans don’t care if you’re pingable - they just look for the ports they want to exploit.
And I have news for you - because your PPTP port is allowed, your box is now no longer invisible. The scanners WILL find this port.
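The default-drop layout the reply describes, written out as an added example. This is not the responder's own rule chain (which is not quoted on this page) and not MikroTik documentation. It assumes RouterOS firewall filter syntax, that the PPPoE client interface is named pppoe-out1 as in the question, and that the PPTP server listens on TCP 1723 as stated; the GRE rule is there because PPTP carries its tunnel data over GRE (IP protocol 47), which is a fact about PPTP rather than something taken from the thread.

```routeros
# Added example: input-chain firewall for a RouterOS box whose WAN is the
# PPPoE client interface pppoe-out1 (name from the question; adjust if yours differs).
# Rules are evaluated top to bottom. Anything from the WAN that no earlier rule
# accepts hits the final drop. "drop" discards silently: no TCP RST and no ICMP
# unreachable goes back to the sender.
/ip firewall filter
# Return traffic for connections the router itself opened (DNS, NTP, updates)
add chain=input connection-state=established,related action=accept comment="allow return traffic"
# Packets that belong to no tracked connection
add chain=input connection-state=invalid action=drop comment="drop invalid"
# Keep ICMP: echo for diagnostics, plus the unreachable / fragmentation-needed
# messages that path MTU discovery relies on (PPPoE links have a reduced MTU)
add chain=input in-interface=pppoe-out1 protocol=icmp action=accept comment="allow icmp from wan"
# PPTP control channel (TCP 1723) and its GRE data channel
add chain=input in-interface=pppoe-out1 protocol=tcp dst-port=1723 action=accept comment="pptp control channel"
add chain=input in-interface=pppoe-out1 protocol=gre action=accept comment="pptp gre data channel"
# Default drop for everything else arriving on the WAN interface
# (this covers 21, 22, 80, 443, 8291 and every other port in one rule)
add chain=input in-interface=pppoe-out1 action=drop comment="default drop from wan"
```

Paste this into the terminal or save it as an .rsc file and run /import on it. The per-port drop rules from the question become redundant once the last rule is in place, and they should sit below the accept rules if kept at all. To confirm the rules are doing work, run /ip firewall filter print stats while a scan is in progress and watch the packet counters on the final drop rule climb. On the original question: a port whose SYN is dropped never answers, and nmap reports a port that never answers as "filtered", so that output is exactly what a silent drop policy looks like from outside. The only way to change that display is to answer the probe (a reject or an open service), which is the opposite of what is wanted here; as the reply notes, the accepted PPTP port will show as open regardless.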
Thank you very much for the prompt reply!
I realise you can’t hide, but if you don’t make ports obvious, I would imagine you are reducing the interest. I am trying to learn from this.