Block scan port


#1

Hi all,

I'm trying to block port scans (with nmap, for example).
For the moment I restrict my port forwards by source IP, so only specific clients can access them.

My firewall below (rule 2):

name FROM-INTERNET {
    default-action drop
    description TRAFIC-FROM-INTERNET
    enable-default-log
    rule 1 {
        action accept
        description AUTHORIZED-IP
        log disable
        source {
            group {
                address-group XXX-ADDRESS
            }
        }
    }
    rule 2 {
        action drop
        description BLOCK-SCAN-PORT
        log disable
        protocol tcp
        recent {
            time 1
        }
        state {
            invalid disable
            new enable
            related enable
        }
        tcp {
            flags ALL
        }
    }
    rule 3 {
        action accept
        state {
            established enable
            invalid enable
            related enable
        }
    }
}

This ruleset is applied on my WAN interface, direction IN.

Example port scan from an IP that is not allowed:

Who can help me?

Thanks in advance.


#2

I don't think it's possible straight with VyOS commands or built-in features. What you can do is to

  1. Set the default firewall action to reject on closed ports from WAN.

  2. Log rejected packets, write a bash (or even much better, Python) script which periodically scans the log file for the IPs with the most rejected packet attempts, and add them to an IP blacklist.

  3. Set a VyOS firewall rule to drop packets from blacklisted IPs.

     set firewall group address-group ADDRGROUP-BLACKLIST description "Blacklisted IP addresses"
     set firewall name FW-WAN-DMZ rule 703 action 'drop'
     set firewall name FW-WAN-DMZ rule 703 description 'Drop traffic from blacklisted addresses'
     set firewall name FW-WAN-DMZ rule 703 source group address-group 'ADDRGROUP-BLACKLIST'
    
     Disable while the list is empty:
     set firewall name FW-WAN-DMZ rule 703 disable
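The log-mining script from step 2, as an added example (not code from the post or from VyOS). It counts dropped/rejected packets per source in VyOS firewall log lines and emits the `set firewall group address-group` commands for the ADDRGROUP-BLACKLIST group above. The log shape is an assumption: VyOS firewall logs are netfilter kernel log lines tagged `[<ruleset>-<rule>-<action>]` with A/D/R for accept/drop/reject; the sample lines, the ruleset name FW-WAN-DMZ and the threshold are constructed for this example. Sources listed in `allowlist` (your authorized clients) are never blacklisted, so a misbehaving but legitimate client cannot lock itself out.

```python
import re
from collections import Counter

# Constructed sample of VyOS firewall log lines (assumed format: netfilter
# kernel log with a "[<ruleset>-<rule>-<action>]" prefix, action D=drop,
# A=accept, R=reject). 198.51.100.7 probes three ports and is dropped each
# time; 192.0.2.10 is an accepted client that trips the default rule once.
SAMPLE_LOG = """\
Jan 10 12:00:01 vyos kernel: [FW-WAN-DMZ-default-D]IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP SPT=40001 DPT=8081 SYN
Jan 10 12:00:01 vyos kernel: [FW-WAN-DMZ-default-D]IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP SPT=40002 DPT=8082 SYN
Jan 10 12:00:02 vyos kernel: [FW-WAN-DMZ-default-D]IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP SPT=40003 DPT=22 SYN
Jan 10 12:00:02 vyos kernel: [FW-WAN-DMZ-1-A]IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.2 PROTO=TCP SPT=51000 DPT=443 SYN
Jan 10 12:00:03 vyos kernel: [FW-WAN-DMZ-default-D]IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.2 PROTO=TCP SPT=51001 DPT=8082 SYN
"""

# Ruleset names contain hyphens, so the ruleset group is non-greedy and the
# rule/action groups anchor the end of the tag.
LOG_RE = re.compile(
    r"\[(?P<ruleset>[\w-]+?)-(?P<rule>\w+)-(?P<action>[A-Z])\].*?\bSRC=(?P<src>[\d.]+)"
)


def count_dropped_sources(log_text, ruleset="FW-WAN-DMZ", allowlist=()):
    """Return a Counter of source IP -> number of dropped/rejected packets
    logged by `ruleset`, ignoring any source in `allowlist`."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["ruleset"] != ruleset:
            continue
        if m["action"] not in ("D", "R"):  # only drops and rejects count
            continue
        if m["src"] in allowlist:
            continue
        hits[m["src"]] += 1
    return hits


def blacklist_commands(hits, threshold, group="ADDRGROUP-BLACKLIST"):
    """Emit one VyOS 'set' command per source that reached `threshold` drops,
    most active source first."""
    cmds = []
    for src, n in hits.most_common():
        if n < threshold:
            break
        cmds.append(f"set firewall group address-group {group} address '{src}'")
    return cmds


if __name__ == "__main__":
    # Authorized clients go in the allowlist (the XXX-ADDRESS group members).
    hits = count_dropped_sources(SAMPLE_LOG, allowlist={"192.0.2.10"})
    for cmd in blacklist_commands(hits, threshold=3):
        print(cmd)
```

On the router itself the generated commands can be fed to a configure session from a script (VyOS exposes `/opt/vyatta/etc/functions/script-template` for that purpose, followed by `commit` and `save`); once the group is non-empty, remove the `disable` from rule 703.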

#3

Hello LinuksGuru,

Thanks for your answer. Yes, my traffic is already blocked by a rule, but it's about ports, like 8081, 8082, ...
In fact, when I scan from an IP address that is not authorized I can't access the web service or the SSH port, for example (if it's forwarded); however, I can still scan the ports ...

Do you see? 🙂


#4

Sorry, I don't understand, please clarify.


#5

To simplify:
behind my VyOS I have a LAN where some servers are available that provide web services.
I forwarded these web services to be available to external clients, but I configured a restriction which authorizes only certain public IPs.

This part is OK, but when I scan the ports of the router's public IP from an IP that is normally not authorized, I can see the open ports tagged as "filtered".


#6

Then, if I understand correctly, you should allow connections from certain IPs on the firewall and drop connections from all other IPs.


#7

Yes, exactly.

I already allow connections for certain IPs.

But the unauthorized IP can still scan ports, just not access the web services!


#8

Then, make a second rule which drops connections to the http/https ports from IPs which do not match your client.


#9

Yes, indeed. The latest version of my rule:

rule 2 {
    action drop
    description BLOCK-SCAN-PORT
    destination {
        port 8082
    }
    disable
    log enable
    protocol tcp
    source {
        address 0.0.0.0/0
    }
    state {
    }
    tcp {
        flags FIN,SYN,RST,PSH,ACK,URG
    }
}

But I can still scan ports from an unauthorized IP. I don't understand 🙁


#10

Please post VyOS commands instead of the generated config file.


#11

I don't know how I can do that?


#12

I meant the commands you used to generate YOUR config file.
Run: show configuration commands
in config mode.


#13

set firewall name FROM-INTERNET rule 2 action 'drop'
set firewall name FROM-INTERNET rule 2 description 'BLOCK-SCAN-PORT'
set firewall name FROM-INTERNET rule 2 destination port '8082'
set firewall name FROM-INTERNET rule 2 'disable'
set firewall name FROM-INTERNET rule 2 log 'enable'
set firewall name FROM-INTERNET rule 2 protocol 'tcp'
set firewall name FROM-INTERNET rule 2 'source'
set firewall name FROM-INTERNET rule 2 'state'
set firewall name FROM-INTERNET rule 2 tcp flags 'FIN,SYN,RST,PSH,ACK,URG'


#14

You have disabled your own rule.


#15

Yes, because it doesn't work!


#16
set firewall name FW-WAN-DMZ rule 2 action drop
set firewall name FW-WAN-DMZ rule 2 destination port http,https,your_ports_No
set firewall name FW-WAN-DMZ rule 2 source address !85.85.85.85 # your client IP
set firewall name FW-WAN-DMZ rule 2 protocol tcp

Please test; this should work.


OPEN Just one port
#17

set firewall name FROM-INTERNET rule 2 action 'drop'
set firewall name FROM-INTERNET rule 2 description 'BLOCK-SCAN-PORT'
set firewall name FROM-INTERNET rule 2 'destination'
set firewall name FROM-INTERNET rule 2 protocol 'tcp_udp'
set firewall name FROM-INTERNET rule 2 'source'
set firewall name FROM-INTERNET rule 2 'state'
set firewall name FROM-INTERNET rule 2 'tcp'

The new configuration seems to be good.


#18

set firewall name ProtectRouterV3 rule 60 action 'drop'
set firewall name ProtectRouterV3 rule 60 description 'SYN flood'
set firewall name ProtectRouterV3 rule 60 log 'enable'
set firewall name ProtectRouterV3 rule 60 protocol 'tcp'
set firewall name ProtectRouterV3 rule 60 recent count '100'
set firewall name ProtectRouterV3 rule 60 recent time '1'
set firewall name ProtectRouterV3 rule 60 state new 'enable'
set firewall name ProtectRouterV3 rule 60 tcp flags 'SYN'

set firewall name ProtectRouterV3 rule 90 action 'drop'
set firewall name ProtectRouterV3 rule 90 description 'Ping flood'
set firewall name ProtectRouterV3 rule 90 log 'enable'
set firewall name ProtectRouterV3 rule 90 protocol 'icmp'
set firewall name ProtectRouterV3 rule 90 recent count '50'
set firewall name ProtectRouterV3 rule 90 recent time '1'
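To make the `recent count N` / `recent time T` pair in the rules above concrete, here is a simplified per-source sliding-window model of that match, added as an example (not code from the post or from VyOS, and not the kernel's exact xt_recent implementation). A rule with this match fires once a source has been seen `count` or more times within the last `time` seconds, which is why rule 60 leaves a client opening a handful of connections alone but starts dropping a source that bursts 100 SYNs in one second, and why the original rule 2 in post #1 (`recent { time 1 }` with no count) has no meaningful threshold. The packet streams below are constructed.

```python
from collections import defaultdict, deque


class RecentMatch:
    """Simplified model of the firewall 'recent' match: per source address,
    keep the timestamps seen within the last `seconds`; the match succeeds
    (rule 60 above: drop) when the window holds at least `count` entries."""

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.seen = defaultdict(deque)  # src -> timestamps in the window

    def matches(self, src, now):
        window = self.seen[src]
        # Expire entries older than the window before counting.
        while window and now - window[0] > self.seconds:
            window.popleft()
        window.append(now)
        return len(window) >= self.count


def simulate(matcher, packets):
    """Run (src, timestamp) packets through the matcher; return
    (src, timestamp, dropped) triples."""
    return [(src, t, matcher.matches(src, t)) for src, t in packets]


def burst(src, n, spacing):
    """Constructed stream: n new connections from src, `spacing` seconds apart."""
    return [(src, i * spacing) for i in range(n)]


if __name__ == "__main__":
    rule60 = RecentMatch(count=100, seconds=1)
    # 150 SYNs in 0.75 s: the first 99 pass, the rest are dropped.
    scanner = simulate(rule60, burst("198.51.100.7", 150, 0.005))
    print("scanner dropped:", sum(d for _, _, d in scanner))
    # A normal client opening five connections is never dropped.
    client = simulate(rule60, burst("192.0.2.10", 5, 0.1))
    print("client dropped:", sum(d for _, _, d in client))
```

The window is per source, so one noisy address never affects another, and it slides: once the burst ages past `time` seconds the same source is treated as new again, which is the behaviour the log-then-blacklist approach earlier in the thread is meant to complement for sources that keep coming back.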


#19

Thanks Barry,

sorry for the delay, I will check your configuration!