Re: ftp and portscans



Old 07-10-2003
David S.
 
Posts: n/a
Default Re: ftp and portscans


> I've got an internal network protected by a FreeBSD 5.1 firewall/router.
> I've got ftp running on an internal machine and I'd like to continue to
> allow users that I know to connect to it. My problem is I keep getting port
> scanned and others try to connect to that particular port, probably trying
> to log in anonymously, which I've disallowed in proftpd. What I'm wondering
> is: is it possible to send a return-rst packet on a portscan or in my default
> block in quick all rule but still allow users to get through? Or failing
> that, is there a way I can prevent these portscans from showing anything?
> When I portscan myself from the outside I see ports open on internal
> machines, for example my router isn't running 20 or 21, or 111 or 514,
> internal machines are, yet they still show up in a self-done scan, this is
> another thing I definitely want to stop. Any suggestions?


(Though it's not clear from your question, I presume that you're doing
NAT.)

If you re-direct the FTP port from your firewall/router to an internal
server, and you don't do any filtering on that port, then it will be
accessible to any system on the Internet and will show up in port scans.
The same holds for any other ports you re-direct without filtering.
If you have a priori knowledge of the addresses your users will use when
contacting your FTP service, then you can block (and optionally return
an RST) for all other connections from anywhere else. But if you want
to let your users connect from arbitrary addresses, there's no way you
can block port scans. Ipfilter doesn't "know" anything about users -
who live a few layers above where it functions - just protocols, ports,
and addresses. If you want to block/allow users, you have to do that at
the application level.

David S.
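The address-based approach David describes, written out as an IPFilter ruleset. This is an added example, not part of the post above; the interface name fxp0, the external address 198.51.100.5, the internal server 192.168.1.10 and the "known user" networks 203.0.113.0/24 and 192.0.2.7 are constructed placeholders.

```conf
# /etc/ipnat.conf  (constructed example; addresses are placeholders)
# Hide the internal network behind the router's external address.
map fxp0 192.168.1.0/24 -> 198.51.100.5/32 portmap tcp/udp 10000:20000
map fxp0 192.168.1.0/24 -> 198.51.100.5/32
# Forward the FTP control port to the internal server. On its own this
# exposes port 21 to everyone, which is why the scans see it as open.
rdr fxp0 198.51.100.5/32 port 21 -> 192.168.1.10 port 21 tcp

# /etc/ipf.conf  (constructed example; first matching "quick" rule wins)
# ipnat translates inbound packets BEFORE ipf sees them, so inbound rules
# must match the translated (internal) destination, not 198.51.100.5.
#
# Known user addresses only: let them reach the redirected FTP service.
pass in quick on fxp0 proto tcp from 203.0.113.0/24 to 192.168.1.10 port = 21 flags S keep state
pass in quick on fxp0 proto tcp from 192.0.2.7/32 to 192.168.1.10 port = 21 flags S keep state
#
# Everyone else: answer TCP probes with an RST instead of silently dropping,
# so the scanner sees "closed" rather than "filtered", and log the attempt.
block return-rst in log quick on fxp0 proto tcp from any to any
# Non-TCP traffic that nothing above matched is dropped and logged.
block in log quick on fxp0 all
#
# Outbound from the firewall itself and replies to established sessions.
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
```

Passive-mode FTP opens a second, high-numbered data connection to the server, so the ruleset above only covers the control channel; the data ports need either ipnat's ftp proxy or an explicit rdr/pass pair for proftpd's PassivePorts range, and the same source-address restriction should be applied to them.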
