Netgate Discussion Forum

    stealth mode

    Firewalling
    5 Posts 3 Posters 814 Views
    • mrjoli021

      I have a DMZ with some public IPs. The first IP is assigned to the DMZ interface on the firewall. This IP is just there as a GW to the other IPs. I would like for the interface IP to not show up on the internet. I did a port scan and although there are no ports open on it, the scan was able to detect that it was up and the OS. How can I make it so that this IP is in stealth mode?

      • Gertjan @mrjoli021

        @mrjoli021 said in stealth mode:

        the scan was able to detect that it was up and the OS. How can I make it so that this ip is in stealth mode?

        An IP address by itself is always 'stealth'.
        If a process is bound to a port on the IP, listens, and reacts to incoming connections on that port, then you might say that that IP address has live services behind it: like someone answering when you knock on a door.

        So, what about checking what process or service is reacting, and stopping that process from using that IP address.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • johnpoz LAYER 8 Global Moderator @Gertjan

          I am curious what exactly you're scanning, and from where?

          Out of the box pfSense doesn't answer any unsolicited traffic from the WAN side. You would not get anything back; your packets are just dropped. So sure, it would be considered "stealth" - not a fan of that term to be honest.

          Sure, if you were on the WAN L2, you could get back an ARP. But some public IP out on the internet scanning your WAN IP, or even any VIPs you had on the WAN, would not get anything back.

          But once you port forward, or open a firewall rule..

          So what exactly are your firewall rules on the WAN? And from where exactly are you scanning?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • Gertjan @johnpoz

            Well, he has created a LAN segment called DMZ, and made some ports accessible from WAN.

            The question is somewhat strange : "Exposing ports on the Internet - without exposing ports on the Internet".

            I'll answer this one :

            @mrjoli021 said in stealth mode:

            How can I make it so that this ip is in stealth mode?

            Solution : remove all firewall rules from your WAN interface(s)
            Nice advantage : DMZ will be really DMZ.

            • johnpoz LAYER 8 Global Moderator @Gertjan

              He says this DMZ segment is public IP - so he has a routed netblock?

              Even if he forwarded traffic, or allowed traffic - this wouldn't expose the pfSense IP of this DMZ segment.

              So yeah, need to see these WAN rules, and also need to know where he is scanning from. You see it all the time: users saying the WAN is open - but they are scanning their WAN IP from the LAN side, etc.

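The check johnpoz keeps asking for is whether the DMZ interface IP sends anything back to an outside scanner, and from where the scan was run. In nmap terms that is the difference between a port reported as `closed` (the target answered with a TCP RST or ICMP unreachable, so it is reachable and can be OS-fingerprinted) and `filtered` (the probe was dropped silently, which is what pfSense's default deny produces). The script below is an added example for this thread, not code from the thread or from pfSense: it parses nmap's greppable (-oG) output and gives a per-host verdict. The sample output and the 203.0.113.x addresses (RFC 5737 documentation range) are constructed for the example.

```python
"""Classify nmap greppable (-oG) output: did each target answer at all?

Added example for the pfSense "stealth mode" thread, not pfSense or Netgate
code. A port nmap reports as "closed" means something replied with a TCP RST
or ICMP unreachable; "filtered" means the probe was dropped silently. Only a
host that sends something back can be marked up and OS-fingerprinted.
"""
import re
from collections import Counter

# Constructed sample output (RFC 5737 documentation addresses, not real hosts).
# -oG lines are tab-separated fields; each "Ports:" entry is
# port/state/proto/owner/service/rpc/version/.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sS -O -oG - 203.0.113.0/29
Host: 203.0.113.1 ()\tStatus: Up
Host: 203.0.113.1 ()\tPorts: 22/closed/tcp//ssh///, 443/closed/tcp//https///\tIgnored State: filtered (998)
Host: 203.0.113.2 ()\tStatus: Up
Host: 203.0.113.2 ()\tPorts: 80/open/tcp//http///\tIgnored State: filtered (999)
Host: 203.0.113.3 ()\tStatus: Down
Host: 203.0.113.4 ()\tStatus: Up
Host: 203.0.113.4 ()\tIgnored State: filtered (1000)
# Nmap done at Mon Jan  1 00:00:10 2024 -- 4 IP addresses (3 hosts up) scanned in 10.00 seconds
"""

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")
IGNORED_RE = re.compile(r"Ignored State: (\w+) \((\d+)\)")

# States that prove the target (or a device in front of it) replied to the probe.
ANSWERING_STATES = ("open", "closed", "unfiltered")


def parse_og(text):
    """Return {ip: {"status": "Up"/"Down"/"unknown", "ports": Counter(state -> count)}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip "# Nmap ..." banner and trailer lines
        fields = line.split("\t")
        ip = fields[0].split()[1]
        entry = hosts.setdefault(ip, {"status": "unknown", "ports": Counter()})
        for field in fields[1:]:
            if field.startswith("Status:"):
                entry["status"] = field.split(":", 1)[1].strip()
            elif field.startswith("Ports:"):
                for _port, state, _proto in PORT_RE.findall(field):
                    entry["ports"][state] += 1
            elif field.startswith("Ignored State:"):
                # nmap collapses the dominant state into one count
                m = IGNORED_RE.search(field)
                if m:
                    entry["ports"][m.group(1)] += int(m.group(2))
    return hosts


def verdict(entry):
    """'silent': nothing came back at all.
    'discovery-only': host discovery got a reply (e.g. ARP from the same L2
    segment) but every port probe was dropped.
    'answers': at least one port probe got a SYN-ACK, RST or ICMP error, so
    the IP is visible from the scanner's position and can be fingerprinted."""
    if entry["status"] != "Up":
        return "silent"
    answering = sum(n for s, n in entry["ports"].items() if s in ANSWERING_STATES)
    return "answers" if answering else "discovery-only"


def report(text):
    """Map each scanned IP to its verdict."""
    return {ip: verdict(e) for ip, e in parse_og(text).items()}


if __name__ == "__main__":
    for ip, v in report(SAMPLE_OG).items():
        print(f"{ip:15} {v}")
```

Run it against `nmap -sS -O -oG - <dmz-ip>` output taken from a host that is actually outside the firewall. An `answers` verdict for the interface IP with no open ports means the firewall is replying rather than dropping: on pfSense a rule with action Reject (pf `block return`) sends a RST or ICMP unreachable and shows up as `closed`, while Block and the default deny drop the packet and show up as `filtered`. A `discovery-only` verdict is what you get when scanning from the same L2 segment, where the ARP reply johnpoz mentions marks the host up even though every port probe was dropped.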
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.