In response to the post detailing router response to port scans, one of my readers asked an interesting question:
“I was wondering if there was a way to prevent the router from sending those TCP RST packets administratively prohibited ICMP messages back to scanners for TCP and UDP respectively. I basically want my router to drop all packets period without replying back in any way, shape, form, or fashion.”
Here's how you do it:
- No TCP RST packets should be sent as responses to port scans. Inbound access list dropping all IP packets achieves that.
- Outbound traffic, both from the protected LAN as well as from the router itself (ping, telnet, DNS, NTP ...) should be allowed. Configure ip inspect with router-traffic option.
- Disable generation of ICMP unreachables with the no ip unreachables interface configuration command.
The relevant parts of router configuration are included below:
ip inspect name Internet tcp router-traffic ip inspect name Internet udp router-traffic ip inspect name Internet icmp router-traffic ! interface FastEthernet0/0 ip address a.b.c.d x.y.z.w ip access-group Internet in no ip unreachables ip inspect Internet out ! ip access-list extended Internet deny ip any any
- The sample router configuration is taken from a SOHO router doing PAT on the public interface. You might have to adjust the Internet access-list to your needs.
- ip inspect functionality has been replaced by zone-based firewall feature.