Welcome to the IPFire Wiki

This wiki is a community-maintained resource about everything there is to know about IPFire.

Please join in and help us improving it!


This add-on is not stable yet and should thereof not be used in a production environment. Furthermode,
the add-on is not well-tested yet. Please report any issues to the portspoof forum branch.

What does Portspoof do?

Portspoof (see Homepage here) is intended to make portscans more difficult in order to
increase the security of a system. Portspoof "spoofs" all ports on a certain network interface. While
a portscan torwards a normal system only takes a few minutes, it might take hours to scan a system with
spoofed ports completelysince all TCP ports are open.

Portspoof also sends fake service signatures to confuse the attacker and to inflate the scan results.
That way, an attacker has to send more SYN/ACK requests. Thereof, a scan takes longer and requires more
network traffic; in addition, the results of a portscan cannot be processed by a machine because it is
impossible to filter the spoofed service signatures.

Furthermore, if an attacking system tries to send exploits to all open ports, this will take ages in
case of a system with portspoof since exploiting 65535 ports needs a lot of memory, CPU time and
bandwith. It is more likely that the system will abort the attack and switch over to the next target.

Please have a look at this for more details about Portspoof.

To spoof or not to spoof?

Before installing Portspoof on your IPFire system, we might discuss wether it makes sense to set up
a Portspoof installation on your system or not.

Portspoof is suitable in case your IPFire machine is connected directly to the internet (for example,
via a broadband modem, but IPFire handles the dial-in procesdure) so portscans will target the IPFire

In case you set up IPFire in a local network (i.e. to protect a department in your company or its
production network), setting up Portspoof might not be a very good idea. But if you do so, please
tell your local IT security staff that you run Portspoof -- in case they run a complete scan of the
internal network to detect new and/or unwanted ports, you might have to explain why 65535 ports on
your firewall machine are open...

Portspoof does not protect the services you have forwarded to the external network via port forwarding or DMZ pinholes in any way. Further, it can't prevent them
from being indexed by device search engines, such as Shodan.

There are some computers in the internet which are scanning for whatever reason (some of them are
security projects to enumerate how many vulnerable computers are online...). Mostly, these scan only
frequently used ports -- e.g. 23 (telnet) or 80 (HTTP) -- and collect the results to set up databases.
If they come across a portspoofed system and perform a scan there, the faked results will show up
in their databases. The more people use Portspoof, the more their data becomes blurred.

How to install portspoof

First, copy the contents of the installer file (which can be found in the forum branch) to a file on your IPFire system. Mark it as
executable by typing

chmod +x [filename of the installer]

Second, run the installer by typing

./[filename of the installer]

Then, select the installation option and wait until portspoof is installed. This should only take
a few secons, if not (or in case errors are occuring), please report this to the forum.

FIXME The section "FW rules in /tmp.." is missing here.

Set up portspoof

By default, portspoof is listening on port 4444 on the red interface (either red0 or - if present - ppp0)
and all other ports are redirected to this one. In case
you have forwarded any ports or set up an VPN connection, this behaviour is unwanted since it
disturbs the functionality of the redirected ports or the VPN connections.

To avoid this, please define the ports you do not want to be spoofed by portspoof.

FIXME How to do this if FW rules/port ranges are not in initscript?

In case you set up the firewall rules in the initscript, log onto your IPFire system and open the file
/etc/init.d/portspoof, for example, with nano.

Then, set up a list of ports you need. For example, if this list looks like:

Needed ports
Port # Reason
--- ---
22 Shell access
80 Web server in DMZ
1194 OpenVPN

then the portrange you have to feed portspoof with is:

1:21 23:79 81:1193 1195:65535

Please make sure that you have included all ports you need here. For example, if you activated a VPN
service (OpenVPN or IPsec),
you need to include the VPN ports to this list -- otherwise, the established VPN connections will
break down.

In case of OpenVPN, you need to fill in the port you specified
in the settings menue (default: 1194). IPsec, however, is more difficult here since the used ports
don't show up in the web interface. The used port numbers are 500, 4500 and sometimes 10000.

The same problem occurs in case of some add-ons, for example, the Tor add-on.

Tell Portspoof which ports should be "unspoofed" by putting in the portrange in the variable
SPORTS (see the screenshot below for an example).

After saving your changes in the init script, Portspoof is ready to start. To let it do that, either run

/etc/init.d/portspoof start

at the console or by heading over to the services status page. Scroll down to the "addon - services" table and click on the green arrow in the "portspoof" line. To start Portspoof during boot, click at the checkbox left to the arrow.

Edit Page ‐ Yes, you can edit!

Older Revisions • September 19, 2018 at 2:19 am