RE: [fw-wiz] result question
From: Whiteside, Larry [contractor] (BAE14_at_SPHQ.SSP.NAVY.MIL)
Date: 08/28/03
- Previous message: Frederick M Avolio: "Re: [fw-wiz] security of private leased lines"
- Maybe in reply to: rmck: "[fw-wiz] result question"
- Next in thread: franco segna: "Re: [fw-wiz] result question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "rmck" <rmckeever@earthlink.net>, <firewall-wizards@honor.icsalabs.com>
Date: Thu, 28 Aug 2003 15:09:26 -0400
You are correct. NMAP is not getting through your firewall. It is assuming that the port is open because there is no response. Doing UDP scans with NMAP, it wants to see a TCP reset or something to tell NMAP that it is closed. I am not sure what response it is looking for doing a FIN scan, but it is probably something similar.
L
-----Original Message-----
From: rmck [mailto:rmckeever@earthlink.net]
Sent: Wednesday, August 27, 2003 5:58 PM
To: firewall-wizards@honor.icsalabs.com
Subject: [fw-wiz] result question
Hello,
I was wondering if someone could explain to me why the tool (nmap) gives the
following results. Is it really getting through my firewalls??
I have a mysql (port 3306) machine that is behind two firewalls (both
netscreens).
I run nmap from home (3 scans), outside of all the firewalls, as so:
First A:
nmap -sT -P0 -p 3306 -T 3 111.111.111.111
Result A:
Starting nmap V. 3.0 ( www.insecure.org/nmap )
Interesting ports on mach.com.com (111.111.111.111):
Port State Service
3306/tcp filtered mysql
Nmap run completed -- 1 IP address (1 host up) scanned in 38 seconds
I feel I understand these results: nmap labels a port as "filtered" if it
does not receive either a
SYN-ACK or a RST in response to a SYN packet.
A -sT scan sends a SYN.
But these last two just get me....
B:
nmap -sF -P0 -p 3306 -T 3 111.111.111.111
Result B:
Starting nmap V. 3.0 ( www.insecure.org/nmap )
Interesting ports on mach.com.com (111.111.111.111):
Port State Service
3306/tcp open mysql
Nmap run completed -- 1 IP address (1 host up) scanned in 13 seconds
What's happening here?? Nothing shows in my firewall logs?? Is it really
getting through? Or is it assuming it's open because it gets no response??
C:
nmap -sU -P0 -p 3306 -T 3 111.111.111.111
Result C:
Starting nmap V. 3.0 ( www.insecure.org/nmap )
Interesting ports on mach.com.com (111.111.111.111):
Port State Service
3306/udp open unknown
Nmap run completed -- 1 IP address (1 host up) scanned in 13 seconds
So reading on nmap pages I got this "UDP scanning (-sU) in NMAP has the
same problem as FIN scans in that packet filtered ports will turn up as being
open ports."
So am I correct in thinking nmap is assuming a port is opened if no
response is given?
Or does nmap get through without being logged??
Thank you for your time, and any input you can give me ...
Ron
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
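
The inference discussed in this thread, as an added example that is not part of the original messages: each probe result leaves a set of possible port states, and intersecting the sets across scans shows what the three results actually establish. The response labels, function names and the assumption that none of the three probes drew any reply are constructed for this sketch.

```python
# Added illustration; response labels and function names are constructed here.
# Each (scan, response) pair maps to the set of port states it leaves possible.
# "none" means the probe timed out with no reply at all.
O, C, F = "open", "closed", "filtered"
POSSIBLE = {
    ("connect", "syn-ack"): {O},
    ("connect", "rst"): {C},
    ("connect", "none"): {F},
    ("fin", "rst"): {C},
    ("fin", "none"): {O, F},            # an open port and a dropped probe look alike
    ("udp", "udp-reply"): {O},
    ("udp", "icmp-port-unreachable"): {C},
    ("udp", "none"): {O, F},            # same ambiguity as the FIN scan
}
PROTO = {"connect": "tcp", "fin": "tcp", "udp": "udp"}

def report(scan, response, legacy=False):
    """State string a scanner would print for one probe result."""
    states = POSSIBLE[(scan, response)]
    if legacy and states == {O, F}:
        return O                        # nmap 3.0 in the thread printed plain "open"
    return "|".join(s for s in (O, C, F) if s in states)

def reconcile(observations):
    """Intersect what every scan allows, per protocol (3306/tcp != 3306/udp)."""
    verdict = {}
    for scan, response in observations:
        proto = PROTO[scan]
        allowed = POSSIBLE[(scan, response)]
        verdict[proto] = verdict.get(proto, {O, C, F}) & allowed
    return {p: ("|".join(s for s in (O, C, F) if s in v) or "inconsistent")
            for p, v in verdict.items()}

# Constructed from the three results quoted in the thread,
# assuming no reply came back to any probe.
THREAD_SCANS = [("connect", "none"), ("fin", "none"), ("udp", "none")]

if __name__ == "__main__":
    for scan, resp in THREAD_SCANS:
        print(scan, "->", report(scan, resp, legacy=True))
    print(reconcile(THREAD_SCANS))
```

Current nmap releases print `open|filtered` for the silent FIN and UDP cases, which is what `report` returns when `legacy` is left off.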