Re: [fw-wiz] result question

From: franco segna (fsegna_at_web.de)
Date: 08/28/03

    To: firewall-wizards@honor.icsalabs.com
    Date: Thu, 28 Aug 2003 21:27:47 +0200
    
    

    rmck wrote:

    >Hello,
    >
    >I was wondering if someone could explain to me why the tool (nmap) gives the
    >following results. Is it really getting through my firewalls??
    >
    >I have a mysql (port 3306) machine that is behind two firewalls (both
    >netscreens).
    >
    >I run nmap from home (3 scans), outside of all the firewalls, as so:
    >
    >First A:
    >nmap -sT -P0 -p 3306 -T 3 111.111.111.111
    >Result A:
    >Starting nmap V. 3.0 ( www.insecure.org/nmap )
    >Interesting ports on mach.com.com (111.111.111.111):
    >Port State Service
    >3306/tcp filtered mysql
    >
    >Nmap run completed -- 1 IP address (1 host up) scanned in 38 seconds
    >
    >I feel I understand these results: nmap labels a port as "filtered" if it
    >does not receive either a
    >SYN-ACK or a RST in response to a SYN packet.
    >A -sT scan sends a SYN.
    >
    >But these last two just get me....
    >
    >B:
    >nmap -sF -P0 -p 3306 -T 3 111.111.111.111
    >Result B:
    >Starting nmap V. 3.0 ( www.insecure.org/nmap )
    >Interesting ports on mach.com.com (111.111.111.111):
    >Port State Service
    >3306/tcp open mysql
    >
    >Nmap run completed -- 1 IP address (1 host up) scanned in 13 seconds
    >
    >What's happening here?? Nothing shows in my firewall logs?? Is it really
    >getting through? Or is it assuming it's open because it gets no response??
    >
    >C:
    >nmap -sU -P0 -p 3306 -T 3 111.111.111.111
    >Result C:
    >Starting nmap V. 3.0 ( www.insecure.org/nmap )
    >Interesting ports on mach.com.com (111.111.111.111):
    >Port State Service
    >3306/udp open unknown
    >
    >Nmap run completed -- 1 IP address (1 host up) scanned in 13 seconds
    >
    >So reading on nmap pages I got this "UDP scanning (-sU) in NMAP has the
    >same problem as FIN scans in that packet filtered ports will turn up as being
    >open ports."
    >
    >So am I correct in thinking nmap is assuming a port is opened if no
    >response is given.
    >
    >Or does nmap get through without being logged??
    >
    >Thank you for your time, and any input you can give me ...
    >
    >Ron
    >
    >_______________________________________________
    >firewall-wizards mailing list
    >firewall-wizards@honor.icsalabs.com
    >http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >
    >
    >
    The U scan sends a UDP packet to port 3306. If the packet is
    dropped by one (or both) of the firewalls, or if the target does not respond
    with an ICMP "port unreachable" message, or if one (or both) of the firewalls
    doesn't let the ICMP message out, nmap can only assume that port 3306 is
    open, and behaves according to the man page.
    The same reasoning applies to the FIN scan.
    But if the T scan (TCP connect) gives the answer "filtered", we should
    assume that the packet is being rejected by one of the firewalls.
    I don't see anything strange, but I'm only a newbie. UDP and FIN scans
    should be used for specific purposes.

    Franco
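
The reasoning in the reply above, as an added example that is not part of the original thread: it lists which real port conditions could produce what the scanner saw, and shows that scans A and B read together leave only "dropped by a filter" for 3306/tcp. The response model, the observation of silence for all three scans, and the names `EXPECTED`, `consistent`, `combine` and `legacy_label` are assumptions of this sketch.

```python
# Added example: which true port conditions are consistent with a scan result.
# Assumed model: an open TCP port ignores a bare FIN, a closed one answers RST;
# a closed UDP port answers ICMP "port unreachable"; "dropped" means a
# firewall silently discards the probe or its reply.
EXPECTED = {
    "connect": {"open": {"syn-ack"}, "closed": {"rst"}, "dropped": {"none"}},
    "fin":     {"open": {"none"},    "closed": {"rst"}, "dropped": {"none"}},
    # An open UDP service may reply or stay silent, depending on the payload.
    "udp":     {"open": {"udp-reply", "none"},
                "closed": {"icmp-port-unreach"},
                "dropped": {"none"}},
}

def consistent(probe, observed):
    """Return every true condition that could produce `observed`."""
    return {cond for cond, seen in EXPECTED[probe].items() if observed in seen}

def combine(observations):
    """Intersect candidates across probes of the SAME protocol and port."""
    candidates = {"open", "closed", "dropped"}
    for probe, observed in observations:
        candidates &= consistent(probe, observed)
    return candidates

def legacy_label(probe, observed):
    """Single-probe label as in the thread's output: silence on FIN/UDP is
    reported as open, silence on a connect scan as filtered."""
    cands = consistent(probe, observed)
    if cands == {"closed"}:
        return "closed"
    if probe == "connect":
        return "open" if cands == {"open"} else "filtered"
    return "open"

# Constructed observations: no reply at all for scans A, B and C.
THREAD_TCP = [("connect", "none"), ("fin", "none")]  # scans A and B
THREAD_UDP = [("udp", "none")]                       # scan C

if __name__ == "__main__":
    for probe, obs in THREAD_TCP + THREAD_UDP:
        print(probe, "->", legacy_label(probe, obs),
              "| could be:", sorted(consistent(probe, obs)))
    print("3306/tcp, A and B together:", sorted(combine(THREAD_TCP)))
    print("3306/udp, C alone:", sorted(combine(THREAD_UDP)))
```

The UDP result stays ambiguous on its own, because silence fits both an open port and a dropped packet.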


