Re: ipfw issue with nmap false alarms

From: Peter C. Lai (sirmoo@cowbert.2y.net)
Date: 05/31/02


Date: Thu, 30 May 2002 19:06:29 -0400
From: "Peter C. Lai" <sirmoo@cowbert.2y.net>
To: Dave Raven <dave@raven.za.net>

Allowing all packets from any to any via lo0 will show
open ports when scanning localhost, since with the above rule
any packet sent from localhost to localhost will be accepted
(which is what nmap is using when scanning localhost).

I believe the above rule also allows packets originating
from your external IP destined for that same IP. Better
to use a different interface to scan the original one.

On Thu, May 30, 2002 at 09:11:49AM +0200, Dave Raven wrote:
> That is the problem, you're scanning localhost.
> Rather scan an external card.
>
>
> --Dave.
>
>
> ----- Original Message -----
> From: "Brett Moore" <brett@softwarecreations.co.nz>
> To: <George.Giles@mcmail.vanderbilt.edu>; <freebsd-security@FreeBSD.ORG>
> Sent: Thursday, May 30, 2002 5:27 AM
> Subject: RE: ipfw issue with nmap false alarms
>
>
> > Others may correct me if I am wrong here.
> >
> > I have had the same 'problem'. I was told/read that nmap may sometimes
> > report the port that it is using as open when run against localhost.
> >
> > Try 2.54BETA34; it's for d/l at the site.
> >
> > Brett
> >
> >
> > > -----Original Message-----
> > > From: owner-freebsd-security@FreeBSD.ORG
> > > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of
> > > George.Giles@mcmail.vanderbilt.edu
> > > Sent: Thursday, 30 May 2002 15:06
> > > To: freebsd-security@FreeBSD.ORG
> > > Subject: ipfw issue with nmap false alarms
> > >
> > >
> > > nmap reports as expected when scanning the actual ip address, but when run
> > > against localhost various open ports show up.
> > >
> > > Any ideas?
> > >
> > > Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
> > > Interesting ports on localhost (127.0.0.1):
> > > (The 1540 ports scanned but not shown below are in state: closed)
> > > Port State Service
> > > 21/tcp open ftp
> > > 22/tcp open ssh
> > > 53/tcp open domain
> > > 80/tcp open http
> > > 443/tcp open https
> > > 1669/tcp open netview-aix-9
> > >
> > > Nmap run completed -- 1 IP address (1 host up) scanned in 9 seconds
> > > bash-2.05$ nmap localhost
> > >
> > > Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
> > > Interesting ports on localhost (127.0.0.1):
> > > (The 1540 ports scanned but not shown below are in state: closed)
> > > Port State Service
> > > 21/tcp open ftp
> > > 22/tcp open ssh
> > > 53/tcp open domain
> > > 80/tcp open http
> > > 443/tcp open https
> > > 2044/tcp open rimsl
> > >
> > >
> > > Nmap run completed -- 1 IP address (1 host up) scanned in 9 seconds
> > > bash-2.05$ nmap localhost
> > >
> > > Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
> > > Interesting ports on localhost (127.0.0.1):
> > > (The 1539 ports scanned but not shown below are in state: closed)
> > > Port State Service
> > > 21/tcp open ftp
> > > 22/tcp open ssh
> > > 53/tcp open domain
> > > 80/tcp open http
> > > 443/tcp open https
> > > 2003/tcp open cfingerd
> > > 3306/tcp open mysql
> > >
> > >
> > >
> > >
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-security" in the body of the message
> > >

-- 
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/
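
A way to separate the ports that are open in every localhost scan from the ones that change between runs (an added example, not part of the original thread; the function names are hypothetical, and the sample input is rebuilt from the nmap port tables quoted above):

```python
import re
from collections import Counter

# Constructed sample: the three port tables quoted in the thread. The last run
# keeps mail-quote prefixes to show that quoted output parses as well.
COMMON = ("Port State Service\n21/tcp open ftp\n22/tcp open ssh\n"
          "53/tcp open domain\n80/tcp open http\n443/tcp open https\n")
RUNS = [
    COMMON + "1669/tcp open netview-aix-9\n",
    COMMON + "2044/tcp open rimsl\n",
    COMMON + "> > > 2003/tcp open cfingerd\n> > > 3306/tcp open mysql\n",
]

# One "open" row of an nmap port table, with optional "> " quote markers.
PORT_ROW = re.compile(r"^[>\s]*(\d{1,5})/(tcp|udp)\s+open\s+(\S+)", re.MULTILINE)


def open_ports(report):
    """Return {(port, proto): service} for every open row in one report."""
    return {(int(p), proto): svc for p, proto, svc in PORT_ROW.findall(report)}


def classify(reports):
    """Split ports into those open in every run and those seen in only some."""
    parsed = [open_ports(r) for r in reports]
    seen = Counter(key for run in parsed for key in run)
    names = {key: svc for run in parsed for key, svc in run.items()}
    stable = sorted(k for k, n in seen.items() if n == len(parsed))
    transient = sorted((k, n) for k, n in seen.items() if n < len(parsed))
    return stable, transient, names


if __name__ == "__main__":
    stable, transient, names = classify(RUNS)
    for port, proto in stable:
        print(f"stable     {port}/{proto:<4} {names[(port, proto)]}")
    # Ports missing from some runs are candidates for the scanner artifact
    # described in the thread; confirm against the socket table (netstat -an).
    for (port, proto), n in transient:
        print(f"transient  {port}/{proto:<4} {names[(port, proto)]} "
              f"(seen in {n} of {len(RUNS)} runs)")
```

A port flagged as transient is not necessarily a false alarm: 3306 appears in only one run here and may still be a real listener, so it needs the same check as the others.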

