Firewalling

From: Rob 'Feztaa' Park (fezziker@home.com)
Date: 08/17/01


Date: Fri, 17 Aug 2001 15:55:24 -0600 (MDT)
From: Rob 'Feztaa' Park <fezziker@home.com>
To: focus-linux <focus-linux@lists.securityfocus.com>
Subject: Firewalling
Message-ID: <Pine.LNX.4.33L2.0108171446260.2242-100000@feztron.mine.nu>

Ok, I've been fooling around with stateful firewalls, and when I portscan
myself, really strange things happen. I'm not sure if I'm generating false
positives by scanning myself, or if I seriously configured something
wrong... anyway, here's what happens: (this is with iptables, btw)

1. regular port scan (with nmap) yields 3 open ports (ftp, http, smtp),
all other ports below 1024 are filtered, and everything else is closed
(this is normal, although I wouldn't mind having all the closed ones be
"filtered"...). Also, while portscanning myself, if I watch what's
happening with "netstat -can", I see all the incoming scans.

2. FIN packet scan tells me that ALL my ports are open. (False positives?)
I have iptables set up to drop all packets that a) aren't part of an
established connection and b) aren't on authorized ports. While watching
with "netstat -can" going, I see nothing of it. nmap is shown doing the scan,
but no "incoming" scan is recorded (I'm assuming this is because the
firewall is working and the packets are being dropped). But if this is the
case, why does nmap report the ports as open?

3. "Null" packet scan -- same as FIN.

4. "Xmas Tree" packet scan -- same as FIN.

5. "Stealth" SYN scan shows 21, 25, and 80 to be open (which they are), 20
to be closed, and 5510 (which I have reserved for licq) to be closed.
Everything else is filtered. In fact, I'd rather like the results of this
scan to be what the regular port scan (point #1) sees.

I guess that was a bit long winded. What I really want to know is how to
make FIN, Null, and Xmas scans against my machine show everything as
"filtered" instead of "open". Anybody have any ideas?

Another thing I've been thinking. Maybe all these "open" ports are good?
It'd confuse anybody looking at my system, and telnetting to any of the
"open" ports claims that there's no route to host...

Thanks for your help!
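As an added illustration that is not part of the post: a small Python model of why a catch-all DROP rule makes FIN, Null and Xmas probes come back looking "open" (no reply at all), while an iptables REJECT rule (`--reject-with tcp-reset` or `--reject-with icmp-port-unreachable`) answers in a way the scanner can classify as "closed" or "filtered". The listening ports (21, 25, 80) and the ports the ruleset lets through (20, 5510) are assumptions taken from the post.

```python
# Constructed model: what a SYN / FIN / NULL / Xmas probe gets back from a Linux
# host behind a stateful iptables ruleset, and how nmap reads that reply.
RST, SYNACK, ICMP_UNREACH, SILENT = "RST", "SYN/ACK", "ICMP port-unreachable", None

PROBES = {"SYN": {"SYN"}, "FIN": {"FIN"}, "NULL": set(), "XMAS": {"FIN", "PSH", "URG"}}

# What the catch-all rule answers with: DROP is silent, REJECT sends the
# packet named by its --reject-with option.
CATCHALL = {"DROP": SILENT,
            "REJECT tcp-reset": RST,
            "REJECT icmp-port-unreachable": ICMP_UNREACH}

LISTENING = frozenset({21, 25, 80})              # assumed from the post
PASSTHROUGH = frozenset({20, 21, 25, 80, 5510})  # ports the ruleset lets through


def stack_reply(flags, listening):
    """RFC 793 behaviour of an unfiltered TCP stack for a segment that matches no connection."""
    if "SYN" in flags and "ACK" not in flags:
        return SYNACK if listening else RST
    # FIN / NULL / Xmas: a closed port answers RST, a listening port silently discards it.
    return SILENT if listening else RST


def nmap_verdict(probe, reply):
    """nmap's inference. Old releases printed plain 'open' for a silent FIN/NULL/Xmas
    probe, which is the 'ALL my ports are open' result described in the post."""
    if probe == "SYN":
        return {SYNACK: "open", RST: "closed"}.get(reply, "filtered")
    if reply == RST:
        return "closed"
    if reply == ICMP_UNREACH:
        return "filtered"
    return "open|filtered"  # no answer: open and dropped are indistinguishable


def scan(port, probe, catchall):
    """Stateful ruleset: a bare SYN to a pass-through port reaches the stack; any other
    segment belongs to no established connection and hits the catch-all rule."""
    flags = PROBES[probe]
    if flags == {"SYN"} and port in PASSTHROUGH:
        reply = stack_reply(flags, port in LISTENING)
    else:
        reply = CATCHALL[catchall]
    return nmap_verdict(probe, reply)


def scan_table(catchall, ports=(20, 21, 25, 80, 5510, 6000)):
    """Verdict per probe type and port for one catch-all policy."""
    return {probe: {p: scan(p, probe, catchall) for p in ports} for probe in PROBES}


if __name__ == "__main__":
    for policy in CATCHALL:
        print(policy, scan_table(policy))
```

With DROP every FIN/Null/Xmas column reads the same regardless of whether the port listens; swapping the catch-all for REJECT with `icmp-port-unreachable` is what turns those columns into "filtered".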
