Re: NAT is present?

From: Volker Tanger (
Date: 09/12/05

  • Next message: Aditya Deshmukh: "RE: [Full-disclosure] Exploiting a Worm"
    Date: Mon, 12 Sep 2005 23:59:03 +0200


    On Mon, 12 Sep 2005 08:21:58 +0200
    "xxradar" <> wrote:

    > Hey,
    > .1 seems to be a checkpoint firewall (264 is a checkpoint port)
    > I'm pretty sure that NAT rules in checkpoint can be configured to
    > behave like this on purpose (or by mistake)
    > -----Original Message-----
    > From: []
    > *.*.*.1
    > 264/tcp open bgmp
    > 500/tcp open isakmp
    > All the host of the subnet seems to have http and https open but when

    Sounds a lot like a CKP FW1 with the HTTP "security server" enabled,
    which generally is allowing HTTP/HTTPS from the network you scanned
    from. This "ports-open-to-all-servers-but-does-not-work" behaviour is
    common among all proxy-based firewalls (e.g. Raptor, Symantec) or
    firewall content servers (e.g. CheckPoint, Astaro, Innominate mGuard) as
    the proxy generally has to accept all traffic and is deciding AFTER
    initial connect wether the connection is allowed.

    Technically this could be changed e.g. by packet filters that restrict
    access *before* the traffic is redirected to the proxy, but this usually
    is regarded as superfluous. Maybe the double management (PF *and* proxy
    rules) is regarded as too complicated? I am not sure about the
    performance impact of such double-filtering, but in high illegal load
    scenarios the additional PF probably is preventing the system to get
    into high(er) load compared to a "blank" proxy approach that is so
    common. I know of one technical reason for this, though: traffic
    redirection to the local proxy usually is done in the pre-routing PF
    table, while "normal" PF rules follow later in the "forward" PF rules.
    Adding PF rules in thw forward chain will never be reached of course,
    and thus it is sensible to leave such PF rules out.

    Back to CheckPoint:

    264/tcp is another hint, while nominally reserved for BGMP
    (, here everything looks like Checkpoint.
    They are using this port for the "Check Point VPN-1 SecuRemote Topology
    Requests", which is used by the CheckPoint SecuRemote/SecureClient VPN
    client program. Which usually is using IPSec internally nowadays - and
    with it IKE/ISAKMP at port 500.

    Have you run a UDP scan too? Then you should probably find ports 500
    (IKE) and 4500 (IPSec NAT traversal for CKP) open on *.*.*.1, too if
    this is a CKP firewall/VPN.



    Volker Tanger
    --------------------------------------------------                    PGP Fingerprint
    378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB
    Audit your website security with Acunetix Web Vulnerability Scanner: 
    Hackers are concentrating their efforts on attacking applications on your 
    website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
    login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
    futile against web application hacking. Check your website for vulnerabilities 
    to SQL injection, Cross site scripting and other web attacks before hackers do! 
    Download Trial at:

  • Next message: Aditya Deshmukh: "RE: [Full-disclosure] Exploiting a Worm"

    Relevant Pages

    • RE: firewall question
      ... Checkpoint can filter based on protocols through CheckPoints security ... I have a question regarding stateful inspection firewalls ... connection to me via netcat with a destination port of 80, ...
    • Tunnel from internal to external net (overcome own firewall)
      ... my local network. ... The firewalls of my network only allow ... port 80 for accessing the internet, but I need access to MySQL (port ... on the internet used the Proxy as a relay. ...
    • Re: file transfer over outbound port 80?
      ... I simply set my ssh daemon on port 80, ... > scp to covertly bypass most standard firewalls. ... > proxy, and you might only be getting through by that proxy. ...
    • RE: [fw-wiz] Firewalls v. Router ACLs
      ... So thousands of ACL logs per second can ratchet your processor ... CheckPoint AI and NG have far superior higher level packet inspection ... am I using these firewalls to protect against ...
    • Re: Penetration Testing a CheckPoint NG FW on Nokia
      ... there is no knonw attack on FW1 - 18264/tcp. ... Maybe an ASN.1 or Rose attack could lead to a denial of service of the port. ... Penetration Testing a CheckPoint NG FW on Nokia ... Security Consulting / Pentest ...