Re: Differences between closed and filtered ports

From: Lambott@aol.com
Date: 11/19/01 

From: Lambott@aol.com
Message-ID: <a1.1e738919.2929aa6d@aol.com>
Date: Sun, 18 Nov 2001 19:21:01 EST
Subject: Re: Differences between closed and filtered ports
To: SECURITY-BASICS@securityfocus.com

From past experience, I believe the risk associated with using REJECT instead
of Drop/Deny on the Gateway (Firewall or Router), especially to block ICMP,
is that this may well give away the identity of the firewall and leaves it
vulnerable to known exploits (published or unpublished).

Just a thought, so please correct me if I am wrong.

Cheers!

T.Lambo, CISSP

In a message dated 18/11/01 20:38:36 GMT Standard Time, bhodi_jabir@yahoo.com
writes:

<< Subj: RE: Differences between closed and filtered ports
 Date: 18/11/01 20:38:36 GMT Standard Time
 From: bhodi_jabir@yahoo.com (Golden_Eternity)
 To: 05.08@web.de (Bandi), SECURITY-BASICS@SECURITYFOCUS.COM
 
> I recently thought about the following. If a port is closed the host
> refuses the connection. What does the host exactly response?
 
 It sends a reset.
 
> Is it necessary that the host responses on a closed port (couldn't that be
> managed in some way with timeouts)?
 
 If the host is alive it sends back a reset so that you don't have to wait
 for the timeout, otherwise the application would be stalled waiting for the
 timeout.
 
> Could you suggest a way to make ipchains act like a port was closed when
> filtering it, so that a portscanner from certain machines wouldn't notice
> the firewall?
 
 Use '-j REJECT' instead of '-j DROP'.
 
 For more info on this subject you can see my paper "Firewall rule exposure
 on ACK based filters" (http://www.bhodisoft.com/Sec/ba-2001-02.html) but
 your best bet is one of Fyodor's papers on how nmap
 (http://www.insecure.org/nmap/) works.
 
 -G_E
 
 
 
 
 ----------------------- Headers --------------------------------
 Return-Path: <security-basics-return-5791-lambott=aol.com@securityfocus.com>
 Received: from rly-yc05.mx.aol.com (rly-yc05.mail.aol.com [172.18.149.37])
by air-yc05.mail.aol.com (v82.22) with ESMTP id MAILINYC53-1118153836; Sun,
18 Nov 2001 15:38:36 -0500
 Received: from outgoing.securityfocus.com (outgoing3.securityfocus.com
[66.38.151.27]) by rly-yc05.mx.aol.com (v82.22) with ESMTP id
MAILRELAYINYC57-1118153824; Sun, 18 Nov 2001 15:38:24 -0500
 Received: from lists.securityfocus.com (lists.securityfocus.com
[66.38.151.19])
    by outgoing.securityfocus.com (Postfix) with QMQP
    id 81E96A3114; Sun, 18 Nov 2001 12:19:32 -0700 (MST)
 Mailing-List: contact security-basics-help@securityfocus.com; run by ezmlm
 Precedence: bulk
 List-Id: <security-basics.list-id.securityfocus.com>
 List-Post: <mailto:security-basics@securityfocus.com>
 List-Help: <mailto:security-basics-help@securityfocus.com>
 List-Unsubscribe: <mailto:security-basics-unsubscribe@securityfocus.com>
 List-Subscribe: <mailto:security-basics-subscribe@securityfocus.com>
 Delivered-To: mailing list security-basics@securityfocus.com
 Delivered-To: moderator for security-basics@securityfocus.com
 Received: (qmail 11231 invoked from network); 15 Nov 2001 16:53:20 -0000
 From: "Golden_Eternity" <bhodi_jabir@yahoo.com>
 To: "Bandi" <05.08@web.de>, <SECURITY-BASICS@SECURITYFOCUS.COM>
 Subject: RE: Differences between closed and filtered ports
 Date: Thu, 15 Nov 2001 08:53:06 -0800
 Message-ID: <BAECKHLFBCDACOFIIOLBMEHGCAAA.bhodi_jabir@yahoo.com>
 MIME-Version: 1.0
 Content-Type: text/plain;
    charset="US-ASCII"
 Content-Transfer-Encoding: 7bit
 X-Priority: 3 (Normal)
 X-MSMail-Priority: Normal
 X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
 In-reply-to: <Pine.LNX.4.21.0111131722340.615-100000@tor.not.mil>
 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
 Importance: Normal
 
>>

Relevant Pages

  • RE: Strange replies on closed port
    ... port should be a RST - not dropping the packet. ... receiving an UDP datagram to a non 'listening' port. ... that message isn't generated by the end host, ... Connecting to a closed Port w/o Firewall: ...
    (Pen-Test)
  • Re: port scan--"filtered" ports
    ... either gets an ICMP port unreachable or no response. ... be because either a firewall or the scanning host is generating ICMP ... Firewall can be the reason. ...
    (Security-Basics)
  • Re: DLINK DI 707P firewall-question
    ... > I am not quite sure if I am using firewall or filter settings, ... you set up a firewall rule. ... If two computers "talking" to each other they connect from one port ... of host A to another port of host B. ...
    (comp.security.firewalls)
  • Re: REMOTE DESKTOP NOT WORKING ANY LONGER PLEASE HELP!
    ... The host is a vista machine and it is located at my house. ... the port in the registry and also the firewall exception as well. ... centrally managed GPO which disables Remote Desktop connections. ...
    (microsoft.public.windows.terminal_services)
  • Re: Strange MTU Problem
    ... there is a firewall that is dropping ICMP Type 3 Code 4 ... unless I've added a rule telling the firewall to forward port $FOO ... application tried to connect to host $FOO on the Internet - is this OK?" ... Does the router know how to forward the ICMP ...
    (comp.os.linux.networking)