Re: Port Scans - vs Who do I believe?

From: Capps (
Date: 08/28/03

Date: Thu, 28 Aug 2003 14:51:12 GMT

My two cents,

    I don't believe the results from
    The results change from run to run. The results change
    when the network gets busy. The results are just silly
    when it returns "Closed" for ports that have identically
    the same rules in my firewall. is not anywhere near as good as
    running nmap. Not even close.


"beltorak" <> wrote in message
> Joe Shmoe <> wrote in message
> > Almost typed "Who do I trust?" in the subject; like the man said, "trust
> > yourself."
> >
> > Anyhoo; I have a single machine on the 'net 24/7 and I've used iptables
> > build me a firewall. So, I use to probe some ports and it tells
> > they're all "stealthed". I then go to and they tell me that
> > ports 1080 and 12345 (among others) are closed. Which scanner should I
> > trusting? Thanks,
> >
> > Joe
> Gibson is a little.... entusiastic about his area of expertise.
> (That's a nice way of putting it, right?). there is a bit of
> controversy over how extensive his expertise really is. But that is
> an aside.
> nmap is an excellent tool; however, if you only have a single machine,
> your firewall will need a bit of modification to get nmap to return
> results closer to what an attacker would see. more on that at the end
> of this post.
> There are other sites (my favorite is )
> that do a better job at portscanning (ie: less hype). I am not
> familiar with pcflank -- will check that out. There are a few other
> sites that do nmap requests and email you the results, but alas I seem
> to have forgotten that bookmark.
> As for the firewall; I set up the following main chains in INPUT:
> iptables -A INPUT -i lo -j fi_LOOP
> iptables -A INPUT -i $Ext_Interface -j fi_NET
> iptables -A INPUT -j DROP
> You can do the same with the OUTPUT chain for consistency (replacing
> '-i' with '-o' and 'fi_' with 'fo_', and 'DROP' with 'REJECT' to
> eliminate time-out waits).
> Under fi/fo_LOOP is a simple '-j ACCEPT' (unless you filter traffick
> across the machine's loopback interface for some reason....).
> Under fi/fo_NET goes your current firewall ruleset, but be sure to
> strip the interface test (-i and -o portions). I will call this the
> default state of the firewall.
> To test yourself, point the inbound LOOP chain to the NET chain:
> iptables -R fi_LOOP 1 -j fi_NET
> and run nmap against localhost. That should give you a close
> approximation of what an attacker would see from the outside. Using
> this setup I didn't detect any differences between a local scan and
> one from a website.
> To check for leakages, return the firewall to the default state, and
> replace the outbound LOOP chain with:
> iptables -R fo_LOOP 1 -j fo_NET
> and run nmap agains localhost again.
> hope this helps
> -t.