Re: Is my home computer at risk knowing that nmap says...

"Moe Trin" <ibuprofin@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
On Tue, 30 May 2006, in the Usenet newsgroup, in
<e5i7de$7nn$1@xxxxxxxxxxxxxxx>, Jay C. James wrote:

Has everyone considered yet how some firewall implementations can skew
results a bit, specifically with regard to
how it determines OPEN/CLOSED/FILTERED port states?

Did you see the articles upthread? This started when the O/P ran nmap
from a site in Thailand against his system in Canada, and was terrified
to find 1659 ports reported as open. He then scanned a number of other
hosts on the same subnet, and got near identical results. He has a
firewall running, and doesn't have all that much stuff waving in the

The suggestion was made that he's actually seeing a proxy run by his
Thai ISP, rather than the real system. The way to test this idea is to
look at the packets on the wire, and note what the TTL value is in the
IP header. He appears to be 25 hops away, so for a Linux box, the
observed TTL should be 64 - 25 or about 40 for TCP and UDP, and 255 - 25
or about 230 for ICMP. If he sees obvious differences (I was expecting
the proxy was within 8 hops maximum), this would be a reasonable answer.

Also, I did make three connection attempts from here (near Phoenix
Arizona) and saw that his firewall was DROPing connections to unused
ports - including two ports that nmap scans by default. The article
you responded to shows a reasonable response based on a minimal test
I made.

nmap is a really good tool, but it can be confused if there is a hidden
proxy intercepting the scan. Things _may_not_always_ be exactly as they
seem. Using nmap to identify the remote operating system (see the man
pages) may provide clues.

Old guy

Thanks for filling in the early details. Great tool when used properly.
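
The TTL check described in the quoted post, as an added example that is not part of the original thread: it reads `tcpdump -v` header lines, subtracts the observed TTL from the initial TTL the post assumes for a Linux box (64 for TCP/UDP, 255 for ICMP), and compares the implied hop count with the traceroute distance. The capture lines, the documentation-range addresses and the `slack` tolerance are constructed assumptions.

```python
import re

# Initial TTLs the post assumes for a Linux box: 64 for TCP/UDP, 255 for ICMP.
LINUX_INITIAL_TTL = {"TCP": 64, "UDP": 64, "ICMP": 255}

# IP header summary as printed by `tcpdump -v` (ttl and proto fields only).
HEADER_RE = re.compile(r"ttl (\d+),.*?proto (\w+) \(\d+\)")

# Constructed capture: three replies seen while probing one target.
SAMPLE_CAPTURE = """\
12:00:01.100000 IP (tos 0x0, ttl 40, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    198.51.100.7.22 > 192.0.2.10.40001: Flags [S.], seq 1, ack 1, win 5840, length 0
12:00:01.200000 IP (tos 0x0, ttl 58, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    198.51.100.7.80 > 192.0.2.10.40002: Flags [S.], seq 1, ack 1, win 5840, length 0
12:00:01.300000 IP (tos 0x0, ttl 231, id 4321, offset 0, flags [none], proto ICMP (1), length 84)
    198.51.100.7 > 192.0.2.10: ICMP echo reply, id 1, seq 1, length 64
"""

def parse_replies(capture_text):
    """Return (proto, ttl) pairs, one per IP header line in the capture."""
    return [(m.group(2), int(m.group(1))) for m in HEADER_RE.finditer(capture_text)]

def assess(proto, observed_ttl, traceroute_hops, slack=3):
    """Return (implied_hops, verdict) for one reply; slack is an assumed tolerance."""
    initial = LINUX_INITIAL_TTL.get(proto)
    if initial is None:
        return None, "no assumed initial TTL for this protocol"
    implied = initial - observed_ttl
    if implied < 0:
        # TTL is higher than a Linux sender could have set: different OS or default.
        return implied, "initial TTL assumption wrong"
    if implied + slack < traceroute_hops:
        # Reply travelled far fewer hops than the route to the target: something
        # nearer than the target (such as an intercepting proxy) answered.
        return implied, "responder closer than target"
    if implied > traceroute_hops + slack:
        return implied, "longer return path or wrong assumption"
    return implied, "consistent with target"

def check_capture(capture_text, traceroute_hops):
    """Assess every reply in a capture against the traceroute hop count."""
    return [(proto, ttl) + assess(proto, ttl, traceroute_hops)
            for proto, ttl in parse_replies(capture_text)]

if __name__ == "__main__":
    for row in check_capture(SAMPLE_CAPTURE, traceroute_hops=25):
        print(row)
```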

