Re: Firewall-1 NG and NMAP
From: nard (nard@nardware.co.uk)
Date: 02/28/03
- Previous message: Mark Stubbs: "Re: Sonicwall - Draytek VPN 224.0.0.9 problem"
- In reply to: Frank Weise: "Firewall-1 NG and NMAP"
From: "nard" <nard@nardware.co.uk> Date: Fri, 28 Feb 2003 10:13:45 +0000
On Thu, 27 Feb 2003 18:07:41 +0100, Frank Weise wrote:
When nmap tests to see if a UDP port is open, it sends a UDP packet to the
port.
As UDP is connectionless, the target does not reply with any "SYN/ACK"-style
packet like it does with a TCP scan.
If the host replies with an ICMP port unreachable message for that port
number, the port is assumed closed. If the scanning host does NOT receive
this ICMP packet, nmap assumes that there must be something listening.
As you are silently dropping the packets, the host must not be sending the
ICMP? Or the scanning host is unable to receive the ICMP???
Hope this helps. I did a write-up for the Honeynet Project challenge a
while back about nmap; check it out as it may help you out.
http://www.honeynet.org/scans/scan23/sol/Leon.html
nard
> Hello,
>
> I've checked a firewall-1 NG FP3 with nmap in the following way:
>
> nmap -sS -sU -P0 -vvv -n ip-address
>
> If I set a stealth rule to protect the firewall-1 with action drop, nmap
> reports a lot of open udp ports.
> If I set this rule with action reject, nmap doesn't report all the udp ports
> as open. That's the way I expect the scan result.
>
> Now I ask, why is nmap's scan result different if the action is drop vs
> reject, and which action (drop/reject) is better in a stealth rule?
>
> Best Regards,
> Frank
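The decision rule nard describes (UDP probe out; ICMP port unreachable back means closed; silence means nmap cannot rule out a listener) is what produces Frank's two different results. The following is an added illustration written for this archive page, not code from either poster or from nmap itself: it models a UDP scan in-process against a constructed target sitting behind a stealth rule, so nothing is sent on the wire. The assumption that Check Point's "reject" answers UDP with ICMP type 3 code 3 is an assumption consistent with the result Frank reports, not something the thread states; the port list, the set of "listening" services and the helper names are invented for the example.

```python
"""
Model of how `nmap -sU` interprets the answer to a UDP probe, and why a
firewall stealth rule set to DROP makes every UDP port look open while
REJECT makes the same ports look closed.

Added example for this archive page; not code from the posters or from
nmap.  All traffic is simulated in-process.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# ICMP type 3 (destination unreachable) codes that a UDP scan cares about.
ICMP_PORT_UNREACH = 3                     # code 3: port unreachable -> closed
ICMP_FILTERED_CODES = {1, 2, 9, 10, 13}   # host/proto/admin prohibited -> filtered


@dataclass
class Response:
    """What came back for one UDP probe: a UDP datagram, an ICMP error, or nothing."""
    kind: str                       # "udp", "icmp" or "none"
    icmp_code: Optional[int] = None


def classify_udp_port(resp: Response) -> str:
    """Interpret a single probe's answer the way nmap's UDP scan does."""
    if resp.kind == "udp":
        # The service answered our probe itself: definitely open.
        return "open"
    if resp.kind == "icmp":
        if resp.icmp_code == ICMP_PORT_UNREACH:
            return "closed"
        if resp.icmp_code in ICMP_FILTERED_CODES:
            return "filtered"
    # Silence.  nmap cannot distinguish a listener that ignored a junk
    # datagram from a firewall that swallowed the probe.  Current nmap
    # reports this as "open|filtered"; the 2003-era version reported it
    # as "open", which is what Frank saw with the DROP stealth rule.
    return "open|filtered"


def simulated_target(port: int, listening: Set[int], stealth_action: Optional[str]) -> Response:
    """Constructed target behind a stealth rule covering every UDP port.

    stealth_action: "drop", "reject" or None (no stealth rule in front).
    """
    if stealth_action == "drop":
        return Response("none")                          # silently discarded
    if stealth_action == "reject":
        # Assumption for this example: "reject" answers UDP with ICMP
        # port unreachable, which matches the result Frank describes.
        return Response("icmp", ICMP_PORT_UNREACH)
    # No stealth rule: plain host behaviour.
    if port in listening:
        return Response("none")      # most UDP services ignore an empty datagram
    return Response("icmp", ICMP_PORT_UNREACH)


def udp_scan(ports: Iterable[int], listening: Set[int], stealth_action: Optional[str]) -> Dict[int, str]:
    """Run the modelled scan and return {port: state}."""
    return {p: classify_udp_port(simulated_target(p, listening, stealth_action)) for p in ports}


if __name__ == "__main__":
    ports = [53, 123, 161, 500]          # constructed sample
    listening = {53, 500}                # constructed: DNS and IKE "listening"
    for action in ("drop", "reject", None):
        print(f"stealth rule: {action or 'none'}")
        for port, state in udp_scan(ports, listening, action).items():
            print(f"  {port}/udp  {state}")
```

Running it shows the three outcomes side by side: with DROP every probed port comes back `open|filtered` (reported as plain "open" by nmap of that era), with REJECT every port comes back `closed` regardless of whether anything listens, and with no stealth rule only the silent listeners stay ambiguous. Neither firewall action tells the scanner what is really listening; the difference is whether the scanner sees a uniform "closed" or a uniform "open". On a live host the same experiment is `nmap -sU -Pn <target>` (`-P0` is the old spelling of `-Pn`).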
- Next message: i got da mulligans: "Re: If you are considering Zone Labs software..."