Re: Firewall-1 NG and NMAP

From: nard (nard@nardware.co.uk)
Date: 02/28/03


    On Thu, 27 Feb 2003 18:07:41 +0100, Frank Weise wrote:

    When nmap tests to see if a UDP port is open, it sends a UDP packet to the
    port.

    As UDP is connectionless, the target does not reply with any kind of "SYN/ACK"-style
    packet as it would with a TCP scan.

    If the host replies with an ICMP port unreachable message for that port
    number, the port is assumed closed. If the scanning host does NOT receive
    this ICMP packet, nmap assumes that there must be something listening.

    As you are silently dropping the packets, the host must not be sending the
    ICMP? Or the scanning host is unable to receive the ICMP?

    Hope this helps. I did a writeup for the Honeynet Project challenge a
    while back about nmap; check it out as it may help you out.

    http://www.honeynet.org/scans/scan23/sol/Leon.html

    nard

    > Hello,
    >
    > I've checked a Firewall-1 NG FP3 with nmap in the following way:
    >
    > nmap -sS -sU -P0 -vvv -n ip-address
    >
    > If I set a stealth rule to protect the Firewall-1 with action drop, nmap
    > reports a lot of open UDP ports.
    > If I set this rule with action reject, nmap doesn't report all the UDP ports
    > as open. That's the way I expect the scan result.
    >
    > Now I ask, why is nmap's scan result different if the action is drop vs
    > reject, and which action (drop/reject) is better in a stealth rule?
    >
    > Best Regards,
    > Frank