Re: Firewall-1 NG and NMAP

From: nard (nard@nardware.co.uk)
Date: 02/28/03


    On Thu, 27 Feb 2003 18:07:41 +0100, Frank Weise wrote:

    When nmap tests to see if a UDP port is open, it sends a UDP packet to the
    port.

    As UDP is connectionless, the target does not reply with any "SYN/ACK"-style
    packet like with a TCP scan.

    If the host replies with an ICMP port unreachable message for that port
    number, the port is assumed closed. If the scanning host does NOT receive
    this ICMP packet, nmap assumes that there must be something listening.

    As you are silently dropping the packets, the host must not be sending the
    ICMP? Or the scanning host is unable to receive the ICMP???

    Hope this helps. I did a writeup for the honeynet project challenge a
    while back about nmap; check it out as it may help you out.

    http://www.honeynet.org/scans/scan23/sol/Leon.html

    nard

    > Hello,
    >
    > I've checked a firewall-1 NG FP3 with nmap in the following way:
    >
    > nmap -sS -sU -P0 -vvv -n ip-address
    >
    > If I set a stealth rule to protect the firewall-1 with action drop, nmap
    > reports a lot of open udp ports.
    > If I set this rule with action reject, nmap doesn't report all the udp ports
    > as open. That's the way I expect the scan result.
    >
    > Now I ask, why is nmap's scan result different if the action is drop vs
    > reject, and which action (drop/reject) is better in a stealth rule.
    >
    > Best Regards,
    > Frank
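
The inference nard describes, worked through as an added simulation (not code from this thread or from nmap): a scanner probes a range of UDP ports behind a constructed host that really listens on two of them, and a stealth rule set to DROP or REJECT decides what comes back. With DROP every port is silent, so the scanner's "no ICMP means something listening" rule marks all of them as listening (current nmap labels that state open|filtered; the 2003 version in the thread printed plain open), while REJECT answers every probe with ICMP port unreachable and the scan reports only closed ports. The listening port set and the "none"/"drop"/"reject" labels are assumptions of this example.

```python
"""Simulate UDP port-state inference under a DROP vs REJECT stealth rule."""
from enum import Enum


class Response(Enum):
    NONE = "no response"                         # probe silently discarded
    ICMP_PORT_UNREACH = "icmp port unreachable"  # ICMP type 3, code 3
    UDP_REPLY = "udp reply"                      # a real service answered


# Constructed sample host: only these UDP ports actually have listeners.
LISTENING_UDP_PORTS = {53, 123}


def target_response(port: int, firewall_action: str) -> Response:
    """What the scanned host sends back for one UDP probe.

    firewall_action: "none"   -> no stealth rule, host answers normally
                     "drop"   -> rule silently discards the probe
                     "reject" -> rule answers with ICMP port unreachable
    (assumed labels; real Firewall-1 rule syntax is not modelled)
    """
    if firewall_action == "drop":
        return Response.NONE
    if firewall_action == "reject":
        return Response.ICMP_PORT_UNREACH
    # Unfiltered: a listener may answer, a closed port gets ICMP from the OS.
    if port in LISTENING_UDP_PORTS:
        return Response.UDP_REPLY
    return Response.ICMP_PORT_UNREACH


def infer_state(resp: Response) -> str:
    """Scanner-side rule from the post: ICMP unreachable => closed,
    silence => something may be listening (modern nmap: open|filtered)."""
    if resp is Response.ICMP_PORT_UNREACH:
        return "closed"
    if resp is Response.UDP_REPLY:
        return "open"
    return "open|filtered"


def scan(ports, firewall_action: str) -> dict:
    """Return {port: inferred_state} for one scan against one rule action."""
    return {p: infer_state(target_response(p, firewall_action)) for p in ports}


def false_positives(ports, firewall_action: str) -> list:
    """Ports reported as possibly listening that have no listener at all."""
    res = scan(ports, firewall_action)
    return sorted(p for p, s in res.items()
                  if s != "closed" and p not in LISTENING_UDP_PORTS)
```

Running `scan(range(1, 1025), "drop")` marks all 1024 ports open|filtered, which is the "lot of open udp ports" Frank saw; the same range under "reject" comes back entirely closed, hiding the two real listeners as well.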
