Re: What is this?

From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 10/02/05


Date: Sun, 02 Oct 2005 15:08:50 -0500

In the Usenet newsgroup comp.security.firewalls, in article
<LZx%e.35034$d5.190941@newsb.telia.net>, Anders wrote:

>I did apt-get my own hping, and after that I had played a little with it,
>I had to look in my snort log, because I didn't get any response from my
>firewall.
>I did find over 700 hits.
>One of the explanations for what had happened on snort.org was this:
>
>"BAD-TRAFFIC tcp port 0 traffic
>This event is generated when TCP traffic to port 0 is detected.
>This should not be seen in normal TCP communications.

There are 12 bytes of "stuff" other than the IP addresses in an IP header
and 16 bytes of "stuff" other than port numbers in a TCP header that can be
"played" with. Only a few combinations are normally used. Fyodor of nmap
fame makes use of other combinations to explore networks. hping2 is the
manual version that lets you do even more.

>Have to be careful with this tool.

Yes

>First, I have to apologize for the "traceroute -S udp p53"; the udp part
>should not be in there at all, it is a blunder made by me, I can only
>blame myself for that, did not double check it, I am sorry.

OK - there are several different implementations of traceroute out there,
and they differ in which option does what. The LBL (original) version does
not have a -S option, and the version from Olaf Kirch (then Caldera, now
SuSE) uses that as the LBL -s option for [Ss]ource address, which should
have an IP address appended. The udp was also not a normal option.

>Michael Schiffman's patch stops the increment, enabling the user to use 1 fixed
>UDP port number (i.e. port 53)

OK - there are other tools that can do that ;-)

>The probe immediately after the successful one will be denied by the ACL
>on the firewall. To possibly get further, a simple modification to
>traceroute can be done to add a command line switch to stop port
>incrementation (Figure 5). This allows us to force every probe we send to
>be acceptable to the firewall's ACL (a side effect being that we might not
>get the normal ICMP unreachable message from the ultimate destination due
>to the fact that there might actually be something listening on the other
>end).

This fails on a properly set up firewall. If there are no name servers
meant to be publicly accessible behind the firewall, there is no reason
to allow traffic to port 53 inbound. Where I work, we have three publicly
accessible DNS servers - one in the DMZ, and two located at our upstream.
All internal DNS requests go to servers behind the firewall, but as there
is no reason for external hosts to know internal names, the external DNS
servers are set to return "generic" answers to requests - so that when a
request comes in for the name of 192.0.2.2, the answer returned is
"192.0.2.2.example.com" rather than "file_server.example.com". That
answer satisfies those who "must" have a "valid" hostname to put into
their logs - (and if someone does the reverse lookup, and follows it with
a forward lookup of 192.0.2.2.example.com, they get the 192.0.2.2
answer), but those answers don't provide useful information about the
layout of our internal LAN. Creating those zonefiles is trivial - just
a couple of dumb shell scripts. An external request for a public
system (such as www.example.com) does return the valid IP address of
the web server in the DMZ (and a reverse lookup of that IP does
return the 'www.example.com'), so the public can go there, but no further.

        Old guy
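An added illustration of the "generic" zone data the post describes (not the poster's own scripts): a POSIX shell script that, for one /24, emits PTR records answering 192.0.2.N with 192.0.2.N.example.com and matching A records so the forward lookup of that name returns the address again, while hosts listed in OVERRIDES (the public DMZ web server in the post) keep their real name. The prefix, domain and override list are constructed sample values, and the SOA/NS header of each zone is assumed to live in a separate file.

```sh
#!/bin/sh
# Constructed example: emit the data records for the "generic" reverse and
# forward zones the post describes, for one /24. A PTR lookup of 192.0.2.2
# yields 192.0.2.2.example.com, and the forward lookup of that name yields
# 192.0.2.2 again, so neither answer leaks internal host naming. Hosts meant
# to be public (the DMZ web server) keep their real name via OVERRIDES.
# Assumed: SOA and NS records come from a separate header file.

# One "last-octet name" pair per line (constructed sample data).
OVERRIDES="10 www"

# Print the real (public) name registered for a last octet, if any.
override_for() {
    printf '%s\n' "$OVERRIDES" | while read -r oct name; do
        if [ "$oct" = "$1" ]; then printf '%s' "$name"; fi
    done
}

# Name to publish for prefix $1, last octet $2: override or generic form.
name_for() {
    n=$(override_for "$2")
    if [ -n "$n" ]; then printf '%s' "$n"; else printf '%s.%s' "$1" "$2"; fi
}

# Reverse zone: labels are relative to c.b.a.in-addr.arpa, targets are FQDNs.
gen_ptr_zone() {
    prefix="$1"; domain="$2"
    a=${prefix%%.*}; rest=${prefix#*.}; b=${rest%%.*}; c=${rest#*.}
    printf '$ORIGIN %s.%s.%s.in-addr.arpa.\n' "$c" "$b" "$a"
    i=1
    while [ "$i" -le 254 ]; do
        printf '%s IN PTR %s.%s.\n' "$i" "$(name_for "$prefix" "$i")" "$domain"
        i=$((i + 1))
    done
}

# Forward zone: an A record matching every PTR target, generic or public.
gen_fwd_zone() {
    prefix="$1"; domain="$2"
    printf '$ORIGIN %s.\n' "$domain"
    i=1
    while [ "$i" -le 254 ]; do
        printf '%s IN A %s.%s\n' "$(name_for "$prefix" "$i")" "$prefix" "$i"
        i=$((i + 1))
    done
}

# Usage: redirect each into the corresponding zone file.
gen_ptr_zone 192.0.2 example.com
gen_fwd_zone 192.0.2 example.com
```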


