From owner-freebsd-questions Wed Apr 18 7:29:48 2001
Delivered-To: freebsd-questions@freebsd.org
From: "Adam Clark"
Subject: Ports that show up "filtered" in nmap when there is no service running on that port
Date: Thu, 19 Apr 2001 00:29:25 +1000

Hey,
    I have a default catchall ipfilter rule and when I nmap my box it returns:

Starting nmap V. 2.52 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on MyHost ( MYIP ):
(The 1515 ports scanned but not shown below are in state: closed)
Port       State       Service
25/tcp     filtered    smtp
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
1080/tcp   filtered    socks

Nmap run completed -- 1 IP address (1 host up) scanned in 23 seconds

Yet all those services are not running on my machine, so why would these appear as filtered?
It obviously drops the packet before IPFILTER can even analyse it.

version:
FreeBSD milkrun.wiggedy 4.3-RC FreeBSD 4.3-RC #6: Fri Apr 13 20:48:43 EST 2001     root@milkrun.wiggedy:/usr/src/sys/compile/CYZZAATHOME  i386

Although this is a very up-to-date build of FreeBSD, I have seen this in versions all the way back to the 4.0 ISO release.
I have many services running, like web and ftp, but they don't show up.
I haven't got special rules for these services.

If I telnet into 23 I get this:
16/04/2001 14:52:14.372837 rl0 @5:10 b src-ip,3734 -> my-ip,23 PR tcp len 20 44 -S IN

If I telnet into 25, it doesn't even show up in the log, which proves my point that there is something BEFORE ipf that is deciding what to do with these packets.

These are the rules I am using:
block return-rst in log on rl0 proto tcp all
block return-icmp-as-dest(port-unr) in log on rl0 proto udp all

They are the last in the set apart from the out rules, which are:
pass out quick on rl0 proto tcp  from my-ip/32 to any keep state
pass out quick on rl0 proto udp  from my-ip/32 to any keep state
pass out quick on rl0 proto icmp from my-ip/32 to any keep state

So every packet that comes in the interface gets reset, hence all packets should be the same and should come up CLOSED by nmap, not filtered.

Adam
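The check Adam did by hand (a probe to port 23 shows up in the ipmon log, a probe to port 25 does not) can be made systematic by correlating nmap's per-port states with the ipfilter log: a port nmap calls "filtered" that ipf also logged as blocked reached the firewall (and with a "block return-rst" rule the scanner should have received a RST), whereas a "filtered" port with no ipf log line at all was dropped before ipf ever saw it. The following is an added example, not code from the original post or from the FreeBSD/ipfilter projects; it assumes the ipmon line layout and the nmap 2.52 text layout quoted above, and all sample data in it is constructed.

```python
"""Correlate nmap port states with ipfilter (ipmon) log lines.

Added example, not from the original post. Assumes the ipmon line format
quoted in the post ('date time iface @group:rule b|p src,sport -> dst,dport PR proto ...')
and nmap 2.52's text output. All sample data below is constructed.
"""
import re
from collections import defaultdict

# Constructed nmap output, shaped like the post's (not real scan data).
NMAP_OUTPUT = """\
Interesting ports on MyHost ( MYIP ):
(The 1515 ports scanned but not shown below are in state: closed)
Port       State       Service
25/tcp     filtered    smtp
137/tcp    filtered    netbios-ns
1080/tcp   filtered    socks
"""

# Constructed ipmon lines: ipf logged a blocked SYN to port 23 and to port 137,
# but nothing at all for ports 25 and 1080.
IPF_LOG = """\
16/04/2001 14:52:14.372837 rl0 @5:10 b src-ip,3734 -> my-ip,23 PR tcp len 20 44 -S IN
16/04/2001 14:52:20.101010 rl0 @5:10 b src-ip,3735 -> my-ip,137 PR tcp len 20 44 -S IN
"""

NMAP_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
IPF_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<rule>\S+) (?P<action>[bp]) "
    r"(?P<src>\S+),(?P<sport>\d+) -> (?P<dst>\S+),(?P<dport>\d+) PR (?P<proto>\w+)"
)


def parse_nmap(text):
    """Return {(port, proto): state} for the per-port lines of nmap's text output."""
    states = {}
    for line in text.splitlines():
        m = NMAP_LINE.match(line.strip())
        if m:
            states[(int(m.group(1)), m.group(2))] = m.group(3)
    return states


def parse_ipf_log(text):
    """Return {(dport, proto): [(action, rule), ...]} for every line ipmon logged."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = IPF_LINE.match(line.strip())
        if m:
            key = (int(m.group("dport")), m.group("proto"))
            seen[key].append((m.group("action"), m.group("rule")))
    return dict(seen)


def diagnose(nmap_text, ipf_text):
    """For each port nmap reports as 'filtered', say whether ipf ever saw a packet to it.

    'logged'     ipf matched a rule for that port; with a 'block return-rst'
                 rule the scanner should have received a RST ('closed').
    'not-logged' ipf never logged anything for that port, so the probe was
                 dropped before the ipf hook (upstream, or on the host ahead of ipf).
    """
    seen = parse_ipf_log(ipf_text)
    verdicts = {}
    for (port, proto), state in parse_nmap(nmap_text).items():
        if state != "filtered":
            continue
        verdicts[f"{port}/{proto}"] = "logged" if (port, proto) in seen else "not-logged"
    return verdicts


if __name__ == "__main__":
    for port, verdict in sorted(diagnose(NMAP_OUTPUT, IPF_LOG).items()):
        print(f"{port:10} {verdict}")
```

Run against a real ipmon log and nmap run, every "not-logged" port is one whose probe never reached the ipf rule set, which is the distinction the post is trying to establish; a "logged" port that nmap still calls filtered would instead point at the RST not making it back to the scanner.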