Date: Tue, 11 Feb 2003 13:07:38 -0600
From: Redmond Militante <r-militante@northwestern.edu>
To: Nigel Houghton <nigel.houghton@sourcefire.com>, freebsd-security@freebsd.org
Subject: Re: n00b ipf/ipnat questions
Message-ID: <20030211190738.GB791@darkpossum>
In-Reply-To: <1044990692.294.26.camel@ds9.sourcefire.com>
References: <20030211002256.GA824@darkpossum> <20030211090154.R30313-100000@cactus.fi.uba.ar> <20030211141831.GB824@darkpossum> <1044990692.294.26.camel@ds9.sourcefire.com>
yeah the reason i didn't think that portsentry would be causing this type of behavior is that i'm also running it on a couple of standalone workstations that i have firewalled with ipfilter, and when i nmap these machines, it doesn't show a variety of ports being open due to portsentry listening on them. i'm not sure why nmap would show these ports that portsentry's listening on being open when behind an ipf/ipnat configuration...

thanks
redmond

>
> Are you running Portsentry by any chance?
>
> On Tue, 2003-02-11 at 09:18, Redmond Militante wrote:
> > hi
> >
> > thanks for responding
> > i made a few changes last night to my config, but i still see open ports when i run nmap, despite my ipf.rules. if you like, i can post my updated config, although it's not that different...
> >
> > tcp ports seem to be open. i'm using: nmap -sS -v -O my.hostname.org
> > here's the results of an nmap run
> >
> >
> > Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> > Host my.hostname.org (129.x.x.x) appears to be up ... good.
> > Initiating SYN Stealth Scan against my.hostname.org (129.x.x.x)
> > Adding open port 32774/tcp
> > Adding open port 15/tcp
> > Adding open port 31337/tcp
> > Adding open port 1524/tcp
> > Adding open port 111/tcp
> > Adding open port 1/tcp
> > Adding open port 32771/tcp
> > Adding open port 79/tcp
> > Adding open port 54320/tcp
> > Adding open port 22/tcp
> > Adding open port 540/tcp
> > Adding open port 587/tcp
> > Adding open port 12346/tcp
> > Adding open port 1080/tcp
> > Adding open port 25/tcp
> > Adding open port 119/tcp
> > Adding open port 11/tcp
> > Adding open port 27665/tcp
> > Adding open port 6667/tcp
> > Adding open port 80/tcp
> > Adding open port 635/tcp
> > Adding open port 21/tcp
> > Adding open port 32773/tcp
> > Adding open port 143/tcp
> > Adding open port 32772/tcp
> > Adding open port 12345/tcp
> > Adding open port 2000/tcp
> > The SYN Stealth Scan took 157 seconds to scan 1601 ports.
> > Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
> > For OSScan assuming that port 1 is open and port 35689 is closed and neither are firewalled
> > For OSScan assuming that port 1 is open and port 44468 is closed and neither are firewalled
> > For OSScan assuming that port 1 is open and port 31999 is closed and neither are firewalled
> > Interesting ports on herald.medill.northwestern.edu (129.105.51.6):
> > (The 1574 ports scanned but not shown below are in state: filtered)
> > Port       State       Service
> > 1/tcp      open        tcpmux
> > 11/tcp     open        systat
> > 15/tcp     open        netstat
> > 21/tcp     open        ftp
> > 22/tcp     open        ssh
> > 25/tcp     open        smtp
> > 79/tcp     open        finger
> > 80/tcp     open        http
> > 111/tcp    open        sunrpc
> > 119/tcp    open        nntp
> > 143/tcp    open        imap2
> > 540/tcp    open        uucp
> > 587/tcp    open        submission
> > 635/tcp    open        unknown
> > 1080/tcp   open        socks
> > 1524/tcp   open        ingreslock
> > 2000/tcp   open        callbook
> > 6667/tcp   open        irc
> > 12345/tcp  open        NetBus
> > 12346/tcp  open        NetBus
> > 27665/tcp  open        Trinoo_Master
> > 31337/tcp  open        Elite
> > 32771/tcp  open        sometimes-rpc5
> > 32772/tcp  open        sometimes-rpc7
> > 32773/tcp  open        sometimes-rpc9
> > 32774/tcp  open        sometimes-rpc11
> > 54320/tcp  open        bo2k
> > No exact OS matches for host (test conditions non-ideal).
> > TCP/IP fingerprint:
> > SInfo(V=3.00%P=i386-portbld-freebsd4.7%D=2/11%Time=3E490979%O=1%C=-1)
> > TSeq(Class=TR%IPID=I%TS=100HZ)
> > T1(Resp=Y%DF=Y%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
> > T2(Resp=N)
> > T3(Resp=Y%DF=Y%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
> > T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
> > T5(Resp=N)
> > T6(Resp=N)
> > T7(Resp=N)
> > PU(Resp=N)
> >
> >
> > Uptime 0.007 days (since Tue Feb 11 08:21:40 2003)
> > TCP Sequence Prediction: Class=truly random
> >                          Difficulty=9999999 (Good luck!)
> > IPID Sequence Generation: Incremental
> >
> > Nmap run completed -- 1 IP address (1 host up) scanned in 179 seconds
> >
> >
> > any advice you could give would be appreciated.
> >
> > thanks
> > redmond
> >
> >
> > > > i've managed to get it nat'ing one machine so far, the webserver. the public
> > > > ip of the webserver is aliased to the external nic on the gateway machine.
> > > > httpd and ftp work ok behind the gateway box. i have many questions,
> > > > however. the first being why - despite the firewall rules i have in place
> > > > on the gateway, when i nmap the public ip of the webserver it shows me all
> > > > sorts of ports being open. i can't make out from my gateway configuration
> > > > where this is happening.
> > >
> > > What ports? is it TCP or UDP? UDP scanning is very prone to false positives.
> > > It would help if you post the nmap flags line you're using and the results,
> > > obfuscate the IP if you don't want us to know it.
> > >
> > > Another possibility is some interception/transparent proxy on your ISP.
> > >
> > >
> > > Fer
> > >
> > > > any advice would be appreciated
> > > >
> > > > thanks
> > > > redmond
> > > >
> > > >
> --
> Nigel Houghton    Security Engineer    Sourcefire Inc.
>
> Specifications are for the weak and timid!
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030211190738.GB791>
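An added triage helper, not part of this thread: it splits the "open" TCP rows of an nmap 3.x table into the ports that coincide with PortSentry's stock TCP bait list and the rest, so the real listeners can be checked against the ipf/ipnat rules separately from the honeypot noise. The bait set is reproduced from a default portsentry.conf and is assumed to match the version on the scanned host; the sample input is an excerpt of the nmap table quoted above.

```python
import re

# PortSentry's default TCP_PORTS list as shipped in portsentry.conf.
# Assumption: the scanned host runs it unmodified; edit if the admin changed it.
PORTSENTRY_DEFAULT_TCP = {
    1, 11, 15, 79, 111, 119, 143, 540, 635, 1080, 1524, 2000, 5742, 6667,
    12345, 12346, 20034, 27665, 31337, 32771, 32772, 32773, 32774, 40421,
    49724, 54320,
}

# One "Port State Service" row of nmap 3.x output, tolerating a leading
# mail quote prefix such as "> > " so it can be fed a pasted thread.
PORT_LINE = re.compile(r"^(?:>\s*)*(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")


def parse_nmap_ports(text):
    """Return (port, proto, state, service) tuples for every table row found."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def triage_open_ports(text, bait_ports=PORTSENTRY_DEFAULT_TCP):
    """Split open TCP ports into (likely PortSentry bait, everything else)."""
    bait, real = [], []
    for port, proto, state, _service in parse_nmap_ports(text):
        if proto != "tcp" or state != "open":
            continue
        (bait if port in bait_ports else real).append(port)
    return sorted(bait), sorted(real)


# Constructed sample: an excerpt of the nmap table quoted in the message above.
SAMPLE = """\
> > Port       State       Service
> > 1/tcp      open        tcpmux
> > 21/tcp     open        ftp
> > 22/tcp     open        ssh
> > 25/tcp     open        smtp
> > 80/tcp     open        http
> > 587/tcp    open        submission
> > 1524/tcp   open        ingreslock
> > 12345/tcp  open        NetBus
> > 31337/tcp  open        Elite
> > 54320/tcp  open        bo2k
"""

if __name__ == "__main__":
    bait, real = triage_open_ports(SAMPLE)
    print("likely PortSentry listeners:", bait, "| other open TCP ports:", real)
```

Everything that lands in the second list is a port that must be explained by a real daemon or an ipnat rdr rule; the first list is what a PortSentry instance answering on the scanned address would produce.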
