From: "Crist J. Clark"
Reply-To: cjclark@alum.mit.edu
To: Thomas Cannon
Cc: Joe Parks, freebsd-questions@FreeBSD.ORG
Subject: Re: weird problems with ipfw rule not applying itself...
Date: Tue, 8 Jan 2002 00:46:38 -0800
Message-ID: <20020108004638.H286@gohan.cjclark.org>
In-Reply-To: <20020107020803.E13438-100000@stereophonic.noops.org>
X-URL: http://people.freebsd.org/~cjc/
List: freebsd-questions@FreeBSD.ORG

On Mon, Jan 07, 2002 at 02:11:08AM -0800, Thomas Cannon wrote:
>
> I believe NMAP will tell you a UDP port is open when you do not receive a
> connection reset from scanning it. When you scan TCP, it sends a SYN, and
> gets a SYN/ACK... but UDP is connectionless, so nmap has to guess a whole
> lot more, and sometimes gets it wrong. I'd bet that the port is blocked,
> but your computer isn't sending back a RST the way it would if UDP traffic
> came to a port that wasn't expecting it.

You're close. nmap sends a UDP packet to a given port.
If it receives an ICMP port unreachable message, the port is closed. If it
receives nothing, the port is either "open" (something is listening and
accepting the datagrams) or the port is "filtered" (packets are dropped).
There is no way to really distinguish the two conditions.

However, if nmap finds that most of the UDP ports return no response, it
assumes they are all being filtered by a firewall and reports "filtered."
If just a few ports give no response, but many do return ICMP unreachables,
it assumes there is no filtering going on, so it reports "open."

You have the second case. You are letting most UDP through, so nmap gets
all of the ICMP port unreachables back on the closed ports of the target
machine. When it gets no response back on 514, it assumes it is because
the port is listening. However, it is due to the fact you are filtering
it. nmap guessed wrong.

--
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org
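The three outcomes Crist describes, reproduced against loopback as an added example (this is not code from the thread, nmap, or FreeBSD). It assumes a Linux or BSD host where a connected UDP socket surfaces the ICMP port unreachable for a closed port as ECONNREFUSED, and it stands up its own constructed targets: a closed port, a listener that swallows datagrams without answering (the way syslogd on 514 would), and an echo service. The second function applies the majority-rule guess the message attributes to the nmap of the day, and shows how the 514 case in the thread comes out as a false "open". Current nmap no longer makes that guess; it reports a silent port as "open|filtered".

```python
import socket
import threading

HOST = "127.0.0.1"  # constructed lab target on loopback, not the poster's machine


def probe_udp(host, port, payload=b"\x00", timeout=0.5):
    """Send one UDP datagram and classify the port the way a scanner must.

    A connected UDP socket lets the kernel report the ICMP port-unreachable
    that a closed port provokes (ECONNREFUSED on the next send/recv).
    A UDP reply proves the port is open. Silence is ambiguous: a listener
    that does not answer junk and a firewall dropping the probe look identical.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(payload)
            s.recv(1024)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"


def guess_like_2002_nmap(results):
    """Majority rule as described in the thread (hypothetical reconstruction):
    if most probed ports were silent, assume a firewall and call the silent ones
    'filtered'; if only a few were silent while the rest drew ICMP unreachables,
    assume no filtering and call the silent ones 'open'."""
    silent = sum(1 for r in results.values() if r == "open|filtered")
    label = "filtered" if silent > len(results) / 2 else "open"
    return {p: (label if r == "open|filtered" else r) for p, r in results.items()}


def run_demo():
    """Probe a closed port, a silent listener and an echo service on loopback."""
    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent.bind((HOST, 0))  # bound, never reads or replies: looks like syslogd

    echo = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    echo.bind((HOST, 0))

    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind((HOST, 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # port released, so the kernel now answers with ICMP unreachable

    def echo_once():
        data, peer = echo.recvfrom(1024)
        echo.sendto(data, peer)

    threading.Thread(target=echo_once, daemon=True).start()

    try:
        return {
            "closed": probe_udp(HOST, closed_port),
            "silent": probe_udp(HOST, silent.getsockname()[1]),
            "echo": probe_udp(HOST, echo.getsockname()[1]),
        }
    finally:
        silent.close()
        echo.close()


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:7s} -> {verdict}")
    # The thread's situation: 514 silent, neighbouring ports answering with ICMP.
    print(guess_like_2002_nmap({513: "closed", 514: "open|filtered", 515: "closed"}))
```

The silent listener and a firewalled port both yield "open|filtered" from probe_udp, which is the whole point of the reply: only the majority-rule guess turns that into a definite "open" or "filtered", and with most ports answering it guesses "open" for 514.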