Date: Thu, 19 Apr 2001 00:29:25 +1000
From: "Adam Clark" <chumblybum@optushome.com.au>
To: <freebsd-questions@FreeBSD.ORG>
Subject: Ports that show up "filtered" in nmap when there is no service running on that port
Message-ID: <001801c0c813$fac6a4b0$0200a8c0@bootcamp>
Hey,
I have a default catchall ipfilter rule and when I nmap my box
it returns:

Starting nmap V. 2.52 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on MyHost ( MYIP ):
(The 1515 ports scanned but not shown below are in state: closed)
Port       State       Service
25/tcp     filtered    smtp
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
1080/tcp   filtered    socks

Nmap run completed -- 1 IP address (1 host up) scanned in 23 seconds

Yet all those services are not running on my machine, so why would these appear
as filtered?
It obviously drops the packet before IPFILTER can even analyse it.

version:
FreeBSD milkrun.wiggedy 4.3-RC FreeBSD 4.3-RC #6: Fri Apr 13 20:48:43 EST 2001 root@milkrun.wiggedy:/usr/src/sys/compile/CYZZAATHOME i386

Although this is a very up-to-date build of FreeBSD, I have seen this in
versions all the way back to the 4.0 ISO release.

I have many services running, like web and ftp, but they don't show up.
I haven't got special rules for these services.

If I telnet into 23 I get this:
16/04/2001 14:52:14.372837 rl0 @5:10 b src-ip,3734 -> my-ip,23 PR tcp len 20 44 -S IN

If I telnet into 25, it doesn't even show up in the log,
which proves my point about there being something BEFORE ipf that is deciding
what to do with these packets.

These are the rules I am using:
block return-rst in log on rl0 proto tcp all
block return-icmp-as-dest(port-unr) in log on rl0 proto udp all

They are the last in the set apart from the out rules, which are:
pass out quick on rl0 proto tcp from my-ip/32 to any keep state
pass out quick on rl0 proto udp from my-ip/32 to any keep state
pass out quick on rl0 proto icmp from my-ip/32 to any keep state

So every packet that comes in the interface gets reset,
hence all packets should be the same and should come up CLOSED by nmap, not
filtered.

Adam
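An added example, not part of Adam's message nor of the nmap or IPFilter projects, that automates the cross-check he does by hand: parse the nmap 2.52 listing and the ipmon log lines, and report every port nmap calls "filtered" that never produced an ipf log entry. The nmap text is the one quoted above; the log sample is constructed from the single port-23 line in the post plus one made-up port-80 line.

```python
"""Cross-check nmap port states against an ipfilter (ipmon) log.

With a catch-all 'block return-rst in log' rule, every TCP probe that reaches
ipf is logged and answered with a RST, which nmap reports as 'closed'.
A port that nmap reports as 'filtered' but that never shows up in the log
therefore never reached the host's packet filter at all.
"""
import re

# nmap 2.52 output as quoted in the post (the header lines are skipped).
NMAP_OUTPUT = """\
Interesting ports on MyHost ( MYIP ):
(The 1515 ports scanned but not shown below are in state: closed)
Port       State       Service
25/tcp     filtered    smtp
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
1080/tcp   filtered    socks
"""

# Constructed ipmon lines: the first is from the post, the second is made up.
IPF_LOG = """\
16/04/2001 14:52:14.372837 rl0 @5:10 b src-ip,3734 -> my-ip,23 PR tcp len 20 44 -S IN
16/04/2001 14:52:20.118201 rl0 @5:10 b src-ip,3741 -> my-ip,80 PR tcp len 20 44 -S IN
"""

# "25/tcp     filtered    smtp"  ->  port, proto, state, service
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)
# "... -> my-ip,23 PR tcp ..."  ->  destination port, proto
LOG_RE = re.compile(r"\s->\s\S+,(\d+)\sPR\s(tcp|udp)\b")


def parse_nmap(text):
    """Return {(port, proto): state} for the ports nmap listed explicitly."""
    return {(int(p), proto): state
            for p, proto, state, _svc in PORT_RE.findall(text)}


def logged_ports(text):
    """Return the set of (port, proto) destinations that ipf actually logged."""
    return {(int(p), proto) for p, proto in LOG_RE.findall(text)}


def upstream_filtered(nmap_text, log_text):
    """Ports nmap reports as filtered for which ipf logged no probe at all."""
    seen = logged_ports(log_text)
    return sorted(k for k, state in parse_nmap(nmap_text).items()
                  if state == "filtered" and k not in seen)


if __name__ == "__main__":
    for port, proto in upstream_filtered(NMAP_OUTPUT, IPF_LOG):
        print(f"{port}/{proto}: filtered by nmap, never seen by ipf")
```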