Date: Wed, 18 Apr 2001 11:47:21 -0400
From: Carl Schmidt
To: Adam Clark
Cc: freebsd-questions@freebsd.org
Subject: Re: Ports that show up "filtered" in nmap when there is no service running on that port
Message-ID: <20010418114721.A34816@slackerbsd.org>

Because you're from @home and @home does some port filtering at a higher
level.

If you nmap 24.40.72.54 (my machine, you may if you want, use -T Polite
though =)) you'll see what I mean.

Carl Schmidt
http://slackerbsd.org/

On Thu, Apr 19, 2001 at 12:29:25AM +1000, Adam Clark wrote:
>
> Hey,
> I have a default catchall ipfilter rule and when I nmap my box
> it returns:
>
> Starting nmap V. 2.52 by fyodor@insecure.org ( www.insecure.org/nmap/ )
> Interesting ports on MyHost ( MYIP ):
> (The 1515 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 25/tcp     filtered    smtp
> 137/tcp    filtered    netbios-ns
> 138/tcp    filtered    netbios-dgm
> 139/tcp    filtered    netbios-ssn
> 1080/tcp   filtered    socks
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 23 seconds
>
> yet all those services are not running on my machine, why would these appear
> as filtered?
> it obviously drops the packet before IPFILTER can even analyse it
>
> version:
> FreeBSD milkrun.wiggedy 4.3-RC FreeBSD 4.3-RC #6: Fri Apr 13 20:48:43 EST 2001 root@milkrun.wiggedy:/usr/src/sys/compile/CYZZAATHOME i386
>
> Although this is a very up-to-date build of freebsd, I have seen this in
> versions all the way back to the 4.0 iso release
>
> I have many services running, like web and ftp, but they don't show up.
> I haven't got special rules for these services.
>
> if I telnet into 23 I get this
> 16/04/2001 14:52:14.372837 rl0 @5:10 b src-ip,3734 -> my-ip,23 PR tcp len 20 44 -S IN
>
> if I telnet into 25, it doesn't even show up in the log
> which proves my point that there is something BEFORE ipf that is deciding
> what to do with these
> packets
>
> These are the rules I am using
> block return-rst in log on rl0 proto tcp all
> block return-icmp-as-dest(port-unr) in log on rl0 proto udp all
>
> they are the last in the set apart from the out rules which are
> pass out quick on rl0 proto tcp from my-ip/32 to any keep state
> pass out quick on rl0 proto udp from my-ip/32 to any keep state
> pass out quick on rl0 proto icmp from my-ip/32 to any keep state
>
> so every packet that comes in the interface gets reset
> hence all packets should be the same and should come up CLOSED by nmap not
> filtered
>
> Adam
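
Added example, not part of the original message or of any poster's code: a small Python check that correlates an nmap port table with ipmon log lines to tell whether a "filtered" port was dropped before the packet reached ipf, which is the diagnosis discussed above. The sample data is constructed (documentation-range addresses), and the function and verdict names are hypothetical.

```python
import re

# Constructed sample input modelled on the output quoted in the message.
# Addresses are documentation-range placeholders, not from the thread.
NMAP_OUTPUT = """\
Port       State       Service
23/tcp     closed      telnet
25/tcp     filtered    smtp
139/tcp    filtered    netbios-ssn
1080/tcp   filtered    socks
"""
IPMON_LOG = """\
16/04/2001 14:52:14.372837 rl0 @5:10 b 192.0.2.10,3734 -> 198.51.100.7,23 PR tcp len 20 44 -S IN
16/04/2001 14:52:15.101200 rl0 @5:10 b 192.0.2.10,3735 -> 198.51.100.7,1080 PR tcp len 20 44 -S IN
"""

def parse_nmap(text):
    """Map (port, proto) -> state from nmap's port table."""
    rows = re.findall(r"^(\d+)/(tcp|udp)\s+(\S+)", text, re.M)
    return {(int(port), proto): state for port, proto, state in rows}

def parse_ipmon(text):
    """Return the (dst_port, proto) pairs that ipf logged as blocked ('b')."""
    hits = re.findall(r"@\d+:\d+ b \S+,\d+ -> \S+,(\d+) PR (\w+)", text)
    return {(int(port), proto) for port, proto in hits}

def locate_filter(states, logged):
    """Label each scanned port by where the probe was handled.

    nmap reports 'closed' on a RST and 'filtered' on silence or an ICMP
    unreachable. With a catch-all 'block return-rst in log' rule, a probe
    that reaches ipf is both logged and reset, so a 'filtered' port with
    no log entry was dropped before the packet reached the host.
    """
    verdicts = {}
    for key, state in states.items():
        reached = key in logged
        if state == "filtered":
            verdicts[key] = "reply-lost" if reached else "dropped-upstream"
        elif state == "closed":
            verdicts[key] = "reset-by-ipf" if reached else "reset-not-logged"
        else:
            verdicts[key] = "answered-by-host"
    return verdicts

if __name__ == "__main__":
    result = locate_filter(parse_nmap(NMAP_OUTPUT), parse_ipmon(IPMON_LOG))
    for (port, proto), verdict in sorted(result.items()):
        print(f"{port}/{proto}: {verdict}")
```

The verdicts are only meaningful when the ipmon log covers the whole scan window and the catch-all block rule carries the `log` keyword.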