Date: Thu, 07 Oct 2004 15:56:40 -0500
From: Norm Vilmer <norm@etherealconsulting.com>
To: Chuck Swiger <cswiger@mac.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: nmap'ing myself
Message-ID: <4165AD88.6030109@etherealconsulting.com>
In-Reply-To: <4165A1FF.5080906@mac.com>
References: <416595F3.1030601@etherealconsulting.com> <4165A1FF.5080906@mac.com>
Chuck Swiger wrote:
> Norm Vilmer wrote:
> [ ... ]
>
>> My question is: from a "well" configured firewall, "Should" I be able
>> to nmap the public interface using a console session on the firewall
>> itself?
>
> Sure. nmap should return close to zero open ports.
>
>> Will allowing this compromise security of the machine?
>
> nmap doesn't compromise the security of your machine. Having open ports
> connected to vulnerable services is the primary security risk.
>
>> Basically, should I even attempt to make this work?
>
> What is "this"?
>
>> What's a good way to test your own firewall without driving down
>> the road (and hacking into an unsecured linksys wireless router....
>> just kidding)?
>
> Put another machine on the subnet of your external interface, and do an
> nmap scan from there. That represents what your ISP would see, or a bad
> guy who compromised the ISP possibly up through the DSL modem you have.

Sorry about the ambiguity, I was referring to loosening my firewall rules and other settings to allow nmap to work properly. If it "should" work, then I have things either misconfigured or tightened down too much.

Connecting a machine to the public subnet won't work for me. My ISP uses PPPoE; I have one static IP assigned to my firewall's MAC address. I tried it, just to see if it would assign the other machine a dynamic IP if I made a PPPoE connection, but it doesn't.

I tried the ShieldsUp website, but it did not work from links (GUI-less).
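Chuck's advice above is to scan the external address from a separate host on the outside subnet and expect close to zero open ports. The script below is an added example, not code from either poster or from the FreeBSD project: it takes nmap's grepable (`-oG`) output from such a scan, lists the ports reported as open, and fails when anything outside a small allowlist is exposed, which turns the "close to zero" expectation into a repeatable check. The embedded scan text is a constructed sample using a documentation address (203.0.113.10), not a real scan, so the script runs offline; the allowlist contents and the `-sS` scan options are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): parse nmap grepable (-oG) output from a
# scan of the firewall's external address, print the open ports, and fail if
# any open port is not on an allowlist.
# SAMPLE_SCAN is a constructed sample, not a real scan result.
SAMPLE_SCAN='# Nmap scan (constructed sample): nmap -sS -oG - 203.0.113.10
Host: 203.0.113.10 ()	Status: Up
Host: 203.0.113.10 ()	Ports: 22/open/tcp//ssh///, 80/closed/tcp//http///, 443/filtered/tcp//https///	Ignored State: filtered (997)
# Nmap done (constructed sample)'

# open_ports [scan-text]: print one "port/proto" line for every port nmap
# marks as open. Each -oG port entry looks like "22/open/tcp//ssh///", so
# field 1 is the port, field 2 the state and field 3 the protocol.
# Defaults to SAMPLE_SCAN so the script can be run without nmap.
open_ports() {
    scan="${1:-$SAMPLE_SCAN}"
    printf '%s\n' "$scan" |
        grep '^Host:.*Ports:' |
        sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//' |
        awk -F/ '$2 == "open" { print $1 "/" $3 }'
}

# check_exposure allowlist [scan-text]: return 0 when every open port is in
# the space-separated allowlist (e.g. "22/tcp 443/tcp"), 1 when something
# else is open. Unexpected ports are reported on stderr.
check_exposure() {
    allow="$1"
    scan="${2:-$SAMPLE_SCAN}"
    rc=0
    for p in $(open_ports "$scan"); do
        case " $allow " in
            *" $p "*) ;;
            *) echo "unexpected open port: $p" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Usage against a real scan, run from a host on the external subnet as
# Chuck suggests (replace the address with your own external IP):
#   check_exposure "22/tcp" "$(nmap -sS -oG - 203.0.113.10)" && echo "exposure as expected"
```

With the constructed sample, `open_ports` prints only `22/tcp`; `check_exposure "22/tcp"` succeeds and `check_exposure ""` fails, which is the behaviour you want in a post-change firewall check: anything that shows up open without being deliberately allowed is a finding, while `closed` and `filtered` entries are ignored because they are what a tight rule set should produce.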