Date: Wed, 9 Jan 2002 17:20:19 -0500 (EST) From: cjm2@27in.tv To: <pleaseworky@hotmail.com> Cc: <freebsd-questions@freebsd.org> Subject: Re: weird problems with ipfw rule not applying itself... Message-ID: <3156.216.153.201.190.1010614819.squirrel@www.27in.tv> In-Reply-To: <F190cCoF7D5YnYccyeE00018dfa@hotmail.com> References: <F190cCoF7D5YnYccyeE00018dfa@hotmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Joe, This is simply because TCP packets must be acknowledged in some form, even if it's just to reject the packet. When a port is open and has a listening service, an acknowledging packet is sent back to the client. When a port is open but has nothing listening to it, it is actively rejected. But, when you use ipfw to deny a packet it's simply dropped, nothing is ever sent to the requesting client. This is how nmap can tell the difference between the three different states open/closed/filtered. UDP packets are _not_ acknowledged by the receiving machine. So whether a packet is sent to an open port (with a listening service) or it is dropped by the firewall, it looks exactly the same to the requesting client. I do believe a reject is sent back to the client when the port isn't filtered but also has no listening service. Giving you the distinction between open/closed udp ports. Hope this helps. --Chris > I have a 4.4-RELEASE acting as a gateway. When I start out, my ruleset > looks like this: > > gateway# ipfw show > 00100 43866683 26545107129 allow ip from any to any > 65535 0 0 deny ip from any to any > > Simple. Let everything through, and it works great. So then I decided > to completely block UDP port 514 (syslogd), so I issued this command: > > ipfw add 00050 deny udp from any to any 514 > > So now my ruleset looks like this: > > gateway# ipfw show > 00050 0 0 deny udp from any to any 514 > 00100 43866913 26545121843 allow ip from any to any > 65535 0 0 deny ip from any to any > > > So far, so good. The problem is, then I run `nmap` from an off network > site, and nmap tells me that UDP 514 is _open_ (!) How can this be ? > > So I go back to the firewall and 'ipfw show' again, and I get: > > gateway# ipfw show > 00050 5 140 deny udp from any to any 514 > 00100 43866913 26545121843 allow ip from any to any > 65535 0 0 deny ip from any to any > > > So as you can see, the counters for the UDP 514 rule were incremented > and everything! So how come nmap still shows UDP 514 as "open" ? > > As a test, I closed some tcp ports with the exact same command (but > with tcp, and port 443 this time) and nmap said those ports are > filtered...so that works...and I also tried with udp port 161, but > again, the rule is in, the rule counters even get incremented, but > nmap still says the port is OPEN. > > How can this be ? > > any help appreciated - thanks! > > _________________________________________________________________ > Get your FREE download of MSN Explorer at > http://explorer.msn.com/intl.asp. > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-questions" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3156.216.153.201.190.1010614819.squirrel>