Date: Wed, 9 Jan 2002 23:39:11 +0200 (EET) From: Bernie <Bernie_X@myrealbox.com> To: cjm2@27in.tv Cc: pleaseworky@hotmail.com, <freebsd-questions@freebsd.org> Subject: Re: weird problems with ipfw rule not applying itself... Message-ID: <20020109233526.R26608-100000@BLAST> In-Reply-To: <3156.216.153.201.190.1010614819.squirrel@www.27in.tv>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, 9 Jan 2002 cjm2@27in.tv wrote: > Joe, > > This is simply because TCP packets must be acknowledged in some form, even > if it's just to reject the packet. When a port is open and has a listening > service, an acknowledging packet is sent back to the client. When a port > is open but has nothing listening to it, it is actively rejected. But, > when you use ipfw to deny a packet it's simply dropped, nothing is ever > sent to the requesting client. This is how nmap can tell the difference > between the three different states open/closed/filtered. > > UDP packets are _not_ acknowledged by the receiving machine. So whether a > packet is sent to an open port (with a listening service) or it is dropped > by the firewall, it looks exactly the same to the requesting client. > > I do believe a reject is sent back to the client when the port isn't > filtered but also has no listening service. Giving you the distinction > between open/closed udp ports. > > Hope this helps. > --Chris is this what the 'reject' rule was about? reject (Deprecated). Discard packets that match this rule, and try to send an ICMP host unreachable notice. The search terminates. well, man says deprecated anyway, but that's what you mean isn't it? Regards Bernie > > > > I have a 4.4-RELEASE acting as a gateway. When I start out, my ruleset > > looks like this: > > > > gateway# ipfw show > > 00100 43866683 26545107129 allow ip from any to any > > 65535 0 0 deny ip from any to any > > > > Simple. Let everything through, and it works great. So then I decided > > to completely block UDP port 514 (syslogd), so I issued this command: > > > > ipfw add 00050 deny udp from any to any 514 > > > > So now my ruleset looks like this: > > > > gateway# ipfw show > > 00050 0 0 deny udp from any to any 514 > > 00100 43866913 26545121843 allow ip from any to any > > 65535 0 0 deny ip from any to any > > > > > > So far, so good. The problem is, then I run `nmap` from an off network > > site, and nmap tells me that UDP 514 is _open_ (!) How can this be ? > > > > So I go back to the firewall and 'ipfw show' again, and I get: > > > > gateway# ipfw show > > 00050 5 140 deny udp from any to any 514 > > 00100 43866913 26545121843 allow ip from any to any > > 65535 0 0 deny ip from any to any > > > > > > So as you can see, the counters for the UDP 514 rule were incremented > > and everything! So how come nmap still shows UDP 514 as "open" ? > > > > As a test, I closed some tcp ports with the exact same command (but > > with tcp, and port 443 this time) and nmap said those ports are > > filtered...so that works...and I also tried with udp port 161, but > > again, the rule is in, the rule counters even get incremented, but > > nmap still says the port is OPEN. > > > > How can this be ? > > > > any help appreciated - thanks! > > > > _________________________________________________________________ > > Get your FREE download of MSN Explorer at > > http://explorer.msn.com/intl.asp. > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-questions" in the body of the message > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-questions" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020109233526.R26608-100000>