From: Dru
Date: Sat, 29 Mar 2003 13:18:24 -0500 (EST)
To: jason
cc: questions@freebsd.org
Subject: Re: VERY annoying nmap problem. (solved)
Message-ID: <20030329121100.S17599@dhcp-17-14.kico2.on.cogeco.ca>
In-Reply-To: <20030329110554.L33825-100000@monsterjam.org>
References: <20030329110554.L33825-100000@monsterjam.org>
List-Id: freebsd-questions (User questions)

On Sat, 29 Mar 2003, jason wrote:

> yeah, I know the -sU is for UDP scans. I'm using ipfw. I'm 99.9% sure
> my firewall rules didn't change from version to version of nmap, but damn,
> you're right! scanning with my firewall disabled worked. Good catch. I
> guess I'll have to play with my ipfw rules now. Thanks.
>

Just don't play too much with your ruleset. Blocking incoming UDP is a _good_ thing. If you want to test the behaviour of the machine in question, it is better to use nmap from another host. That way you can see what the world sees, and ensure that your firewall ruleset isn't leaking anything.
If you want to use the machine in question as your main scanner, you can make a rule which allows _outgoing_ UDP to other hosts so you can run nmap. If your security stance is more paranoid than that, make it a temporary rule that you only use when running nmap.

On the other hand, if you only have one machine and just want to know which UDP ports are open on it, "netstat -an" or "sockstat -46" are much better options than nmap, which is designed for remote scanning. I'm sure you're already aware of that, just mentioned it for the benefit of others who may be following the thread.

Dru
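Added example, not part of the thread: a small Python parser for the "sockstat -46" and "netstat -an" output Dru recommends for a local UDP inventory. It lists every UDP socket and then separates the ones bound only to loopback, which nothing off-host can reach regardless of the ipfw ruleset, from the ones the firewall actually has to gate. The sample outputs are constructed to match the FreeBSD column layout.

```python
"""List UDP listeners from FreeBSD `sockstat -46` or `netstat -an` output."""
from __future__ import annotations

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample in sockstat -46 layout (not captured from a real host).
SOCKSTAT_SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     syslogd    420    4 udp4   *:514                 *:*
root     sshd       610    3 tcp4   *:22                  *:*
root     ntpd       700   20 udp4   *:123                 *:*
root     ntpd       700   21 udp6   *:123                 *:*
bind     named      810   20 udp4   127.0.0.1:53          *:*
"""

# Constructed sample in netstat -an layout (host.port, no process column).
NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
udp4       0      0 *.514                  *.*
udp4       0      0 127.0.0.1.53           *.*
udp6       0      0 *.123                  *.*
"""


def _split_addr(addr: str) -> tuple[str, str]:
    """Host and port are joined by the last ':' (sockstat) or '.' (netstat)."""
    cut = max(addr.rfind(":"), addr.rfind("."))
    return addr[:cut], addr[cut + 1:]


def udp_listeners(output: str) -> list[dict]:
    """One record per UDP socket; TCP lines and headers are skipped."""
    found = []
    for line in output.splitlines():
        tok = line.split()
        idx = next((i for i, t in enumerate(tok) if t.startswith("udp")), None)
        if idx is None:
            continue
        if idx == 0:            # netstat: Proto Recv-Q Send-Q Local Address ...
            local, command = tok[3], "?"
        else:                   # sockstat: USER COMMAND PID FD PROTO LOCAL ...
            local, command = tok[idx + 1], tok[1]
        host, port = _split_addr(local)
        found.append({"proto": tok[idx], "port": int(port), "host": host, "command": command})
    return found


def externally_reachable(records: list[dict]) -> list[int]:
    """Ports bound to something other than loopback: these are what ipfw must gate."""
    return sorted({r["port"] for r in records if r["host"] not in LOOPBACK})
```

Run it against real output with `sockstat -46 | python3 -c 'import sys; ...'` or by pasting the captured text in place of the samples; the loopback-only ports it drops are the ones a remote nmap run will never see even with the firewall off.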