Date: Tue, 11 Feb 2003 09:58:40 -0600
From: Redmond Militante <r-militante@northwestern.edu>
To: Stephen Hilton <nospam@hiltonbsd.com>, freebsd-security@freebsd.org
Subject: Re: n00b ipf/ipnat questions
Message-ID: <20030211155840.GA2733@darkpossum>
In-Reply-To: <20030211090331.2e16f1c0.nospam@hiltonbsd.com>
References: <20030211002256.GA824@darkpossum> <20030211090154.R30313-100000@cactus.fi.uba.ar> <20030211141831.GB824@darkpossum> <20030211090331.2e16f1c0.nospam@hiltonbsd.com>

hi

ok.

netstat -na | grep LISTEN on the box i'm nmapping from
-------
tcp4   0  0  *.10000  *.*  LISTEN
tcp4   0  0  *.3306   *.*  LISTEN
tcp4   0  0  *.21     *.*  LISTEN
tcp4   0  0  *.80     *.*  LISTEN
tcp4   0  0  *.587    *.*  LISTEN
tcp4   0  0  *.25     *.*  LISTEN
tcp4   0  0  *.22     *.*  LISTEN
tcp46  0  0  *.22     *.*  LISTEN

netstat -na | grep LISTEN on the gateway box
-------
tcp4   0  0  *.587    *.*  LISTEN
tcp4   0  0  *.25     *.*  LISTEN
tcp4   0  0  *.22     *.*  LISTEN
tcp46  0  0  *.22     *.*  LISTEN
tcp4   0  0  *.54320  *.*  LISTEN
tcp4   0  0  *.49724  *.*  LISTEN
tcp4   0  0  *.40421  *.*  LISTEN
tcp4   0  0  *.32774  *.*  LISTEN
tcp4   0  0  *.32773  *.*  LISTEN
tcp4   0  0  *.32772  *.*  LISTEN
tcp4   0  0  *.32771  *.*  LISTEN
tcp4   0  0  *.31337  *.*  LISTEN
tcp4   0  0  *.27665  *.*  LISTEN
tcp4   0  0  *.20034  *.*  LISTEN
tcp4   0  0  *.12346  *.*  LISTEN
tcp4   0  0  *.12345  *.*  LISTEN
tcp4   0  0  *.6667   *.*  LISTEN
tcp4   0  0  *.5742   *.*  LISTEN
tcp4   0  0  *.2000   *.*  LISTEN
tcp4   0  0  *.1524   *.*  LISTEN
tcp4   0  0  *.1080   *.*  LISTEN
tcp4   0  0  *.635    *.*  LISTEN
tcp4   0  0  *.540    *.*  LISTEN
tcp4   0  0  *.143    *.*  LISTEN
tcp4   0  0  *.119    *.*  LISTEN
tcp4   0  0  *.111    *.*  LISTEN
tcp4   0  0  *.79     *.*  LISTEN
tcp4   0  0  *.15     *.*  LISTEN
tcp4   0  0  *.11     *.*  LISTEN
tcp4   0  0  *.1      *.*  LISTEN

netstat -na | grep LISTEN on the webserver behind gateway
-------
tcp4   0  0  *.21     *.*  LISTEN
tcp4   0  0  *.80     *.*  LISTEN
tcp4   0  0  *.587    *.*  LISTEN
tcp4   0  0  *.25     *.*  LISTEN
tcp4   0  0  *.22     *.*  LISTEN
tcp46  0  0  *.22     *.*  LISTEN

thanks
redmond

> Redmond Militante <r-militante@northwestern.edu> wrote:
>
> > hi
> >
> > thanks for responding
> > i made a few changes last night to my config, but i still see open ports when i run nmap, despite my ipf.rules. if you like, i can post my updated config, although it's not that different...
> >
> > tcp ports seem to be open. i'm using: nmap -sS -v -O my.hostname.org
> > here's the results of an nmap run
> >
> >
> > Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> > Host my.hostname.org (129.x.x.x) appears to be up ... good.
> > Initiating SYN Stealth Scan against my.hostname.org (129.x.x.x)
> > Adding open port 32774/tcp
> > Adding open port 15/tcp
> > Adding open port 31337/tcp
> > Adding open port 1524/tcp
> > Adding open port 111/tcp
> > Adding open port 1/tcp
> > Adding open port 32771/tcp
> > Adding open port 79/tcp
> > Adding open port 54320/tcp
> > Adding open port 22/tcp
> > Adding open port 540/tcp
> > Adding open port 587/tcp
> > Adding open port 12346/tcp
> > Adding open port 1080/tcp
> > Adding open port 25/tcp
> > Adding open port 119/tcp
> > Adding open port 11/tcp
> > Adding open port 27665/tcp
> > Adding open port 6667/tcp
> > Adding open port 80/tcp
> > Adding open port 635/tcp
> > Adding open port 21/tcp
> > Adding open port 32773/tcp
> > Adding open port 143/tcp
> > Adding open port 32772/tcp
> > Adding open port 12345/tcp
> > Adding open port 2000/tcp
> > The SYN Stealth Scan took 157 seconds to scan 1601 ports.
> > Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
> > For OSScan assuming that port 1 is open and port 35689 is closed and neither are firewalled
> > For OSScan assuming that port 1 is open and port 44468 is closed and neither are firewalled
> > For OSScan assuming that port 1 is open and port 31999 is closed and neither are firewalled
> > Interesting ports on herald.medill.northwestern.edu (129.105.51.6):
> > (The 1574 ports scanned but not shown below are in state: filtered)
> > Port       State       Service
> > 1/tcp      open        tcpmux
> > 11/tcp     open        systat
> > 15/tcp     open        netstat
> > 21/tcp     open        ftp
> > 22/tcp     open        ssh
> > 25/tcp     open        smtp
> > 79/tcp     open        finger
> > 80/tcp     open        http
> > 111/tcp    open        sunrpc
> > 119/tcp    open        nntp
> > 143/tcp    open        imap2
> > 540/tcp    open        uucp
> > 587/tcp    open        submission
> > 635/tcp    open        unknown
> > 1080/tcp   open        socks
> > 1524/tcp   open        ingreslock
> > 2000/tcp   open        callbook
> > 6667/tcp   open        irc
> > 12345/tcp  open        NetBus
> > 12346/tcp  open        NetBus
> > 27665/tcp  open        Trinoo_Master
> > 31337/tcp  open        Elite
> > 32771/tcp  open        sometimes-rpc5
> > 32772/tcp  open        sometimes-rpc7
> > 32773/tcp  open        sometimes-rpc9
> > 32774/tcp  open        sometimes-rpc11
> > 54320/tcp  open        bo2k
> > No exact OS matches for host (test conditions non-ideal).
> > TCP/IP fingerprint:
> > SInfo(V=3.00%P=i386-portbld-freebsd4.7%D=2/11%Time=3E490979%O=1%C=-1)
> > TSeq(Class=TR%IPID=I%TS=100HZ)
> > T1(Resp=Y%DF=Y%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
> > T2(Resp=N)
> > T3(Resp=Y%DF=Y%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
> > T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
> > T5(Resp=N)
> > T6(Resp=N)
> > T7(Resp=N)
> > PU(Resp=N)
> >
> >
> > Uptime 0.007 days (since Tue Feb 11 08:21:40 2003)
> > TCP Sequence Prediction: Class=truly random
> > Difficulty=9999999 (Good luck!)
> > IPID Sequence Generation: Incremental
> >
> > Nmap run completed -- 1 IP address (1 host up) scanned in 179 seconds
> >
> >
> > any advice you could give would be appreciated.
> >
> > thanks
> > redmond
> >
> >
> > > > i've managed to get it nat'ing one machine so far, the webserver. the public
> > > > ip of the webserver is aliased to the external nic on the gateway machine.
> > > > httpd and ftp work ok behind the gateway box. i have many questions,
> > > > however. the first being why - despite the firewall rules i have in place
> > > > on the gateway, when i nmap the public ip of the webserver it shows me all
> > > > sorts of ports being open. i can't make out from my gateway configuration
> > > > where this is happening.
> > >
> > > What ports? is it TCP or UDP? UDP scanning is very prone to false positives.
> > > It would help if you post the nmap flags line you're using and the results,
> > > obfuscate the IP if you don't want us to know it.
> > >
> > > Another possibility is some interception/transparent proxy on your ISP.
> >
> How about a 'netstat -na | grep LISTEN' output from each box.
> I think this may help the gurus get a better picture.
> Again, sanitize IP's if necessary. ;-)
>
> Regards,
>
> Stephen Hilton
> nospam@hiltonbsd.com

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030211155840.GA2733>
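
Added example, not part of the original message or thread: a Python sketch that cross-references the `netstat -na | grep LISTEN` output requested above with nmap's open-port table, so each port reported open is attributed to the box that actually has a listener on it. The sample input is constructed (abbreviated from the outputs quoted in the message), and the box names and function names are assumptions.

```python
import re

# Constructed sample input, abbreviated from the outputs quoted in this thread.
GATEWAY = """\
tcp4 0 0 *.22 *.* LISTEN
tcp46 0 0 *.22 *.* LISTEN
tcp4 0 0 *.31337 *.* LISTEN
tcp4 0 0 *.12345 *.* LISTEN
tcp4 0 0 *.111 *.* LISTEN
tcp4 0 0 *.20034 *.* LISTEN
"""
WEBSERVER = """\
tcp4 0 0 *.21 *.* LISTEN
tcp4 0 0 *.80 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
"""
NMAP = """\
> > 21/tcp open ftp
> > 22/tcp open ssh
> > 80/tcp open http
> > 111/tcp open sunrpc
> > 12345/tcp open NetBus
> > 31337/tcp open Elite
"""

def listening_ports(netstat_text):
    """TCP ports in LISTEN state from BSD-style `netstat -na` (address.port)."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 6 and f[0].startswith("tcp") and f[5] == "LISTEN":
            ports.add(int(f[3].rsplit(".", 1)[1]))
    return ports

def nmap_open_ports(report_text):
    """Ports nmap listed as open; tolerates '> ' mail-quote prefixes."""
    pat = re.compile(r"^[>\s]*(\d+)/tcp\s+open\b", re.M)
    return {int(m.group(1)) for m in pat.finditer(report_text)}

def attribute(open_ports, boxes):
    """Map each open port to the boxes (name -> listener set) listening on it."""
    return {p: sorted(n for n, s in boxes.items() if p in s)
            for p in sorted(open_ports)}

if __name__ == "__main__":
    boxes = {"gateway": listening_ports(GATEWAY),
             "webserver": listening_ports(WEBSERVER)}
    seen_open = nmap_open_ports(NMAP)
    for port, owners in attribute(seen_open, boxes).items():
        print(f"{port:>5}/tcp  listener on: {', '.join(owners) or 'none'}")
    # Gateway listeners the scan did not report as open.
    print("gateway listeners not seen open:", sorted(boxes["gateway"] - seen_open))
```

A port attributed only to the gateway is being answered by the gateway itself rather than by the NAT'ed host, which narrows the question to what is listening there and which filter rule lets the traffic reach it.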
