Date: Tue, 13 Jul 1999 19:06:40 -0700 (PDT)
From: Matthew Dillon <dillon@apollo.backplane.com>
To: Stephen Hocking-Senior Programmer PGS Tensor Perth <shocking@prth.pgs.com>
Cc: hackers@FreeBSD.ORG, shocking@bandicoot.prth.tensor.pgs.com
Subject: Re: Setting up a firewall with dynamic IPs
Message-ID: <199907140206.TAA85713@apollo.backplane.com>
References: <199907140116.JAA15266@ariadne.tensor.pgs.com>

:Thanks for everyone's help - I now have it working nicely. It's amazing what
:you discover when RTFMing. Oddly enough, running nmap with the Christmas tree
:scan (after I've allowed only smtp & ssh to be connected to) gives the
:following -
:
:# ./nmap -v -v -sX foo
:
:Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
:Host foo.bar.com (123.45.67.89) appears to be up ... good.
:Initiating FIN,NULL, UDP, or Xmas stealth scan against foo.bar.com
:(123.45.67.89)
:The UDP or stealth FIN/NULL/XMAS scan took 64 seconds to scan 1483 ports.
:Interesting ports on foo.bar.com (123.45.67.89):
:Port State Protocol Service
:13 open tcp daytime
:21 open tcp ftp
:22 open tcp ssh
:23 open tcp telnet
:25 open tcp smtp
:37 open tcp time
:53 open tcp domain
:80 open tcp http
:111 open tcp sunrpc
:119 open tcp nntp
:513 open tcp login
:514 open tcp shell
:1017 open tcp unknown
:1018 open tcp unknown
:1019 open tcp unknown
:1020 open tcp unknown
:1021 open tcp unknown
:1022 open tcp unknown
:1023 open tcp unknown
:2049 open tcp nfs
:
:Nmap run completed -- 1 IP address (1 host up) scanned in 64 seconds
:
:Any attempt to connect to the ports listed above (apart from ssh & smtp) just
:hangs. I take it that this is expected behaviour of the firewall accepting
:the connection and then hanging onto it in order to slow attackers down?
:
: Stephen

Usually if a connection succeeds the firewall isn't stopping it
at all. How is nmap figuring out the service type? I assume by
making a connection and probing it.

Here is what I get when I run nmap from inside my firewall

# ./nmap -v -v -sX apollo.backplane.com

Port State Protocol Service
13 open tcp daytime
22 open tcp ssh
25 open tcp smtp
37 open tcp time
53 open tcp domain
79 open tcp finger
80 open tcp http
110 open tcp pop3
111 open tcp sunrpc
113 open tcp auth
480 open tcp loadsrv
515 open tcp printer
1022 open tcp unknown
1023 open tcp unknown
2049 open tcp shilp <--- huh? that's nfs

And from outside my firewall

Port State Protocol Service
22 open tcp ssh
25 open tcp smtp
53 open tcp domain
79 open tcp finger
80 open tcp http
110 open tcp pop3
113 open tcp auth

-Matt
Matthew Dillon
<dillon@backplane.com>
