From: Nigel Houghton
To: Redmond Militante
Cc: freebsd-security@freebsd.org
Subject: Re: n00b ipf/ipnat questions
Date: 11 Feb 2003 14:11:31 -0500
Message-Id: <1044990692.294.26.camel@ds9.sourcefire.com>
In-Reply-To: <20030211141831.GB824@darkpossum>

Are you running Portsentry by any chance?

On Tue, 2003-02-11 at 09:18, Redmond Militante wrote:
> hi
>
> thanks for responding
> i made a few changes last night to my config, but i still see open ports when i run nmap, despite my ipf.rules. if you like, i can post my updated config, although it's not that different...
>
> tcp ports seem to be open. i'm using: nmap -sS -v -O my.hostname.org
> here's the results of an nmap run
>
> Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> Host my.hostname.org (129.x.x.x) appears to be up ... good.
> Initiating SYN Stealth Scan against my.hostname.org (129.x.x.x)
> Adding open port 32774/tcp
> Adding open port 15/tcp
> Adding open port 31337/tcp
> Adding open port 1524/tcp
> Adding open port 111/tcp
> Adding open port 1/tcp
> Adding open port 32771/tcp
> Adding open port 79/tcp
> Adding open port 54320/tcp
> Adding open port 22/tcp
> Adding open port 540/tcp
> Adding open port 587/tcp
> Adding open port 12346/tcp
> Adding open port 1080/tcp
> Adding open port 25/tcp
> Adding open port 119/tcp
> Adding open port 11/tcp
> Adding open port 27665/tcp
> Adding open port 6667/tcp
> Adding open port 80/tcp
> Adding open port 635/tcp
> Adding open port 21/tcp
> Adding open port 32773/tcp
> Adding open port 143/tcp
> Adding open port 32772/tcp
> Adding open port 12345/tcp
> Adding open port 2000/tcp
> The SYN Stealth Scan took 157 seconds to scan 1601 ports.
> Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
> For OSScan assuming that port 1 is open and port 35689 is closed and neither are firewalled
> For OSScan assuming that port 1 is open and port 44468 is closed and neither are firewalled
> For OSScan assuming that port 1 is open and port 31999 is closed and neither are firewalled
> Interesting ports on herald.medill.northwestern.edu (129.105.51.6):
> (The 1574 ports scanned but not shown below are in state: filtered)
> Port       State       Service
> 1/tcp      open        tcpmux
> 11/tcp     open        systat
> 15/tcp     open        netstat
> 21/tcp     open        ftp
> 22/tcp     open        ssh
> 25/tcp     open        smtp
> 79/tcp     open        finger
> 80/tcp     open        http
> 111/tcp    open        sunrpc
> 119/tcp    open        nntp
> 143/tcp    open        imap2
> 540/tcp    open        uucp
> 587/tcp    open        submission
> 635/tcp    open        unknown
> 1080/tcp   open        socks
> 1524/tcp   open        ingreslock
> 2000/tcp   open        callbook
> 6667/tcp   open        irc
> 12345/tcp  open        NetBus
> 12346/tcp  open        NetBus
> 27665/tcp  open        Trinoo_Master
> 31337/tcp  open        Elite
> 32771/tcp  open        sometimes-rpc5
> 32772/tcp  open        sometimes-rpc7
> 32773/tcp  open        sometimes-rpc9
> 32774/tcp  open        sometimes-rpc11
> 54320/tcp  open        bo2k
> No exact OS matches for host (test conditions non-ideal).
> TCP/IP fingerprint:
> SInfo(V=3.00%P=i386-portbld-freebsd4.7%D=2/11%Time=3E490979%O=1%C=-1)
> TSeq(Class=TR%IPID=I%TS=100HZ)
> T1(Resp=Y%DF=Y%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
> T2(Resp=N)
> T3(Resp=Y%DF=Y%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
> T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
> T5(Resp=N)
> T6(Resp=N)
> T7(Resp=N)
> PU(Resp=N)
>
> Uptime 0.007 days (since Tue Feb 11 08:21:40 2003)
> TCP Sequence Prediction: Class=truly random
>                          Difficulty=9999999 (Good luck!)
> IPID Sequence Generation: Incremental
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 179 seconds
>
> any advice you could give would be appreciated.
>
> thanks
> redmond
>
> > > i've managed to get it nat'ing one machine so far, the webserver. the public
> > > ip of the webserver is aliased to the external nic on the gateway machine.
> > > httpd and ftp work ok behind the gateway box. i have many questions,
> > > however. the first being why - despite the firewall rules i have in place
> > > on the gateway, when i nmap the public ip of the webserver it shows me all
> > > sorts of ports being open. i can't make out from my gateway configuration
> > > where this is happening.
> >
> > What ports? is it TCP or UDP? UDP scanning is very prone to false positives.
> > It would help if you post the nmap flags line you're using and the results,
> > obfuscate the IP if you don't want us to know it.
> >
> > Another possibility is some interception/transparent proxy on your ISP.
> >
> > Fer
> >
> > > any advice would be appreciated
> > >
> > > thanks
> > > redmond
> >

--
Nigel Houghton
Security Engineer
Sourcefire Inc.
Specifications are for the weak and timid!
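A way to check Nigel's hunch, written here as an added example rather than code from the thread: the script parses the port table nmap printed and splits the "open" ports into those on PortSentry's default TCP bind list (the TCP_PORTS line of its stock portsentry.conf as I recall it, which is an assumption to verify against the file installed on the gateway) and the rest, so decoy listeners can be told apart from real services before ipf.rules is blamed.

```python
import re

# PortSentry's stock TCP decoy list (the TCP_PORTS line in portsentry.conf)
# as I recall it: an assumption, compare with the copy installed on the host.
PORTSENTRY_TCP_PORTS = {
    1, 11, 15, 79, 111, 119, 143, 540, 635, 1080, 1524, 2000, 5742, 6667,
    12345, 12346, 20034, 27665, 31337, 32771, 32772, 32773, 32774, 40421,
    49724, 54320,
}

# Constructed sample input: an excerpt of the "Port State Service" table
# from the nmap 3.00 run quoted in the thread.
NMAP_OUTPUT = """\
Port       State       Service
1/tcp      open        tcpmux
11/tcp     open        systat
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
79/tcp     open        finger
80/tcp     open        http
111/tcp    open        sunrpc
587/tcp    open        submission
1524/tcp   open        ingreslock
12345/tcp  open        NetBus
31337/tcp  open        Elite
54320/tcp  open        bo2k
"""

# One table row of nmap's old text output: "<port>/tcp  open  <service>"
TABLE_LINE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")


def open_tcp_ports(nmap_text):
    """Return {port: service} for every TCP port nmap reported as open."""
    ports = {}
    for line in nmap_text.splitlines():
        m = TABLE_LINE.match(line)
        if m:
            ports[int(m.group(1))] = m.group(2)
    return ports


def classify(ports):
    """Return (likely PortSentry decoys, other open ports), both sorted."""
    decoys = sorted(p for p in ports if p in PORTSENTRY_TCP_PORTS)
    real = sorted(p for p in ports if p not in PORTSENTRY_TCP_PORTS)
    return decoys, real
```

On the gateway itself, `sockstat -4l` shows which process owns each listening socket, which settles the question without guessing from the outside.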