Date:      Wed, 18 Apr 2001 11:47:21 -0400
From:      Carl Schmidt <lists@slackerbsd.org>
To:        Adam Clark <chumblybum@optushome.com.au>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Ports that show up "filtered" in nmap when there is no service running on that port
Message-ID:  <20010418114721.A34816@slackerbsd.org>
In-Reply-To: <001801c0c813$fac6a4b0$0200a8c0@bootcamp>; from chumblybum@optushome.com.au on Thu, Apr 19, 2001 at 12:29:25AM +1000
References:  <001801c0c813$fac6a4b0$0200a8c0@bootcamp>

Because you're from @home and @home does some port filtering at a higher level.
If you nmap 24.40.72.54 (my machine, you may if you want, use -T Polite though
=)) you'll see what I mean.

Carl Schmidt
http://slackerbsd.org/

On Thu, Apr 19, 2001 at 12:29:25AM +1000, Adam Clark wrote:
> 
> Hey,
>     I have a default catchall ipfilter rule and when I nmap my box
> it returns:
> 
> Starting nmap V. 2.52 by fyodor@insecure.org ( www.insecure.org/nmap/ )
> Interesting ports on MyHost  ( MYIP ):
> (The 1515 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 25/tcp     filtered    smtp
> 137/tcp    filtered    netbios-ns
> 138/tcp    filtered    netbios-dgm
> 139/tcp    filtered    netbios-ssn
> 1080/tcp   filtered    socks
> 
> Nmap run completed -- 1 IP address (1 host up) scanned in 23 seconds
> 
> yet all those services are not running on my machine, why would these appear
> as filtered?
> it obviously drops the packet before IPFILTER can even analyse it
> 
> version:
> FreeBSD milkrun.wiggedy 4.3-RC FreeBSD 4.3-RC #6: Fri Apr 13 20:48:43 EST
> 2001     root@milkrun.wiggedy:/usr/src/sys/compile/CYZZAATHOME  i386
> 
> Although this is a very up-to-date build of FreeBSD, I have seen this in
> versions all the way back to the 4.0 ISO release
> 
> I have many services running, like web and ftp, but they don't show up.
> I haven't got special rules for these services.
> 
> if I telnet into 23 I get this
> 16/04/2001 14:52:14.372837 rl0 @5:10 b src-ip,3734 -> my-ip,23 PR tcp len 20 44 -S IN
> 
> if I telnet into 25, it doesn't even show up in the log
> which proves my point about there is something BEFORE ipf that is deciding
> what to do with these
> packets
> 
> These are the rules I am using
> block return-rst in log on rl0 proto tcp all
> block return-icmp-as-dest(port-unr) in log on rl0 proto udp all
> 
> they are the last in the set apart from the out rules which are
> pass out quick on rl0 proto tcp  from my-ip/32 to any keep state
> pass out quick on rl0 proto udp  from my-ip/32 to any keep state
> pass out quick on rl0 proto icmp from my-ip/32 to any keep state
> 
> so every packet that comes in the interface gets reset
> hence all packets should be the same and should come up CLOSED by nmap not
> filtered
> 
> Adam
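
The check described in this thread, as an added example that is not part of either message: it correlates nmap's "filtered" ports with the destination ports seen in the ipf log, so a filtered port that never appears in the log is attributed to filtering before the host. The function names are hypothetical, the sample input is constructed from the output quoted above (the port 80 log line is invented), and it assumes the log covers the scan window and that the block rules carry `log`.

```python
import re

# Constructed sample input, modelled on the nmap 2.52 output quoted above.
NMAP_OUTPUT = """\
Interesting ports on MyHost  ( MYIP ):
(The 1515 ports scanned but not shown below are in state: closed)
Port       State       Service
25/tcp     filtered    smtp
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
1080/tcp   filtered    socks
"""

# Constructed log: the first line is the one quoted above, the second is invented.
IPMON_LOG = """\
16/04/2001 14:52:14.372837 rl0 @5:10 b src-ip,3734 -> my-ip,23 PR tcp len 20 44 -S IN
16/04/2001 14:52:20.101002 rl0 @5:10 b src-ip,3735 -> my-ip,80 PR tcp len 20 44 -S IN
"""

NMAP_PORT = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+\S+", re.M)
IPMON_DST = re.compile(r"->\s+\S+,(\d+)\s+PR\s+(tcp|udp)\b")


def nmap_states(text):
    """Map (proto, port) -> state for every port line in nmap's text output."""
    return {(proto, int(port)): state
            for port, proto, state in NMAP_PORT.findall(text)}


def logged_ports(log):
    """Set of (proto, destination port) pairs that reached ipf and were logged."""
    return {(proto, int(port)) for port, proto in IPMON_DST.findall(log)}


def classify_filtered(nmap_text, ipmon_log):
    """Label each 'filtered' port: 'local' if ipf logged a packet for it,
    'upstream' if nothing for that port ever reached the host's filter."""
    seen = logged_ports(ipmon_log)
    return {key: ("local" if key in seen else "upstream")
            for key, state in nmap_states(nmap_text).items()
            if state == "filtered"}


if __name__ == "__main__":
    for (proto, port), where in sorted(classify_filtered(NMAP_OUTPUT, IPMON_LOG).items()):
        print(f"{port}/{proto}: filtered {where}")
```
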
