Date:      Thu, 19 Apr 2001 00:29:25 +1000
From:      "Adam Clark" <chumblybum@optushome.com.au>
To:        <freebsd-questions@FreeBSD.ORG>
Subject:   Ports that show up "filtered" in nmap when there is no service running on that port
Message-ID:  <001801c0c813$fac6a4b0$0200a8c0@bootcamp>


Hey,
    I have a default catchall ipfilter rule and when I nmap my box
it returns:

Starting nmap V. 2.52 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on MyHost  ( MYIP ):
(The 1515 ports scanned but not shown below are in state: closed)
Port       State       Service
25/tcp     filtered    smtp
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
1080/tcp   filtered    socks

Nmap run completed -- 1 IP address (1 host up) scanned in 23 seconds

Yet none of those services are running on my machine, so why would these appear
as filtered?
It obviously drops the packet before IPFILTER can even analyse it.

version:
FreeBSD milkrun.wiggedy 4.3-RC FreeBSD 4.3-RC #6: Fri Apr 13 20:48:43 EST
2001     root@milkrun.wiggedy:/usr/src/sys/compile/CYZZAATHOME  i386

Although this is a very up-to-date build of FreeBSD, I have seen this in
versions all the way back to the 4.0 ISO release.

I have many services running, like web and FTP, but they don't show up.
I haven't got special rules for these services.

If I telnet into 23 I get this:
16/04/2001 14:52:14.372837 rl0 @5:10 b src-ip,3734 -> my-ip,23 PR tcp len 20 44 -S IN

If I telnet into 25, it doesn't even show up in the log,
which proves my point that there is something BEFORE ipf that is deciding
what to do with these packets.

These are the rules I am using
block return-rst in log on rl0 proto tcp all
block return-icmp-as-dest(port-unr) in log on rl0 proto udp all

They are the last in the set apart from the out rules, which are:
pass out quick on rl0 proto tcp  from my-ip/32 to any keep state
pass out quick on rl0 proto udp  from my-ip/32 to any keep state
pass out quick on rl0 proto icmp from my-ip/32 to any keep state

So every packet that comes in the interface gets reset;
hence all packets should be the same and should come up CLOSED by nmap, not
filtered.

Adam
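An added example, not part of Adam's message or of the ipfilter or nmap projects, that mechanises the check the message performs by hand: it reads the nmap 2.52 port table quoted above and an ipmon log, and splits the ports nmap reported as "filtered" into those for which ipf logged an inbound TCP probe (so ipf saw and blocked the packet, and the rule number tells you which rule did it) and those with no log entry at all (the probe never reached ipf). The ipmon line layout is assumed to match the single log line quoted in the message; the port-113 and port-6000 log lines, and the extra port-1080 line used at the bottom, are constructed for the example. nmap's state table is the standard one for a SYN scan: RST back means "closed", SYN/ACK means "open", and no reply or an ICMP unreachable means "filtered".

```python
"""Cross-check an nmap port table against an ipmon (ipfilter) log.

Added example for this archive page; not code from the original post.
Assumes ipmon lines look like the one quoted in the e-mail:
  16/04/2001 14:52:14.372837 rl0 @5:10 b src-ip,3734 -> my-ip,23 PR tcp len 20 44 -S IN
"""
import re
from typing import Dict, List

# The nmap 2.52 port table quoted in the message.
NMAP_OUTPUT = """\
Interesting ports on MyHost  ( MYIP ):
(The 1515 ports scanned but not shown below are in state: closed)
Port       State       Service
25/tcp     filtered    smtp
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
1080/tcp   filtered    socks
"""

# Constructed ipmon sample: the port-23 line is the one quoted in the
# message; the other two lines are invented to stand in for probes to other
# ports that the catch-all 'block return-rst in log' rule (@5:10) handled.
IPF_LOG = """\
16/04/2001 14:52:14.372837 rl0 @5:10 b src-ip,3734 -> my-ip,23 PR tcp len 20 44 -S IN
16/04/2001 14:52:14.401120 rl0 @5:10 b src-ip,3735 -> my-ip,113 PR tcp len 20 44 -S IN
16/04/2001 14:52:14.455981 rl0 @5:10 b src-ip,3736 -> my-ip,6000 PR tcp len 20 44 -S IN
"""

# What nmap prints for a TCP SYN probe, depending on what the host does with it.
EXPECTED_STATE = {
    "return-rst": "closed",        # ipf answers the SYN with a RST
    "drop": "filtered",            # ipf, or anything upstream, silently discards it
    "pass-no-listener": "closed",  # kernel answers RST itself
    "pass-listener": "open",       # service answers SYN/ACK
}

NMAP_PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\b")
IPF_LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<rule>\d+:\d+) "
    r"(?P<action>[bpS]) (?P<src>\S+),(?P<sport>\d+) -> (?P<dst>\S+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?: (?P<flags>-[A-Z]+))? (?P<dir>IN|OUT)$"
)


def parse_nmap(text: str) -> Dict[int, str]:
    """Return {port: state} for the TCP rows of an nmap port table."""
    states: Dict[int, str] = {}
    for line in text.splitlines():
        m = NMAP_PORT_RE.match(line.strip())
        if m and m.group(2) == "tcp":
            states[int(m.group(1))] = m.group(3)
    return states


def parse_ipf_log(text: str) -> List[dict]:
    """Parse ipmon lines into dicts; lines in another layout are skipped."""
    records = []
    for line in text.splitlines():
        m = IPF_LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def cross_check(nmap_text: str, log_text: str, iface: str = "rl0") -> dict:
    """Split nmap's 'filtered' ports by whether ipf logged an inbound probe to them.

    filtered_seen_by_ipf   -> {port: rule}: ipf saw the SYN and that rule
                              blocked it without a RST (so nmap sees no reply)
    filtered_unseen_by_ipf -> set of ports whose SYN never reached ipf at all
    """
    filtered = {p for p, s in parse_nmap(nmap_text).items() if s == "filtered"}
    rule_by_port: Dict[int, str] = {}
    for rec in parse_ipf_log(log_text):
        if rec["dir"] == "IN" and rec["proto"] == "tcp" and rec["iface"] == iface:
            rule_by_port.setdefault(rec["dport"], rec["rule"])
    return {
        "filtered_seen_by_ipf": {p: rule_by_port[p] for p in filtered if p in rule_by_port},
        "filtered_unseen_by_ipf": {p for p in filtered if p not in rule_by_port},
    }


if __name__ == "__main__":
    result = cross_check(NMAP_OUTPUT, IPF_LOG)
    for port, rule in sorted(result["filtered_seen_by_ipf"].items()):
        print(f"{port}/tcp filtered: blocked by ipf rule @{rule} without return-rst")
    for port in sorted(result["filtered_unseen_by_ipf"]):
        print(f"{port}/tcp filtered: no ipf log entry, probe dropped before ipf")
```

With the log as constructed here, all five filtered ports land in `filtered_unseen_by_ipf`, which is the situation the message describes: a `block return-rst ... log` catch-all answers every SYN it sees with a RST and logs it, so a port that nmap still calls "filtered" and that never appears in ipmon output is one whose probe was discarded before the packet filter ran. If a port instead turns up in `filtered_seen_by_ipf`, the rule number points at an earlier `block` without `return-rst` in the ruleset.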



