Firewall Wizards mailing list archives
FW: nmap fun
From: "LeGrow, Matt" <Matt_LeGrow () NAI com>
Date: Thu, 26 Oct 2000 08:36:15 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Bret,

I'm not exactly sure what you are saying here. If you attempted to route a TCP connect request through a Gauntlet firewall and an application proxy was listening on that port, one of several things could happen: if you were permitted to connect to the proxy, but not allowed to connect to the host, it would respond with a "destination denied" message. If you were not permitted to connect to the proxy, then you would be bounced and receive a message stating that you are not allowed to use the proxy. If there was no proxy listening on that port, the Gauntlet would respond with "ICMP Destination Unreachable" and the connection would be dropped immediately, or the connection request would time out eventually if that ICMP were blocked at some point on its way back to your machine. Unless you are doing packet forwarding there is no way to route that connection beyond the firewall, and in that case, it's a bad configuration.

Matt LeGrow
Network Associates, Inc.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Note: Opinions expressed herein are most certainly NOT that of my employer :-)

-----Original Message-----
From: Bret Watson [mailto:lists () ticm com]
Sent: Tuesday, October 24, 2000 5:59 AM
To: Franklin DeMotto
Cc: firewall-wizards () nfr net
Subject: [fw-wiz] nmap fun

Whilst we are looking at nmap.. Has anyone noticed that when scanning an address range "protected" by Gauntlet 5.x, interesting things appear? Such as being able to identify all the ports that are open on the hosts behind the firewall?

What makes it really interesting for me is that an application proxy should never reply for ports that are not permitted, but what seems to happen is that if one makes a TCP connect to an address protected by Gauntlet and this port is available on the machine, then Gauntlet will tell you to go away, but if the port is not open on the machine behind the wall then Gauntlet will not respond at all...
Thusly, one can do a TCP Connect scan of an address space covered by Gauntlet and get all the machines with their open ports - scary huh? This works on NT and Solaris under the latest version of Gauntlet. NAI has been asked (a couple of months ago even!) - no answer.

Cheers,

Bret
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
Comment: Crypto Provided by Network Associates <http://www.nai.com>

iQA/AwUBOfhPb/bW52zw8/NBEQK5WQCg+eT+rGaHPXrrQHyVBzCWXYE7VxUAoJmO
xxEImHJBRONugJPg394zqXjW
=AoGo
-----END PGP SIGNATURE-----
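The outcomes the two messages above argue about (a proxy that answers and refuses, a port nothing listens on, silence, or an ICMP unreachable) are exactly what a plain connect scan sees, and they can be classified without nmap. The following is an added example written for this archive page; it is not code from either poster, from NAI or from the nmap project. The fake proxy, its refusal text and the use of loopback addresses are constructed for the demonstration, and leaked_ports() encodes Bret's inference (firewall talks back = port open on the host behind it) as a hypothesis to test against a real target, not as confirmed Gauntlet behaviour.

```python
"""Connect-scan outcome classifier for the firewall behaviour discussed above.

Added example, not from the original thread.  Each connect() attempt ends in
one of four states; a proxy firewall that produces a different state for
ports open versus closed on the protected host leaks that host's port table.
"""
import errno
import socket
import threading
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class PortResult:
    host: str
    port: int
    state: str            # "open", "closed", "filtered" or "unreachable"
    banner: bytes = b""   # first bytes the peer (or the proxy) sent after connect


def classify_error(exc: OSError) -> str:
    """Map a failed connect() onto the state a scanner would report."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"       # no SYN/ACK and no RST: dropped silently somewhere
    if isinstance(exc, ConnectionRefusedError):
        return "closed"         # RST came back: host reachable, nothing listening
    if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
        return "unreachable"    # ICMP unreachable arrived (or no route at all)
    return "filtered"           # anything else: treat as no usable answer


def probe(host: str, port: int, timeout: float = 2.0, banner_bytes: int = 256) -> PortResult:
    """Full TCP connect, then grab whatever the peer says first (e.g. a proxy refusal)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
    except OSError as exc:
        sock.close()
        return PortResult(host, port, classify_error(exc))
    banner = b""
    try:
        banner = sock.recv(banner_bytes)   # a "not permitted to use the proxy" text lands here
    except OSError:
        pass                               # silent listener: still "open", just no banner
    finally:
        sock.close()
    return PortResult(host, port, "open", banner)


def scan(host: str, ports: Iterable[int], timeout: float = 2.0) -> List[PortResult]:
    return [probe(host, p, timeout) for p in ports]


def leaked_ports(results: Iterable[PortResult], denied_marker: bytes) -> List[int]:
    """Ports on which the firewall itself answered with its refusal text.

    Under the behaviour Bret reports, those are the ports open on the host
    behind the proxy; the list is the information leak.  Assumption, not fact.
    """
    return [r.port for r in results if r.state == "open" and denied_marker in r.banner]


def start_fake_proxy(message: bytes, connections: int = 1) -> int:
    """Constructed stand-in for a proxy that accepts, refuses in text, and hangs up."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        for _ in range(connections):
            conn, _ = srv.accept()
            conn.sendall(message)
            conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_closed_port() -> int:
    """Pick a loopback port with no listener, to see what a refused connect looks like."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    denied = b"You are not permitted to use this proxy\r\n"   # constructed refusal text
    proxy_port = start_fake_proxy(denied)
    results = scan("127.0.0.1", [proxy_port, free_closed_port()], timeout=1.0)
    for r in results:
        print(f"{r.host}:{r.port:<5} {r.state:<11} {r.banner!r}")
    print("ports the 'firewall' answered on:", leaked_ports(results, denied))
```

Against a real proxy firewall, run scan() once from outside with a long timeout and compare the per-port state with the inside host's own netstat; if "open with refusal banner" lines up with the inside listeners and "filtered" with the rest, the leak Bret describes is present. Matt's ICMP case shows up as "unreachable" only when the ICMP actually gets back to the scanner, otherwise as "filtered", which is why the timeout matters.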
Current thread:
- Re: nmap fun Chris Calabrese (Oct 27)
- Re: nmap fun Bret Watson (Oct 27)
- Re: nmap fun Magosányi Árpád (Oct 28)
- <Possible follow-ups>
- FW: nmap fun LeGrow, Matt (Oct 27)
- RE: nmap fun Frank Knobbe (Oct 27)
- RE: nmap fun LeGrow, Matt (Oct 27)
- RE: nmap fun Bret Watson (Oct 28)
- RE: FW: nmap fun LeGrow, Matt (Oct 28)
- Re: nmap fun Bret Watson (Oct 27)