Firewall Wizards mailing list archives
Re: nmap fun
From: mjr () nfr com (Marcus J. Ranum)
Date: Wed, 25 Oct 2000 19:51:02 -0400 (EDT)
Bret Watson <lists () ticm com> asks:
> Thusly, one can do a TCP Connect scan of an address space covered by Gauntlet and get all the machines with their open ports - scary huh?
I don't think there are any pure proxy firewalls left in the world; most of the modern ones implement some kind of filtering capability "underneath" the proxying layer. This leaves them open to many of the questions a packet screen has to answer: does it track state (really, not just SYN/ACK) etc. I don't know anything about the way in which the newer versions of proxy firewalls implement transparency, but my suspicion is that a number of the implementations are flawed; in retrospect, there may be all kinds of ways a packet can get through.

Firewall customers once had a vote, and voted in favor of transparency, performance, and convenience instead of security; nobody should be surprised by the results.

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
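The distinction Marcus draws between tracking state "really" and merely looking at SYN/ACK bits, shown as an added example (this is not code from the list, from Gauntlet or from any other product; the 10.0.0.0/8 inside prefix, the addresses and the two packet traces are constructed for the demonstration). The flag-only filter is the old "established" ACL idea: anything inbound with ACK set is presumed to belong to a connection. The stateful filter only admits inbound packets that match a connection an inside host actually opened.

```python
"""Flag-only 'established' check vs. a real TCP state table.

Added example, not code from the firewall-wizards list or any product.
Addresses, the inside/outside prefix test and the packet traces are
constructed for the demonstration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST", "FIN"}


def is_inside(ip: str) -> bool:
    # Constructed assumption: the protected network is 10.0.0.0/8.
    return ip.startswith("10.")


def flag_only_filter(pkt: Packet) -> bool:
    """Accept outbound traffic, and inbound traffic whenever ACK is set.

    This is the classic 'established' ACL: it infers 'part of a connection'
    from one header bit and keeps no memory of what was sent out."""
    if is_inside(pkt.src):
        return True
    return "ACK" in pkt.flags


class StatefulFilter:
    """Accept inbound packets only for connections an inside host opened."""

    def __init__(self):
        self.table = {}  # (src, sport, dst, dport) of the outbound SYN -> state

    def decide(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if is_inside(pkt.src):
            if pkt.flags == frozenset({"SYN"}):
                self.table[fwd] = "SYN_SENT"   # new outbound connection
                return True
            return fwd in self.table           # continuation of a known one
        state = self.table.get(rev)
        if state == "SYN_SENT" and pkt.flags == frozenset({"SYN", "ACK"}):
            self.table[rev] = "ESTABLISHED"
            return True
        if state == "ESTABLISHED" and "ACK" in pkt.flags:
            return True
        return False                            # no matching outbound state


def legit_connection():
    """Constructed trace: inside host 10.0.0.5 connects to 192.0.2.10:80."""
    a, b = ("10.0.0.5", 40000), ("192.0.2.10", 80)
    return [
        Packet(*a, *b, frozenset({"SYN"})),
        Packet(*b, *a, frozenset({"SYN", "ACK"})),
        Packet(*a, *b, frozenset({"ACK"})),
        Packet(*b, *a, frozenset({"ACK"})),     # server data
    ]


def scan_probes():
    """Constructed trace: an outside host probes 10.0.0.5 with one SYN and
    with bare ACKs (the bare ACK is what nmap's ACK scan sends)."""
    return [
        Packet("198.51.100.7", 55555, "10.0.0.5", 22, frozenset({"SYN"})),
        Packet("198.51.100.7", 55556, "10.0.0.5", 22, frozenset({"ACK"})),
        Packet("198.51.100.7", 55557, "10.0.0.5", 80, frozenset({"ACK"})),
        Packet("198.51.100.7", 55558, "10.0.0.5", 443, frozenset({"ACK"})),
    ]


def evaluate():
    """Return how many packets of each trace each filter lets through."""
    stateful = StatefulFilter()
    results = {}
    for name, fn in (("flag_only", flag_only_filter), ("stateful", stateful.decide)):
        results[name] = {
            "legit_passed": sum(fn(p) for p in legit_connection()),
            "probes_passed": sum(fn(p) for p in scan_probes()),
        }
    return results


if __name__ == "__main__":
    for name, r in evaluate().items():
        print(f"{name:10s} legit {r['legit_passed']}/4  probes {r['probes_passed']}/4")
```

Both filters carry the legitimate connection end to end, but the flag-only filter passes all three bare-ACK probes, and since it also passes anything the inside host sends back, the RST that a live host returns to an unsolicited ACK leaks out and tells the scanner which addresses are up. The stateful filter has no table entry for the probes and drops them. The checking an operator wants to do is exactly the one in the `evaluate()` function: run a known-good trace and a scan trace through the device and compare what comes out.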
Current thread:
- Nmap -sO protocol scan apparently disables a certain firewall, allowing all sockets to pass Franklin DeMotto (Oct 24)
- nmap fun Bret Watson (Oct 26)
- RE: nmap fun Martin Machacek (Oct 27)
- Gauntlet problems - was nmap fun Bret Watson (Oct 28)
- RE: Gauntlet problems - was nmap fun Martin Machacek (Oct 28)
- RE: nmap fun Martin Machacek (Oct 27)
- Re: nmap fun Marcus J. Ranum (Oct 27)
- nmap fun Bret Watson (Oct 26)