Firewall Wizards mailing list archives
RE: FW: nmap fun
From: "LeGrow, Matt" <Matt_LeGrow () NAI com>
Date: Fri, 27 Oct 2000 07:49:12 -0700
-----Original Message-----
From: Bret Watson [mailto:lists () ticm com]
Sent: Thursday, October 26, 2000 7:07 PM
To: LeGrow, Matt
Cc: firewall-wizards () nfr com
Subject: Re: FW: [fw-wiz] nmap fun

> That last comment sounds like we might have hit the nail.... we have noticed that it is surprisingly hard to convince Gauntlet to disable a proxy that we don't want anymore. Sure, it stops permitting the traffic through, but it still responds and runs..
Yeah, but that doesn't explain SNMP or Sun Help. That sure sounds like you are getting responses from elsewhere....
> But in short it appears that Gauntlet lets all connections through and then terminates them after the fact - much room for packet hacking here I think..
>
> Bret

I really don't think this is the case in general, but perhaps something specific to this installation. The Gauntlet packet-filtering code, though limited, is pretty solid. It doesn't just "leak" packets, unless you have explicitly told it to do so.

The fact that you have enabled NAT is interesting, and makes me want to believe that you are probably configuring the Gauntlet to NAT-and-forward outbound/inbound packets through the firewall, in which case your Gauntlet proxies are only going to pick up outbound requests (assuming your forward rule takes precedence over the default absorb rules on the internal interface, which I am not sure about), and are not going to protect you from the outside coming in.

If this is the case, you should probably disable all of your filters, as others here have suggested, and try to find an alternate configuration. The packet filtering rules will take precedence over anything that the proxies will pick up. If you are going to use the Gauntlet as a sort of "transparent NAT device", you should probably absorb on both sides of the FW, so if a packet is bound for your internal network it will be absorbed and processed by a proxy, and immediately dropped if there is not a proxy available for that service.

Matt LeGrow
Network Associates, Inc.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Note: Opinions expressed herein are most certainly NOT that of my employer :-)