Firewall Wizards mailing list archives

RE: Gauntlet problems - was nmap fun


From: Martin Machacek <mm () i cz>
Date: Fri, 27 Oct 2000 11:19:59 +0200 (MET DST)


On 26-Oct-00 Bret Watson wrote:
Well I'm not talking about internal networks, but machines in the DMZ. 

Aha. Do you have transparency configured on your external interface? What do your
packet filter rules look like? What does your routing table look like? Do you
have any NAT configured? What proxy do you use for port 80: http-gw, http-pdk,
plug-gw? What does your configuration for those proxies look like? Without
answers to those questions it is hard to tell whether there really is some
problem in Gauntlet (I'm quite sure it is not the case) or whether your
configuration is flawed. Even if your configuration is the problem, it need
not be entirely your fault. It would be just another example that current
Gauntlet configuration tools can very easily lead admins to creating insecure
configurations and that the default setup and accompanying documentation do not
either.

Simply put - nmap _should_ be able to see port 80 or 21 on those machines, 
it should _not_ be able to see port 6000 or 8888 - where there is no proxy 

If addresses of your hosts in the DMZ are routable from outside and you have
not explicitly created packet filter rules denying access from outside, any
service on machines in the DMZ can be "seen" (and also attacked). In such a case
your firewall would be just a somewhat over-complicated (and not very
powerful) router :-).

(yes any machine with X or Sun's help system running on it in a DMZ is 
certainly mis-configured!)

It is irritating, if the only ports I got responses from matched the 
proxies that were installed, then at least I could feel that the problem was 
manageable. But since I can get TCP connect hits against any port at the far 
end - it means that the firewall itself may be vulnerable to attacks.

Could you show us the output from nmap? Did you run the nmap scan against the
external address of the firewall or against the addresses of hosts in the DMZ?
I really suspect there is a severe configuration problem on your firewall (so
if you decide to send those scans be sure to change the addresses :-)).



        Martin 

---
[PGP KeyID F3F409C4]
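The check Martin is asking for in this reply (do the ports visible from outside match the proxies you actually installed, or can everything on the DMZ hosts be reached?) can be automated. The script below is an added example written for this archive page; it is not code from the thread, from Gauntlet, or from nmap. It parses nmap's grepable (-oG) output format, compares each DMZ host's open TCP ports against a hypothetical per-host policy listing only the proxied services, and reports anything else that answered. The scan text, the 192.0.2.0/24 addresses and the policy are constructed sample data: the two hosts show exactly the situation described above, port 80 and 21 expected, 6000 and 8888 not.

```python
"""Compare an nmap grepable (-oG) scan of DMZ hosts against the exposure the
firewall was meant to allow, and flag open ports that have no proxy behind them.

Added example for this mailing-list page; not code from the thread, Gauntlet or nmap."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of what nmap -oG, run from outside the firewall, might
# report for two DMZ hosts. Addresses are from the RFC 5737 documentation range.
SAMPLE_SCAN = """\
# Nmap scan (constructed sample, not real output)
Host: 192.0.2.10 (www.example)\tPorts: 80/open/tcp//http///, 6000/open/tcp//X11///, 8888/open/tcp//answerbook///\tIgnored State: closed (997)
Host: 192.0.2.11 (ftp.example)\tPorts: 21/open/tcp//ftp///, 22/filtered/tcp//ssh///\tIgnored State: closed (998)
"""

# Hypothetical policy: the only services with a proxy (and thus a legitimate
# reason to be reachable from outside) on each DMZ host.
EXPECTED_EXPOSURE: Dict[str, Set[int]] = {
    "192.0.2.10": {80},
    "192.0.2.11": {21},
}

# One -oG host line: "Host: <addr> (<name>)<TAB>Ports: <list>[<TAB>Ignored State: ...]"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\tIgnored State:.*)?$")


def parse_grepable(text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Return {host: [(port, state, protocol), ...]} from nmap -oG lines.

    Each port entry in -oG is port/state/protocol/owner/service/rpcinfo/version/;
    only the first three fields are needed here. Comment lines are skipped."""
    result: Dict[str, List[Tuple[int, str, str]]] = {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        m = HOST_RE.match(line)
        if not m:
            continue
        host, ports_field = m.group(1), m.group(2)
        entries = []
        for item in ports_field.split(","):
            fields = item.strip().split("/")
            if len(fields) < 3 or not fields[0].isdigit():
                continue
            entries.append((int(fields[0]), fields[1], fields[2]))
        result[host] = entries
    return result


def unexpected_open_ports(scan: Dict[str, List[Tuple[int, str, str]]],
                          policy: Dict[str, Set[int]]) -> Dict[str, List[int]]:
    """Open TCP ports per host that the policy does not allow.

    A host absent from the policy is treated as allowing nothing, so a DMZ
    machine nobody remembered to write a policy for is reported in full.
    Filtered or closed ports are not findings: they are what a working
    packet filter should produce."""
    findings: Dict[str, List[int]] = {}
    for host, entries in scan.items():
        allowed = policy.get(host, set())
        bad = sorted(port for port, state, proto in entries
                     if state == "open" and proto == "tcp" and port not in allowed)
        if bad:
            findings[host] = bad
    return findings


def exposure_matches_policy(scan_text: str, policy: Dict[str, Set[int]]) -> bool:
    """True when nothing beyond the proxied services answered from outside."""
    return not unexpected_open_ports(parse_grepable(scan_text), policy)


if __name__ == "__main__":
    report = unexpected_open_ports(parse_grepable(SAMPLE_SCAN), EXPECTED_EXPOSURE)
    for host, ports in report.items():
        print(f"{host}: open ports with no proxy behind them: {ports}")
    if not report:
        print("exposure matches policy")
```

Running it against the constructed sample reports 6000 and 8888 on 192.0.2.10 and nothing on 192.0.2.11, since port 22 there shows as filtered rather than open. In practice the scan would be taken from a host outside the firewall against the DMZ addresses, and a non-empty report is the cue to look at the packet filter rules and routing table Martin asks about, not at nmap.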

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

