Firewall Wizards mailing list archives
RE: Gauntlet problems - was nmap fun
From: Martin Machacek <mm () i cz>
Date: Fri, 27 Oct 2000 11:19:59 +0200 (MET DST)
On 26-Oct-00 Bret Watson wrote:
> Well I'm not talking about internal networks, but machines in the DMZ.
Aha. Do you have transparency configured on your external interface? What do your packet filter rules look like? What does your routing table look like? Do you have any NAT configured? What proxy do you use for port 80: http-gw, http-pdk, plug-gw? What does your configuration for those proxies look like? Without answers to those questions it is hard to tell whether there really is some problem in Gauntlet (I'm quite sure it is not the case) or whether your configuration is flawed. Even if your configuration is the problem, it need not be entirely your fault. It would be just another example that current Gauntlet configuration tools can very easily lead admins to creating insecure configurations and that the default setup and accompanying documentation do not either.
> Simply put - nmap _should_ be able to see port 80 or 21 on those machines, it should _not_ be able to see port 6000 or 8888 - where there is no proxy
If addresses of your hosts in the DMZ are routable from outside and you have not explicitly created packet filter rules denying access from outside, any service on machines in the DMZ can be "seen" (and also attacked). In such a case your firewall would be just a somewhat over-complicated (and not very powerful) router :-).
> (yes any machine with X or Sun's help system running on it in a DMZ is certainly mis-configured!) It is irritating, if the only ports I got responses from matched the proxies that were installed, then at least I could feel that the problem was manageable. But since I can get TCP connect hits against any port at the far end - it means that the firewall itself may be vulnerable to attacks.
Could you show us the output from nmap? Did you run the nmap scan against the external address of the firewall or against the addresses of hosts in the DMZ? I really suspect there is a severe configuration problem on your firewall (so if you decide to send those scans be sure to change the addresses :-)).

Martin
---
[PGP KeyID F3F409C4]

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
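The reasoning in the reply above (a proxy firewall with routable DMZ addresses, forwarding on and no deny rules exposes every port, while a correct setup exposes only the proxied ports) can be checked against a scan result with a small model. This is an added example, not code from the thread or from Gauntlet; the rule representation, port numbers and the two configurations are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    dst_port: Optional[int]    # None matches any destination port

def filter_allows(rules, port, default="deny"):
    """Ordered packet filter: first matching rule wins, then the default policy."""
    for rule in rules:
        if rule.dst_port is None or rule.dst_port == port:
            return rule.action == "permit"
    return default == "permit"

def expected_visible_ports(ports, proxy_ports, forwards_packets, rules, default="deny"):
    """Ports an outside scanner should see on a DMZ host.

    A proxied port answers because the proxy accepts the connection. Any other
    port answers only if the firewall forwards the packet to a routable DMZ
    address AND the packet filter lets it through, i.e. the firewall acts as a router.
    """
    visible = []
    for port in ports:
        if port in proxy_ports or (forwards_packets and filter_allows(rules, port, default)):
            visible.append(port)
    return visible

def unexpected_open_ports(observed_open, proxy_ports):
    """Ports a scan reported open that no proxy accounts for: traffic is leaking through the firewall."""
    return sorted(set(observed_open) - set(proxy_ports))

# Constructed scenario: a DMZ host listening on ftp, http, X11 and a help-system port.
DMZ_HOST_PORTS = [21, 80, 6000, 8888]
PROXY_PORTS = {21, 80}       # ftp and http proxies configured on the firewall (assumed)

# Flawed setup: routable DMZ, forwarding on, no deny rules, permissive default policy.
FLAWED = dict(forwards_packets=True, rules=[], default="permit")
# Corrected setup: forwarded traffic meets an explicit deny-all rule, so only proxies answer.
FIXED = dict(forwards_packets=True, rules=[Rule("deny", None)], default="deny")

if __name__ == "__main__":
    print("flawed :", expected_visible_ports(DMZ_HOST_PORTS, PROXY_PORTS, **FLAWED))
    print("fixed  :", expected_visible_ports(DMZ_HOST_PORTS, PROXY_PORTS, **FIXED))
    # Constructed scan result: every port answered, as described in the thread.
    print("leaks  :", unexpected_open_ports([21, 80, 6000, 8888], PROXY_PORTS))
```

Feed `unexpected_open_ports` the open ports from a real scan of a DMZ address; any port not backed by a proxy is one the filter or routing configuration is letting through.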