Firewall Wizards mailing list archives

Re: source port specific port scan


From: "Charles Swiger" <chuck () codefab com>
Date: Sun, 14 Oct 2001 13:36:48 -0400

[ ... ]
Does anyone know of a port scanner that allows you to specify the source
port?

nmap (http://www.insecure.org/nmap/), with the -g option:

       -g <portnumber>
              Sets the source port number used  in  scans.   Many
              naive firewall and packet filter installations make
              an exception in their ruleset to allow DNS (53)  or
              FTP-DATA (20) packets to come through and establish
              a connection.  [ ... ]

I'm trying to test a filter that allows outbound only SMTP.  My worry is
that it is not stateful, and that an attacker using a source port of 25 can
bypass the filter.

You don't need to perform stateful filtering to accomplish your goal, but you
do need to pay attention to whether incoming packets from the remote port 25
are "established".  Here are some IPFW rules which show the general idea:

    # permit SMTP exchange between pi and bjork/fw
    $fwcmd add pass tcp from ${pi} ${hiports} to ${bjork} 25
    $fwcmd add pass tcp from ${bjork} 25 to ${pi} ${hiports} established

    $fwcmd add pass tcp from ${bjork} ${hiports} to ${pi} 25
    $fwcmd add pass tcp from ${pi} 25 to ${bjork} ${hiports} established

    $fwcmd add pass tcp from ${iip} ${hiports} to ${bjork} 25
    $fwcmd add pass tcp from ${bjork} 25 to ${iip} ${hiports} established

    # track SMTP from inside to outside and block SMTP from outside
    $fwcmd add pass log logamount 20 tcp from ${inet}:${imask} ${hiports} to any 25 setup
    $fwcmd add pass tcp from ${inet}:${imask} ${hiports} to any 25 established
    $fwcmd add pass tcp from any 25 to ${inet}:${imask} ${hiports} established

    $fwcmd add unreach filter-prohib log tcp from any to ${inet}:${imask} 25

    =====

Needless to say, the firewall isn't listening on port 25 (or anything else but
port 22 for sshd), but it does send mail.

-Chuck

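As an added illustration (not part of Chuck's message), the following Python model evaluates the last four rules above with ipfw's semantics: first match wins, "setup" means SYN set and ACK clear, "established" means ACK or RST set. The network 10.0.0.0/24 and the 1024-65535 range are constructed stand-ins for ${inet}:${imask} and ${hiports}.

```python
import ipaddress
from dataclasses import dataclass

INET = ipaddress.ip_network("10.0.0.0/24")  # constructed stand-in for ${inet}:${imask}
HIPORTS = range(1024, 65536)                # constructed stand-in for ${hiports}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False

def inside(ip):
    return ipaddress.ip_address(ip) in INET

# ipfw keyword semantics: "setup" matches SYN set and ACK clear;
# "established" matches any packet with ACK or RST set.
def is_setup(p):
    return p.syn and not p.ack

def is_established(p):
    return p.ack or p.rst

# The SMTP rules from the message, in their original order.
RULES = [
    # pass tcp from ${inet}:${imask} ${hiports} to any 25 setup
    ("pass", lambda p: inside(p.src) and p.sport in HIPORTS and p.dport == 25 and is_setup(p)),
    # pass tcp from ${inet}:${imask} ${hiports} to any 25 established
    ("pass", lambda p: inside(p.src) and p.sport in HIPORTS and p.dport == 25 and is_established(p)),
    # pass tcp from any 25 to ${inet}:${imask} ${hiports} established
    ("pass", lambda p: p.sport == 25 and inside(p.dst) and p.dport in HIPORTS and is_established(p)),
    # unreach filter-prohib tcp from any to ${inet}:${imask} 25
    ("unreach", lambda p: inside(p.dst) and p.dport == 25),
]

def verdict(p):
    """First matching rule wins, as in ipfw; anything unmatched hits the implicit deny."""
    for action, match in RULES:
        if match(p):
            return action
    return "deny"

if __name__ == "__main__":
    print(verdict(Packet("192.0.2.10", 25, "10.0.0.5", 40000, syn=True)))  # deny: bare SYN from port 25
```

A SYN arriving from source port 25 is not "established", so it is dropped, while the SYN-ACK reply to a connection opened from inside is passed; a packet from port 25 carrying only ACK or RST still matches "established", which is the gap that real state tracking (ipfw keep-state) closes over this approach.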

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
