Firewall Wizards mailing list archives
Re: source port specific port scan
From: "Charles Swiger" <chuck () codefab com>
Date: Sun, 14 Oct 2001 13:36:48 -0400
[ ... ]
Does anyone know of a port scanner that allows you to specify the source
port?

nmap (http://www.insecure.org/nmap/), with the -g option:

    -g <portnumber>  Sets the source port number used in scans. Many naive
    firewall and packet filter installations make an exception in their
    ruleset to allow DNS (53) or FTP-DATA (20) packets to come through and
    establish a connection.

[ ... ]
I'm trying to test a filter that allows outbound only SMTP. My worry is
that it is not stateful, and that an attacker using a source port of 25 can
bypass the filter.
You don't need to perform stateful filtering to accomplish your goal, but
you do need to pay attention to whether incoming packets from the remote
port 25 are "established". Here are some IPFW rules which show the general
idea:

# permit SMTP exchange between pi and bjork/fw
$fwcmd add pass tcp from ${pi} ${hiports} to ${bjork} 25
$fwcmd add pass tcp from ${bjork} 25 to ${pi} ${hiports} established
$fwcmd add pass tcp from ${bjork} ${hiports} to ${pi} 25
$fwcmd add pass tcp from ${pi} 25 to ${bjork} ${hiports} established
$fwcmd add pass tcp from ${iip} ${hiports} to ${bjork} 25
$fwcmd add pass tcp from ${bjork} 25 to ${iip} ${hiports} established

# track SMTP from inside to outside and block SMTP from outside
$fwcmd add pass log logamount 20 tcp from ${inet}:${imask} ${hiports} to any 25 setup
$fwcmd add pass tcp from ${inet}:${imask} ${hiports} to any 25 established
$fwcmd add pass tcp from any 25 to ${inet}:${imask} ${hiports} established
$fwcmd add unreach filter-prohib log tcp from any to ${inet}:${imask} 25
=====

Needless to say, the firewall isn't listening on port 25 (or anything else
but port 22 for sshd), but it does send mail.

-Chuck

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
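An added model of what the "setup" and "established" keywords do in the "track SMTP" rules above; this is illustration code, not from the original post or from ipfw itself. It assumes ipfw's semantics (setup = SYN set and ACK clear, established = ACK or RST set) and uses constructed placeholder values for ${inet}:${imask} and ${hiports}.

```python
from dataclasses import dataclass

# TCP flag bits as they appear in the TCP header flags byte
SYN, RST, ACK = 0x02, 0x04, 0x10

INSIDE_PREFIX = "192.0.2."      # constructed stand-in for ${inet}:${imask}
HIPORTS = range(1024, 65536)    # constructed stand-in for ${hiports}


@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def inside(ip):
    return ip.startswith(INSIDE_PREFIX)


def is_setup(p):
    # ipfw "setup": SYN set and ACK clear, i.e. a new connection attempt
    return bool(p.flags & SYN) and not (p.flags & ACK)


def is_established(p):
    # ipfw "established": ACK or RST set, i.e. part of an ongoing exchange
    return bool(p.flags & (ACK | RST))


def smtp_policy(p):
    """First-match evaluation of the four 'track SMTP' rules; 'pass' or 'deny'."""
    outbound = inside(p.src) and p.sport in HIPORTS and p.dport == 25
    inbound_reply = p.sport == 25 and inside(p.dst) and p.dport in HIPORTS
    if outbound and is_setup(p):
        return "pass"       # pass log ... to any 25 setup
    if outbound and is_established(p):
        return "pass"       # pass ... to any 25 established
    if inbound_reply and is_established(p):
        return "pass"       # pass tcp from any 25 to inside hiports established
    if inside(p.dst) and p.dport == 25:
        return "deny"       # unreach filter-prohib ... to inside 25
    return "deny"           # no pass rule matched in this model


if __name__ == "__main__":
    probe = Pkt("198.51.100.5", 25, "192.0.2.10", 40000, SYN)  # SYN from source port 25
    print("source-port-25 SYN:", smtp_policy(probe))            # deny
```

Running it shows that the source-port-25 SYN the questioner worries about is refused while real SMTP replies pass; a bare ACK from port 25 still matches "established", which is the remaining difference between this check and a stateful filter.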