Vulnerability Development mailing list archives

RE: Bigger bug than expected?


From: "Christophe Grenier" <christophe.grenier () global-secure fr>
Date: Tue, 5 Mar 2002 11:34:16 +0100

There is NO bug.

With correct firewall rules, only TCP and SYN scans work.

  iptables -A INPUT -m state --state INVALID -m limit --limit 4/s -j LOG --log-prefix "INPUT INVALID "
  iptables -A INPUT -m state --state INVALID -j DROP
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 4/s -j LOG --log-prefix "TCP INPUT without SYN "
  iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -i eth0 -j to-me
  iptables -A INPUT -i eth1 -j to-me
  iptables -A INPUT -m limit --limit 4/s -j LOG --log-prefix "INPUT bad "
  iptables -A INPUT -j DROP

where to-me is a user-defined rule where you allowed connections to certain ports.

Extract from nmap documentation:
-sF -sX -sN
Stealth FIN, Xmas Tree, or Null scan modes:
<snip>
The idea is that closed ports are required to reply to your probe packet with an RST,
while open ports must ignore the packets in question (see RFC 793 pp 64).

Your stealth packets are dropped by the firewall, check your logs.

        Christophe

--
Global Secure
78, rue de la Condamine
75017 PARIS
Tel : 01 44 70 48 03
Fax : 01 44 70 48 49
Email : cgr () global-secure fr 

-----Original Message-----
From: Justin Piszcz [mailto:war () starband net]
Sent: Thursday, 28 February 2002 13:27
To: netfilter () lists samba org
Cc: vuln-dev () securityfocus com; bugtraq () securityfocus com
Subject: Bigger bug than expected?


Further NMAP testing shows the following: (IPTables 1.2.4/Kernel 2.4.18)

nmap -P0 -sT -p 21,80 IP
21/tcp     filtered    ftp
80/tcp     filtered    http

nmap -P0 -sF -p 21,80 IP
21/tcp     open        ftp
80/tcp     open        http

nmap -P0 -sX -p 21,80 IP
21/tcp     open        ftp
80/tcp     open        http

nmap -P0 -sN -p 21,80 IP
21/tcp     open        ftp
80/tcp     open        http
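
Following the reply's advice to check the logs, this added example (not part of either message) parses kernel log lines carrying the two TCP-related prefixes from the ruleset above and groups FIN, Xmas and Null probes by source address. The sample lines are constructed in the netfilter LOG layout with documentation addresses; which prefix each probe lands under depends on connection tracking and is assumed here.

```python
import re
from collections import defaultdict

# Prefixes set with --log-prefix in the two state-match LOG rules above.
PREFIXES = ("INPUT INVALID ", "TCP INPUT without SYN ")
# Flag sets sent by nmap -sN, -sF and -sX respectively.
PROBES = {frozenset(): "null", frozenset({"FIN"}): "fin",
          frozenset({"FIN", "PSH", "URG"}): "xmas"}
# LOG prints the TCP flag words between RES= and URGP=.
LINE = re.compile(r"SRC=(\S+) .*PROTO=TCP SPT=\d+ DPT=(\d+) .*RES=\S+ (.*)URGP=")

def classify(flag_field):
    """Map the logged flag words to a probe type, or None for other traffic."""
    return PROBES.get(frozenset(flag_field.split()))

def stealth_probes(log_text):
    """Return {source address: {probe type: sorted destination ports}}."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        if not any(prefix in line for prefix in PREFIXES):
            continue
        match = LINE.search(line)
        if not match:
            continue
        src, dport, flags = match.groups()
        kind = classify(flags)
        if kind:
            hits[src][kind].add(int(dport))
    return {s: {k: sorted(v) for k, v in kinds.items()} for s, kinds in hits.items()}

def sample_line(prefix, src, dport, flags):
    # Constructed line in the LOG target's layout (MAC field omitted).
    return (f"Mar  5 11:30:01 fw kernel: {prefix}IN=eth0 OUT= SRC={src} "
            f"DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=4711 PROTO=TCP "
            f"SPT=40000 DPT={dport} WINDOW=1024 RES=0x00 {flags}URGP=0")

SAMPLE_LOG = "\n".join([
    sample_line(PREFIXES[1], "192.0.2.10", 21, "FIN "),
    sample_line(PREFIXES[1], "192.0.2.10", 80, "FIN "),
    sample_line(PREFIXES[0], "192.0.2.10", 80, "URG PSH FIN "),
    sample_line(PREFIXES[0], "192.0.2.10", 21, ""),
    sample_line(PREFIXES[1], "203.0.113.7", 443, "ACK "),  # stray ACK, not a probe
])

if __name__ == "__main__":
    for src, kinds in stealth_probes(SAMPLE_LOG).items():
        print(src, kinds)
```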



