Re: Is there a firewall in place?

["Gabi" <gabi333 () home ro>]

-------Original Message-------

Is it possible to tell if a machine you're port scanning is protected by a
firewall of some sort? That is, to tell if the scan is checking the ports
open and passed through a firewall, or whether the scan is scanning the
actual machine? The machine in question is running W2K, although nmap's OS
detection fails to confirm that.

Are there any tell tale signs that there's a filtering box in the way?

---------------------------------------

Basically nmap figures out if the scanned ports are closed or filtered. If
it finds ports in closed mode it usually means that the box is not protected
by any firewall. If it states the ports as being filtered it means that
somewhere on the way a firewall received the packet and decided not to
respond. 

Knowing where the firewall actually is can be done (also known as 3D mapping), but is a little bit tricky. The 
technique is also known as firewalking (check http://www.packetfactory.net/Projects/firewalk/ ) . You could also test 
this using special crafted packets sent by hping.