an error in the NMAP docs?

["Michael Herz" <mherz () uwaterloo ca>]

Hi all,

Is there an error in the NMAP docs? The --source_port section says:

"Many naive firewall and packet filter installations make an exception in
their rule-set to allow DNS (53) or FTP-DATA (20) packets to  come  through
and establish a connection. Obviously this completely subverts the security
advantages of the firewall since intruders can just masquerade  as FTP or
DNS by modifying their source port."

This implies that the hole in a packet filtered machine exists if it has
allowed inbound DNS or FTP connections. I don't believe this is true. I
think the hole only exists if the machine has allowed outbound (ie client)
connections from the machine. For example if the machine allowed outbound
DNS client requests to the world, using --source_port 53 would exploit the
hole.

Any comments would be appreciated.
Mike


---------------------------------------------------------------------------
Earn your MS in Information Security ONLINE
Organizations worldwide are in need of highly qualified information security 
professionals.  Norwich University is fulfilling this demand with its MS in 
Information Security offered online.  Recognized by the NSA as an 
academically excellent program, NU offers you the opportunity to earn your 
degree without disrupting your home or work life.

http://www.msia.norwich.edu/secfocus_en
----------------------------------------------------------------------------