RE: an error in the NMAP docs?

["Michael Herz" <mherz () uwaterloo ca>]

Hi all,

Thanks for the reply's but I don't think I'm getting my point across
properly. Please let me try again.

If you create with a machine that is protected both inbound and outbound by
deny all rules and then add a packet filter rule to allow the machine to act
as a DNS server (inbound port 53). If you then scan this machine now by
using the "--source_port 53" option, scans won't get through and no other
services will be exposed.

If you add a client rule so the machine can ftp out (outbound port 20),
using the "--source_port 20" option will now allow scans to pass through and
will expose all the services the machine has to offer. This is due to the
fact that only client service definitions allow access to all ports on the
local machine. Server type definitions do not exhibit this behavior as
described in the preceding paragraph.

If the above paragraphs are correct, I think the NMAP docs are incorrect as
they are describing the exploit of a "server type service" rule with the
line "Many naive firewall and packet filter installations make an exception
in their rule-set to allow DNS (53) or FTP-DATA (20) packets to come
through and establish a connection". To me, saying "allow DNS (53) or
FTP-DATA (20) packets to come  through" implies server services at port 53
and 20 on the machine.

I think the sentence should be written: "Many naive firewall and packet
filter installations make an exception in their rule-set to allow outbound
DNS (53) or FTP-DATA (20) packets to pass"... thus making a hole that
--source_port can exploit.

Mike



> -----Original Message-----
> From: Michael Herz 
> Sent: Friday, April 01, 2005 8:05 AM
> To: security-basics () securityfocus com
> Subject: an error in the NMAP docs?
>
>
> Hi all,
>
> Is there an error in the NMAP docs? The --source_port section says:
>
> "Many naive firewall and packet filter installations make an
> exception in
> their rule-set to allow DNS (53) or FTP-DATA (20) packets to  
> come  through
> and establish a connection. Obviously this completely 
> subverts the security
> advantages of the firewall since intruders can just 
> masquerade  as FTP or
> DNS by modifying their source port."
>
> This implies that the hole in a packet filtered machine
> exists if it has
> allowed inbound DNS or FTP connections. I don't believe this 
> is true. I
> think the hole only exists if the machine has allowed 
> outbound (ie client)
> connections from the machine. For example if the machine 
> allowed outbound
> DNS client requests to the world, using --source_port 53 
> would exploit the
> hole.


---------------------------------------------------------------------------
Earn your MS in Information Security ONLINE
Organizations worldwide are in need of highly qualified information security
professionals.  Norwich University is fulfilling this demand with its MS in
Information Security offered online.  Recognized by the NSA as an
academically excellent program, NU offers you the opportunity to earn your
degree without disrupting your home or work life.

http://www.msia.norwich.edu/secfocus_en
----------------------------------------------------------------------------