Re: how nmap can know my firewalled servers ?

[Gregory Boyce <gboyce () akamai com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

With nothing on the port:

nmap 127.0.0.2 -p 23 -sU

PORT   STATE  SERVICE
23/udp closed telnet

09:57:52.335826 IP 127.0.0.1.42869 > 127.0.0.2.23: UDP, length 0
09:57:52.335870 IP 127.0.0.2 > 127.0.0.1: ICMP 127.0.0.2 udp port 23
unreachable, length 36

- -------------

With the port set to DROP:

nmap 127.0.0.2 -p 23 -sU

PORT   STATE         SERVICE
23/udp open|filtered telnet

10:05:14.032653 IP 127.0.0.1.57201 > 127.0.0.2.23: UDP, length 0
10:05:15.034157 IP 127.0.0.1.57202 > 127.0.0.2.23: UDP, length 0

A closed port gets an ICMP response.  No response yields "open|filtered".

Arturas Zalenekas wrote:
> UDP has a timeout. If NMAP doesn't get a response (doesn't metter is it
> UDP or ICMP protocol), it will mark the port as closed. That is a sort
> descrition, how NMAP determins, if the UDP port is open or closed.
> The time windows, how NMAP has to scan a specific protocol, can be set.
> There is an default value for UDP protocol.
> Actually, everything is described in the manuals, so why actually are you
> asking !? The manual is more then self explaining.
> If you don't understand these options or the use for these options, feel
> free to ask, but first read the man pages please.
>
> Kind regards,
> Arturas Zalenekas
> Network Security Engineer and Analyst
>
>
> On Wed, April 12, 2006 20:26, Alice Bryson wrote:
>
> > > Yes, i agree that.
> > > How about UDP, if an udp port firewalled, how does NMAP know it?
> > >
> > > 2006/4/13, Nathaniel Hall <nathaniel.d.hall () gmail com>:
> > >
> > > > I am assuming you are using a DROP rule on your firewall.  NMAP knows
> > > > that if it does not receive a response for a TCP connection then it is
> > > > firewalled.  Dropping traffic at a firewall violates RFC and makes it
> > > > much easier to know when there is a firewall between the scanner and the
> > > > end host.  I recommend using REJECT
> > > >
> > > > -A INPUT -j REJECT --reject-with icmp-host-unreachable
> > > >
> > > > That will conform to RFC (I'm pretty sure) and will make it harder to
> > > > detect a firewall with NMAP.
> > > >
> > > > Alexey Eremenko wrote:
> > > >
> > > >
> > > > > Hi all !
> > > > >
> > > > > I know that "nmap" can show open ports. But nmap also shows my
> > > > > firewalled ports !
> > > > > How?
> > > > >
> > > > > Since some servers (like apache) are firewalled with iptables, how can
> > > > > nmap know wherever
> > > > > my system run the service with open port, filtered port or doesn't run
> > > > > it at all ?
> > > >
> > > > --
> > > > Nathaniel Hall, GSEC GCFW GCIA
> > > >
> > > >
> > > > -------------------------------------------------------------------------
> > > > This List Sponsored by: Webroot
> > > >
> > > > Don't leave your confidential company and customer records un-protected.
> > > > Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
> > > > obligation. See why so many companies trust Spy Sweeper Enterprise to
> > > > eradicate spyware from their networks.
> > > > FREE 30-Day Trial of Spy Sweeper Enterprise
> > > >
> > > > http://www.webroot.com/forms/enterprise_lead.php
> > > > --------------------------------------------------------------------------
> > >
> > >
> > > --
> > > http://www.lwang.org
> > > lwang.org provides online base64 encode and decode, crc32 md5 and sha1
> > > hashing, online ciphers, encryption and decryption. We are engaged in
> > > adding more common use lookup service.
> > > We collect spam for research at abryson () bytefocus com
> > >
> > > -------------------------------------------------------------------------
> > > This List Sponsored by: Webroot
> > >
> > > Don't leave your confidential company and customer records un-protected.
> > > Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
> > > obligation. See why so many companies trust Spy Sweeper Enterprise to
> > > eradicate spyware from their networks.
> > > FREE 30-Day Trial of Spy Sweeper Enterprise
> > >
> > > http://www.webroot.com/forms/enterprise_lead.php
> > > --------------------------------------------------------------------------

- -------------------------------------------------------------------------
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected.
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
obligation. See why so many companies trust Spy Sweeper Enterprise to
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php
- --------------------------------------------------------------------------


- --
 Gregory Boyce | gboyce () akamai com
 Security Operations  -  Team Lead
 Akamai Technologies | 617-444-3041
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFEP60/Ry7J/ecQa/MRAhl1AJ4wQSWCMq5JKTdIIehJPxx5b4sw3gCdF319
8s476Ct/86biWPDRBX10C90=
=wE9s
-----END PGP SIGNATURE-----

-------------------------------------------------------------------------
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected. 
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no 
obligation. See why so many companies trust Spy Sweeper Enterprise to 
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php
--------------------------------------------------------------------------