Re: FIN Scanning through all kind of packet-filtering firewalls?

[Darren Reed <avalon () coombs anu edu au>]

In some mail from gary flynn, sie said:
> > From: <robert.stahlbrand () nmac ericsson se>
> >
> > The FIN scanning method (presented in Phrack Magazine 49, article 15)
> > where you can scan for open ports on a host behind a packet-filtering
> > firewall even though your rules denys it is certainly working on
> > Checkpoint ver. 2.1(a) 
[...]
> I'm not familiar with Checkpoint but any packet filter that is
> filtering on a destination port is going to toss the packet
> regardless of the SYN or any other flag unless there is some
> special programming.

I wouldn't be so sure about that.  Checkpoint's FW-1 will pass all
packets through with the ACK flag set (except, I think SYN-ACK)
but will strip the body of any data.  They do this so that they can
rebuild state for a connection which has remained open over (say)
the firewall rebooting or connection information expiring.  If the
reply packet was returned, anyway, there's your scan!

Darren