Firewall Wizards mailing list archives

RE: nmap fun


From: Martin Machacek <mm () i cz>
Date: Thu, 26 Oct 2000 10:11:50 +0200 (MET DST)


On 24-Oct-00 Bret Watson wrote:
Whilst we are looking at nmap... has anyone noticed that when scanning an address
range "protected" by Gauntlet 5.x, interesting things appear?

Such as being able to identify all the ports that are open on the hosts 
behind the firewall?

Well, it depends on your addressing scheme, routing configuration and of course
also on the configuration of your firewall. I'm not here to defend Gauntlet, but if:

1) your internal (protected) network uses private IP addresses (RFC 1918) or
   uses registered addresses that are not being routed from anywhere outside the
   protected network,
2) and you have source routing disabled on your external router and on your
   firewall,
3) and you have transparency disabled on your external interface of your
   firewall

this can NEVER happen. Definitely not by portscanning (of any kind). So,
please, describe the topology of your network and the configuration of the
firewall you ran the nmap scan against, and maybe somebody on this list (maybe
me) can spot some config problems.

What makes it really interesting for me is that an application proxy should 
never reply for ports that are not permitted, but what seems to happen is 
that if one makes a TCP connect to an address protected by Gauntlet and 
this port is available on the machine, then Gauntlet will tell you to go 
away, but if the port is not open on the machine behind the wall then 
Gauntlet will not respond at all...

Which of the several application proxies that Gauntlet offers are you talking
about? How is it configured? I know about one slightly annoying but not
critical and quite easily avoidable problem in http-gw (up to version 5.0; I
cannot speak about 5.5 because it is not supported on BSD/OS). If a connection
is made to the port serviced by http-gw from an address that is not allowed
to use the proxy, the connection succeeds and stays open until you send some
data. Then the proxy sends you an HTML page telling you that you are not allowed
to use it and drops the connection. I suspect there is potential for denial
of service attacks; however, it can be avoided by blocking connections to the
http-gw port from unauthorized clients in the packet filter.

Thusly, one can do a TCP Connect scan of an address space covered by 
Gauntlet and get all the machines with their open ports - scary huh?

A TCP connect scan will in any case tell you which ports are open on the
firewall, unless you block unauthorized clients in the packet filter, because
TCP proxies have no way to refuse a client before accepting the connection.
AFAIK, the TCP socket interface gives you no chance to find out the address of
the remote party without accepting the connection. Again, it can be solved by a
packet filter.

This works on NT and Solaris under the latest version of Gauntlet. NAI has 
been asked (a couple of months ago even!) - no answer.



        Martin 

---
[PGP KeyID F3F409C4]

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
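An added illustration of the point Martin makes above; this is not code from the thread or from Gauntlet. A user-space TCP proxy learns the peer address only from accept(), after the handshake has completed, so a connect probe sees the port as open whether or not the client passes the proxy's address check; only a port with no listener is refused. The allowlist values and the loopback listeners are constructed for the demonstration.

```python
import socket
import threading


def acl_listener(allowed):
    """Loopback listener modelling a user-space TCP proxy: the peer address is
    first known from accept(), after the handshake, so the ACL can only close a
    connection that already exists. 'allowed' is a constructed allowlist."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, (peer_ip, _) = srv.accept()
        if peer_ip in allowed:
            conn.sendall(b"welcome\n")
        conn.close()  # unauthorised peers get nothing, just a close
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def probe(port, timeout=2.0):
    """Connect-probe a loopback port as a TCP connect scan does. Returns
    ("closed", b"") if refused, else ("open", banner received before close)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(("127.0.0.1", port))
    except ConnectionRefusedError:
        s.close()
        return ("closed", b"")
    # Handshake completed: a scanner records "open" here, before the
    # proxy's address check has had any chance to act.
    try:
        banner = s.recv(64)
    except (ConnectionResetError, socket.timeout):
        banner = b""
    s.close()
    return ("open", banner)


def demo():
    """Three cases: client denied by the ACL, client allowed, no listener."""
    denied = acl_listener(allowed={"192.0.2.10"})  # 127.0.0.1 not listed
    granted = acl_listener(allowed={"127.0.0.1"})
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    free_port = tmp.getsockname()[1]  # nothing listens here once closed
    tmp.close()
    return probe(denied), probe(granted), probe(free_port)
```

The denied and allowed clients both observe "open"; only the packet filter, acting before the handshake completes, can make the denied case look like the third.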