Firewall Wizards mailing list archives
RE: nmap fun
From: Martin Machacek <mm () i cz>
Date: Thu, 26 Oct 2000 10:11:50 +0200 (MET DST)
On 24-Oct-00 Bret Watson wrote:
> Whilst we are looking at nmap... Has anyone noticed that scanning an address range "protected" by Gauntlet 5.x, interesting things appear? Such as being able to identify all the ports that are open on the hosts behind the firewall?
Well, it depends on your addressing scheme, routing configuration and of course also on the configuration of your firewall. I'm not here to defend Gauntlet, but if:
1) your internal (protected) network uses private IP addresses (RFC 1918) or uses registered addresses that are not being routed from anywhere outside the protected network,
2) and you have source routing disabled on your external router and on your firewall,
3) and you have transparency disabled on the external interface of your firewall,
this can NEVER happen. Definitely not by portscanning (of any kind). So, please, describe the topology of your network and the configuration of the firewall you ran the nmap scan against, and maybe somebody on this list (maybe me) can spot some config problems.
> What makes it really interesting for me is that an application proxy should never reply for ports that are not permitted, but what seems to happen is that if one makes a TCP connect to an address protected by Gauntlet and this port is available on the machine, then Gauntlet will tell you to go away, but if the port is not open on the machine behind the wall then Gauntlet will not respond at all...
Which of the several application proxies that Gauntlet offers are you talking about? How is it configured? I know about one slightly annoying but not critical and quite easily avoidable problem in http-gw (up to version 5.0; I cannot speak about 5.5 because it is not supported on BSD/OS). If a connection is made to the port serviced by http-gw from an address that is not allowed to use the proxy, the connection succeeds and stays open until you send some data. Then the proxy sends you an HTML page telling you that you are not allowed to use it and drops the connection. I suspect there is a potential for denial of service attacks; however, it can be avoided by blocking connections to the http-gw port from unauthorized clients in the packet filter.
> Thusly, one can do a TCP connect scan of an address space covered by Gauntlet and get all the machines with their open ports - scary huh?
A TCP connect scan will in any case tell you which ports are open on the firewall, unless you block unauthorized clients in the packet filter, because TCP proxies have no way to refuse a client before accepting the connection. AFAIK, the TCP socket interface gives you no chance to find out the address of the remote party without accepting the connection. Again, it can be solved by a packet filter.
> This works on NT and Solaris under the latest version of Gauntlet. NAI has been asked (a couple of months ago even!) - no answer.
Martin
---
[PGP KeyID F3F409C4]
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
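An added illustration of the accept-before-check limitation Martin describes (this is example code, not anything from the thread or from Gauntlet): a minimal listener that, like the http-gw behaviour discussed above, completes the TCP handshake for every client, waits for the first data, and only then refuses unauthorized source addresses. The allowlist, the reply text and the log format are constructed assumptions; the probe runs against loopback, which is deliberately outside the allowlist.

```python
import ipaddress
import socket
import threading

# Constructed allowlist (assumption): only this network may use the proxy.
ALLOWED_CLIENTS = [ipaddress.ip_network("10.0.0.0/8")]


def is_authorized(peer_ip: str) -> bool:
    """Source-address check; a TCP proxy can only run it after accept()."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in ALLOWED_CLIENTS)


def proxy_listener(srv: socket.socket, log: list) -> None:
    """Serve one connection the way the thread describes http-gw doing it:
    the handshake completes for everyone, the connection stays open until
    the client sends data, and only then is an unauthorized peer refused."""
    conn, (peer_ip, peer_port) = srv.accept()  # peer address known only now
    with conn:
        conn.recv(1024)  # idle until the client talks (the DoS angle above)
        if not is_authorized(peer_ip):
            log.append(f"denied {peer_ip}:{peer_port}")  # the event to alert on
            conn.sendall(b"<html>not allowed to use this proxy</html>\n")
            return
        log.append(f"allowed {peer_ip}:{peer_port}")
        conn.sendall(b"<html>proxy ok</html>\n")


def connect_scan_view() -> dict:
    """What a single TCP connect probe sees against such a proxy port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # loopback is not in ALLOWED_CLIENTS on purpose
    srv.listen(1)
    log: list = []
    worker = threading.Thread(target=proxy_listener, args=(srv, log))
    worker.start()
    try:
        probe = socket.create_connection(srv.getsockname(), timeout=5)
    except (ConnectionRefusedError, socket.timeout):
        # A packet filter in front of the port would leave the probe here:
        # no handshake, so the port does not show up as open at all.
        return {"connected": False, "reply": b"", "log": log}
    with probe:  # handshake completed: to a connect scan the port is "open"
        probe.sendall(b"GET / HTTP/1.0\r\n\r\n")
        reply = probe.recv(1024)
    worker.join()
    srv.close()
    return {"connected": True, "reply": reply, "log": log}
```

The returned dict shows the point of the thread: the probe connects successfully even though it is denied, so the denial is only visible afterwards in the reply and in the log line a defender would monitor.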