Firewall Wizards mailing list archives

Re: nmap on the internal interface of a PIX

From: Chris Cappuccio <chris () empnet com>
Date: Wed, 13 Sep 2000 17:02:45 -0700 (PDT)

That's why NMAP says filtered... To nmap, when it receives a connection-reset
reply, (meaning nothing is listening on a particular TCP port), it ignores
it, but when it gets NO reply (e.g. your packeteer filter), then it assumes
the port is filered....

nmap has other quirks like this, too, you can't totally take everything it
says literally, you have to understand what it's actually doing to make these
determinations.... New packet shaping/filtering stuff plays new tricks and
nmap would have to compensate for everything to be totally accurate!!!

On Tue, 12 Sep 2000, Daniel Monjar wrote:

 | The latest PIX threads got me poking at mine.  When I run nmap
 | against the internal interface I see:
 | 
 | [dmonjar@monjard ~]$ nmap 10.155.1.49
 | 
 | Starting nmap V. 2.53 by fyodor () insecure org ( www.insecure.org/nmap/ )
 | Interesting ports on pix.orgtek.com (10.155.1.49):
 | (The 1515 ports scanned but not shown below are in state: closed)
 | Port       State       Service
 | 23/tcp     open        telnet                  
 | 194/tcp    filtered    irc                     
 | 1467/tcp   open        csdmbase                
 | 5631/tcp   filtered    pcanywheredata          
 | 5632/tcp   filtered    pcanywherestat          
 | 6000/tcp   filtered    X11                     
 | 6667/tcp   filtered    irc                     
 | 65301/tcp  filtered    pcanywhere              
 | 
 | 
 | 
 | I get nervous when I see anything with 'pcanywhere' in the string.
 | Any idea why they're there?  There are no conduits for those ports
 | configured and I have a filtering device (PacketShaper from Packeteer)
 | sitting on the internal interface between the PIX and the network that
 | excplicits discards pcanywhere stuff.
 | 
 | -- 
 | Daniel Monjar (mailto:dmonjar () orgtek com)
 | "Meddle not in the affairs of dragons, 
 |  for you are crunchy and taste good with ketchup."
 | 
 | 
 | _______________________________________________
 | Firewall-wizards mailing list
 | Firewall-wizards () nfr net
 | http://www.nfr.net/mailman/listinfo/firewall-wizards
 | 

--
"Should we now be comfortable with a 'trust us, we're the government'
approach?  I don't think anybody on this committee shares that view."

-John Conyers, House Judiciary Committee on the FBI Carnivore system


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards

Current thread:

nmap on the internal interface of a PIX Daniel Monjar (Sep 13)
- Re: nmap on the internal interface of a PIX Robert Collins (Sep 14)
- Re: nmap on the internal interface of a PIX Chris Cappuccio (Sep 14)
  - Message not available
    - Re: nmap on the internal interface of a PIX Daniel Monjar (Sep 16)
  - Re: nmap on the internal interface of a PIX antirez (Sep 16)
- <Possible follow-ups>
- RE: nmap on the internal interface of a PIX Keith Morgan (Sep 14)