Firewall Wizards mailing list archives
Re: result question
From: franco segna <fsegna () web de>
Date: Thu, 28 Aug 2003 21:27:47 +0200
rmck wrote:
The U scan sends an UDP packet to the port 3306. If the packet is dropped by one (or both) firewall, or if the target does not respond with a ICMP "port unreacheable" message, or if one (or both) firewall doesn't let the ICMP message out, nmap can only assume that port 3306 is open and behaves accordingly to the man page.Hello, I was wondering if somone could explain to me why the tool (nmap) gives the following results. Is it really getting through my firewalls?? I have a mysql (port 3306) machine that is behind two firewalls (bothnetscreens).I run nmap from home (3 scans), outside of all the firewalls, as so:First A: nmap -sT -P0 -p 3306 -T 3 111.111.111.111Result A: Starting nmap V. 3.0 ( www.insecure.org/nmap ) Interesting ports on mach.com.com (111.111.111.111): Port State Service3306/tcp filtered mysqlNmap run completed -- 1 IP address (1 host up) scanned in 38 seconds I feel I understand these results nmap labels a port as "filtered" if it does not receive either aSYN-ACK or a RST in response to a SYN packet. A ?????????sT scan sends a SYN.But these last two just get me....B: nmap -sF -P0 -p 3306 -T 3 111.111.111.111Result B: Starting nmap V. 3.0 ( www.insecure.org/nmap ) Interesting ports on mach.com.com (111.111.111.111): Port State Service3306/tcp open mysqlNmap run completed -- 1 IP address (1 host up) scanned in 13 seconds Whats happening here?? Nothing shows in my firewall logs?? Is it really getting through? Or is it assuming its open because it gets no response??C: nmap -sU -P0 -p 3306 -T 3 111.111.111.111Result C: Starting nmap V. 3.0 ( www.insecure.org/nmap ) Interesting ports on mach.com.com (111.111.111.111): Port State Service3306/udp open unknownNmap run completed -- 1 IP address (1 host up) scanned in 13 seconds So reading on nmap pages I got this "UDP scanning (-sU) in NMAP has thesame problem as FIN scans in that packet filtered ports will turn up as being open ports."So am I correct in thinking nmap is assuming a port is opened if noresponse is given.Or does nmap get through with out being logged?? Thank you for your time, and any input you can give me ... Ron _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
The same reasoning applies to the FIN scan.But if the T scan (TCP connect) gives the answer "filtered" we should assume that the packet is being rejected from one of the firewalls. I don't see anything strange, but I'm only a newbie. UDP and FIN scans should be used for specific purposes.
Franco _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- result question rmck (Aug 28)
- Re: result question franco segna (Aug 28)
- <Possible follow-ups>
- RE: result question Whiteside, Larry [contractor] (Aug 28)
- RE: result question Mike Hoskins (Aug 28)