Firewall Wizards mailing list archives

Re: result question


From: franco segna <fsegna () web de>
Date: Thu, 28 Aug 2003 21:27:47 +0200

rmck wrote:

Hello,

I was wondering if someone could explain to me why the tool (nmap) gives the
following results. Is it really getting through my firewalls??

I have a mysql (port 3306) machine that is behind two firewalls (both
netscreens).
I run nmap from home (3 scans), outside of all the firewalls, as so:

First A: nmap -sT -P0 -p 3306 -T 3 111.111.111.111
Result A:
Starting nmap V. 3.0 ( www.insecure.org/nmap )
Interesting ports on mach.com.com (111.111.111.111):
Port       State       Service
3306/tcp filtered mysql
Nmap run completed -- 1 IP address (1 host up) scanned in 38 seconds

I feel I understand these results: nmap labels a port as "filtered" if it
does not receive either a
SYN-ACK or a RST in response to a SYN packet. A -sT scan sends a SYN.

But these last two just get me....

B: nmap -sF -P0 -p 3306 -T 3 111.111.111.111
Result B:
Starting nmap V. 3.0 ( www.insecure.org/nmap )
Interesting ports on mach.com.com (111.111.111.111):
Port       State       Service
3306/tcp open mysql
Nmap run completed -- 1 IP address (1 host up) scanned in 13 seconds

What's happening here?? Nothing shows in my firewall logs?? Is it really
getting through? Or is it assuming it's open because it gets no response??

C: nmap -sU -P0 -p 3306 -T 3 111.111.111.111
Result C:
Starting nmap V. 3.0 ( www.insecure.org/nmap )
Interesting ports on mach.com.com (111.111.111.111):
Port       State       Service
3306/udp open unknown
Nmap run completed -- 1 IP address (1 host up) scanned in 13 seconds

So reading on nmap pages I got this "UDP scanning (-sU) in NMAP has the
same problem as FIN scans in that packet filtered ports will turn up as being open ports."

So am I correct in thinking nmap is assuming a port is opened if no
response is given?
Or does nmap get through without being logged??

Thank you for your time, and any input you can give me ...

Ron

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

The U scan sends a UDP packet to the port 3306. If the packet is dropped by one (or both) firewall, or if the target does not respond with an ICMP "port unreachable" message, or if one (or both) firewall doesn't let the ICMP message out, nmap can only assume that port 3306 is open and behaves according to the man page.
The same reasoning applies to the FIN scan.
But if the T scan (TCP connect) gives the answer "filtered" we should assume that the packet is being rejected from one of the firewalls. I don't see anything strange, but I'm only a newbie. UDP and FIN scans should be used for specific purposes.

Franco
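
Added example, not part of either message: a small Python model of the reasoning in the reply above, showing which replies reach the scanner for each scan type and how silence is labelled. The Path class, its fields and the function names are assumptions made for illustration; the state labels follow the nmap 3.0 output quoted in the question.

```python
from dataclasses import dataclass

@dataclass
class Path:
    """Constructed model of the route between scanner and target."""
    fw_drops_probe: bool      # a firewall silently discards the inbound probe
    fw_blocks_icmp_out: bool  # a firewall discards outbound ICMP errors
    listening: bool           # a service is really bound to the port

def reply_seen(scan, path):
    """What the scanner receives: 'SYN-ACK', 'RST', 'ICMP-UNREACH' or None."""
    if path.fw_drops_probe:
        return None                       # probe never reaches the target
    if scan == "connect":                 # -sT: full TCP handshake attempt
        return "SYN-ACK" if path.listening else "RST"
    if scan == "fin":                     # -sF: closed port sends RST, open port stays silent
        return None if path.listening else "RST"
    if scan == "udp":                     # -sU: closed port triggers ICMP port unreachable
        if path.listening or path.fw_blocks_icmp_out:
            return None                   # assumes the service ignores an empty datagram
        return "ICMP-UNREACH"
    raise ValueError(f"unknown scan type: {scan}")

def nmap_state(scan, reply):
    """Label the port the way the nmap 3.0 output in the post does."""
    if scan == "connect":
        return {"SYN-ACK": "open", "RST": "closed"}.get(reply, "filtered")
    # FIN and UDP scans can only prove "closed"; silence is reported as open.
    return "closed" if reply in ("RST", "ICMP-UNREACH") else "open"

def scan_all(path):
    """Run the three scan types from the question against one modelled path."""
    return {s: nmap_state(s, reply_seen(s, path)) for s in ("connect", "fin", "udp")}

if __name__ == "__main__":
    cases = {  # constructed scenarios
        "firewall drops every probe": Path(True, False, False),
        "closed port, ICMP blocked outbound": Path(False, True, False),
        "closed port, nothing filtered": Path(False, False, False),
    }
    for name, path in cases.items():
        print(f"{name:36} {scan_all(path)}")
```

The first scenario reproduces results A, B and C from the question: the same dropped probe is reported as filtered by the connect scan and as open by the FIN and UDP scans.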



