Nmap Announce mailing list archives
unfiltered
From: Max Vision <vision () whitehats com>
Date: Mon, 5 Apr 1999 13:06:23 -0700 (PDT)
Hello, I was wondering about the "filtered/unfiltered" status returned by nmap. In my limited testing, I see a RST+ACK on unfiltered ports that is not shown on filtered ports (www.example.com here is a Solaris Checkpoint FW-1). This is then an actual "unfiltered" port, ie, there is no daemon listening but if there was the firewall wouldn't have stopped it. However nmap doesn't report it. Since I've seen nmap report on this status before in other situations, are there different types of "unfiltered" or different firewall responses that mean the same thing? Does anyone on the list have a summary or collaborating data? I rather like the idea of being able to determine firewall holes without running Ballista/CAPE or firewalk (let alone having a daemon answer on the other side). note: 29 - not listening, filtered by FW-1 53 - not listening, not filtered 80 - listening, filtered hostnames changed, sorry for the long lines munge... [audit ~]# nmap -P0 -sS -p 29,53,80 www.example.com Starting nmap V. 2.12 by Fyodor (fyodor () dhp com, www.insecure.org/nmap/) 12:36:28.184222 audit.example.com.37819 > www.example.com.http: S 539815172:539815172(0) win 2048 12:36:28.184222 audit.example.com.37819 > www.example.com.domain: S 539815172:539815172(0) win 2048 12:36:28.184222 audit.example.com.37819 > www.example.com.msg-icp: S 539815172:539815172(0) win 2048 12:36:28.204222 www.example.com.http > audit.example.com.37819: S 4224401559:4224401559(0) ack 539815173 win 9112 <mss 536> (DF) 12:36:28.204222 audit.example.com.37819 > www.example.com.http: R 539815173:539815173(0) win 0 12:36:28.204222 www.example.com.domain > audit.example.com.37819: R 0:0(0) ack 539815173 win 0 (DF) 12:36:28.304222 audit.example.com.37820 > www.example.com.msg-icp: S 3896630591:3896630591(0) win 2048 12:36:28.404222 audit.example.com.37821 > www.example.com.msg-icp: S 592811632:592811632(0) win 2048 12:36:28.514222 audit.example.com.37822 > www.example.com.msg-icp: S 539815172:539815172(0) win 2048 12:36:28.604222 audit.example.com.37823 > www.example.com.msg-icp: S 3896630591:3896630591(0) win 2048 12:36:28.704222 audit.example.com.37824 > www.example.com.msg-icp: S 592811632:592811632(0) win 2048 Interesting ports on www.example.com (23.23.23.23): Port State Protocol Service 29 filtered tcp msg-icp 80 open tcp http Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds feedback appreciated :) Max
Current thread:
- Nmap 2.12 Fyodor (Apr 04)
- unfiltered Max Vision (Apr 05)