Nmap Announce mailing list archives

nmap stealth FIN scan not detected by FW-1 V4.0?


From: "Olaf Selke" <Olaf.Selke () mediaWays net>
Date: Thu, 27 May 1999 12:39:27 +0200 (MET DST)

platform:
FireWall-1 V4.0 Build 4037 VPN+DES, Solaris 2.6
nmap V2.12, Linux kernel 2.0.34


Today I did some nmap Stealth FIN scans (nmap -sF) against FireWall-1 
V4.0 protected systems. The FIN scan uses a bare surprise FIN packet 
as the probe.

foo@bar:/tmp > nmap -sF -P0 -p1-100 193.189.XXX.YYY

I was not able to get any logging from the firewall software
when sending these probes to protected systems. Neither directly 
with 'fw log' nor in the exported logfile generated with 'fw
logexport' did I find any clue.
The FIN packets are handled by the FW software correctly according to the
rule set, so the systems behind the firewall should be secure.
Nevertheless, an intruder could scan protected networks without the
risk of being detected.

What went wrong? Am I missing something or does FW-1 V4.0 really not
log surprise FIN packets?
I would rather prefer the idea that I'm wrong ;-)

Olaf
-- 
Olaf Selke, olaf.selke () mediaways net, voice +49 5241 80-7069
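
Added example, not part of the original post and not FireWall-1 or nmap code: a minimal stateful check a sensor could run to log the "surprise" FIN packets the message describes, that is, FINs arriving on flows for which no SYN was ever seen. The function names, the `min_ports` threshold and the sample packets (documentation address ranges) are constructed for illustration.

```python
import struct
from collections import defaultdict

FIN, SYN, ACK = 0x01, 0x02, 0x10

def build_packet(src, dst, sport, dport, flags):
    """Build a constructed IPv4+TCP header pair (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp

def parse_packet(raw):
    """Return (src, dst, sport, dport, flags), or None if not IPv4/TCP."""
    if len(raw) < 20 or raw[0] >> 4 != 4 or raw[9] != 6:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl + 14:
        return None
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    src = ".".join(map(str, raw[12:16]))
    dst = ".".join(map(str, raw[16:20]))
    return src, dst, sport, dport, raw[ihl + 13]

def find_surprise_fins(packets, min_ports=3):
    """Map each source to the ports it probed with out-of-state FINs."""
    tracked = set()              # flows opened by a SYN we observed
    probes = defaultdict(set)    # source address -> destination ports
    for raw in packets:
        parsed = parse_packet(raw)
        if parsed is None:
            continue             # truncated or non-TCP: ignore
        src, dst, sport, dport, flags = parsed
        flow = frozenset([(src, sport), (dst, dport)])
        if flags & SYN:
            tracked.add(flow)
        elif flags & FIN and flow not in tracked:
            probes[src].add(dport)
    return {s: sorted(p) for s, p in probes.items() if len(p) >= min_ports}

# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE = [
    build_packet("198.51.100.7", "192.0.2.10", 40000, 80, SYN),
    build_packet("198.51.100.7", "192.0.2.10", 40000, 80, FIN | ACK),
    build_packet("198.51.100.9", "192.0.2.10", 40001, 80, FIN),
    b"\x45\x00",
] + [build_packet("203.0.113.5", "192.0.2.10", 50000, p, FIN) for p in (21, 22, 23, 25)]
```

The FIN|ACK that closes the tracked connection is not reported, while a source sending out-of-state FINs to several ports is; lowering `min_ports` to 1 also surfaces single stray FINs.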

