Nmap Development mailing list archives

Results when scanning 127/8 as root


From: iroquoi () gmail com
Date: Sat, 30 Aug 2008 20:43:40 +1000

Hi,

I noticed the following (abbreviated) results, using nmap as root:

fw:~# nmap 127.0.0.1 -p 23
23/tcp closed telnet
Nmap done: 1 IP address (1 host up) scanned in 0.056 seconds

fw:~# nmap 127.50.50.1 -p 23
23/tcp filtered telnet
Nmap done: 1 IP address (1 host up) scanned in 2.330 seconds

Note the delay, and the filtered vs. closed result. Here is the
abbreviated exchange in Wireshark for the second command:

127.0.0.1 -> 127.50.50.1  TCP 56477 > telnet [SYN]
127.50.50.1 -> 127.50.50.1  TCP telnet > 56477 [RST, ACK]
127.0.0.1 -> 127.50.50.1  TCP 56478 > telnet [SYN]
127.50.50.1 -> 127.50.50.1  TCP telnet > 56478 [RST, ACK]

It also shows [TCP CHECKSUM INCORRECT] on each response.

I'm wondering why the response is to 127.50.50.1, rather than 127.0.0.1. 
Presumably this is the cause of the delay, and is the reason why nmap 
shows port 23 as filtered, rather than closed.

Would appreciate any insight.

Cheers.

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
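
An added example, not part of the original message or of Nmap's code: a Python check over the capture lines quoted in the message that pairs each SYN with the RST on the same ports and reports whether the reply's addresses mirror the probe's. It assumes a scanner accepts a reply only when source and destination are the probe's reversed; the function names are hypothetical.

```python
import re

# Capture lines copied from the message above (tshark-style summaries).
CAPTURE = """\
127.0.0.1 -> 127.50.50.1  TCP 56477 > telnet [SYN]
127.50.50.1 -> 127.50.50.1  TCP telnet > 56477 [RST, ACK]
127.0.0.1 -> 127.50.50.1  TCP 56478 > telnet [SYN]
127.50.50.1 -> 127.50.50.1  TCP telnet > 56478 [RST, ACK]
"""

LINE = re.compile(
    r"^(?P<src>\S+) -> (?P<dst>\S+)\s+TCP "
    r"(?P<sport>\S+) > (?P<dport>\S+) \[(?P<flags>[^\]]+)\]$"
)

def parse(text):
    """Turn summary lines into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            pkt = m.groupdict()
            pkt["flags"] = {f.strip() for f in pkt["flags"].split(",")}
            packets.append(pkt)
    return packets

def classify_replies(packets):
    """Pair each SYN with RSTs on the reversed ports; flag address mismatches."""
    results = []
    for probe in (p for p in packets if p["flags"] == {"SYN"}):
        for reply in packets:
            if "RST" not in reply["flags"]:
                continue
            if (reply["sport"], reply["dport"]) != (probe["dport"], probe["sport"]):
                continue
            # Assumption: a reply counts only if its addresses mirror the probe's.
            mirrored = (reply["src"], reply["dst"]) == (probe["dst"], probe["src"])
            results.append({"probe_sport": probe["sport"],
                            "expected_dst": probe["src"],
                            "reply_dst": reply["dst"],
                            "mirrored": mirrored})
    return results

if __name__ == "__main__":
    for r in classify_replies(parse(CAPTURE)):
        verdict = "mirrors probe" if r["mirrored"] else "does not mirror probe"
        print(f"probe from port {r['probe_sport']}: reply sent to "
              f"{r['reply_dst']}, expected {r['expected_dst']} ({verdict})")
```
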

