Penetration Testing mailing list archives

Re: [PEN-TEST] Closing Port 139


From: David Pick <D.M.Pick () QMW AC UK>
Date: Sat, 14 Oct 2000 19:31:23 +0100

Quote from Erik Birkholz
NT 4.0 TCP/IP filtering is not stateful and does not recognize established
connections.  With that said, if you block all inbound TCP ports except 80
(situation originally described by Kasey Speakman in post) and block all UDP
ports you will lose DNS resolution and the ability to establish a full TCP
connection (FTP, Telnet, etc.).
Win 2K TCP/IP filtering however, is stateful and will allow established
connections.  This means you will be able to establish a full TCP
connection, but you will still lose the ability to resolve host names if you
block UDP (stateless protocol).

Ah. So you mean that it will take note of the flag bits in a TCP packet
header which indicate if it's a call setup or subsequent packet (the ACK
bit), and the filters can check this bit; or do you mean that the code
remembers that it has actually *seen* the setup packet before allowing
the subsequent packets to pass?

The first option is what the Cisco routers have done for ages, and what
most host packet filter engines do; the second is what Darren Reed's
"IPFilter" package does (it also remembers and checks TCP sequence
numbers, &c).

--
        David Pick
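[Added example, not part of the list post or of any of the products named in it: a toy model of the three filtering behaviours discussed in the thread. port_only_filter stands in for NT 4.0's port-only filtering, ack_bit_filter for the first ("established" = ACK bit set) interpretation, and StatefulFilter for the second (the filter remembers the SYN it saw). Packet, the addresses and the port numbers are constructed for illustration; the policy is "block all inbound TCP except 80".]

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:                       # constructed, minimal TCP header model
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

ALLOWED_INBOUND = {80}              # "block all inbound TCP except 80"

def port_only_filter(pkt, direction):
    """NT 4.0 style: no notion of 'established', destination port only."""
    return direction == "out" or pkt.dport in ALLOWED_INBOUND

def ack_bit_filter(pkt, direction):
    """First sense of 'established': an inbound packet with the ACK bit set
    is trusted to belong to an existing connection. Keeps no memory at all."""
    return direction == "out" or pkt.dport in ALLOWED_INBOUND or pkt.ack

class StatefulFilter:
    """Second sense: pass an inbound packet only if this filter itself saw
    the outbound SYN of the connection the packet claims to belong to."""
    def __init__(self):
        self.table = set()          # (local_ip, local_port, remote_ip, remote_port)
    def allow(self, pkt, direction):
        if direction == "out":
            if pkt.syn and not pkt.ack:
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.dport in ALLOWED_INBOUND:
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table

def run_scenario():
    host, remote = "10.0.0.5", "192.0.2.10"      # constructed addresses
    sf = StatefulFilter()
    # Host opens an FTP control connection; the server's SYN/ACK comes back in.
    syn = Packet(host, 40000, remote, 21, syn=True)
    synack = Packet(remote, 21, host, 40000, syn=True, ack=True)
    sf.allow(syn, "out")
    # Unsolicited inbound packet to 139 with ACK set and no prior SYN.
    stray = Packet(remote, 1025, host, 139, ack=True)
    return {
        "synack_port_only": port_only_filter(synack, "in"),   # False: full TCP breaks
        "synack_ack_bit": ack_bit_filter(synack, "in"),       # True
        "synack_stateful": sf.allow(synack, "in"),            # True
        "stray_ack_bit": ack_bit_filter(stray, "in"),         # True: nothing to check against
        "stray_stateful": sf.allow(stray, "in"),              # False: no SYN was seen
    }
```

The last two results are the practical difference between the two readings: only the filter that keeps state can tell a reply to a connection it saw opened from an inbound packet that merely carries the ACK bit.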
