Penetration Testing mailing list archives
Re: DENY x REJECT
From: niceshorts () yahoo com
Date: Tue, 9 Oct 2001 15:37:05 -0500
Ofir Arkin wrote:
The best way to differentiate between a port for which the firewall is configured to "drop" packets and a port for which it is configured to "reject" packets is to look for the ICMP Error Message (Destination Unreachable - Communication with Destination Network is Administratively Prohibited), as you stated.
This is to expand on what Ofir wrote. If a TCP packet is =not= filtered, and there is no listening socket, the response should be a RST. This should also be taken into account. If a UDP packet is =not= filtered, and there is a listening socket, the response is application-layer specific, and typically a misunderstood datagram will be dropped. So a firewall dropping a UDP packet and a listening UDP socket can be difficult to differentiate. If there is no listening UDP socket, a Destination Port Unreachable message should be returned. But if we are talking about a firewall between source and destination, we don't know anything if the firewall happens to drop those Unreachables. Such is life made more difficult.
Today, I am not familiar with any tool parsing the ICMP Error message coming from a port which the firewall rejects the packets for.
Perhaps, icmpinfo -vvvn
As a rule of thumb, configuring a firewall to "reject" rather than "drop" is a mistake. The firewall needs to be as transparent as possible for traffic going through.
It depends if the firewall returns a RST on reject. One example where this is useful is to RST ident. I think the actual reject response (ICMP or TCP RST) is implementation specific and depends on semantics.
-----Original Message-----
From: Rosenau [mailto:rosenau () netsec com br]
Sent: Wed, 03 October 2001 17:53
To: pen-test () securityfocus com
Subject: DENY x REJECT

Hi

Does anybody know a port scanner that could distinguish a "deny" filtered tcp port (firewall drops packets for the port) from a "reject" filtered tcp port (firewall returns an ICMP - port unreachable)? Nmap seems to report both cases simply as "filtered". Actually, both cases are filtered, but when you receive an ICMP, you can be sure that the port is really filtered. If you do not receive anything, the port could be filtered, or packets could have been lost...

Regards,
Rosenau.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
--
HTTP request sent, awaiting response... 404 Object Not Found
ERROR 404: Object Not Found.
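The decision logic the thread works out, put into code as an added example that is not part of any of the original posts: a parser for the ICMP Destination Unreachable message (the kind of tool Ofir says he is not aware of) and a classifier that applies the thread's reasoning about RSTs, ICMP errors and silence, useful for checking whether your own firewall rule behaves as "drop" or "reject". Message layouts follow RFC 792; the sample ICMP bytes are constructed inline rather than read from a socket or capture.

```python
import struct
from typing import Optional, Tuple

ICMP_DEST_UNREACH = 3       # ICMP type
CODE_PORT_UNREACH = 3       # nothing listening on a UDP port
CODE_ADMIN_PROHIBITED = 13  # the "reject" rule's ICMP error discussed in the thread
TCP_RST, TCP_SYN, TCP_ACK = 0x04, 0x02, 0x10

def parse_icmp_unreach(icmp: bytes) -> Optional[Tuple[int, int, int]]:
    """Parse an ICMP Destination Unreachable (RFC 792 layout): type, code,
    checksum, 4 unused bytes, then the quoted original IP header plus the first
    8 bytes of its payload. Returns (code, quoted protocol, quoted dst port)."""
    if len(icmp) < 8 + 20 or icmp[0] != ICMP_DEST_UNREACH:
        return None
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4                # quoted IP header length in bytes
    if len(inner) < ihl + 4:
        return None
    dst_port = struct.unpack("!H", inner[ihl + 2:ihl + 4])[0]
    return icmp[1], inner[9], dst_port

def classify(proto: str, tcp_flags: Optional[int] = None,
             icmp: Optional[bytes] = None) -> str:
    """Interpret one probe's response using the thread's reasoning."""
    if icmp is not None:
        msg = parse_icmp_unreach(icmp)
        if msg and msg[0] == CODE_ADMIN_PROHIBITED:
            return "filtered (reject: ICMP admin prohibited)"
        if msg and msg[0] == CODE_PORT_UNREACH and proto == "udp":
            return "closed (ICMP port unreachable)"
        return "unrecognised ICMP"
    if proto == "tcp":
        if tcp_flags is None:
            return "filtered (drop), or probe lost"
        if tcp_flags & TCP_RST:            # closed host or RST-style reject: ambiguous
            return "closed, or rejected with RST"
        if tcp_flags & TCP_SYN and tcp_flags & TCP_ACK:
            return "open (SYN/ACK)"
        return "unexpected TCP flags"
    # UDP silence: a listener may have dropped an odd datagram, or a firewall did
    return "open or filtered (drop)"

def build_icmp_unreach(code: int, proto: int, dst_port: int) -> bytes:
    """Constructed sample ICMP message (checksum left zero) for offline testing."""
    hdr = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0)
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                           bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    inner_l4 = struct.pack("!HHI", 40000, dst_port, 0)  # src port, dst port, +4 bytes
    return hdr + inner_ip + inner_l4
```

A dropped Unreachable on the path, as the post notes, collapses the "reject" and "drop" cases into the same silence, so the classifier can only report what it actually saw.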