Re: Nmap

[Mark Fagan <r00t () online ie>]

Hi Matt,

I dont actually work with many of the firewalls you mentioned except for the 
PIX, I also work with Checkpoint and Netscreen.

For Checkpoint and Netscreen you would need to really do things arse-ways in 
order to make such a mistake.

I would like to hear any other views on this.

Do people really do filtering based on source port ?????

Also I have been an MCSE since 3.5 and feel MCSE's tend not to know very much 
about IP anyway.

Cheers

Mark

Quoting Matt Kettler <mkettler () evi-inc com>:

> At 06:13 AM 11/15/2003, Mark Fagan wrote:
> > I dont fully agree here.
> >
> > Unless your using an antique firewall its not possible to allow traffic
> based
> > on source port.
>
> To my knowledge every version of IPChains, IPTables, openbsd PF, BSD IPF, 
> Cisco PIX, and Cisco IOS has some form of rule which you can add to force 
> allow traffic to pass the firewall based only on source port.
>
> Not that it's a good idea.. but I challenge your assertion that it's not 
> possible on a modern firewall... In fact, I'd be surprised if _any_ major 
> firewalls would flat out refuse such a rule if manually configured to do 
> so.. Maybe some of the more paranoid ones such as the Secure Computing 
> Sidewinder G2 might refuse such things, but certainly there are a large 
> number of major firewalls that will accept such things.
>
>
> > Also anyone who (where possible) allows traffic based on source port needs
> > their heads examined.
>
> I agree.. that's why I referred to said admins as incompetent. Yes, they do
>
> need their heads examined, but there really are admins out there that know 
> absolutely nothing about TCP/IP that are administering firewalls. It's very
>
> common for a small company to have a single MCSE guy on staff to run their 
> Windows NT/2k/2003 file servers who is also responsible (by default) for 
> running the firewall..
>
> Not all MCSE's know TCP/IP, and the ones that don't are just going to make 
> up some arbitrary bypass rules to "make it work" without understanding 
> what's going on. This really does happen, and hackers do know it, and do 
> try to take advantage of it.
>
>
> > The source port seems spoofed in this example, however B2B applications I 
> > have
> > seen previously can use same source as dest port for communication, so
> dont
> > panic until you actually investigate the source.
>
> In this case it's not the same src/dest port pairing.. it's TCP traffic 
> from a HTTP port to a DNS port.. That traffic pattern is VERY suspect.
>
> Sure it's possible that some crack smoking Windows programmer decided that 
> DNS queries should be done using port 80 as a source, and be done using TCP
>
> instead of UDP.. but that's not very likely.





-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?  SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users