This all made me interested, so I did some more scanning on my Pro-VX from my other T1...
I'm not getting reports like Chris, but I do now have some other strange behavior. Kind of reminiscent of my pre-firewall Windows 2000 NAT server.

For example, I have a handful of ports opened to my DMZ from the WAN - mostly our internet devices we build that use a dozen or so ports in the 3000 range, along with the standard 80, 21, 23, 443 (all services we use). I also have one internal machine (Exchange) on 1-1 NAT for only ports 80 and 25, as well as a server I use to transfer files occasionally (1-1 NAT for port 21 only).

Now, when I go outside to a different T1 and use any of the various flavors of port scanners I have, I get things showing as open that are not. My default rule for the WAN to DMZ is to block everything, and it's below those ports I described as opened in the rule set. But I get some random other ports that show open in the public IP range anyway.

Now, one thing I had noticed with my Windows 2000 NAT I was using before getting the Sonicwall was that if I had, say, one port open to an internal machine via NAT, another port open to another machine, and so on, that all IPs bound to the external NIC on the Windows 2000 machine would show *all* IPs with *all* those ports open, rather than showing just the particular port opened per IP.

Has anyone else seen similar things on the Sonicwall appliances? I'm about ready to throw a test server in my DMZ to test, since I can't play with the real hosted servers out there since they're my production environment. I'm figuring on tossing a machine in the DMZ, setting a rule specifically for it and its IP to deny all from WAN to DMZ to that particular address, then do some scans, see what I end up showing as open, then testing to see if it's just, as I assume, false readings of some sort, or if there really is access available through what is showing as open.

Thanks for any info

John

-----Original Message-----
From: Todd Holt [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 17, 2002 3:27 PM
To: [EMAIL PROTECTED]
Subject: RE: [SonicWALL]- UPD port scans

We have a similar thing happening. I was very concerned when it started because the address was always one of our ISP's servers. After talking with them, they enlightened me about a habit their DNS servers have: On some DNS requests we make of their DNS servers, it can't find a route back for the response. So it starts walking ports, looking for the machine that made the request. This looks like a port scan to the SW. Now that I know what's happening, I can ignore it.

You should check the source of the port scan and see if there is an explanation for the scan.

Todd

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Buchenauer, Christian
Sent: Monday, June 17, 2002 3:01 PM
To: [EMAIL PROTECTED]
Subject: Re: [SonicWALL]- UPD port scans

[EMAIL PROTECTED] wrote:
>
> Whew, no 3rd degree burns. :)

Nope. We do very distinguished conversation here :-)

> Yes, that's correct for that rule then... Could those scans be originating
> from the LAN?

No. These scans originate all from the WAN (different official IPs). The main targets are UDP 1980 and 2326. How can I block this?

The rule for the LAN is:
Allow Any LAN to WAN
Allow Any LAN to DMZ
Do Windows Broadcasts to DMZ

I was afraid to block some IM / Chat - apps from working correctly so I do allow any - good idea?

Thanks

Chris

---
[This E-mail scanned for viruses by Declude/F-Prot AV]

===================================================================================================
To unsubscribe, send email to [EMAIL PROTECTED]
In the body of the email put the following: unsubscribe sonicwall your_name
The archive of this list is at http://www.mail-archive.com/sonicwall%40peake.com/
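
The comparison John describes (outside scan results versus the ports the rule set is meant to expose on each public IP) can be triaged as below. This is an added example, not part of the original thread; the addresses, rule set and scan results are constructed, and `triage` and `follow_up` are hypothetical helper names.

```python
# Added example: all addresses, ports and scan results are constructed.

# Ports intentionally opened from the WAN, per public IP (hypothetical rule set).
POLICY = {
    "203.0.113.10": {21, 23, 80, 443, 3000, 3001},  # DMZ devices
    "203.0.113.11": {25, 80},                       # Exchange, 1-1 NAT
    "203.0.113.12": {21},                           # file transfer, 1-1 NAT
    "203.0.113.13": set(),                          # test host, deny all
}

# Ports an outside scan reported as open, per public IP (constructed).
SCAN = {
    "203.0.113.10": {21, 80, 443, 3000, 3001},
    "203.0.113.11": {21, 25, 80, 443},
    "203.0.113.12": {21, 1720},
    "203.0.113.13": {80},
}


def triage(policy, scan):
    """Classify every reported port for every IP seen in policy or scan."""
    allowed_anywhere = set().union(*policy.values())
    report = {}
    for ip in sorted(set(policy) | set(scan)):
        allowed = policy.get(ip, set())
        seen = scan.get(ip, set())
        unexpected = seen - allowed
        report[ip] = {
            # Allowed but not reported open: rule or service not working.
            "missing": sorted(allowed - seen),
            # Open here, but only allowed on a different IP: the
            # "all ports on all IPs" pattern seen with the Windows 2000 NAT.
            "bleed": sorted(unexpected & allowed_anywhere),
            # Not allowed on any IP at all.
            "unexplained": sorted(unexpected - allowed_anywhere),
        }
    return report


def follow_up(report):
    """(ip, port) pairs to confirm with a real connection attempt."""
    return [(ip, port) for ip, r in report.items()
            for port in r["bleed"] + r["unexplained"]]


if __name__ == "__main__":
    for ip, result in triage(POLICY, SCAN).items():
        print(ip, result)
    print("confirm by connecting:", follow_up(triage(POLICY, SCAN)))
```

A port listed under `bleed` or `unexplained` is only a scanner reading; the deny-all test host in the DMZ is what separates a false reading from real access.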