On Tue, 27 Jul 1999 [EMAIL PROTECTED] wrote:

> >>      Internet
> >>     /        \
> >>    /          \
> >> Me @         ISP
> >> Home         POP
> >>            /  |  \
> >>           /   |   \
> >>        ISP   ISP   Work NAT
> >>       User   User  Firewall
> >>                       |
> >>                       |
> >>                     PC @
> >>                     Work
> >> 
> >> I am at home, attempting to connect to my PC at work.  I am the
> >> sysadmin at work and have permission from there.  The other machines
> >> that I am scanning to find my work PC are other users on the same POP
> >> (which contains 4 class C networks).  Most of these will be individual
> >> machines, but there is at least one other NAT Firewall/Router
> >> connected.
> >
> >I am confused then.  Why do you have to scan the other users at your ISP
> >to find the machine behind your firewall?  Are you saying that the
> >firewall's address changes?  Or is it just so misconfigured in such a
> >fashion as to open up a dynamic address on the ISP's subnets and leave a
> >gaping hole that you are searching for?
> 
> The firewall/router is connected to the ISP on a demand basis via a
> dial-up 56K modem line, using an ordinary ISP account.
> 
> My "gaping hole" is port 80, which then leads you to the web server on
> my PC. All other inbound traffic is discarded. I suppose that you
> could subvert my webserver, implant something like BO2K to give you a
> launching pad, and then attack the other machines on my network. It
> seems to me less likely than finding my inbound modem lines (mine, not
> my ISP's) and guessing the PPP account & password.
> 
> 

Aww, now I understand the need to sweep all the addresses in the ISP class
C address space: your firewall functions off a dynamic IP assignment.  In
this case, then, you might find that others on the class C space you sweep
do take note, if they are running IDS loggers, and might well raise the
problem with your admins there.  I'd see it as not wrong for them to take
note and contact the ISP and/or you in an attempt to determine that this
scanning was not a sweep for weaknesses of their systems to exploit.  I'm
assuming here now that this is a Linux or perhaps FreeBSD implementation.
Would it not be easier to have the box send you status as to the address
it is presently assigned and eliminate the need for such a broad sweep?

Thanks,


Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
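
The status report suggested in the reply above, sketched as an added example that is not part of the original message. It assumes the firewall dials out with pppd, which runs /etc/ppp/ip-up with the arguments interface, tty, speed, local IP, remote IP and ipparam; the function names, the REPORT_TO placeholder address and the use of mail(1) and logger(1) are assumptions.

```shell
#!/bin/sh
# Added example (assumed setup): install as, or call from, /etc/ppp/ip-up.
# pppd invokes the hook as: ip-up <iface> <tty> <speed> <local-ip> <remote-ip> <ipparam>

# Placeholder recipient; replace with the admin's real mailbox.
REPORT_TO=${REPORT_TO:-admin@example.invalid}

# Succeed only for a dotted quad with four octets in 0..255, no leading zeros.
is_ipv4() {
    addr=$1 count=0
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    while [ -n "$addr" ]; do
        octet=${addr%%.*}
        case "$octet" in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
        case "$addr" in *.*) addr=${addr#*.} ;; *) addr= ;; esac
    done
    [ "$count" -eq 4 ]
}

# Build the one-line report from ip-up's positional arguments.
# Fails without output if the local address is not a valid IPv4 address,
# so a malformed value never reaches the mail body.
build_report() {
    is_ipv4 "$4" || return 1
    printf 'firewall-status iface=%s addr=%s\n' "$1" "$4"
}

# Act only when called with pppd's argument list; otherwise define functions only.
if [ "$#" -ge 5 ]; then
    report=$(build_report "$@") || {
        logger -t ip-up "not reporting invalid local address"
        exit 1
    }
    # The address travels in cleartext mail; it is the same address any
    # client of the port 80 web server already sees.
    printf '%s\n' "$report" | mail -s "firewall address" "$REPORT_TO"
fi
```

With the address delivered on each dial-up, the admin connects to one known host and no other subscriber on the POP sees scan traffic.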
