----- Original Message ----- 
From: "Jorge Almeida" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, November 22, 2003 4:33 PM
Subject: [gentoo-user] nmap/iptables


> I have in my home box an iptables firewall configured via shorewall with
> the "standalone machine" standard configuration (no services whatsoever to
> the outside world). Just for good measure, I tried portscanning from a
> computer at work: (my dynamic IP number edited)
> $ nmap -vv <IP number>
>
> Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> No tcp,udp, or ICMP scantype specified, assuming vanilla tcp connect()
> scan. Use -sP if you really don't want to portscan (and just want to see
> what hosts are up).
> Machine <IP number> MIGHT actually be listening on probe port 80
> Host  <IP number> appears to be up ... good.
> Initiating Connect() Scan against  <IP number>
> Adding open port 80/tcp
> Bumping up senddelay by 10000 (to 10000), due to excessive drops
> Bumping up senddelay by 20000 (to 30000), due to excessive drops
> Bumping up senddelay by 30000 (to 60000), due to excessive drops
> Bumping up senddelay by 40000 (to 100000), due to excessive drops
> Bumping up senddelay by 50000 (to 150000), due to excessive drops
> Bumping up senddelay by 60000 (to 210000), due to excessive drops
> Bumping up senddelay by 75000 (to 285000), due to excessive drops
> Bumping up senddelay by 75000 (to 360000), due to excessive drops
> Bumping up senddelay by 75000 (to 435000), due to excessive drops
> The Connect() Scan took 1038 seconds to scan 1601 ports.
> Interesting ports on  (<IP number>):
> (The 1597 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 6/tcp      filtered    unknown
> 25/tcp     filtered    smtp
> 80/tcp     open        http
> 135/tcp    filtered    loc-srv

Okay, the output here means the firewall is blocking 6, 25, 135. Since they
show up here, you didn't completely drop all packages, but only block them;
this is usually safe.

80 is completely open; if you run Apache, then Apache will be available from
outside.
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 1038 seconds
>
>
> The scanning from the home box itself gives a more reassuring outcome:
>
> $ nmap -vv localhost
> No tcp, udp, or ICMP scantype specified, assuming vanilla tcp connect()
> scan. Use -sP if you really don't want to portscan (and just want to see
> what hosts are up).
>
> Starting nmap 3.27 ( www.insecure.org/nmap/ ) at 2003-11-22 14:54 WET
> Host localhost (127.0.0.1) appears to be up ... good.
> Initiating Connect() Scan against localhost (127.0.0.1) at 14:54
> Adding open port 10000/tcp
> Adding open port 6000/tcp
> The Connect() Scan took 0 seconds to scan 1623 ports.
> Interesting ports on localhost (127.0.0.1):
> (The 1621 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 6000/tcp   open        X11
> 10000/tcp  open        snet-sensor-mgmt
>
The reason why you get a completely different output is, first of all, that if
you scan localhost, then you scan only services that are bound to localhost.
Depending on your setup, just run nmap on your local box, but instead of
nmap -vv localhost specify the real IP of the interface that connects to
the internet.

Also, because shorewall is usually set up to block only traffic coming in from
the device that connects to the internet, the output will look different.
Therefore the scan from outside is much more important.


> Nmap run completed -- 1 IP address (1 host up) scanned in 0.633 seconds
>
>
> Now, why should nmap at the remote machine report that port 80 is open? I
> assume that this happens because nmap is not supposed to be used when the
> target has a firewall. Can I be right? And, if so, how can I check
> whether the firewall is really working as expected?
>
> Thanks for any help,
> Jorge Almeida
>
> --
> [EMAIL PROTECTED] mailing list
>
>


--
[EMAIL PROTECTED] mailing list
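
Added example, not part of the original thread: a small checker that parses the port table of the remote scan quoted above, explains each connect() scan state, and lists ports that break the poster's "no services to the outside" policy. The names `parse_scan`, `audit`, and `MEANING` are hypothetical, and the sample text is constructed from the quoted output.

```python
import re
# Constructed sample: the port table from the remote scan quoted in the thread.
REMOTE_SCAN = """\
Interesting ports on  (<IP number>):
(The 1597 ports scanned but not shown below are in state: closed)
Port       State       Service
6/tcp      filtered    unknown
25/tcp     filtered    smtp
80/tcp     open        http
135/tcp    filtered    loc-srv
"""

# How a TCP connect() scan arrives at each state (hypothetical helper table).
MEANING = {
    "open": "handshake completed: something accepted the connection",
    "closed": "connection refused (RST came back): reachable, nothing listening",
    "filtered": "no usable answer (timeout or ICMP error): packet filter in the path",
}

ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*$")
HIDDEN = re.compile(r"\(The (\d+) ports scanned but not shown below are in state: (\w+)\)")

def parse_scan(text):
    """Return ({port: (state, service)}, (hidden_count, hidden_state))."""
    ports, hidden = {}, (0, None)
    for line in text.splitlines():
        line = line.lstrip("> ").rstrip()  # tolerate mail quoting
        m = HIDDEN.search(line)
        if m:
            hidden = (int(m.group(1)), m.group(2))
            continue
        m = ROW.match(line)
        if m:
            ports[int(m.group(1))] = (m.group(3), m.group(4))
    return ports, hidden

def audit(text, allowed_open=frozenset()):
    """List open ports that break a 'nothing exposed' policy."""
    ports, _ = parse_scan(text)
    return sorted(p for p, (state, _) in ports.items()
                  if state == "open" and p not in allowed_open)

if __name__ == "__main__":
    ports, hidden = parse_scan(REMOTE_SCAN)
    for port, (state, service) in sorted(ports.items()):
        print(f"{port:>5} {state:<9} {service:<8} {MEANING.get(state, '?')}")
    print("not shown:", hidden, "policy violations:", audit(REMOTE_SCAN))
```

Feed it the scan taken from outside, not the localhost scan: only the outside scan passes through the interface the firewall rules apply to.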
