Site Navigation

Date:      Tue, 11 Feb 2003 13:07:38 -0600
From:      Redmond Militante <r-militante@northwestern.edu>
To:        Nigel Houghton <nigel.houghton@sourcefire.com>, freebsd-security@freebsd.org
Subject:   Re: n00b ipf/ipnat questions
Message-ID:  <20030211190738.GB791@darkpossum>
In-Reply-To: <1044990692.294.26.camel@ds9.sourcefire.com>
References:  <20030211002256.GA824@darkpossum> <20030211090154.R30313-100000@cactus.fi.uba.ar> <20030211141831.GB824@darkpossum> <1044990692.294.26.camel@ds9.sourcefire.com>

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

--9zSXsLTf0vkW971A
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

yeah

the reason i didn't think that portsentry would be causing this type of beh=
avioris that i'm also running it on a couple of standalone workstations tha=
t i have firewalled with ipfilter, and when i nmap these machines, it doesn=
't show a variety of ports being open due to portsentry listening on them. =
=20
i'm not sure why nmap would show these ports that portsentry's listening on=
 being open when behind a ipf/ipnat configuration...

thanks
redmond



>=20
> Are you running Portsentry by any chance?
>=20
> On Tue, 2003-02-11 at 09:18, Redmond Militante wrote:
> > hi
> >=20
> > thanks for responding
> > i made a few changes last night to my config, but i still see open port=
s when i run nmap , despite my ipf.rules.  if you like, i can post my updat=
ed config, although it's not that different...
> >=20
> > tcp ports seem to be open.  i'm using: nmap -sS -v -O my.hostname.org
> > here's the results of an nmap run=20
> >=20
> >=20
> > Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> > Host my.hostname.org (129.x.x.x) appears to be up ... good.
> > Initiating SYN Stealth Scan against my.hostname.org (129.x.x.x)
> > Adding open port 32774/tcp
> > Adding open port 15/tcp
> > Adding open port 31337/tcp
> > Adding open port 1524/tcp
> > Adding open port 111/tcp
> > Adding open port 1/tcp
> > Adding open port 32771/tcp
> > Adding open port 79/tcp
> > Adding open port 54320/tcp
> > Adding open port 22/tcp
> > Adding open port 540/tcp
> > Adding open port 587/tcp
> > Adding open port 12346/tcp
> > Adding open port 1080/tcp
> > Adding open port 25/tcp
> > Adding open port 119/tcp
> > Adding open port 11/tcp
> > Adding open port 27665/tcp
> > Adding open port 6667/tcp
> > Adding open port 80/tcp
> > Adding open port 635/tcp
> > Adding open port 21/tcp
> > Adding open port 32773/tcp
> > Adding open port 143/tcp
> > Adding open port 32772/tcp
> > Adding open port 12345/tcp
> > Adding open port 2000/tcp
> > The SYN Stealth Scan took 157 seconds to scan 1601 ports.
> > Warning:  OS detection will be MUCH less reliable because we did not fi=
nd at least 1 open and 1 closed TCP port
> > For OSScan assuming that port 1 is open and port 35689 is closed and ne=
ither are firewalled
> > For OSScan assuming that port 1 is open and port 44468 is closed and ne=
ither are firewalled
> > For OSScan assuming that port 1 is open and port 31999 is closed and ne=
ither are firewalled
> > Interesting ports on herald.medill.northwestern.edu (129.105.51.6):
> > (The 1574 ports scanned but not shown below are in state: filtered)
> > Port       State       Service
> > 1/tcp      open        tcpmux                 =20
> > 11/tcp     open        systat                 =20
> > 15/tcp     open        netstat                =20
> > 21/tcp     open        ftp                    =20
> > 22/tcp     open        ssh                    =20
> > 25/tcp     open        smtp                   =20
> > 79/tcp     open        finger                 =20
> > 80/tcp     open        http                   =20
> > 111/tcp    open        sunrpc                 =20
> > 119/tcp    open        nntp                   =20
> > 143/tcp    open        imap2                  =20
> > 540/tcp    open        uucp                   =20
> > 587/tcp    open        submission             =20
> > 635/tcp    open        unknown                =20
> > 1080/tcp   open        socks                  =20
> > 1524/tcp   open        ingreslock             =20
> > 2000/tcp   open        callbook               =20
> > 6667/tcp   open        irc                    =20
> > 12345/tcp  open        NetBus                 =20
> > 12346/tcp  open        NetBus                 =20
> > 27665/tcp  open        Trinoo_Master          =20
> > 31337/tcp  open        Elite                  =20
> > 32771/tcp  open        sometimes-rpc5         =20
> > 32772/tcp  open        sometimes-rpc7         =20
> > 32773/tcp  open        sometimes-rpc9         =20
> > 32774/tcp  open        sometimes-rpc11        =20
> > 54320/tcp  open        bo2k                   =20
> > No exact OS matches for host (test conditions non-ideal).
> > TCP/IP fingerprint:
> > SInfo(V=3D3.00%P=3Di386-portbld-freebsd4.7%D=3D2/11%Time=3D3E490979%O=
=3D1%C=3D-1)
> > TSeq(Class=3DTR%IPID=3DI%TS=3D100HZ)
> > T1(Resp=3DY%DF=3DY%W=3DE000%ACK=3DS++%Flags=3DAS%Ops=3DMNWNNT)
> > T2(Resp=3DN)
> > T3(Resp=3DY%DF=3DY%W=3DE000%ACK=3DS++%Flags=3DAS%Ops=3DMNWNNT)
> > T4(Resp=3DY%DF=3DN%W=3D0%ACK=3DO%Flags=3DR%Ops=3D)
> > T5(Resp=3DN)
> > T6(Resp=3DN)
> > T7(Resp=3DN)
> > PU(Resp=3DN)
> >=20
> >=20
> > Uptime 0.007 days (since Tue Feb 11 08:21:40 2003)
> > TCP Sequence Prediction: Class=3Dtruly random
> >                          Difficulty=3D9999999 (Good luck!)
> > IPID Sequence Generation: Incremental
> >=20
> > Nmap run completed -- 1 IP address (1 host up) scanned in 179 seconds
> >=20
> >=20
> > any advice you could give would be appreciated.=20
> >=20
> > thanks
> > redmond
> >=20
> >=20
> > > >
> > > > i've managed to get it nat'ing one machine so far, the webserver. t=
he public
> > > > ip of the webserver is aliased to the external nic on the gateway m=
achine.
> > > > httpd and ftp work ok behind the gateway box.  i have many question=
s,
> > > > however.  the first being why - despite the firewall rules i have i=
n place
> > > > on the gateway, when i nmap the public ip of the webserver it shows=
 me all
> > > > sorts of ports being open.  i can't make out from my gateway config=
uration
> > > > where this is happening.
> > >=20
> > > What ports? is it TCP or UDP? UDP scanning is very prone to false pos=
itives.
> > > It would help if you post the nmap flags line you're using and the re=
sults,
> > > obsfuscate the IP if you don't want us to know it.
> > >=20
> > > Another posibility is some interception/transparent proxy on your ISP.
> > >=20
> > >=20
> > > 			Fer
> > >=20
> > > >
> > > > any advice would be appreciated
> > > >
> > > > thanks
> > > > redmond
> > > >
> > >=20
> --=20
> Nigel Houghton       Security Engineer        Sourcefire Inc.
>=20
> Specifications are for the weak and timid!
>=20
>=20
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>=20

--9zSXsLTf0vkW971A
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+SUn4FNjun16SvHYRAgHIAJ41BSnr7dajxVymxhaIamhsRNXK1wCfa8n0
LwymV8e6COhAxd/iPKJTzFE=
=NEoH
-----END PGP SIGNATURE-----

--9zSXsLTf0vkW971A--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030211190738.GB791>

Legal Notices | © 1995-2024 The FreeBSD Project. All rights reserved.

Contact