From owner-freebsd-questions@FreeBSD.ORG  Thu Oct  7 20:07:49 2004
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B88F616A4CE
	for <freebsd-questions@freebsd.org>;
	Thu,  7 Oct 2004 20:07:49 +0000 (GMT)
Received: from pi.codefab.com (pi.codefab.com [199.103.21.227])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6AB7C43D4C
	for <freebsd-questions@freebsd.org>;
	Thu,  7 Oct 2004 20:07:49 +0000 (GMT)	(envelope-from cswiger@mac.com)
Received: from [192.168.1.3] (pool-68-160-246-51.ny325.east.verizon.net
	[68.160.246.51])
	by pi.codefab.com (8.12.11/8.12.11) with ESMTP id i97K7VU1029567
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Thu, 7 Oct 2004 16:07:33 -0400 (EDT)
Message-ID: <4165A1FF.5080906@mac.com>
Date: Thu, 07 Oct 2004 16:07:27 -0400
From: Chuck Swiger <cswiger@mac.com>
Organization: The Courts of Chaos
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
	rv:1.7.3) Gecko/20040910
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Norm Vilmer <norm@etherealconsulting.com>
References: <416595F3.1030601@etherealconsulting.com>
In-Reply-To: <416595F3.1030601@etherealconsulting.com>
X-Enigmail-Version: 0.86.1.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, hits=0.0 required=5.5 tests=none autolearn=no version=2.63
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on pi.codefab.com
cc: freebsd-questions@freebsd.org
Subject: Re: nmap'ing myself
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Oct 2004 20:07:49 -0000

Norm Vilmer wrote:
[ ... ]
> My question is: from a "well" configured firewall, "Should" I be able to 
> nmap the public interface using a console session on the firewall
> itself?

Sure.  nmap should return close to zero open ports.

> Will allowing this compromising security of the machine?

nmap doesn't compromise the security of your machine.  Having open ports 
connected to vulnerable services is the primary security risk.

> Basically, should I even attempt to make this work?

What is "this"?

> What's a good way to test your own firewall without driving down
> the road (and hacking into an unsecured linksys wireless router....
> just kidding)?

Put another machine on the subnet of your external interface, and do an nmap 
scan from there.  That represents what your ISP would see, or a bad guy who 
compromised the ISP possibly up through the DSL modem you have.

-- 
-Chuck