From owner-freebsd-questions@FreeBSD.ORG Thu Oct 7 20:56:44 2004
Message-ID: <4165AD88.6030109@etherealconsulting.com>
Date: Thu, 07 Oct 2004 15:56:40 -0500
From: Norm Vilmer
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040910
To: Chuck Swiger
cc: freebsd-questions@freebsd.org
Subject: Re: nmap'ing myself
References: <416595F3.1030601@etherealconsulting.com> <4165A1FF.5080906@mac.com>
In-Reply-To: <4165A1FF.5080906@mac.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
X-AntiVirus: checked by Vexira Milter 1.0.6; VAE 6.28.0.3; VDF 6.28.0.7
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Thu, 07 Oct 2004 20:56:44 -0000

Chuck Swiger wrote:
> Norm Vilmer wrote:
> [ ... ]
>
>> My question is: from a "well" configured firewall, "Should" I be able
>> to nmap the public interface using a console session on the firewall
>> itself?
>
> Sure. nmap should return close to zero open ports.
>
>> Will allowing this compromise the security of the machine?
>
> nmap doesn't compromise the security of your machine. Having open ports
> connected to vulnerable services is the primary security risk.
>
>> Basically, should I even attempt to make this work?
>
> What is "this"?
>
>> What's a good way to test your own firewall without driving down
>> the road (and hacking into an unsecured linksys wireless router....
>> just kidding)?
>
> Put another machine on the subnet of your external interface, and do an
> nmap scan from there. That represents what your ISP would see, or a bad
> guy who compromised the ISP possibly up through the DSL modem you have.

Sorry about the ambiguity, I was referring to loosening my firewall rules and other settings to allow nmap to work properly. If it "should" work, then I have things either misconfigured or tightened down too much.

Connecting a machine to the public subnet won't work for me. My ISP uses PPPoE; I have one static IP assigned to my firewall's MAC address. I tried it, just to see if it would assign the other machine a dynamic IP if I made a PPPoE connection, but it doesn't.

I tried the ShieldsUp website, but it did not work from links (gui-less).
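An added example, not from this thread or either poster, for the host-side half of Chuck's point that open ports on vulnerable services are the real risk: before worrying about whether nmap can be run against the public interface, inventory what the firewall itself is listening on. The script parses FreeBSD `sockstat -4l` output (a constructed sample is embedded; the allowlist of intended ports and the assumption that the packet filter is the only other barrier are the example's own) and reports every listener bound to something other than loopback that is not on the allowlist.

```python
"""Inventory of FreeBSD `sockstat -4l` listeners (added example, not from the thread).
Assumption: the packet filter is the only other barrier between these and the outside."""
import sys
from typing import List, NamedTuple

# Constructed sample of `sockstat -4l` output, not taken from a real host.
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       712   4  tcp4   *:22                  *:*
root     sendmail   705   3  tcp4   127.0.0.1:25          *:*
root     named      640   20 udp4   192.168.1.1:53        *:*
root     named      640   21 tcp4   192.168.1.1:53        *:*
root     syslogd    512   6  udp4   *:514                 *:*
"""

class Listener(NamedTuple):
    command: str
    proto: str
    addr: str   # "*" means bound to every address, external interface included
    port: int

def parse_sockstat(text: str) -> List[Listener]:
    """Turn sockstat data rows into Listener records; the header row is skipped."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[0] == "USER":   # data rows have 7 columns
            continue
        addr, _, port = fields[5].rpartition(":")     # LOCAL ADDRESS is addr:port
        out.append(Listener(fields[1], fields[4], addr, int(port)))
    return out

def externally_bound(listeners: List[Listener]) -> List[Listener]:
    """Listeners not confined to loopback: the ones an outside scan could reach."""
    return [l for l in listeners if not l.addr.startswith("127.")]

def unexpected(listeners: List[Listener], allowed: set) -> List[Listener]:
    """Externally bound listeners whose (proto, port) is not on the allowlist."""
    return [l for l in externally_bound(listeners) if (l.proto, l.port) not in allowed]

if __name__ == "__main__":
    # Real use: `sockstat -4l | python3 this_script.py`; with no stdin the sample runs.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for l in unexpected(parse_sockstat(text), {("tcp4", 22)}):   # only sshd is intended
        print(f"{l.command} listens on {l.proto} {l.addr}:{l.port} -- review the ruleset")
```

Anything this reports should either be bound to an internal address only, be blocked explicitly on the external interface, or be turned off; a scan from outside, as Chuck describes, then confirms the ruleset actually does that.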