From owner-freebsd-security Tue Feb 11 06:28:05 2003
Date: Tue, 11 Feb 2003 08:18:31 -0600
From: Redmond Militante
To: Fernando Gleiser
Cc: freebsd-security@freebsd.org
Subject: Re: n00b ipf/ipnat questions
Message-ID: <20030211141831.GB824@darkpossum>
In-Reply-To: <20030211090154.R30313-100000@cactus.fi.uba.ar>
References: <20030211002256.GA824@darkpossum> <20030211090154.R30313-100000@cactus.fi.uba.ar>
User-Agent: Mutt/1.4i

Hi,

Thanks for responding. I made a few changes last night to my config, but I still see open ports when I run nmap, despite my ipf.rules. If you like, I can post my updated config, although it's not that different... TCP ports seem to be open. I'm using:

nmap -sS -v -O my.hostname.org

Here are the results of an nmap run:

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host my.hostname.org (129.x.x.x) appears to be up ... good.
Initiating SYN Stealth Scan against my.hostname.org (129.x.x.x)
Adding open port 32774/tcp
Adding open port 15/tcp
Adding open port 31337/tcp
Adding open port 1524/tcp
Adding open port 111/tcp
Adding open port 1/tcp
Adding open port 32771/tcp
Adding open port 79/tcp
Adding open port 54320/tcp
Adding open port 22/tcp
Adding open port 540/tcp
Adding open port 587/tcp
Adding open port 12346/tcp
Adding open port 1080/tcp
Adding open port 25/tcp
Adding open port 119/tcp
Adding open port 11/tcp
Adding open port 27665/tcp
Adding open port 6667/tcp
Adding open port 80/tcp
Adding open port 635/tcp
Adding open port 21/tcp
Adding open port 32773/tcp
Adding open port 143/tcp
Adding open port 32772/tcp
Adding open port 12345/tcp
Adding open port 2000/tcp
The SYN Stealth Scan took 157 seconds to scan 1601 ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
For OSScan assuming that port 1 is open and port 35689 is closed and neither are firewalled
For OSScan assuming that port 1 is open and port 44468 is closed and neither are firewalled
For OSScan assuming that port 1 is open and port 31999 is closed and neither are firewalled
Interesting ports on herald.medill.northwestern.edu (129.105.51.6):
(The 1574 ports scanned but not shown below are in state: filtered)
Port       State       Service
1/tcp      open        tcpmux
11/tcp     open        systat
15/tcp     open        netstat
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
79/tcp     open        finger
80/tcp     open        http
111/tcp    open        sunrpc
119/tcp    open        nntp
143/tcp    open        imap2
540/tcp    open        uucp
587/tcp    open        submission
635/tcp    open        unknown
1080/tcp   open        socks
1524/tcp   open        ingreslock
2000/tcp   open        callbook
6667/tcp   open        irc
12345/tcp  open        NetBus
12346/tcp  open        NetBus
27665/tcp  open        Trinoo_Master
31337/tcp  open        Elite
32771/tcp  open        sometimes-rpc5
32772/tcp  open        sometimes-rpc7
32773/tcp  open        sometimes-rpc9
32774/tcp  open        sometimes-rpc11
54320/tcp  open        bo2k

No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SInfo(V=3.00%P=i386-portbld-freebsd4.7%D=2/11%Time=3E490979%O=1%C=-1)
TSeq(Class=TR%IPID=I%TS=100HZ)
T1(Resp=Y%DF=Y%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)

Uptime 0.007 days (since Tue Feb 11 08:21:40 2003)
TCP Sequence Prediction: Class=truly random
                         Difficulty=9999999 (Good luck!)
IPID Sequence Generation: Incremental

Nmap run completed -- 1 IP address (1 host up) scanned in 179 seconds

Any advice you could give would be appreciated.

thanks
redmond

> > I've managed to get it NATing one machine so far, the webserver. The public
> > IP of the webserver is aliased to the external NIC on the gateway machine.
> > httpd and ftp work OK behind the gateway box. I have many questions,
> > however. The first being why, despite the firewall rules I have in place
> > on the gateway, when I nmap the public IP of the webserver it shows me all
> > sorts of ports being open. I can't make out from my gateway configuration
> > where this is happening.
>
> What ports? Is it TCP or UDP? UDP scanning is very prone to false positives.
> It would help if you post the nmap flags line you're using and the results;
> obfuscate the IP if you don't want us to know it.
>
> Another possibility is some interception/transparent proxy on your ISP.
>
> Fer
>
> > Any advice would be appreciated.
> >
> > thanks
> > redmond
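The report above is easier to reason about once the ports the box is meant to serve are separated from everything else nmap called open. The script below is an added example, not code from the thread or from FreeBSD; it parses an nmap 3.x port table (the sample is copied from the message), diffs it against an assumed set of intended listeners (21, 22, 25, 80 and 587 are assumptions: the thread only says httpd and ftp are served, the rest are what a host that relays mail typically exposes), and checks whether the leftover ports coincide with the default TCP_PORTS list shipped in portsentry.conf, a fact taken from that project's stock configuration rather than from the thread. A decoy scan detector that binds a fixed list of well-known trojan ports is one explanation for a scan like this that no packet-filter rule will ever change, so it is worth ruling out before touching ipf.rules again.

```python
"""Triage an nmap text report: which 'open' ports were expected, which were not,
and whether the unexpected ones look like a decoy listener's fixed port list.
Added example; sample input is the port table quoted in the message above."""
import re

# Constructed sample: port table copied from the nmap run in the message.
SAMPLE_REPORT = """\
Interesting ports on herald.medill.northwestern.edu (129.105.51.6):
(The 1574 ports scanned but not shown below are in state: filtered)
Port       State       Service
1/tcp      open        tcpmux
11/tcp     open        systat
15/tcp     open        netstat
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
79/tcp     open        finger
80/tcp     open        http
111/tcp    open        sunrpc
119/tcp    open        nntp
143/tcp    open        imap2
540/tcp    open        uucp
587/tcp    open        submission
635/tcp    open        unknown
1080/tcp   open        socks
1524/tcp   open        ingreslock
2000/tcp   open        callbook
6667/tcp   open        irc
12345/tcp  open        NetBus
12346/tcp  open        NetBus
27665/tcp  open        Trinoo_Master
31337/tcp  open        Elite
32771/tcp  open        sometimes-rpc5
32772/tcp  open        sometimes-rpc7
32773/tcp  open        sometimes-rpc9
32774/tcp  open        sometimes-rpc11
54320/tcp  open        bo2k
"""

# Assumption: the TCP services this host is supposed to expose. The thread
# confirms only httpd and ftp; ssh, smtp and submission are guesses.
EXPECTED_TCP = {21, 22, 25, 80, 587}

# Default TCP_PORTS from the stock portsentry.conf (fact about that project,
# not something stated in the thread). PortSentry binds these as decoys.
PORTSENTRY_DEFAULT_TCP = {
    1, 11, 15, 79, 111, 119, 143, 540, 635, 1080, 1524, 2000, 5742, 6667,
    12345, 12346, 20034, 27665, 31337, 32771, 32772, 32773, 32774, 40421,
    49724, 54320,
}

# One row of the nmap 3.x port table: "<port>/<proto>  <state>  <service>".
PORT_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)


def parse_ports(report):
    """Return a list of (port, proto, state, service) tuples from the report."""
    return [(int(port), proto, state, service)
            for port, proto, state, service in PORT_LINE.findall(report)]


def triage(report, expected=EXPECTED_TCP):
    """Split open TCP ports into expected/unexpected and test the decoy hypothesis."""
    open_tcp = {port for port, proto, state, _ in parse_ports(report)
                if proto == "tcp" and state == "open"}
    unexpected = open_tcp - expected
    return {
        "expected_open": sorted(open_tcp & expected),
        "expected_missing": sorted(expected - open_tcp),
        "unexpected_open": sorted(unexpected),
        # True when every unexpected port is in PortSentry's default list.
        "all_unexpected_are_decoy_ports": unexpected <= PORTSENTRY_DEFAULT_TCP,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run against the quoted table, `triage` reports all five assumed services open, none missing, 22 unexpected open ports, and that every one of those 22 sits in PortSentry's default decoy list. That is a hypothesis, not a diagnosis: confirm it on the FreeBSD host itself with `sockstat -4l`, which lists the process bound to each listening port. If a process is bound there, the ports really are open and the packet filter is not where the fix belongs; if nothing is bound yet the scan still says open, something between the scanner and the host (the ipnat gateway or an upstream device, as the earlier reply suggested) is answering the SYNs.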