Date: Tue, 11 Feb 2003 08:18:31 -0600
From: Redmond Militante <r-militante@northwestern.edu>
To: Fernando Gleiser <fgleiser@cactus.fi.uba.ar>
Cc: freebsd-security@freebsd.org
Subject: Re: n00b ipf/ipnat questions
Message-ID: <20030211141831.GB824@darkpossum>
In-Reply-To: <20030211090154.R30313-100000@cactus.fi.uba.ar>
References: <20030211002256.GA824@darkpossum> <20030211090154.R30313-100000@cactus.fi.uba.ar>
hi

thanks for responding

i made a few changes last night to my config, but i still see open ports when i run nmap, despite my ipf.rules. if you like, i can post my updated config, although it's not that different...

tcp ports seem to be open. i'm using: nmap -sS -v -O my.hostname.org

here's the results of an nmap run
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host my.hostname.org (129.x.x.x) appears to be up ... good.
Initiating SYN Stealth Scan against my.hostname.org (129.x.x.x)
Adding open port 32774/tcp
Adding open port 15/tcp
Adding open port 31337/tcp
Adding open port 1524/tcp
Adding open port 111/tcp
Adding open port 1/tcp
Adding open port 32771/tcp
Adding open port 79/tcp
Adding open port 54320/tcp
Adding open port 22/tcp
Adding open port 540/tcp
Adding open port 587/tcp
Adding open port 12346/tcp
Adding open port 1080/tcp
Adding open port 25/tcp
Adding open port 119/tcp
Adding open port 11/tcp
Adding open port 27665/tcp
Adding open port 6667/tcp
Adding open port 80/tcp
Adding open port 635/tcp
Adding open port 21/tcp
Adding open port 32773/tcp
Adding open port 143/tcp
Adding open port 32772/tcp
Adding open port 12345/tcp
Adding open port 2000/tcp
The SYN Stealth Scan took 157 seconds to scan 1601 ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
For OSScan assuming that port 1 is open and port 35689 is closed and neither are firewalled
For OSScan assuming that port 1 is open and port 44468 is closed and neither are firewalled
For OSScan assuming that port 1 is open and port 31999 is closed and neither are firewalled
Interesting ports on herald.medill.northwestern.edu (129.105.51.6):
(The 1574 ports scanned but not shown below are in state: filtered)
Port       State       Service
1/tcp      open        tcpmux
11/tcp     open        systat
15/tcp     open        netstat
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
79/tcp     open        finger
80/tcp     open        http
111/tcp    open        sunrpc
119/tcp    open        nntp
143/tcp    open        imap2
540/tcp    open        uucp
587/tcp    open        submission
635/tcp    open        unknown
1080/tcp   open        socks
1524/tcp   open        ingreslock
2000/tcp   open        callbook
6667/tcp   open        irc
12345/tcp  open        NetBus
12346/tcp  open        NetBus
27665/tcp  open        Trinoo_Master
31337/tcp  open        Elite
32771/tcp  open        sometimes-rpc5
32772/tcp  open        sometimes-rpc7
32773/tcp  open        sometimes-rpc9
32774/tcp  open        sometimes-rpc11
54320/tcp  open        bo2k
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SInfo(V=3.00%P=i386-portbld-freebsd4.7%D=2/11%Time=3E490979%O=1%C=-1)
TSeq(Class=TR%IPID=I%TS=100HZ)
T1(Resp=Y%DF=Y%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)
Uptime 0.007 days (since Tue Feb 11 08:21:40 2003)
TCP Sequence Prediction: Class=truly random
                         Difficulty=9999999 (Good luck!)
IPID Sequence Generation: Incremental
Nmap run completed -- 1 IP address (1 host up) scanned in 179 seconds
any advice you could give would be appreciated.

thanks
redmond
> >
> > i've managed to get it nat'ing one machine so far, the webserver. the public
> > ip of the webserver is aliased to the external nic on the gateway machine.
> > httpd and ftp work ok behind the gateway box. i have many questions,
> > however. the first being why - despite the firewall rules i have in place
> > on the gateway, when i nmap the public ip of the webserver it shows me all
> > sorts of ports being open. i can't make out from my gateway configuration
> > where this is happening.
>
> What ports? is it TCP or UDP? UDP scanning is very prone to false positives.
> It would help if you post the nmap flags line you're using and the results,
> obfuscate the IP if you don't want us to know it.
>
> Another possibility is some interception/transparent proxy on your ISP.
>
>
> Fer
>
> >
> > any advice would be appreciated
> >
> > thanks
> > redmond
> >
>
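The scan pasted above has a shape worth checking mechanically before trusting it: nmap reports 27 "open" ports, 1574 "filtered" and not a single "closed" one (nmap itself warns about that), and the open list includes ports nmap labels NetBus, Trinoo_Master, Elite and bo2k. That is the pattern Fernando's reply points at (something in the path answering probes rather than 27 real daemons), and it is also the pattern a reviewer wants a script to surface when reading scan reports in bulk. The following is an added example, not code from the thread or from the nmap project: a small parser for the nmap 3.x port table that tallies states and flags reports whose open list needs local verification (for example by listing listeners on the host itself). The embedded report is a constructed excerpt of the one in the message, with the hostname and address replaced by placeholders; the helper names and the service-name list are my own.

```python
"""Parse the port table of an nmap 3.x text report and summarise what it
claims.  Added example for this thread; nothing here is nmap's own code.
"""
import re
from collections import Counter

# Constructed excerpt of the nmap 3.00 report posted in the message.
# Hostname and IP are placeholders; the port table is as posted.
SAMPLE_REPORT = """\
Interesting ports on my.hostname.org (192.0.2.10):
(The 1574 ports scanned but not shown below are in state: filtered)
Port       State       Service
1/tcp      open        tcpmux
11/tcp     open        systat
15/tcp     open        netstat
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
79/tcp     open        finger
80/tcp     open        http
111/tcp    open        sunrpc
119/tcp    open        nntp
143/tcp    open        imap2
540/tcp    open        uucp
587/tcp    open        submission
635/tcp    open        unknown
1080/tcp   open        socks
1524/tcp   open        ingreslock
2000/tcp   open        callbook
6667/tcp   open        irc
12345/tcp  open        NetBus
12346/tcp  open        NetBus
27665/tcp  open        Trinoo_Master
31337/tcp  open        Elite
32771/tcp  open        sometimes-rpc5
32772/tcp  open        sometimes-rpc7
32773/tcp  open        sometimes-rpc9
32774/tcp  open        sometimes-rpc11
54320/tcp  open        bo2k
"""

# One table row: "<port>/<proto>  <state>  <service>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# nmap's summary of the ports it did not list individually.
HIDDEN_LINE = re.compile(
    r"\(The (\d+) ports scanned but not shown below are in state: (\w+)\)")

# Service names nmap 3.00 assigns to ports historically used by
# remote-control trojans and DDoS agents (all taken from the report above).
# A FreeBSD gateway reporting these "open" deserves a second look.
SUSPICIOUS_SERVICES = {"NetBus", "Trinoo_Master", "Elite", "bo2k"}


def parse_report(text):
    """Return (ports, hidden): ports is a list of (port, proto, state,
    service) tuples; hidden is a Counter of the states nmap collapsed into
    its '(The N ports ... not shown ...)' line."""
    ports, hidden = [], Counter()
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service = m.groups()
            ports.append((int(port), proto, state, service))
            continue
        m = HIDDEN_LINE.search(line)
        if m:
            hidden[m.group(2)] += int(m.group(1))
    return ports, hidden


def state_counts(ports, hidden):
    """Per-state totals, including the ports nmap only summarised."""
    counts = Counter(hidden)
    for _, _, state, _ in ports:
        counts[state] += 1
    return counts


def assess(text):
    """Summarise the report and say whether the open list looks like
    genuine listeners or like something answering every probe."""
    ports, hidden = parse_report(text)
    counts = state_counts(ports, hidden)
    suspicious = sorted(p for p, _, st, svc in ports
                        if st == "open" and svc in SUSPICIOUS_SERVICES)
    # No closed port at all plus "open" trojan ports is the signature of
    # a device or rule replying on the host's behalf; flag it for
    # verification against the host's real listener list.
    verify_locally = counts.get("closed", 0) == 0 and bool(suspicious)
    return {
        "open": counts.get("open", 0),
        "closed": counts.get("closed", 0),
        "filtered": counts.get("filtered", 0),
        "suspicious_ports": suspicious,
        "verify_locally": verify_locally,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

On the report in the message this yields 27 open, 0 closed, 1574 filtered and five flagged ports, so the script says to compare against the gateway's own listener list rather than assume the services exist; the scripted check generalises to any nmap 3.x text report, not just this one.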