From owner-freebsd-security Tue Feb 11 08:07:57 2003
Date: Tue, 11 Feb 2003 09:58:40 -0600
From: Redmond Militante
To: Stephen Hilton, freebsd-security@freebsd.org
Subject: Re: n00b ipf/ipnat questions
Message-ID: <20030211155840.GA2733@darkpossum>
References: <20030211002256.GA824@darkpossum> <20030211090154.R30313-100000@cactus.fi.uba.ar> <20030211141831.GB824@darkpossum> <20030211090331.2e16f1c0.nospam@hiltonbsd.com>
In-Reply-To: <20030211090331.2e16f1c0.nospam@hiltonbsd.com>
User-Agent: Mutt/1.4i

hi

ok.

netstat -na | grep LISTEN on the box i'm nmapping from
-------
tcp4       0      0  *.10000                *.*                    LISTEN
tcp4       0      0  *.3306                 *.*                    LISTEN
tcp4       0      0  *.21                   *.*                    LISTEN
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  *.587                  *.*                    LISTEN
tcp4       0      0  *.25                   *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp46      0      0  *.22                   *.*                    LISTEN

netstat -na | grep LISTEN on the gateway box
-------
tcp4       0      0  *.587                  *.*                    LISTEN
tcp4       0      0  *.25                   *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp46      0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.54320                *.*                    LISTEN
tcp4       0      0  *.49724                *.*                    LISTEN
tcp4       0      0  *.40421                *.*                    LISTEN
tcp4       0      0  *.32774                *.*                    LISTEN
tcp4       0      0  *.32773                *.*                    LISTEN
tcp4       0      0  *.32772                *.*                    LISTEN
tcp4       0      0  *.32771                *.*                    LISTEN
tcp4       0      0  *.31337                *.*                    LISTEN
tcp4       0      0  *.27665                *.*                    LISTEN
tcp4       0      0  *.20034                *.*                    LISTEN
tcp4       0      0  *.12346                *.*                    LISTEN
tcp4       0      0  *.12345                *.*                    LISTEN
tcp4       0      0  *.6667                 *.*                    LISTEN
tcp4       0      0  *.5742                 *.*                    LISTEN
tcp4       0      0  *.2000                 *.*                    LISTEN
tcp4       0      0  *.1524                 *.*                    LISTEN
tcp4       0      0  *.1080                 *.*                    LISTEN
tcp4       0      0  *.635                  *.*                    LISTEN
tcp4       0      0  *.540                  *.*                    LISTEN
tcp4       0      0  *.143                  *.*                    LISTEN
tcp4       0      0  *.119                  *.*                    LISTEN
tcp4       0      0  *.111                  *.*                    LISTEN
tcp4       0      0  *.79                   *.*                    LISTEN
tcp4       0      0  *.15                   *.*                    LISTEN
tcp4       0      0  *.11                   *.*                    LISTEN
tcp4       0      0  *.1                    *.*                    LISTEN

netstat -na | grep LISTEN on the webserver behind gateway
-------
tcp4       0      0  *.21                   *.*                    LISTEN
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  *.587                  *.*                    LISTEN
tcp4       0      0  *.25                   *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp46      0      0  *.22                   *.*                    LISTEN

thanks
redmond

> Redmond Militante wrote:
> 
> > hi
> > 
> > thanks for responding
> > i made a few changes last night to my config, but i still see open ports when i run nmap, despite my ipf.rules. if you like, i can post my updated config, although it's not that different...
> > 
> > tcp ports seem to be open. i'm using: nmap -sS -v -O my.hostname.org
> > here's the results of an nmap run
> > 
> > 
> > Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> > Host my.hostname.org (129.x.x.x) appears to be up ... good.
> > Initiating SYN Stealth Scan against my.hostname.org (129.x.x.x)
> > Adding open port 32774/tcp
> > Adding open port 15/tcp
> > Adding open port 31337/tcp
> > Adding open port 1524/tcp
> > Adding open port 111/tcp
> > Adding open port 1/tcp
> > Adding open port 32771/tcp
> > Adding open port 79/tcp
> > Adding open port 54320/tcp
> > Adding open port 22/tcp
> > Adding open port 540/tcp
> > Adding open port 587/tcp
> > Adding open port 12346/tcp
> > Adding open port 1080/tcp
> > Adding open port 25/tcp
> > Adding open port 119/tcp
> > Adding open port 11/tcp
> > Adding open port 27665/tcp
> > Adding open port 6667/tcp
> > Adding open port 80/tcp
> > Adding open port 635/tcp
> > Adding open port 21/tcp
> > Adding open port 32773/tcp
> > Adding open port 143/tcp
> > Adding open port 32772/tcp
> > Adding open port 12345/tcp
> > Adding open port 2000/tcp
> > The SYN Stealth Scan took 157 seconds to scan 1601 ports.
> > Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
> > For OSScan assuming that port 1 is open and port 35689 is closed and neither are firewalled
> > For OSScan assuming that port 1 is open and port 44468 is closed and neither are firewalled
> > For OSScan assuming that port 1 is open and port 31999 is closed and neither are firewalled
> > Interesting ports on herald.medill.northwestern.edu (129.105.51.6):
> > (The 1574 ports scanned but not shown below are in state: filtered)
> > Port       State       Service
> > 1/tcp      open        tcpmux
> > 11/tcp     open        systat
> > 15/tcp     open        netstat
> > 21/tcp     open        ftp
> > 22/tcp     open        ssh
> > 25/tcp     open        smtp
> > 79/tcp     open        finger
> > 80/tcp     open        http
> > 111/tcp    open        sunrpc
> > 119/tcp    open        nntp
> > 143/tcp    open        imap2
> > 540/tcp    open        uucp
> > 587/tcp    open        submission
> > 635/tcp    open        unknown
> > 1080/tcp   open        socks
> > 1524/tcp   open        ingreslock
> > 2000/tcp   open        callbook
> > 6667/tcp   open        irc
> > 12345/tcp  open        NetBus
> > 12346/tcp  open        NetBus
> > 27665/tcp  open        Trinoo_Master
> > 31337/tcp  open        Elite
> > 32771/tcp  open        sometimes-rpc5
> > 32772/tcp  open        sometimes-rpc7
> > 32773/tcp  open        sometimes-rpc9
> > 32774/tcp  open        sometimes-rpc11
> > 54320/tcp  open        bo2k
> > No exact OS matches for host (test conditions non-ideal).
> > TCP/IP fingerprint:
> > SInfo(V=3.00%P=i386-portbld-freebsd4.7%D=2/11%Time=3E490979%O=1%C=-1)
> > TSeq(Class=TR%IPID=I%TS=100HZ)
> > T1(Resp=Y%DF=Y%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
> > T2(Resp=N)
> > T3(Resp=Y%DF=Y%W=E000%ACK=S++%Flags=AS%Ops=MNWNNT)
> > T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
> > T5(Resp=N)
> > T6(Resp=N)
> > T7(Resp=N)
> > PU(Resp=N)
> > 
> > 
> > Uptime 0.007 days (since Tue Feb 11 08:21:40 2003)
> > TCP Sequence Prediction: Class=truly random
> >                          Difficulty=9999999 (Good luck!)
> > IPID Sequence Generation: Incremental
> > 
> > Nmap run completed -- 1 IP address (1 host up) scanned in 179 seconds
> > 
> > 
> > any advice you could give would be appreciated.
> > 
> > thanks
> > redmond
> > 
> > 
> > > > i've managed to get it nat'ing one machine so far, the webserver. the public
> > > > ip of the webserver is aliased to the external nic on the gateway machine.
> > > > httpd and ftp work ok behind the gateway box. i have many questions,
> > > > however. the first being why - despite the firewall rules i have in place
> > > > on the gateway, when i nmap the public ip of the webserver it shows me all
> > > > sorts of ports being open. i can't make out from my gateway configuration
> > > > where this is happening.
> > > 
> > > What ports? is it TCP or UDP? UDP scanning is very prone to false positives.
> > > It would help if you post the nmap flags line you're using and the results,
> > > obfuscate the IP if you don't want us to know it.
> > > 
> > > Another possibility is some interception/transparent proxy on your ISP.
> 
> 
> How about a 'netstat -na | grep LISTEN' output from each box.
> I think this may help the gurus get a better picture.
> Again, sanitize IP's if necessary.
> ;-)
> 
> Regards,
> 
> Stephen Hilton
> nospam@hiltonbsd.com
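The question the thread is circling is which machine is actually answering each port that nmap reports open on the NAT'ed public address: the gateway itself, the webserver behind it, or neither. The script below is an added example, not code posted by anyone in the thread. It parses BSD `netstat -na | grep LISTEN` lines and the two shapes nmap 3.x uses to report an open TCP port, then attributes each externally visible port to the host(s) listening on it. The sample inputs are constructed from the three listings and the scan result quoted above; the column layout of the netstat lines is rendered by a helper and is an assumption about the exact whitespace, not the poster's verbatim output.

```python
"""Reconcile BSD 'netstat -na | grep LISTEN' listings with an nmap scan.

Added example (not from the list thread). Given what each box listens
on and what nmap saw open on the NAT'ed public address, report which
host explains each open port and which listeners never showed up.
"""
import re

# BSD netstat row: proto  recv-q  send-q  local-address  foreign-address  state.
# The local address is "addr.port" ("*.22", "127.0.0.1.25"), so the port is
# whatever follows the last dot.
NETSTAT_LISTEN = re.compile(r"^(tcp\d*)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\s*$")

# nmap 3.x reports an open TCP port in two shapes: the verbose progress line
# "Adding open port 22/tcp" and the final table row "22/tcp open ssh".
NMAP_ADDING = re.compile(r"Adding open port (\d+)/tcp")
NMAP_TABLE = re.compile(r"^\s*(\d+)/tcp\s+open\b")


def listening_tcp_ports(netstat_output):
    """Return the set of TCP ports in LISTEN state (tcp4 and tcp46 merged)."""
    ports = set()
    for line in netstat_output.splitlines():
        m = NETSTAT_LISTEN.match(line.strip())
        if m:
            ports.add(int(m.group(2).rsplit(".", 1)[1]))
    return ports


def nmap_open_tcp_ports(nmap_output):
    """Return the set of TCP ports nmap reported open, in either output shape."""
    ports = set()
    for line in nmap_output.splitlines():
        m = NMAP_ADDING.search(line) or NMAP_TABLE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def reconcile(open_ports, gateway_listen, behind_listen):
    """Attribute each externally open port to the host(s) that listen on it."""
    return {
        "gateway_only": (open_ports & gateway_listen) - behind_listen,
        "behind_only": (open_ports & behind_listen) - gateway_listen,
        "both": open_ports & gateway_listen & behind_listen,
        "unexplained": open_ports - gateway_listen - behind_listen,
        "gateway_not_seen": gateway_listen - open_ports,
        "behind_not_seen": behind_listen - open_ports,
    }


# --- constructed sample data, taken from the figures posted in the thread ---
GATEWAY_PORTS = [587, 25, 22, 54320, 49724, 40421, 32774, 32773, 32772, 32771,
                 31337, 27665, 20034, 12346, 12345, 6667, 5742, 2000, 1524,
                 1080, 635, 540, 143, 119, 111, 79, 15, 11, 1]
WEBSERVER_PORTS = [21, 80, 587, 25, 22]
NMAP_OPEN = [32774, 15, 31337, 1524, 111, 1, 32771, 79, 54320, 22, 540, 587,
             12346, 1080, 25, 119, 11, 27665, 6667, 80, 635, 21, 32773, 143,
             32772, 12345, 2000]


def netstat_text(ports):
    """Render FreeBSD-style netstat LISTEN rows (whitespace is an assumption)."""
    rows = [f"tcp4       0      0  *.{p:<21}*.*                    LISTEN" for p in ports]
    # sshd also binds the v6 socket; a duplicate *.22 row must not double count
    rows.append("tcp46      0      0  *.22                   *.*                    LISTEN")
    return "\n".join(rows)


GATEWAY_NETSTAT = netstat_text(GATEWAY_PORTS)
WEBSERVER_NETSTAT = netstat_text(WEBSERVER_PORTS)
NMAP_OUTPUT = "\n".join(
    ["Starting nmap V. 3.00 ( www.insecure.org/nmap/ )"]
    + [f"Adding open port {p}/tcp" for p in NMAP_OPEN]
    + ["The SYN Stealth Scan took 157 seconds to scan 1601 ports.",
       "(The 1574 ports scanned but not shown below are in state: filtered)",
       "Port       State       Service",
       "22/tcp     open        ssh"]          # table row, exercises NMAP_TABLE
)


def analyse_thread_sample():
    """Run the reconciliation over the constructed sample and return the report."""
    gw = listening_tcp_ports(GATEWAY_NETSTAT)
    web = listening_tcp_ports(WEBSERVER_NETSTAT)
    seen = nmap_open_tcp_ports(NMAP_OUTPUT)
    return reconcile(seen, gw, web)


if __name__ == "__main__":
    for key, ports in analyse_thread_sample().items():
        print(f"{key:>17}: {sorted(ports)}")
```

On the thread's figures the report shows every port nmap called open is a listener on the gateway or on the webserver (nothing unexplained), only 21 and 80 are served exclusively by the webserver, 22/25/587 are listeners on both boxes, and four gateway listeners (5742, 20034, 40421, 49724) did not appear in the scan at all. In other words the scan of the aliased public address is mostly describing the gateway's own sockets, which is the first thing to verify before blaming the ipf rules.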