Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 8 Jan 2002 00:46:38 -0800
From:      "Crist J. Clark" <cristjc@earthlink.net>
To:        Thomas Cannon <tcannon@noops.org>
Cc:        Joe Parks <pleaseworky@hotmail.com>, freebsd-questions@FreeBSD.ORG
Subject:   Re: weird problems with ipfw rule not applying itself...
Message-ID:  <20020108004638.H286@gohan.cjclark.org>
In-Reply-To: <20020107020803.E13438-100000@stereophonic.noops.org>; from tcannon@noops.org on Mon, Jan 07, 2002 at 02:11:08AM -0800
References:  <F190cCoF7D5YnYccyeE00018dfa@hotmail.com> <20020107020803.E13438-100000@stereophonic.noops.org>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Mon, Jan 07, 2002 at 02:11:08AM -0800, Thomas Cannon wrote:
> 
> I believe NMAP will tell you a UDP port is open when you do not recieve a
> connection reset from scanning it. When you scan TCP, is sends a SYN, and
> gets a SYN/ACK... but UDP is connectionless, so nmap has to guess a whole
> lot more, and sometimes gets it wrong. I'd bet that the port is blocked,
> but your computer isn't sending back a RST the way it would if UDP traffic
> come to a port that wasn't expecting it.

You're close. nmap sends a UDP packet to a given port. If it receives
an ICMP port unreachable message, the port is closed. If it receives
nothing, the port is either "open" (something is listening and
accepting the datagrams) or the port is "filtered" (packets are
dropped). There is no way to really distinguish the two
conditions. However, if nmap finds that most of the UDP ports return
no response, it assumes they are all being filtered by a firewall and
reports "filtered." If just a few ports give no response, but many do
return ICMP unreachables, it assumes there is no filtering going on,
so it reports "open."

You have the second case. You are letting most UDP through, so nmap
gets all of the ICMP port unreachables back on the closed ports of the
target machine. When it gets no response back on 514, it assumes it is
because the port is listening. However, it is due to the fact you are
filtering it. nmap guessed wrong.
-- 
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020108004638.H286>