From owner-freebsd-questions Mon Jan 7 2:11:11 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from stereophonic.noops.org (adsl-63-195-97-84.dsl.snfc21.pacbell.net [63.195.97.84]) by hub.freebsd.org (Postfix) with SMTP id 4275237B41A for ; Mon, 7 Jan 2002 02:11:08 -0800 (PST)
Received: (qmail 13995 invoked by uid 1000); 7 Jan 2002 10:11:08 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 7 Jan 2002 10:11:08 -0000
Date: Mon, 7 Jan 2002 02:11:08 -0800 (PST)
From: Thomas Cannon
To: Joe Parks
Cc:
Subject: Re: weird problems with ipfw rule not applying itself...
In-Reply-To:
Message-ID: <20020107020803.E13438-100000@stereophonic.noops.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

I believe NMAP will tell you a UDP port is open when you do not receive a
connection reset from scanning it. When you scan TCP, it sends a SYN, and
gets a SYN/ACK... but UDP is connectionless, so nmap has to guess a whole
lot more, and sometimes gets it wrong.

I'd bet that the port is blocked, but your computer isn't sending back a
RST the way it would if UDP traffic came to a port that wasn't expecting it.

Thomas

On Mon, 7 Jan 2002, Joe Parks wrote:

> I have a 4.4-RELEASE acting as a gateway. When I start out, my ruleset
> looks like this:
>
> gateway# ipfw show
> 00100 43866683 26545107129 allow ip from any to any
> 65535 0 0 deny ip from any to any
>
> Simple. Let everything through, and it works great. So then I decided to
> completely block UDP port 514 (syslogd), so I issued this command:
>
> ipfw add 00050 deny udp from any to any 514
>
> So now my ruleset looks like this:
>
> gateway# ipfw show
> 00050 0 0 deny udp from any to any 514
> 00100 43866913 26545121843 allow ip from any to any
> 65535 0 0 deny ip from any to any
>
> So far, so good. The problem is, then I run `nmap` from an off-network
> site, and nmap tells me that UDP 514 is _open_ (!) How can this be?
>
> So I go back to the firewall and 'ipfw show' again, and I get:
>
> gateway# ipfw show
> 00050 5 140 deny udp from any to any 514
> 00100 43866913 26545121843 allow ip from any to any
> 65535 0 0 deny ip from any to any
>
> So as you can see, the counters for the UDP 514 rule were incremented and
> everything! So how come nmap still shows UDP 514 as "open"?
>
> As a test, I closed some TCP ports with the exact same command (but with
> tcp, and port 443 this time) and nmap said those ports are filtered... so
> that works... and I also tried with UDP port 161, but again, the rule is in,
> the rule counters even get incremented, but nmap still says the port is
> OPEN.
>
> How can this be?
>
> Any help appreciated - thanks!
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
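The behaviour both messages describe comes down to what the scanner can observe on the wire. An ipfw `deny` (alias `drop`) rule discards the datagram silently, so the probe counters go up but nothing is ever sent back; an `unreach port` action instead answers with an ICMP port-unreachable, which is also what the kernel sends for a UDP port with no listener. A UDP scanner has no SYN/ACK to look for, so nmap classifies ports from the reply it gets: a UDP reply means open, ICMP type 3 code 3 means closed, another ICMP unreachable means filtered, and no reply at all is reported by current nmap as open|filtered (the nmap of 2002 simply printed it as open, which is what Joe saw). The model below is an added illustration, not code from either message or from nmap or ipfw; the first-match rule evaluation, the host-side responses and the scenario rule sets are constructed here to mirror the thread, and retry counts and port sets are assumptions.

```python
"""Why a silently dropping ipfw rule makes a UDP scanner report 'open'.

Added example modelling the exchange in the thread; not nmap's or ipfw's
own code. It reproduces only the pieces that matter here: ipfw first-match
semantics for allow / deny / unreach, the gateway's reply to a UDP datagram
the firewall let through, and nmap's UDP port-state decision.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# What the scanning host can observe in reply to one UDP probe.
NO_RESPONSE = "no_response"
UDP_REPLY = "udp_reply"
ICMP_PORT_UNREACH = "icmp_port_unreachable"      # ICMP type 3, code 3
ICMP_OTHER_UNREACH = "icmp_other_unreachable"    # e.g. filter-prohib (3/13)


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                 # "allow", "deny", "unreach port", "unreach filter-prohib"
    proto: str                  # "udp", "tcp" or "ip" (ip matches any protocol)
    dst_port: Optional[int]     # None matches any destination port


def firewall_decision(rules: List[Rule], proto: str, dst_port: int) -> str:
    """ipfw-style evaluation: lowest rule number first, first match wins.
    ipfw's implicit final rule 65535 is 'deny' in the thread's ruleset."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.proto not in (proto, "ip"):
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        return rule.action
    return "deny"


def host_response(listening: FrozenSet[int], replying: FrozenSet[int], dst_port: int) -> str:
    """Reply of the gateway's IP stack to a UDP datagram the firewall passed.
    A service that answers (DNS-like) -> UDP reply; a silent listener such as
    syslogd -> nothing; no listener at all -> ICMP port unreachable."""
    if dst_port in replying:
        return UDP_REPLY
    if dst_port in listening:
        return NO_RESPONSE
    return ICMP_PORT_UNREACH


def probe(rules: List[Rule], listening: FrozenSet[int], replying: FrozenSet[int], dst_port: int) -> str:
    """One UDP probe as seen from the scanner's side."""
    decision = firewall_decision(rules, "udp", dst_port)
    if decision == "allow":
        return host_response(listening, replying, dst_port)
    if decision == "deny":
        return NO_RESPONSE                 # silent drop: counters move, no packet back
    if decision == "unreach port":
        return ICMP_PORT_UNREACH           # indistinguishable from 'no listener'
    if decision.startswith("unreach"):
        return ICMP_OTHER_UNREACH
    raise ValueError(f"unmodelled ipfw action: {decision}")


def nmap_udp_state(observations: List[str]) -> str:
    """nmap's UDP port-state rules applied to the replies of all retries.
    nmap before 3.70 printed the last case as plain 'open'."""
    if UDP_REPLY in observations:
        return "open"
    if ICMP_PORT_UNREACH in observations:
        return "closed"
    if ICMP_OTHER_UNREACH in observations:
        return "filtered"
    return "open|filtered"


def scan(rules: List[Rule], listening: FrozenSet[int], replying: FrozenSet[int] = frozenset(),
         dst_port: int = 514, retries: int = 2) -> str:
    """Send the probe retries+1 times (nmap retransmits UDP probes) and classify."""
    observations = [probe(rules, listening, replying, dst_port) for _ in range(retries + 1)]
    return nmap_udp_state(observations)


# Constructed scenarios mirroring the thread: the gateway runs syslogd on udp/514.
ALLOW_ALL = [Rule(100, "allow", "ip", None)]
DENY_514 = [Rule(50, "deny", "udp", 514)] + ALLOW_ALL                   # Joe's rule
UNREACH_514 = [Rule(50, "unreach port", "udp", 514)] + ALLOW_ALL        # alternative
PROHIB_514 = [Rule(50, "unreach filter-prohib", "udp", 514)] + ALLOW_ALL
SYSLOGD_ONLY = frozenset({514})

if __name__ == "__main__":
    for name, rules in [("allow all", ALLOW_ALL), ("deny udp 514", DENY_514),
                        ("unreach port udp 514", UNREACH_514),
                        ("unreach filter-prohib udp 514", PROHIB_514)]:
        print(f"{name:32s} -> udp/514 {scan(rules, SYSLOGD_ONLY)}")
```

Running it shows the point of the thread: with `deny udp from any to any 514` the scanner gets no reply and reports open|filtered (old nmap: open), and it reports the same thing with no rule at all, because syslogd never answers a probe. Only `unreach port` turns the verdict into closed, at the cost of telling the scanner a firewall is there; whether that is desirable is a policy choice, not a correctness fix.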