
Re: funny nmap results



On Tue, Apr 15, 2003 at 11:21:40AM +0000, Francois Briere wrote:
> Your ISP?
> I have the same result here; my ISP blocks ports 21/80/443.
> Or look at your modem/router.
> 

You can easily test this by running tcpdump -i $ext_int port 1434 on
your box, then nmapping it from a remote box. If you get no traffic, I'd
say it's your ISP, as mentioned.

Clint

> On Tue, 15 Apr 2003 10:56:22 -0400 (EDT)
> Steven Sluter <loverman_(_at_)_sidehack_(_dot_)_gweep_(_dot_)_net> wrote:
> 
> > So I am somewhat concerned about being rooted.  This is the result of a
> > scan on my OpenBSD 3.1 firewall:
> > 
> > Starting nmap V. 2.54BETA32 ( www.insecure.org/nmap/ )
> > Warning:  You are not root -- using TCP pingscan rather than ICMP
> > RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
> > Interesting ports on x:
> > (xxx.xxx.xxx.xxx):
> > (The 1551 ports scanned but not shown below are in state: closed)
> > Port       State       Service
> > 80/tcp     filtered    http
> > 1434/tcp   filtered    ms-sql-m
> > 5631/tcp   filtered    pcanywheredata
> > 
> > 
> > 
> > 
> > I don't have http or ms-sql in my ruleset for pf.  So what should I be
> > looking for?
> > 
> > -Steve
> > 
> > 
> > 
> > #--------------------------------------------------------------------------
> > # PF ruleset, 11 dec. 2001
> > #
> > # Liberally adapted from the pf man page, the OpenBSD "Network How-To",
> > # and my own rulesets.
> > #--------------------------------------------------------------------------
> > #--------------------------------------------------------------------------
> > # Definition
> > Ext = "tun0"  # External interface
> > Int = "xl0"  # Internal interface
> > Int2 = "dc0"  # DMZ
> > Loop = "lo0"  # Loopback interface
> > 
> > IntNet="192.168.0.1/24" # Internal network
> > 
> > NoRoute = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"
> > 
> > FTPPORTS="{ 55000 >< 57000 }"
> > 
> > InServicesTCP = "{ }"
> > 
> > #InServicesUDP = "{ domain }"
> > 
> > OutServicesTCP = "{ http, https, smtp, pop3, whois, domain, ssh, ftp, telnet, ntp }"
> > 
> > OutServices2TCP = "{ smtp, ssh, ftp, ntp, http, domain, https }"
> > 
> > OutServicesUDP = "{ ntp, domain }"
> > 
> > #--------------------------------------------------------------------------
> > #--------------------------------------------------------------------------
> > # Clean up fragmented and abnormal packets
> > # By default in pf, packets which contain IP options are blocked. Good.
> > 
> > scrub in on { $Ext, $Int,$Int2 } all
> > 
> > #--------------------------------------------------------------------------
> > #-------------------------------------------------------------------------
> > # Defaults
> > # block and log everything
> > 
> > block out log on $Ext all
> > block in log on $Ext all
> > block return-rst out log on $Ext proto tcp all
> > block return-rst in log on $Ext proto tcp all
> > block return-icmp out log on $Ext proto udp all
> > block return-icmp in log on $Ext proto udp all
> > block in quick inet6 all
> > block out quick inet6 all
> > 
> > #-------------------------------------------------------------------------
> > #--------------------------------------------------------------------------
> > # loopback packets left unmolested
> > 
> > pass in quick on $Loop all
> > pass out quick on $Loop all
> > 
> > #--------------------------------------------------------------------------
> > #-------------------------------------------------------------------------
> > # Immediate blocks
> > # fuzz any 'nmap' attempt
> > 
> > block in log quick on $Ext inet proto tcp from any to any flags FUP/FUP
> > block in log quick on $Ext inet proto tcp from any to any flags SF/SFRA
> > block in log quick on $Ext inet proto tcp from any to any flags /SFRA
> > 
> > # don't allow anyone to spoof non-routeable addresses
> > 
> > block in log quick on $Ext from $NoRoute to any
> > block out log quick on $Ext from any to $NoRoute
> > 
> > # silently drop broadcasts (cable modem noise)
> > 
> > block in quick on $Ext from any to 255.255.255.255
> > 
> > #-------------------------------------------------------------------------
> > #-------------------------------------------------------------------------
> > # PASS rules
> > #pass in data mode connections for ftp-proxy running on this host.
> > 
> > pass in log quick on tun0 inet proto tcp from any to any port $FTPPORTS flags S/SA keep state
> > 
> > pass out log quick on tun0 inet proto tcp from any to any port > 1024 flags S/SA keep state
> > 
> > #active ftp
> > 
> > pass in log quick on tun0 proto tcp from any port 20 to tun0 port $FTPPORTS flags S/SA keep state
> > 
> > # ICMP
> > pass out quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state
> > pass in quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state
> > 
> > # Services we provide to the outside world
> > 
> > # pc anywhere
> > 
> > pass in log quick on tun0 inet proto tcp from any to any port 5631 keep state
> > 
> > pass in log quick on tun0 inet proto udp from any to any port 5632 keep state
> > 
> > #postgreSQL
> > pass in log quick on $Int inet proto udp from any to $Int port 5432
> > 
> > # Standard services we want to access in the world
> > 
> > pass in log quick on $Ext inet proto tcp from any to any port $InServicesTCP flags S/SA keep state
> > 
> > pass out quick on $Ext inet proto udp from any to any port $OutServicesUDP keep state
> > 
> > pass out quick on $Ext inet proto tcp from any to any port $OutServicesTCP flags S/SA modulate state
> > 
> 
> 
> -- 
> / Francois Briere 	                     francois_(_at_)_blackside_(_dot_)_bsd_(_dot_)_st /
> / OpenPG Public key:     	        http://blackside.ca.tc/pub.asc /
> / Key fingerprint = A917 6EE8 AE73 ECCE 6CE0  EA8E 1980 2CE5 2154 4E7B /
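The reasoning behind the replies above, worked through as an added Python example that is not part of the thread: nmap reports "filtered" when no reply at all comes back and "closed" when a RST does, and the quoted pf.conf answers unwanted TCP on the external interface with "block return-rst", so a port that pf itself handles should never look filtered. The script parses the nmap table from the original post (embedded here as a constructed sample) and flags the filtered ports the local ruleset alone cannot explain, which is what the suggested tcpdump-while-scanning test would confirm directly. The pass ranges are read by hand from the quoted ruleset (port 5631 and the exclusive ftp-proxy range "55000 >< 57000"); the function names and the summary-line parsing are this example's own.

```python
import re

# Constructed sample: the nmap 2.54BETA32 port table quoted in the thread.
NMAP_OUTPUT = """\
Interesting ports on x:
(xxx.xxx.xxx.xxx):
(The 1551 ports scanned but not shown below are in state: closed)
Port       State       Service
80/tcp     filtered    http
1434/tcp   filtered    ms-sql-m
5631/tcp   filtered    pcanywheredata
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")
SUMMARY_LINE = re.compile(
    r"\(The (\d+) ports scanned but not shown below are in state: (\w+)\)")

# TCP ports the quoted pf.conf passes in on the external interface (tun0):
# 5631 (pcAnywhere) and the ftp-proxy data range "55000 >< 57000", which pf
# treats as an exclusive range. $InServicesTCP is "{ }", so it adds nothing.
POSTER_PASS_RANGES = [(5631, 5631), (55001, 56999)]


def parse_nmap(text):
    """Return ({(port, proto): state}, (count, state) for the unlisted ports)."""
    states = {}
    summary = None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            states[(int(m.group(1)), m.group(2))] = m.group(3)
            continue
        m = SUMMARY_LINE.match(line)
        if m:
            summary = (int(m.group(1)), m.group(2))
    return states, summary


def passed_by_pf(port, pass_ranges):
    """True if a 'pass in' rule on the external interface covers this TCP port."""
    return any(lo <= port <= hi for lo, hi in pass_ranges)


def expected_state(port, pass_ranges, default_returns_rst):
    """What a probe to `port` should see if only the local pf decided."""
    if passed_by_pf(port, pass_ranges):
        # pf lets the SYN through: the kernel answers SYN/ACK (listener) or
        # RST (no listener). Either way the scanner gets a reply.
        return "open-or-closed"
    # Hit by the default block: return-rst answers with a RST (nmap says
    # "closed"); a plain silent block answers nothing (nmap says "filtered").
    return "closed" if default_returns_rst else "filtered"


def upstream_filtered(states, pass_ranges, default_returns_rst=True):
    """TCP ports nmap calls 'filtered' although the local pf would have replied.

    Those probes never reached pf, so something between the scanner and the
    firewall (ISP, modem/router) dropped them. A tcpdump on the external
    interface during the scan shows the same thing: nothing arrives for them.
    """
    result = []
    for (port, proto), state in sorted(states.items()):
        if proto != "tcp" or state != "filtered":
            continue
        if expected_state(port, pass_ranges, default_returns_rst) != "filtered":
            result.append(port)
    return result


if __name__ == "__main__":
    states, summary = parse_nmap(NMAP_OUTPUT)
    print("unlisted ports:", summary)
    print("dropped upstream of pf:", upstream_filtered(states, POSTER_PASS_RANGES))
```

With the poster's return-rst default, all three filtered ports come out as upstream drops: 80 and 1434 would have drawn a RST from pf, and 5631 is passed in, so the kernel would have answered either way. The 1551 "closed" ports in the summary line are the return-rst rule doing its job. If the ruleset used a silent block instead, only 5631 would stand out.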


