Re: failed shields up test



On Sat, 22 Dec 2007, in the Usenet newsgroup alt.os.linux.suse, in article
<20071222141727.5553f33a@xxxxxxxxxxxxxxxxxxxxxxx>, Malcolm wrote:

> You could also use an external shell account to do your testing from.

A lot depends on what you have access to. For testing a firewall, I
disconnect the network cable that leads to the world, and connect to
a laptop that is configured to mimic the upstream connection (ISP's
gateway device). This includes setting MAC address if applicable (it
is in most cases), and the IP address of that device. I then run a
probing application like nmap on this laptop, and probe my firewall.
This allows me to use ANY protocols, any ports, or IP addresses without
worrying about what the ISP may think. Thus, I can be as subtle, or as
crude as I want because the packets are remaining on my hardware.

If this is not practical for you, but you have access to another
system _on_the_Internet_ where you can install (or access) a probing
tool like nmap, you can probe from there. While this will show you
what your system looks like from the "outside", it has several
significant disadvantages. First and foremost is that you might be
making the ISPs involved VERY UNHAPPY, and there might be punitive
results (you could lose your accounts). Second, your probing may
encounter other filters - possibly run by your ISP - that may mask
what is actually happening with _your_ system. Because of these two
disadvantages, you can't be as aggressive (or crude) in your testing.

Of course, before you start abusing the network with probes like this,
you should first see what your system thinks is open. You can do this
without risk of the wrath of your ISP. All it takes is

[compton ~]$ netstat -antu
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
[compton ~]$

and we discover that the ONLY port that is open on this system is port
22/tcp (SSH). You can't tell it from here, but the service is actually
restricted to a handful of addresses (I can't see any reason to allow
connections from you or anyone else that I haven't approved in advance,
and I really don't expect authorized users to be connecting from Korea,
Kenya, Kuwait or Kazakhstan or a lot of other places either). And
unlike many probe tools (such as nmap [1]), this is looking at ALL TCP
and UDP ports all at once.

Old guy

[1] Most probes default to a limited number of tested ports - if you
read the nmap man page and look at the -p option, you find that it
defaults to scanning about 1670 out of 65536 ports, or about 2,5%.
'nmap' can be very useful, but you really _do_ have to read the
instructions or you'll get a false indication. BAD security.
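A small parser for the `netstat -antu` listing the post relies on, added here as an example and not part of the original post. It reports every listening TCP socket and every bound UDP socket that is not confined to loopback, i.e. what an outside probe could possibly reach; the sample output it runs on is constructed in the same format as the post's listing.

```python
# Added example: parse `netstat -antu` output and list sockets that are
# reachable from outside the host. Sample output below is constructed.
from typing import List, Tuple

# Constructed sample in the format `netstat -antu` prints (not a real capture).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:22          192.168.1.9:51234       ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*
"""

LOOPBACK_PREFIXES = ("127.", "::1")


def split_addr(addr: str) -> Tuple[str, int]:
    """Split 'host:port'; host may be IPv4, IPv6 (':::80' -> '::') or wildcard."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def exposed_listeners(netstat_output: str) -> List[Tuple[str, str, int]]:
    """Return (proto, host, port) for each listening TCP socket and each
    bound UDP socket whose local address is not loopback-only.

    This reads the kernel's own socket table, so unlike a scanner's default
    port list it covers every one of the 65536 ports for both protocols.
    """
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue  # skip header lines and anything that is not a socket row
        proto, local = fields[0], fields[3]
        state = fields[5] if len(fields) > 5 else ""
        # TCP rows carry a state column and only LISTEN is a server socket;
        # UDP rows have no state, so any bound UDP socket counts.
        if proto.startswith("tcp") and state != "LISTEN":
            continue
        host, port = split_addr(local)
        if host.startswith(LOOPBACK_PREFIXES):
            continue  # bound to loopback only: not visible from the wire
        found.append((proto, host, port))
    return sorted(found, key=lambda t: (t[0], t[2]))


if __name__ == "__main__":
    for proto, host, port in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{proto:5} {host}:{port}")
```

Pipe real output in with `netstat -antu | python3 this_script.py` by replacing `SAMPLE_NETSTAT` with `sys.stdin.read()` if you want to run it against your own host.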