Security Basics mailing list archives
RE: nmap status question
From: "Thomas Ng" <thomas () singcert org sg>
Date: Tue, 29 Jul 2003 09:10:24 +0800
Correct me if I'm wrong. I believe it goes something like this.

If a host is not blocked by any firewall and assuming only port 80 is listening on the host....

1. You send a syn to host:80, it will try to do a tcp handshake and reply with something like "I'm here, service open, ready for your request". Nmap will see this as "open".
2. You send a syn to host:81 (which is not listening), it will send back a msg saying that there is no service listening to the port. Nmap will see this as "closed".

However, if the host is blocked by a firewall on all ports except 80 ....

1. You send a syn to host:80, the same thing happens, it will reply.
2. You send a syn to host:81, it will be blocked by the firewall. Depending on how your firewall is configured, it may just simply drop this packet. Meaning there is no reply message at all. The firewall sees a packet to port 81 which it is blocking and simply deletes this packet off the network.

So there you are .. waiting for a syn/ack if the port is listening, or a port not listening error msg ... but you receive none. So nmap times out that connection and assumes that the port is "filtered" by a firewall.

Also, I believe nmap is clever enough such that it checks whether the IP is alive first. It does this either by ping, or if there is a reply (either port listening or port closed) message from the same IP. So if you see a reply from the IP from different ports, but not port 81, it assumes port 81 is "filtered" by a firewall or something.

Thomas

-----Original Message-----
From: marc brown [mailto:marc.brown () watsonwyatt com]
Sent: Tuesday, July 29, 2003 2:03 AM
To: security-basics () securityfocus com
Subject: nmap status question

i am new to linux but after getting my rh9 box running i have started to use nmap to do some scanning of my networks. can someone tell me exactly what it means when the state of a particular port is 'filtered'?

thanks,
marc
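Added example (not part of the original message, and not nmap's own code): the open / closed / filtered decision described in the reply above, written as a small Python classifier. It assumes a full TCP connect rather than a bare SYN, infers host liveness only from replies on other ports (no ping), and the names probe and classify and the reply sets are constructed for illustration.

```python
import socket

def probe(host, port, timeout=1.0):
    """One full TCP connect attempt; report what came back."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "synack"          # handshake completed
    except ConnectionRefusedError:
        return "rst"                 # host answered: nothing listening
    except OSError:
        return "none"                # timeout or unreachable: no TCP reply

def classify(replies):
    """Map {port: 'synack'|'rst'|'none'} to port states.

    A silent port is called 'filtered' only when some other port on the
    same IP replied, which shows the host itself is up.
    """
    host_alive = any(r != "none" for r in replies.values())
    states = {}
    for port, reply in replies.items():
        if reply == "synack":
            states[port] = "open"
        elif reply == "rst":
            states[port] = "closed"
        elif host_alive:
            states[port] = "filtered"
        else:
            states[port] = "unknown (host may be down)"
    return states

# Constructed reply sets matching the scenarios in the message.
NO_FIREWALL = {80: "synack", 81: "rst"}
DROPPING_FIREWALL = {80: "synack", 81: "none"}
SILENT_HOST = {80: "none", 81: "none"}

if __name__ == "__main__":
    for name, replies in [("no firewall", NO_FIREWALL),
                          ("dropping firewall", DROPPING_FIREWALL),
                          ("silent host", SILENT_HOST)]:
        print(name, classify(replies))
    # Live check against the local machine only (loopback).
    ports = (22, 80, 81)
    print(classify({p: probe("127.0.0.1", p, 0.5) for p in ports}))
```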