Security Basics mailing list archives
Re: Is there a firewall in place?
From: "Gabi" <gabi333 () home ro>
Date: Tue, 16 Nov 2004 22:16:33 +0200 (E. Europe Standard Time)
-------Original Message------- Is it possible to tell if a machine you're port scanning is protected by a firewall of some sort? That is, to tell if the scan is checking the ports open and passed through a firewall, or whether the scan is scanning the actual machine? The machine in question is running W2K, although nmap's OS detection fails to confirm that. Are there any tell tale signs that there's a filtering box in the way? --------------------------------------- Basically nmap figures out if the scanned ports are closed or filtered. If it finds ports in closed mode it usually means that the box is not protected by any firewall. If it states the ports as being filtered it means that somewhere on the way a firewall received the packet and decided not to respond. Knowing where the firewall actually is can be done (also known as 3D mapping), but is a little bit tricky. The technique is also known as firewalking (check http://www.packetfactory.net/Projects/firewalk/ ) . You could also test this using special crafted packets sent by hping.
Current thread:
- Is there a firewall in place? Derek Fountain (Nov 15)
- Re: Is there a firewall in place? xyberpix (Nov 16)
- <Possible follow-ups>
- Re: Is there a firewall in place? Ivan Coric (Nov 16)
- Re: Is there a firewall in place? Gabi (Nov 16)