Security Basics mailing list archives
RE: an error in the NMAP docs?
From: "Fields, James" <James.Fields () bcbsfl com>
Date: Tue, 5 Apr 2005 08:39:36 -0400
The nmap docs are referring to an unusual but possible firewall configuration that would be in use only on the most basic of packet-filtering firewalls (i.e., no stateful inspection capabilities at all). There are some operations that come *from* established ports. DNS zone transfers should be requested *from* port 53, for example; and normal "non-passive" FTP connections create a connection FROM the server FROM port 20 back to an ephemeral port on the client for data transfers. Since there is no way to predict the necessary client ports, you'd allow (under this type of system) connections FROM port 20 to ALL high ports inbound. Obviously modern firewalls have many more capabilities like scanning FTP control connections to monitor for clients advertising port numbers...

-----Original Message-----
From: Michael Herz [mailto:mherz () uwaterloo ca]
Sent: Friday, April 01, 2005 11:05 AM
To: security-basics () securityfocus com
Subject: an error in the NMAP docs?

Hi all,

Is there an error in the NMAP docs? The --source_port section says:

"Many naive firewall and packet filter installations make an exception in their rule-set to allow DNS (53) or FTP-DATA (20) packets to come through and establish a connection. Obviously this completely subverts the security advantages of the firewall since intruders can just masquerade as FTP or DNS by modifying their source port."

This implies that the hole in a packet filtered machine exists if it has allowed inbound DNS or FTP connections. I don't believe this is true. I think the hole only exists if the machine has allowed outbound (i.e. client) connections from the machine. For example, if the machine allowed outbound DNS client requests to the world, using --source_port 53 would exploit the hole.

Any comments would be appreciated.
Mike
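
An added example, not part of either message above: a small audit over `iptables-save` output that flags the kind of rule this thread discusses, an inbound ACCEPT keyed on a source port (20 or 53 here) with no connection-state match. The rule lines are constructed samples and the function name `find_source_port_trust` is hypothetical.

```python
import shlex

# Constructed sample in iptables-save syntax (not taken from the thread).
SAMPLE_RULES = """\
-A INPUT -p tcp -m tcp --sport 20 --dport 1024:65535 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 53 -j ACCEPT
"""

STATE_OPTS = {"--ctstate", "--state"}                # conntrack / legacy state match
SPORT_OPTS = {"--sport", "--source-port", "--sports"}


def find_source_port_trust(ruleset, chains=("INPUT", "FORWARD")):
    """Return (line_no, chain, source_port) for each ACCEPT rule on an
    inbound chain that matches a source port without any state match."""
    findings = []
    for line_no, line in enumerate(ruleset.splitlines(), 1):
        tok = shlex.split(line, comments=True)
        if len(tok) < 2 or tok[0] != "-A" or tok[1] not in chains:
            continue
        sport, target, stateful = None, None, False
        for i, t in enumerate(tok[:-1]):
            negated = i > 0 and tok[i - 1] == "!"
            if t in SPORT_OPTS and not negated:
                sport = tok[i + 1]
            elif t in STATE_OPTS:
                stateful = True
            elif t in ("-j", "--jump"):
                target = tok[i + 1]
        # The packet's source port is chosen by the sender, so a stateless
        # ACCEPT on it admits any packet that carries that port number.
        if target == "ACCEPT" and sport and not stateful:
            findings.append((line_no, tok[1], sport))
    return findings


if __name__ == "__main__":
    for line_no, chain, sport in find_source_port_trust(SAMPLE_RULES):
        print(f"line {line_no}: {chain} accepts on source port {sport} with no state match")
```

The rule on sample line 4 is not flagged because it only accepts port-20 traffic that connection tracking has tied to an existing FTP control session, which is the stateful behaviour the reply contrasts with basic packet filters.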
Current thread:
- an error in the NMAP docs? Michael Herz (Apr 04)
- Re: an error in the NMAP docs? Barrie Dempster (Apr 05)
- RE: an error in the NMAP docs? David Gillett (Apr 06)
- RE: an error in the NMAP docs? Michael Herz (Apr 06)
- RE: an error in the NMAP docs? David Gillett (Apr 07)
- RE: an error in the NMAP docs? Michael Herz (Apr 07)
- RE: an error in the NMAP docs? David Gillett (Apr 08)
- RE: an error in the NMAP docs? Michael Herz (Apr 08)
- RE: an error in the NMAP docs? David Gillett (Apr 08)
- RE: an error in the NMAP docs? Michael Herz (Apr 08)
- RE: an error in the NMAP docs? Michael Herz (Apr 06)
- <Possible follow-ups>
- RE: an error in the NMAP docs? Fields, James (Apr 05)