Re: an error in the NMAP docs?

[Barrie Dempster <barrie () reboot-robot net>]

Michael Herz wrote:
> Hi all,
>
> Is there an error in the NMAP docs? The --source_port section says:
>
> "Many naive firewall and packet filter installations make an exception in
> their rule-set to allow DNS (53) or FTP-DATA (20) packets to  come  through
> and establish a connection. Obviously this completely subverts the security
> advantages of the firewall since intruders can just masquerade  as FTP or
> DNS by modifying their source port."
>
> This implies that the hole in a packet filtered machine exists if it has
> allowed inbound DNS or FTP connections. I don't believe this is true. I
> think the hole only exists if the machine has allowed outbound (ie client)
> connections from the machine. For example if the machine allowed outbound
> DNS client requests to the world, using --source_port 53 would exploit the
> hole.

The manual is quite correct, if you allow incoming requests from port 53 
to any random port internally to *establish a connection*. This 
represents a hole. The attacker can target any port he wishes as long as 
his source is 53. This is a common firewall misconfiguration.


--
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

blog: http://zeedo.blogspot.com
site: http://www.bsrf.org.uk
CA: www.cacert.org

"He who hingeth aboot, getteth hee-haw" - Victor (Still Game)

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature