Firewall Wizards mailing list archives

Re: PIX responding with SYN+ACK to SYN+ACK probe sent on open port


From: Martin Mačok <martin.macok () underground cz>
Date: Wed, 12 Jan 2005 11:28:02 +0100

On Tue, Jan 11, 2005 at 11:18:09AM -0600, L Cubed wrote:

> > Please, could you test sending SYN+ACK probe against an open port on
> > your PIX boxes and drop me a note what happens in your case? Do you
> > get (a) nothing (b) ICMP unreachable (c) RST or (d) SYN+ACK reply?
> >
> > % hping2 -S -A -c 1 -p <open_tcp_port> <pix>
>
> Answer is: A
> Cisco PIX Firewall Version 6.1(4)

Did you really run it against an open TCP port? (i.e. the one for which
you get (D) when sending just a "-S" packet?)

Is it the default configuration of the PIX, or is there something
changed/turned on/off?

On Tue, Jan 11, 2005 at 12:10:05PM -0600, L Cubed wrote:

> However, if you send it to an open udp port, you do get a response...
>
> abox# /usr/sbin/hping2 -S -A -c 1 -p 500 a.b.c.d
> HPING a.b.c.d (fxp a.b.c.d): SA set, 40 headers + 0 data bytes
> len=46 ip=a.b.c.d ttl=44 id=63207 sport=500 flags=RA seq=0 win=512 rtt=75.7 ms

This way, you were not sending the packet to a UDP port but to TCP port
500, and you are getting a TCP RST+ACK response (=> closed TCP port).

JFYI, the other two responses I received off-list confirm the
SYN+ACK -> SYN+ACK behaviour. I'm going to contact Cisco soon...

Thank you

Martin Mačok
ICT Security Consultant
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
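The reasoning in the message above (flags=RA means RST+ACK, hence a closed TCP port; a SYN+ACK answer to a SYN+ACK probe is the behaviour worth reporting) can be turned into a small checker for hping2 output. This is an added example, not code from the thread or from hping2: it parses hping2 reply lines of the form quoted above, maps each reply to the (a)/(c)/(d) categories from the question, and marks (d) as the deviation, since RFC 793 (section 3.9, "SEGMENT ARRIVES") has a port with no matching connection answer any ACK-bearing segment with a RST. The sample output is constructed (the first reply line mirrors the one quoted in the thread; the second is made up to show the SYN+ACK case), and ICMP unreachable replies, category (b), are not parsed here.

```python
import re

# Constructed hping2 output, modelled on the reply line quoted in the thread.
# tcp/500 answers RST+ACK (closed port); tcp/443 is a constructed line showing
# the SYN+ACK -> SYN+ACK behaviour the thread is about.
SAMPLE_OUTPUT = """\
HPING a.b.c.d (fxp a.b.c.d): SA set, 40 headers + 0 data bytes
len=46 ip=a.b.c.d ttl=44 id=63207 sport=500 flags=RA seq=0 win=512 rtt=75.7 ms
len=46 ip=a.b.c.d ttl=44 id=63208 sport=443 flags=SA seq=0 win=8192 rtt=71.2 ms
"""

# Matches one hping2 TCP reply line; the banner line does not match and is skipped.
REPLY_RE = re.compile(
    r"len=(?P<len>\d+) ip=(?P<ip>\S+) ttl=(?P<ttl>\d+) id=(?P<id>\d+) "
    r"sport=(?P<sport>\d+) flags=(?P<flags>[A-Z]*) seq=(?P<seq>\d+) "
    r"win=(?P<win>\d+) rtt=(?P<rtt>[\d.]+) ms"
)

# hping2 prints TCP flags as single letters.
FLAG_NAMES = {"F": "FIN", "S": "SYN", "R": "RST", "P": "PSH", "A": "ACK", "U": "URG"}


def parse_hping_output(text):
    """Return one dict per TCP reply line, with flags expanded to a frozenset of names."""
    replies = []
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if not m:
            continue
        reply = m.groupdict()
        reply["flags"] = frozenset(FLAG_NAMES[c] for c in reply["flags"])
        for key in ("len", "ttl", "id", "sport", "seq", "win"):
            reply[key] = int(reply[key])
        reply["rtt"] = float(reply["rtt"])
        replies.append(reply)
    return replies


def classify_reply(reply):
    """Map a parsed reply (or None for no reply) to the categories from the thread."""
    if reply is None:
        return "a"          # (a) nothing: probe dropped silently
    flags = reply["flags"]
    if "RST" in flags:
        return "c"          # (c) RST, with or without ACK (flags=RA in the quoted line)
    if {"SYN", "ACK"} <= flags:
        return "d"          # (d) SYN+ACK: the probe was treated as a new connection
    return "other"


def audit_syn_ack_probe(text):
    """Classify each reply to a SYN+ACK probe and flag the ones RFC 793 does not allow.

    RFC 793 section 3.9: a port with no matching connection (CLOSED or LISTEN)
    answers any incoming segment that carries ACK with a RST, so (c) is the
    conforming answer and a SYN+ACK reply (d) is the deviation to report.
    Returns (source port, category, anomalous) per reply.
    """
    results = []
    for reply in parse_hping_output(text):
        category = classify_reply(reply)
        results.append((reply["sport"], category, category == "d"))
    return results


if __name__ == "__main__":
    for sport, category, anomalous in audit_syn_ack_probe(SAMPLE_OUTPUT):
        note = "  <-- not RFC 793 behaviour" if anomalous else ""
        print(f"tcp/{sport}: reply category ({category}){note}")
```

Run against the real output of the hping2 command quoted in the thread to get one line per probed port; a port reported as (d) is the case Martin is collecting reports on.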
