Nmap Development mailing list archives
RE: Nmap and Watchguard firewalls
From: Mike Crabtree <mike () imjc com>
Date: Wed, 25 May 2005 01:56:16 +0100
I meant an application proxy - not a caching proxy. AFAIK any application level/application proxy *HAS* to alter things if it's going to filter anything without breaking lower level protocols on the client. Besides, the Watchguard page explicitly says that's what the Watchguard does - as per my second quote - packets are reassembled. It's the changes to the incoming packets done by the Watchgaurd that cause nmap to fingerprint it as a watchguard - because all the responses that nmap gets from the internet hosts have been re-assembled by the watchguard. Cisco PIX's call this "Fixup" and you can enable or disable it by protocol. Mike -----Original Message----- From: Kern, Tom [mailto:tkern () CHARMER COM] Sent: 25 May 2005 01:27 To: check; nmap-dev () insecure org Subject: RE: Nmap and Watchguard firewalls When they say "proxy", they just mean application layer firewall. It doesn't do caching proxy like ISA or or other types of firewalls. I think app level firewalls only inspect, they don't alter anything or change seq or port #'s.( i'm not positive) also, my watchguard only runs a dns and ftp proxy. everything else is a stateful packet filter. as to the "packet handling" comment, thats only incoming not outgoing, afaik. thanks a lot -----Original Message----- From: check [mailto:check () imjc com] Sent: Tuesday, May 24, 2005 8:01 PM To: 'nmap-dev () insecure org' Subject: RE: Nmap and Watchguard firewalls http://www.guardsite.com/IntrusionPrevention.asp
From that site:
With our Firebox(r) System and Firebox(r) Vclass firewall/VPN appliances, you get a matured technology that gives you the benefits of true layered security in one appliance: Inspects and filters Application layer 7 traffic << If it does Layer 7 as that says i.e. proxies - then nmap's more than likely to show everything as a watchguard - because the packets come from the watchguard and all the sequences numbers etc. that nmap uses are generated by the watchguard. At least that's how I'd understand it. Anyways - they confirm it later on :-)
In addition, WatchGuard firewalls perform: Packet Handling - prevents packets from entering the network until they are reassembled and examined. << Mike -----Original Message----- From: Kern, Tom [mailto:tkern () CHARMER COM] Sent: 24 May 2005 19:06 To: Jorge Luis Jimenez; 'Nmap-Dev (E-mail) Subject: RE: Nmap and Watchguard firewalls I'm sorry, I don't think I'm being clear here. I want to know WHY nmap seems to fingerprint the firewall when i'm scanning any host outside the firewall? I'm not running any kind of proxy. I'd like to know why this happens. Besides, turning off the firewall for the duration of a scan seems risky to me... Jorge Luis Jimenez wrote:
Proved with -sS why you can't disable the fw you are the administrator right? Jorge Luis Jimenez Tech and Network Support SIASoft Santo Domingo, Republica Dominicana Ofic.809-530-7638, Cel.809-304-1660 Fax.809-537-6603 Email j.jimenez () siasoft net Email jorgel.jimenez () gmail com -----Original Message----- From: Kern, Tom [mailto:tkern () CHARMER COM] Sent: Tuesday, May 24, 2005 1:33 PM To: Jorge Luis Jimenez Subject: RE: Nmap and Watchguard firewalls I want to know the techincal reason why when i do a scan with nmap from behind a Watchguard firewall, I don't get the host i'm scanning but the attrubutes of the firewall instead? Is this Watchguard or namp? Why is it happening? Thanks Jorge Luis Jimenez wrote:What is the really do yo want Jorge Luis Jimenez Tech and Network Support SIASoft Santo Domingo, Republica Dominicana Ofic.809-530-7638, Cel.809-304-1660 Fax.809-537-6603 Email j.jimenez () siasoft net Email jorgel.jimenez () gmail com -----Original Message----- From: Kern, Tom [mailto:tkern () CHARMER COM] Sent: Tuesday, May 24, 2005 11:44 AM To: Jorge Luis Jimenez Subject: RE: Nmap and Watchguard firewalls I can't disable my FW just to port scan a host. Do you or anyone knows why this occurs? thanks Jorge Luis Jimenez wrote:I have more less the same problem but I have isa Server I disable the isa Server and the nmap working show me my open port Jorge Luis Jimenez Tech and Network Support SIASoft Santo Domingo, Republica Dominicana Ofic.809-530-7638, Cel.809-304-1660 Fax.809-537-6603 Email j.jimenez () siasoft net Email jorgel.jimenez () gmail com -----Original Message----- From: Kern, Tom [mailto:tkern () CHARMER COM] Sent: Tuesday, May 24, 2005 11:31 AM To: Jorge Luis Jimenez Subject: RE: Nmap and Watchguard firewalls Sorry, I only speak english. My apologies Jorge Luis Jimenez wrote:Please contac me by j.jimenez () siasot net not by Hotmail.com if you speake spanish better Jorge Luis Jimenez Tech and Network Support SIASoft Santo Domingo, Republica Dominicana Ofic.809-530-7638, Cel.809-304-1660 Fax.809-537-6603 Email j.jimenez () siasoft net Email jorgel.jimenez () gmail com -----Original Message----- From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org] On Behalf Of Kern, Tom Sent: Tuesday, May 24, 2005 9:16 AM To: nmap-dev () insecure org Subject: Nmap and Watchguard firewalls Hi. I don't know if this is the appropriate place to send this email so i apologize in advance. I have an issue where i'm running an nmap scan against my interent router(cisco). This router sits in front of a Watchguard firebox X firewall. Whenever i run the scan, the fingerprint that I get back is the Watchguard itself. This happens when I run it against my home network(or any host outside the firewall). It always comes back as Watchguard. I run nmap with the -vv sS -O switches against the ip of the host. I've run nmap from a Windows xp sp1 box and a RedHat Enterprise Linux box. Same result. Also, the linux box is not NAT/PATed by the firewall or router. The router does no NAT. The firewall is running an smtp and dns proxy. All the other services are stateful packet inspection. Watchguard has been silent on the issue but it seems the firebox x is doing some rewriting but I can't tell for sure. When i run ethereal from the nmap host, i can see the packets going to the destination ok. However, at the router, when i run a packet filter, i see nothing going to the destination i'm nmaping or the source nmap host. I was wondering if you knew of any isses with nmap and Watchguard. I apologize again if this is the wrong place to email this or for wasting your time. Thank you _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev
Current thread:
- Nmap and Watchguard firewalls Kern, Tom (May 24)
- Re: Nmap and Watchguard firewalls MadHat (May 24)
- <Possible follow-ups>
- RE: Nmap and Watchguard firewalls Kern, Tom (May 24)
- Re: Nmap and Watchguard firewalls Matthew Heine (May 24)
- RE: Nmap and Watchguard firewalls Kern, Tom (May 24)
- RE: Nmap and Watchguard firewalls Alex R (May 24)
- RE: Nmap and Watchguard firewalls check (May 24)
- RE: Nmap and Watchguard firewalls Kern, Tom (May 24)
- RE: Nmap and Watchguard firewalls Mike Crabtree (May 24)
- RE: Nmap and Watchguard firewalls Mike Crabtree (May 24)
- RE: Nmap and Watchguard firewalls Paul Hieb (Jun 02)