Penetration Testing mailing list archives
Re: [PEN-TEST] Closing Port 139
From: David Pick <D.M.Pick () QMW AC UK>
Date: Sat, 14 Oct 2000 19:31:23 +0100
Quote from Erik Birkholz:

NT 4.0 TCP/IP filtering is not stateful and does not recognize established connections. With that said, if you block all inbound TCP ports except 80 (situation originally described by Kasey Speakman in post) and block all UDP ports you will lose DNS resolution and the ability to establish a full TCP connection (FTP, Telnet, etc.). Win 2K TCP/IP filtering however, is stateful and will allow established connections. This means you will be able to establish a full TCP connection, but you will still lose the ability to resolve host names if you block UDP (stateless protocol).
Ah. So you mean that it will take note of the flag bits in a TCP packet header which indicate if it's a call setup or subsequent packet (the ACK bit), and the filters can check this bit; or do you mean that the code remembers that it has actually *seen* the setup packet before allowing the subsequent packets to pass? The first option is what the Cisco routers have done for ages, and what most host packet filter engines do; the second is what Darren Reed's "IPFilter" package does (it also remembers and checks TCP sequence numbers, &c).

-- David Pick
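The two mechanisms David Pick distinguishes, modelled side by side as an added example (this is not code from the list, from Windows TCP/IP filtering, from Cisco or from IPFilter). The first filter only inspects the ACK bit; the second keeps a connection table, records the outbound SYN, and checks that later inbound segments carry the sequence number the handshake predicts. Addresses, port numbers and sequence numbers are constructed for the demonstration, the policy "only inbound port 80 is open" is taken from the thread, and UDP/DNS is not modelled.

```python
from dataclasses import dataclass

INSIDE_HOST = "192.0.2.10"        # constructed inside address (RFC 5737 range)
OUTSIDE_HOST = "198.51.100.5"     # constructed outside address (RFC 5737 range)
ALLOWED_INBOUND_PORTS = {80}      # the "only port 80 open" policy from the thread


@dataclass(frozen=True)
class Segment:
    """The TCP header fields the two filters look at."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    seq: int = 0
    ack_num: int = 0
    length: int = 0   # payload bytes, used to advance the expected sequence number


def flag_filter(seg: Segment) -> bool:
    """Stateless 'established' check, in the style of a router ACL keyword:
    accept if the segment targets an allowed service port, or if its ACK bit
    is set.  Nothing is remembered between packets, so a segment with ACK set
    but no preceding handshake looks identical to a genuine reply."""
    if seg.dport in ALLOWED_INBOUND_PORTS:
        return True
    return seg.ack


class StateFilter:
    """Connection-tracking filter: remembers outbound SYNs, then admits only
    inbound segments that match a recorded connection and carry the sequence
    number the handshake predicts.  This is a simplified sketch of the idea
    described for IPFilter; real implementations accept a window of sequence
    numbers and time entries out, which this model omits."""

    def __init__(self):
        self.table = {}   # (inside ip, inside port, outside ip, outside port) -> state

    def outbound(self, seg: Segment) -> None:
        """Record a new connection when the inside host sends a bare SYN."""
        if seg.syn and not seg.ack:
            key = (seg.src, seg.sport, seg.dst, seg.dport)
            self.table[key] = {"state": "SYN_SENT", "our_isn": seg.seq}

    def inbound(self, seg: Segment) -> bool:
        if seg.dport in ALLOWED_INBOUND_PORTS:
            return True
        entry = self.table.get((seg.dst, seg.dport, seg.src, seg.sport))
        if entry is None:
            return False                     # no recorded setup: drop, ACK bit or not
        if entry["state"] == "SYN_SENT":
            # Only a SYN/ACK acknowledging our ISN + 1 completes the handshake.
            if seg.syn and seg.ack and seg.ack_num == entry["our_isn"] + 1:
                entry["state"] = "ESTABLISHED"
                entry["peer_next_seq"] = seg.seq + 1
                return True
            return False
        # ESTABLISHED: the peer's sequence number must be the one we expect.
        if seg.ack and seg.seq == entry["peer_next_seq"]:
            entry["peer_next_seq"] += seg.length
            return True
        return False


def run_scenarios() -> dict:
    """Feed the same inbound segments to both filters and report each verdict."""
    state = StateFilter()
    results = {}

    def both(name, seg):
        results[name] = {"flag": flag_filter(seg), "state": state.inbound(seg)}

    # 1. Inside host opens an FTP control connection (outbound SYN, ISN 1000).
    state.outbound(Segment(INSIDE_HOST, 40000, OUTSIDE_HOST, 21, syn=True, seq=1000))
    # 2. Genuine SYN/ACK reply: both filters admit it.
    both("syn_ack_reply", Segment(OUTSIDE_HOST, 21, INSIDE_HOST, 40000,
                                  syn=True, ack=True, seq=5000, ack_num=1001))
    # 3. First data segment from the server, at the expected sequence number.
    both("server_banner", Segment(OUTSIDE_HOST, 21, INSIDE_HOST, 40000,
                                  ack=True, seq=5001, ack_num=1001, length=20))
    # 4. ACK-only segment to port 139 for a connection nobody set up: the
    #    flag check passes it, the state table has no entry and drops it.
    both("unsolicited_ack", Segment(OUTSIDE_HOST, 4444, INSIDE_HOST, 139, ack=True, seq=7))
    # 5. Segment on the real connection but with the wrong sequence number.
    both("wrong_sequence", Segment(OUTSIDE_HOST, 21, INSIDE_HOST, 40000,
                                   ack=True, seq=9999, ack_num=1001, length=5))
    # 6. Inbound SYN to the one service port the policy opens: both admit it.
    both("inbound_http_syn", Segment(OUTSIDE_HOST, 51000, INSIDE_HOST, 80, syn=True, seq=42))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:18s} flag-check={'pass' if verdict['flag'] else 'drop':4s} "
              f"state-table={'pass' if verdict['state'] else 'drop'}")
```

Scenarios 4 and 5 are where the two designs part ways: the bit check admits any segment with ACK set, whereas the connection table drops a segment that has no recorded setup or that does not sit at the expected point in the sequence space. That is the reason a filter of the second kind can safely leave "established" traffic open while a filter of the first kind is really just trusting a header bit the sender controls.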