Archived from groups: comp.security.firewalls
Hi Moe;
Thanks for your input. I did use -p 1-49151. BTW, I am using nmap v3.8.1, and
I could not find -D as an option. Kindly advise.
Regards,
"Moe Trin" <ibuprofin@painkiller.example.tld> wrote in message
news:slrndgusod.nng.ibuprofin@compton.phx.az.us...
> In the Usenet newsgroup comp.security.firewalls, in article
> <UKWdndXK4MZh-pPeRVn-1Q@rogers.com>, Doug Fox wrote:
>
>>I am trying to use HPING to find out the firewall which nmap and nessus
>>could not find.
>
> What error message did they report?
>
>>The nmap syntax is nmap -v -sT sV -P0 -O.
>
> OK - minor point; you are not scanning "all" ports on the firewall
> though this may or may not be relevant. See the -p option. Also, if
> your firewall is "reacting" to your probes by adding a temporary or
> permanent rule to "protect itself" from "attacks", you may want to read
> about nmap's -D option and think what would happen if one of those
> addresses used were that of an upstream router, or your DNS servers.
>
> A lot depends on the rules set up on the firewall. COMMON SENSE
> suggests that the firewall does not accept _any_ connections from the
> world. Some people configure the firewall to 'REJECT' (reply with ICMP
> Type 3, Code 3, 10 or 12) any connections, while others configure the
> firewall to 'DROP' ("blackhole", "ignore", or "stealth") any connections.
> This is a "religious" decision, and is not part of this reply.
>
> If you must permit connections from the "outside", a firewall rule should
> restrict the number of "permitted" outside addresses. Some advocate moving
> SSH (using any other service to connect to the firewall is totally insane)
> from the default port (22) to some other unconventional port (a form of
> "security by obscurity" - but a good defense against st00pid skript kiddiez
> and 'bots), while others suggest using 'port-knocking' (requiring a connect
> attempt to an otherwise empty port, followed within time limits by a
> connection to the "desired" port from the same address). Another technique
> is to only accept connections from "inside", and if a connection is needed
> from "outside", then you SSH into the "inside" host, and SSH _from there_
> into the firewall. However, don't get too "clever" with your firewall, as you
> may only block everyone _including_ authorized personnel.
>
> Thus, a "properly" configured firewall is going to be difficult to probe.
> It will either reject all attempts (possibly allowing you to fingerprint
> the O/S based on the ICMP errors), or simply _ignore_ all connection
> attempts (though still locatable by the lack of an ICMP Type 3 Code 1
> from the preceding router).
>
> Old guy
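Worked example, added to this archive page and not written by either poster: a stateful port-knock gate of the kind Moe describes above (a connect attempt to an otherwise empty port, followed within a time limit by a connection to the desired port from the same address). Everything in it is assumed for illustration: the knock ports 7000/8000/9000, port 22 as the protected service, a 10-second window, the documentation addresses 203.0.113.5 and 198.51.100.9, and the Packet/KnockGate names. It models only the decision logic; a real knock daemon would also have to sniff the packets and insert the firewall rule.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float   # arrival time, seconds
    src: str    # source address
    dport: int  # destination TCP port


class KnockGate:
    """Stateful gate in front of one service port.

    A source address earns a time-limited opening of service_port by hitting
    the knock ports in order, each within `window` seconds of the previous
    one. Hitting any other port resets that address's progress, so a scanner
    sweeping the whole port range in sequence cannot walk through the knocks.
    The tracked-address cap bounds memory against floods of spoofed knocks.
    (These design choices are this example's assumptions, not the thread's.)
    """

    def __init__(self, knock_ports, service_port, window, max_tracked=1024):
        self.knock_ports = list(knock_ports)
        if service_port in self.knock_ports:
            raise ValueError("service port cannot also be a knock port")
        self.service_port = service_port
        self.window = float(window)
        self.max_tracked = max_tracked
        self.progress = {}  # src -> (index of next expected knock, deadline)
        self.opened = {}    # src -> deadline until which service_port is allowed

    def _expire(self, now):
        self.progress = {s: v for s, v in self.progress.items() if v[1] >= now}
        self.opened = {s: d for s, d in self.opened.items() if d >= now}

    def _track(self, src, index, deadline):
        if src not in self.progress and len(self.progress) >= self.max_tracked:
            # Evict the entry nearest expiry rather than refusing new knockers.
            oldest = min(self.progress, key=lambda s: self.progress[s][1])
            del self.progress[oldest]
        self.progress[src] = (index, deadline)

    def observe(self, pkt):
        """Return 'accept' (pass to the service), 'drop' (silently discard)
        or 'knock' (also discarded on the wire, but it advanced or reset
        the sequence for that address)."""
        self._expire(pkt.ts)
        if pkt.dport == self.service_port:
            return "accept" if pkt.src in self.opened else "drop"
        if pkt.dport not in self.knock_ports:
            self.progress.pop(pkt.src, None)
            return "drop"
        index, _ = self.progress.get(pkt.src, (0, 0.0))
        if self.knock_ports[index] != pkt.dport:
            index = 0  # out of order: start over; this packet may be knock #1
        if self.knock_ports[index] == pkt.dport:
            index += 1
        if index == len(self.knock_ports):
            self.progress.pop(pkt.src, None)
            self.opened[pkt.src] = pkt.ts + self.window
        elif index > 0:
            self._track(pkt.src, index, pkt.ts + self.window)
        else:
            self.progress.pop(pkt.src, None)
        return "knock"


def demo():
    """Run a constructed packet trace through the gate and return the verdicts."""
    gate = KnockGate(knock_ports=[7000, 8000, 9000], service_port=22, window=10)
    client, scanner = "203.0.113.5", "198.51.100.9"  # constructed addresses
    trace = [
        Packet(0.0, client, 22),      # no knock yet: dropped
        Packet(1.0, client, 7000),
        Packet(2.0, client, 8000),
        Packet(3.0, client, 9000),    # sequence complete: port 22 open until t=13
        Packet(4.0, client, 22),      # accepted
        Packet(4.5, scanner, 22),     # other address: still dropped
        Packet(5.0, scanner, 7000),   # sequential scan hits knock #1 ...
        Packet(5.1, scanner, 7001),   # ... but the very next port resets it
        Packet(5.2, scanner, 8000),
        Packet(5.3, scanner, 9000),
        Packet(5.4, scanner, 22),     # still dropped
        Packet(14.0, client, 22),     # client's opening expired at t=13
        Packet(20.0, client, 7000),
        Packet(31.0, client, 8000),   # 11 s after knock #1: too slow, sequence lost
        Packet(32.0, client, 22),     # dropped
    ]
    return [gate.observe(p) for p in trace]


if __name__ == "__main__":
    print(demo())
```

Two choices are worth noting. Any non-knock port resets an address's progress, which is what stops a sequential full-range scan (nmap -p 1-65535, say) from completing the sequence by accident. And one window bounds both the gaps between knocks and the life of the opening, so a knocker who never connects leaves no permanent hole. Knock ports themselves are never answered; they stay DROPped on the wire.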
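A further added example, not from the thread: the inference in the closing paragraph, that a firewall which REJECTs announces itself through its ICMP errors while one that DROPs is still located by the absence of an ICMP Type 3 Code 1 from the preceding router, written out as a decision procedure over constructed probe results. The ProbeResult/classify/locate names, the reject-code table (ICMP Type 3 Codes 3, 9, 10 and 13, which an iptables REJECT target can emit), and the addresses 192.0.2.1 and 192.0.2.254 are this example's assumptions. The key check is whether an ICMP reply came from the target itself or from some other address.

```python
from dataclasses import dataclass
from typing import Optional

ICMP_DEST_UNREACH = 3
ICMP_HOST_UNREACH = 1
# Type 3 codes an iptables-style REJECT target can send (assumed table).
REJECT_CODES = {
    3: "port-unreachable",
    9: "net-prohibited",
    10: "host-prohibited",
    13: "admin-prohibited",
}


@dataclass(frozen=True)
class ProbeResult:
    target: str
    port: int
    reply: Optional[str]             # "syn-ack", "rst", "icmp", or None
    reply_src: Optional[str] = None  # address the reply came from
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def classify(r):
    """Map one TCP connect/SYN probe and its reply to a verdict string."""
    if r.reply == "syn-ack":
        return "open"
    if r.reply == "rst":
        # RST from the target: an unfiltered closed port, or REJECT with tcp-reset.
        return "closed"
    if r.reply == "icmp":
        if r.icmp_type != ICMP_DEST_UNREACH:
            return "unexpected-icmp"
        if r.reply_src == r.target:
            # The firewall itself answered: it is REJECTing, and has told us it exists.
            return "rejected:" + REJECT_CODES.get(r.icmp_code, "code-%s" % r.icmp_code)
        if r.icmp_code == ICMP_HOST_UNREACH:
            # The last-hop router could not deliver: nothing answers at that address.
            return "no-host:" + str(r.reply_src)
        return "filtered-upstream:" + str(r.reply_src)
    # Silence, and no router reported the host missing: something is there
    # and DROPping.
    return "dropped"


def locate(results):
    """Decide for one target whether a host is there, from all of its probes."""
    verdicts = [classify(r) for r in results]
    if any(v in ("open", "closed") or v.startswith("rejected") for v in verdicts):
        return "present (answers)"
    if any(v.startswith("no-host") for v in verdicts):
        return "absent (upstream router says host unreachable)"
    if any(v.startswith("filtered-upstream") for v in verdicts):
        return "unknown (an upstream device answered for it)"
    return "present (silent: dropping everything)"


def demo():
    """Three constructed targets: a REJECTing firewall, a DROPping one, and an
    unused address behind the same router."""
    fw, router = "192.0.2.1", "192.0.2.254"
    rejecting = [ProbeResult(fw, 22, "icmp", fw, 3, 3),
                 ProbeResult(fw, 80, "icmp", fw, 3, 13)]
    dropping = [ProbeResult(fw, 22, None), ProbeResult(fw, 80, None)]
    empty = [ProbeResult(fw, 22, None), ProbeResult(fw, 80, "icmp", router, 3, 1)]
    return {"reject": locate(rejecting),
            "drop": locate(dropping),
            "empty": locate(empty)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "->", verdict)
```

The "empty" case shows why silence alone is not the test: the router's Type 3 Code 1 is usually rate-limited, so some probes get no reply at all, and locate() lets the one unreachable message override them. Conversely, a target that never answers and never draws that message from its router is, in Moe's words, still locatable.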