Great Circle Associates Firewalls
(February 1998)
 


Subject: Re: FW-1 and FIN scanning (was: nmap tool)
From: Steve Birnbaum <sbirn @ security . org . il>
Date: Tue, 03 Feb 1998 17:31:16 +0200
To: firewalls @ GreatCircle . COM
Cc: Marek Kubita <marek @ corpus . cz>
In-reply-to: Your message of "Tue, 03 Feb 1998 12:51:08 +0100." <19980203125108 . 30692 @ corpus . cz>


marek @ corpus . cz said:
> However, if the packets are caught by "Drop" rule, the packets are
> also logged, but they pass through FW-1 to the destination (verified
> by sniffer) and the replies do pass back, so nmap detects the
> listening ports. The packets are logged as dropped.

I believe this is considered a "feature".  Check if the data of the
original packet was passed through or if it is just the header.
I believe the reason for this is to allow sessions interrupted by an
installation of the policy to not be terminated when the state table is 
cleared.  However, I believe that only packets that would possibly be
allowed by a reverse rule will see such behaviour.  

There was a message a couple of months ago to this list that made
the same discovery.

  Steve


-- 
sbirn @ security . org . il   Phone: +972-2-6795860   --Standard Disclaimer--
Fight Internet Spam!  http://www.vix.com/spam/   (PGP key available)




Attachment: pgp3k9tUgA1x7.pgp
Description: PGP signature
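What "nmap detects the listening ports" means in practice, as an added example that is not part of the original post and is not nmap's own code: a FIN scan sends a bare FIN segment to each port; a port with no listener answers RST (RFC 793), while a listening port stays silent, so nmap reports RST as "closed" and silence as "open|filtered". If FW-1 logs the probe as dropped but still forwards it, and the RSTs pass back, that inference works exactly as if no firewall were there. The script below reimplements that inference over a sniffer capture. It assumes the one-line TCP output format of modern tcpdump (which postdates this 1998 thread) and uses a constructed trace; the scanner and target addresses are made up for the example. ICMP unreachable replies, which nmap also folds into its verdict, are not parsed here.

```python
import re
from collections import OrderedDict

# Constructed tcpdump-style trace (not from the original post): a FIN scan from
# 192.0.2.10 against 198.51.100.5 on ports 22, 23, 25 and 80, captured on the
# target side of a firewall that logged the probes as dropped but forwarded them.
# The probe to port 80 is retransmitted once, as nmap does when nothing answers.
SAMPLE_TRACE = """\
18:03:01.100 IP 192.0.2.10.40001 > 198.51.100.5.22: Flags [F], seq 1, win 1024, length 0
18:03:01.101 IP 192.0.2.10.40002 > 198.51.100.5.23: Flags [F], seq 1, win 1024, length 0
18:03:01.102 IP 198.51.100.5.23 > 192.0.2.10.40002: Flags [R.], seq 0, ack 2, win 0, length 0
18:03:01.103 IP 192.0.2.10.40003 > 198.51.100.5.25: Flags [F], seq 1, win 1024, length 0
18:03:01.104 IP 198.51.100.5.25 > 192.0.2.10.40003: Flags [R.], seq 0, ack 2, win 0, length 0
18:03:01.105 IP 192.0.2.10.40004 > 198.51.100.5.80: Flags [F], seq 1, win 1024, length 0
18:03:02.105 IP 192.0.2.10.40004 > 198.51.100.5.80: Flags [F], seq 1, win 1024, length 0
"""

# One tcpdump TCP line: "<time> IP a.b.c.d.sport > e.f.g.h.dport: Flags [..], ..."
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_trace(text):
    """Yield (src, sport, dst, dport, flags) for each TCP line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def fin_scan_results(trace, scanner, target):
    """Classify every port probed with a bare FIN the way a FIN scan does:
    a RST from that port means closed, no reply means open|filtered."""
    probes = OrderedDict()  # (scanner port, target port) -> verdict for that probe
    for src, sport, dst, dport, flags in parse_trace(trace):
        if src == scanner and dst == target and flags == "F":
            # retransmissions reuse the same ports: keep the first verdict
            probes.setdefault((sport, dport), "open|filtered")
        elif src == target and dst == scanner and "R" in flags:
            key = (dport, sport)  # reply is addressed back to the probe's source port
            if key in probes:
                probes[key] = "closed"
    results = OrderedDict()
    for (_, port), verdict in probes.items():
        # any RST for a port outweighs silence on another probe to it
        if results.get(port) != "closed":
            results[port] = verdict
    return results


def listening_candidates(results):
    """Ports the scan could not rule out: the ones a FIN scan reports as listening."""
    return [port for port, verdict in results.items() if verdict == "open|filtered"]


if __name__ == "__main__":
    verdicts = fin_scan_results(SAMPLE_TRACE, "192.0.2.10", "198.51.100.5")
    for port, verdict in verdicts.items():
        print(f"{port}/tcp {verdict}")
    print("candidates:", listening_candidates(verdicts))
```

Run against a capture taken on the inside of the firewall, the same logic doubles as the check Steve suggests: if the verdict list from the inside capture matches what nmap printed on the outside, the probes and the RSTs both crossed the firewall despite the "dropped" log entries.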


