Ofir Arkin wrote:
>The best way to differentiate between a port which the firewall is configured
>to "drop" a packet(s) and a port the firewall is configured to "reject"
>a packet(s) is to look for the ICMP Error Message (Destination
>Unreachable - Communication with Destination Network is Administratively
>Prohibited) as you stated.

This is to expand on what Ofir wrote.

If a TCP packet is =not= filtered, and there is no listening socket, the
response should be a RST. This should also be taken into account.

If a UDP packet is =not= filtered, and there is a listening socket, a
response is application layer specific and typically a misunderstood
datagram will be dropped. So a firewall dropping a UDP packet and a
listening UDP socket can be difficult to differentiate. If there is no
listening UDP socket, a Destination Port Unreachable message should be
returned. But if we are talking about a firewall between source and
destination, we don't know anything if the firewall happens to drop
those Unreachables. Such is life made more difficult.

>Today, I am not familiar with any tool parsing the ICMP Error message
>coming from a port which the firewall rejects the packets for.

Perhaps, icmpinfo -vvvn

>As a rule of thumb, configuring a firewall to "reject" rather than "drop" is
>a mistake. The firewall needs to be as transparent as possible for traffic
>going through.

It depends if the firewall returns a RST on reject. One example where
this is useful is to RST ident. I think the actual reject response (ICMP
or TCP RST) is implementation specific and depends on semantics.

>-----Original Message-----
>From: Rosenau [mailto:rosenauat_private]
>Sent: Wed 03 October 2001 17:53
>To: pen-testat_private
>Subject: DENY x REJECT
>
>Hi
>
>Does anybody know a port scanner that could distinguish a "deny"
>filtered tcp port (firewall drops packets for the port) from a "reject"
>filtered tcp port (firewall returns an ICMP - port unreachable)?
>
>Nmap seems to report both cases simply as "filtered". Actually, both
>cases are filtered, but when you receive an ICMP, you can be sure that
>the port is really filtered. If you do not receive anything, the port
>could be filtered, or packets could have been lost...
>
>Regards,
>Rosenau.
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
>Service. For more information on SecurityFocus' SIA service which
>automatically alerts you to the latest security vulnerabilities please see:
>https://alerts.securityfocus.com/

--
HTTP request sent, awaiting response... 404 Object Not Found
ERROR 404: Object Not Found.
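The thread above lays out a decision table that no tool in the discussion implements: a TCP RST means "not filtered, no listener", an ICMP Destination Unreachable with the administratively-prohibited code means a rejecting firewall, a UDP port unreachable means no listener, and silence is ambiguous (drop, a quiet UDP listener, or loss). The following is an added example, not code from the thread or from any of its authors, that parses raw IPv4 response packets and applies exactly that table, including the check that the ICMP error's quoted inner header actually refers to the probe that was sent (the part of the job icmpinfo does when run with -vvvn). All packets and addresses are constructed inline from documentation ranges; IP checksums are left at zero since nothing here verifies them, and the helper names (parse_ipv4, classify_response, demo) are this example's own.

```python
import struct
from typing import Optional

# Protocol and ICMP constants (RFC 790 / RFC 792 / RFC 1812 values)
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
ICMP_DEST_UNREACH = 3
ICMP_CODE_PORT_UNREACH = 3
ICMP_CODE_ADMIN_PROHIBITED = 13   # "communication administratively prohibited"
TCP_RST = 0x04


def parse_ipv4(pkt: bytes):
    """Return (proto, src, dst, payload) for a raw IPv4 packet; honours IHL so options are skipped."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], pkt[12:16], pkt[16:20], pkt[ihl:]


def classify_response(probe_proto: int, probe_dport: int, response: Optional[bytes]) -> str:
    """Apply the thread's decision table to one probe/response pair.

    TCP RST from the probed port      -> not filtered, no listener ("closed")
    ICMP 3/13 quoting our probe       -> rejecting firewall
    ICMP 3/3  quoting our probe       -> UDP: no listener; TCP: reject via port-unreachable
    no response at all                -> drop, silent UDP listener, or packet loss (ambiguous)
    """
    if response is None:
        return "no-response (drop / silent UDP listener / packet loss)"
    proto, src, dst, payload = parse_ipv4(response)

    if proto == PROTO_TCP and probe_proto == PROTO_TCP:
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", payload[:14])
        flags = off_flags & 0x01FF
        if sport == probe_dport and flags & TCP_RST:
            return "closed (RST, not filtered)"
        return "tcp-other"

    if proto == PROTO_ICMP:
        icmp_type, icmp_code = payload[0], payload[1]
        if icmp_type != ICMP_DEST_UNREACH:
            return f"icmp type {icmp_type}"
        # RFC 792: bytes 8.. of the ICMP message carry the original IP header plus
        # the first 8 bytes of its payload, which for TCP/UDP includes both ports.
        inner_proto, _, _, inner_l4 = parse_ipv4(payload[8:])
        inner_dport = struct.unpack("!H", inner_l4[2:4])[0]
        if inner_proto != probe_proto or inner_dport != probe_dport:
            return "icmp-unrelated"          # someone else's error, or a stale one
        if icmp_code == ICMP_CODE_ADMIN_PROHIBITED:
            return "filtered-reject (ICMP admin prohibited)"
        if icmp_code == ICMP_CODE_PORT_UNREACH:
            if probe_proto == PROTO_UDP:
                return "closed (ICMP port unreachable)"
            return "filtered-reject (ICMP port unreachable)"
        return f"icmp unreachable code {icmp_code}"
    return "unknown"


# --- constructed sample traffic (documentation address ranges, zero checksums) ---
SCANNER = bytes([192, 0, 2, 10])
TARGET = bytes([198, 51, 100, 20])
FIREWALL = bytes([203, 0, 113, 1])


def ipv4(proto: int, src: bytes, dst: bytes, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload


def tcp_hdr(sport: int, dport: int, flags: int) -> bytes:
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 0, 0, 0)


def udp_hdr(sport: int, dport: int) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8, 0)


def icmp_unreach(code: int, original_ip_packet: bytes) -> bytes:
    # type 3, code, checksum 0, unused 0, then IP header + 8 bytes of the offending datagram
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + original_ip_packet[:28]


def demo() -> dict:
    probe_tcp = ipv4(PROTO_TCP, SCANNER, TARGET, tcp_hdr(40000, 113, 0x02))   # SYN to ident
    probe_udp = ipv4(PROTO_UDP, SCANNER, TARGET, udp_hdr(40000, 161))
    rst = ipv4(PROTO_TCP, TARGET, SCANNER, tcp_hdr(113, 40000, TCP_RST | 0x10))
    admin = ipv4(PROTO_ICMP, FIREWALL, SCANNER, icmp_unreach(ICMP_CODE_ADMIN_PROHIBITED, probe_tcp))
    port_unr = ipv4(PROTO_ICMP, TARGET, SCANNER, icmp_unreach(ICMP_CODE_PORT_UNREACH, probe_udp))
    return {
        "tcp_rst": classify_response(PROTO_TCP, 113, rst),
        "tcp_admin": classify_response(PROTO_TCP, 113, admin),
        "udp_port": classify_response(PROTO_UDP, 161, port_unr),
        "udp_silence": classify_response(PROTO_UDP, 161, None),
        "unrelated": classify_response(PROTO_TCP, 80, admin),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

The inner-header check matters in practice: ICMP errors are sent by whichever hop objected, not necessarily by the target, so matching the quoted protocol and destination port against the probe is what separates a genuine reject for your probe from unrelated errors arriving at the same host. The "no-response" branch is deliberately left as a single ambiguous verdict, which is the point Rosenau and the reply both make.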
This archive was generated by hypermail 2b30 : Tue Oct 09 2001 - 15:42:05 PDT