Re: DENY x REJECT

From: niceshortsat_private
Date: Tue Oct 09 2001 - 13:37:05 PDT


    Ofir Arkin hat geschrieben:
    
    >The best way to differentiate between a port which the firewall is
    >configured to "drop" a packet(s) and a port the firewall is configured
    >to "reject" a packet(s) is to look for the ICMP Error Message
    >(Destination Unreachable - Communication with Destination Network is
    >Administratively Prohibited) as you stated.
    
        This is to expand on what Ofir wrote.
    
        If a TCP packet is =not= filtered, and there is no listening
        socket, the response should be a RST. This should also be taken
        into account. If a UDP packet is =not= filtered, and there is
        a listening socket, a response is application layer specific
        and typically a misunderstood datagram will be dropped. So a
        firewall dropping a UDP packet and a listening UDP socket can
        be difficult to differentiate. If there is no listening
        UDP socket, a Destination Port Unreachable message should be
        returned. But if we are talking about a firewall between
        source and destination, we don't know anything if the
        firewall happens to drop those Unreachables. Such is life
        made more difficult.
    
    >Today, I am not familiar with any tool parsing the ICMP Error message
    >coming from a port which the firewall rejects the packets for.
    
        Perhaps,
    
        icmpinfo -vvvn
    
    >As a thumb rule configuring a firewall to "reject" rather than "drop" is
    >a mistake. The firewall needs to be transparent as possible for traffic
    >going through. 
    
        It depends if the firewall returns a RST on reject. One
        example where this is useful is to RST ident. I think the
        actual reject response (ICMP or TCP RST) is implementation
        specific and depends on semantics.
    
    >-----Original Message-----
    >From: Rosenau [mailto:rosenauat_private] 
    >Sent: Wed 03 October 2001 17:53
    >To: pen-testat_private
    >Subject: DENY x REJECT
    >
    >Hi
    >
    >Does anybody know a port scanner that could distinguish a "deny"
    >filtered tcp port (firewall drops packets for the port) from a "reject"
    >filtered tcp port (firewall returns an ICMP - port unreachable)?
    >
    >Nmap seems to report both cases simply as "filtered". Actually, both
    >cases are filtered, but when you receive an ICMP, you can be sure that
    >the port is really filtered. If you do not receive anything, the port
    >could be filtered, or packets could have been lost...
    >
    >Regards,
    >Rosenau.
    >
    
    -- 
    HTTP request sent, awaiting response... 404 Object Not Found
    ERROR 404: Object Not Found.
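The decision logic the thread walks through (SYN/ACK, RST, ICMP unreachable, or silence, per protocol) written out as a small classifier; this is an added example for checking that a firewall applies the intended drop or reject policy, not code from any poster, and the `Probe` records and state names are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# ICMP type 3 (Destination Unreachable) codes discussed in the thread
ICMP_DEST_UNREACH = 3
CODE_PORT_UNREACH = 3                 # no listening socket, or a firewall "reject"
CODE_ADMIN_PROHIBITED = {9, 10, 13}   # net / host / communication administratively prohibited


@dataclass
class Probe:
    """One observed reply to a single probe (constructed input for the example)."""
    kind: str                         # "syn_ack", "rst", "udp", "icmp" or "none"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def classify(proto: str, replies: List[Probe]) -> str:
    """Infer a port state from the replies seen across repeated probes.

    Silence cannot be told apart from packet loss, and for UDP it cannot be
    told apart from a listener that silently discards an unexpected datagram,
    so those ambiguous outcomes are returned as such rather than guessed.
    """
    real = [r for r in replies if r.kind != "none"]
    if not real:
        return "filtered-drop-or-lost" if proto == "tcp" else "open-or-filtered-drop"
    r = real[0]
    if r.kind == "icmp" and r.icmp_type == ICMP_DEST_UNREACH:
        if r.icmp_code in CODE_ADMIN_PROHIBITED:
            return "filtered-reject-admin-prohibited"   # explicit firewall reject
        if r.icmp_code == CODE_PORT_UNREACH:
            # TCP never answers itself with this; for UDP the host does when
            # nothing listens, but a rejecting firewall may send it too
            return "filtered-reject-port-unreachable" if proto == "tcp" else "closed"
        return "filtered-reject-other-icmp"
    if proto == "tcp":
        if r.kind == "syn_ack":
            return "open"
        if r.kind == "rst":
            # unfiltered with no listener, or a firewall rejecting with RST:
            # identical on the wire, so keep both possibilities
            return "closed-or-rst-reject"
    if proto == "udp" and r.kind == "udp":
        return "open"                 # application-layer reply
    return "unknown"
```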
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Tue Oct 09 2001 - 15:42:05 PDT