> Would not the OS itself crash without the FW kernel module loaded when a UDP
> scan was initiated? When the machine is running without the FW active, it
> stays up fine.

Sounds like you answered your own question. :) All the evidence suggests that the fault is in the firewall code. If a KLM dies, it's perfectly capable of taking the kernel with it. At least when I've done it on Solaris.. I assume Linux is the same.

> I've tried the -T Paranoid switch; the system crashes with the VERY FIRST
> UDP packet, regardless of which port it's sent to. I subsequently
> re-enabled icmp, as a "before last" implied rule... And I see this:
> Initiating UDP Scan against (64.80.176.11)
> 12:43:34.168842 nmap_source.58153 > fw_under_test.973: udp 0
> 12:43:34.274503 fw_under_test > nmap_source: icmp: 64.80.176.11 udp port 973 unreachable
>
> And that's the last packet I get from the machine.

Meaning it crashes? Seems strange, you'd think Checkpoint would have tried a UDP packet before they shipped... Can anyone else confirm the results?

> If I run nslookup on nmap_source, set my server to fw_under_test, and
> attempt to resolve something (even though fw_under_test is not running a
> nameserver), the fw_under_test does not crash. It merely replies with udp
> port unreachable and stays up.

Must be something in particular with the contents of the packet NMAP sends.

BB
This archive was generated by hypermail 2b30 : Wed Nov 14 2001 - 13:24:26 PST