There is NO bug. With correct firewall rules, only TCP and SYN scans work.

# Drop whatever conntrack cannot classify (logged first, rate-limited)
iptables -A INPUT -m state --state INVALID -m limit --limit 4/s -j LOG --log-prefix "INPUT INVALID "
iptables -A INPUT -m state --state INVALID -j DROP
# Accept replies belonging to connections we already track
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# A NEW TCP connection must begin with a SYN; FIN, Xmas and Null probes are logged and dropped here
iptables -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 4/s -j LOG --log-prefix "TCP INPUT without SYN "
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -i lo -j ACCEPT
# Per-interface port policy is handled in the user-defined chain to-me
iptables -A INPUT -i eth0 -j to-me
iptables -A INPUT -i eth1 -j to-me
# Everything else: log (rate-limited) and drop
iptables -A INPUT -m limit --limit 4/s -j LOG --log-prefix "INPUT bad "
iptables -A INPUT -j DROP

where to-me is a user-defined rule in which you allow connections to certain ports.

Extract from the nmap documentation:

> -sF -sX -sN
> Stealth FIN, Xmas Tree, or Null scan modes:
> <snip>
> The idea is that closed ports are required to reply to your probe packet with an RST,
> while open ports must ignore the packets in question (see RFC 793 pp 64).

Your stealth packets are dropped by the firewall; check your logs.

Christophe

--
Global Secure
78, rue de la Condamine
75017 PARIS
Tel : 01 44 70 48 03
Fax : 01 44 70 48 49
Email : cgr@global-secure.fr

> -----Original Message-----
> From: Justin Piszcz [mailto:warat_private]
> Sent: Thursday, 28 February 2002 13:27
> To: netfilterat_private
> Cc: vuln-devat_private; bugtraqat_private
> Subject: Bigger bug than expected?
>
>
> Further NMAP testing shows the following: (IPTables
> 1.2.4/Kernel 2.4.18)
>
> nmap -P0 -sT -p 21,80 IP
> 21/tcp filtered ftp
> 80/tcp filtered http
>
> nmap -P0 -sF -p 21,80 IP
> 21/tcp open ftp
> 80/tcp open http
>
> nmap -P0 -sX -p 21,80 IP
> 21/tcp open ftp
> 80/tcp open http
>
> nmap -P0 -sN -p 21,80 IP
> 21/tcp open ftp
> 80/tcp open http
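To act on "check your logs", the following is an added example, not part of Christophe's message and not netfilter or nmap code: it parses the kernel log lines that the "TCP INPUT without SYN" LOG rule above produces and groups the dropped probes by source address and scan type (FIN, Xmas, Null), so the "open" verdicts in Justin's nmap output can be traced back to packets the firewall silently dropped. The sample log lines are constructed (host name, addresses, MAC, IDs and timestamps are invented); they follow the standard iptables LOG layout, in which the set TCP flags appear as bare tokens between RES= and URGP=. All function and variable names are my own.

```python
import re
from collections import defaultdict

# Constructed sample (not real traffic): kernel log lines in the layout the
# iptables LOG target writes, for one host sending FIN, Xmas and Null probes
# to ports 21 and 80, plus one unrelated INVALID-state ACK packet.
_MAC = "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00"
_TAIL = "LEN=40 TOS=0x00 PREC=0x00 TTL=48"
SAMPLE_LOG = "\n".join([
    f"Feb 28 13:27:01 gw kernel: TCP INPUT without SYN IN=eth0 OUT= {_MAC} SRC=192.0.2.10 DST=198.51.100.1 {_TAIL} ID=5123 PROTO=TCP SPT=54321 DPT=21 WINDOW=1024 RES=0x00 FIN URGP=0",
    f"Feb 28 13:27:01 gw kernel: TCP INPUT without SYN IN=eth0 OUT= {_MAC} SRC=192.0.2.10 DST=198.51.100.1 {_TAIL} ID=5124 PROTO=TCP SPT=54321 DPT=80 WINDOW=1024 RES=0x00 FIN URGP=0",
    f"Feb 28 13:27:05 gw kernel: TCP INPUT without SYN IN=eth0 OUT= {_MAC} SRC=192.0.2.10 DST=198.51.100.1 {_TAIL} ID=5125 PROTO=TCP SPT=54322 DPT=21 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0",
    f"Feb 28 13:27:05 gw kernel: TCP INPUT without SYN IN=eth0 OUT= {_MAC} SRC=192.0.2.10 DST=198.51.100.1 {_TAIL} ID=5126 PROTO=TCP SPT=54322 DPT=80 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0",
    f"Feb 28 13:27:09 gw kernel: TCP INPUT without SYN IN=eth0 OUT= {_MAC} SRC=192.0.2.10 DST=198.51.100.1 {_TAIL} ID=5127 PROTO=TCP SPT=54323 DPT=21 WINDOW=1024 RES=0x00 URGP=0",
    f"Feb 28 13:27:09 gw kernel: TCP INPUT without SYN IN=eth0 OUT= {_MAC} SRC=192.0.2.10 DST=198.51.100.1 {_TAIL} ID=5128 PROTO=TCP SPT=54323 DPT=80 WINDOW=1024 RES=0x00 URGP=0",
    f"Feb 28 13:30:00 gw kernel: INPUT INVALID IN=eth0 OUT= {_MAC} SRC=203.0.113.7 DST=198.51.100.1 {_TAIL} ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=512 RES=0x00 ACK URGP=0",
])

TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")
KV_RE = re.compile(r"(\w+)=(\S*)")
FLAGS_RE = re.compile(r"RES=\S+\s+(.*?)\s*URGP=")


def parse_log_line(line):
    """Return the KEY=value fields of one LOG line plus a FLAGS frozenset.

    Returns None for lines that are not TCP packets.
    """
    fields = dict(KV_RE.findall(line))
    if fields.get("PROTO") != "TCP":
        return None
    m = FLAGS_RE.search(line)
    tokens = m.group(1).split() if m else []
    fields["FLAGS"] = frozenset(t for t in tokens if t in TCP_FLAGS)
    return fields


def classify_probe(flags):
    """Name the nmap scan type that sends a packet with exactly these flags."""
    if not flags:
        return "NULL"            # nmap -sN: no flags at all
    if flags == {"FIN"}:
        return "FIN"             # nmap -sF
    if flags == {"FIN", "PSH", "URG"}:
        return "XMAS"            # nmap -sX
    if flags == {"SYN"}:
        return "SYN"             # nmap -sS / -sT first packet
    if flags == {"ACK"}:
        return "ACK"             # nmap -sA
    return "other"


def summarize_scans(log_text, prefix="TCP INPUT without SYN"):
    """Group packets dropped by the non-SYN NEW rule by source and scan type.

    Result: {src_ip: {scan_type: [sorted destination ports]}}.
    """
    report = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        if prefix not in line:
            continue                       # other LOG prefixes are not this rule
        fields = parse_log_line(line)
        if fields is None:
            continue
        report[fields["SRC"]][classify_probe(fields["FLAGS"])].add(int(fields["DPT"]))
    return {src: {kind: sorted(ports) for kind, ports in kinds.items()}
            for src, kinds in report.items()}


if __name__ == "__main__":
    for src, kinds in summarize_scans(SAMPLE_LOG).items():
        for kind, ports in kinds.items():
            print(f"{src}: {kind} scan against ports {ports}")
```

Every probe in the sample is accounted for by the firewall rather than by the target service, which is exactly why nmap sees no RST and reports the port as open; with a real log, feed `/var/log/kern.log` (or the output of `dmesg`) into `summarize_scans`. Note that nmap releases newer than the one quoted report this state as `open|filtered` for FIN, Xmas and Null scans, acknowledging that silence from the host and a drop by a firewall are indistinguishable.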
This archive was generated by hypermail 2b30 : Tue Mar 05 2002 - 13:10:25 PST