[Techtalk] question around port filtering, etc.
Raven, corporate courtesan
raven at oneeyedcrow.net
Fri Aug 24 12:24:53 EST 2001
Heya --
Quoth coldfire (Fri, Aug 24 2001 at 02:47:54P -0400):
> > DENY/DROP just forgets about the packet entirely...
> > REJECT sends back an ICMP error...
> > Normal behaviour when a port is not open but isn't firewalled either seems to
> > be sending an RSET back.
>
> i believe that if the service isn't offered, a RST ACK tcp packet is sent
> back as you say .. with the REJECT, it sends back an icmp destination
> unreachable.
Yah, that's RFC compliant behaviour, and is what's supposed to happen. Reading the man page for nmap will explain a lot of this stuff, too, though at some length. [grin] I believe that sending a RST to an attempted connection on a port that you're not listening on is mandated, but the ACK is optional. Most PC TCP/IP implementations will send RST ACK, though occasionally you'll find a system that just sends pure RST.
Anyone who knows the RFCs better than I do, please correct me if I'm wrong.
> it does depend on how well the port scanner is though to detect these
> things. for example, if you just do a 'telnet x.x.x.x' you won't be able
> to tell whether that service isn't offered or whether it's firewalled out.
There are also ways of scanning that can try to circumvent IDSs and firewalls. For example, you can source your UDP packets to a commonly accepted port (53 is popular) to see if a firewall that permits DNS will let them through. You can do your TCP scans with ACK packets rather than SYN to try and avoid triggering an IDS. Again, I'd recommend reading the nmap man page for a fuller description.
Cheers,
Raven
"I need vengence the way a tired man needs a bath."
-~ Charles de Baudalaire
More information about the Techtalk
mailing list