On Thu, Feb 12, 2004 at 10:58:34AM -0700, Phil wrote:
> 
> I am purely scanning the external card of one server from another
> external card on a different server. I ran 'nmap -sT -sU 199.185.x.x'
> which does both UDP and TCP.
> 
> The interesting part is that nmap returns an open while the firewall
> log shows otherwise:
> 
> Eg.
> 
> Nmap output:
> 
> 1432/tcp   filtered    blueberry-lm
> 1432/udp   open        blueberry-lm
> 
> Firewall log:
> 
> Feb 11 22:15:13 mail kernel: FW: Mangle-PREROUTING IN=eth0 OUT=
> MAC=00:0c:6e:25:c8:44:00:0c:6e:00:bf:0c:08:00 SRC=199.185.2.x
> DST=199.185.1.x LEN=28 TOS=0x00 PREC=0x00 TTL=40 ID=53560 PROTO=TCP
> SPT=47982 DPT=1432 LEN=8
> Feb 11 22:15:18 mail kernel: FW: Mangle-PREROUTING IN=eth0 OUT=
> MAC=00:0c:6e:25:c8:44:00:0c:6e:00:bf:0c:08:00 SRC=199.185.2.x
> DST=199.185.1.x LEN=28 TOS=0x00 PREC=0x00 TTL=40 ID=36364 PROTO=UDP
> SPT=47983 DPT=1432 LEN=8
> 
> So one says it's open while the other says mangled....odd. Which is
> correct?

Mangle is an iptables table.  The entries above are from the Mangle
table's PREROUTING chain.  Unless you have the firewall running in debug
mode (called with the debug option rather than start), the log
entries should be at the end of the chain just before the drop policy,
which means the port is actually closed.  Not sure why nmap is reporting
them as open except that since they are udp ports, and thus an
unreliable transport, nmap may be assuming they are open since it got no
response.

> What is this section for? Probably an important part
> # IP address for everything outside
> ANYWHERE="0/0"

A means of allowing people to redefine the unknown.  The default of 0/0
matches any address and is correct for most people.

-- 
Jamin W. Collins

To be nobody but yourself when the whole world is trying its best night
and day to make you everybody else is to fight the hardest battle any
human being will fight. -- E.E. Cummings
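The reconciliation Jamin describes can be automated. The following is an added example, not code from the thread or from any of the tools mentioned in it: it parses nmap's port table and netfilter LOG lines of the form shown above, and treats a probe that reached the LOG rule as dropped, on the assumption (stated in the reply) that the LOG rule sits at the end of the chain just before the DROP policy. The sample nmap output and log lines are constructed for the example, with documentation-range addresses and placeholder MACs; the `FW:` prefix is taken from the thread. A UDP port that nmap called "open" but whose probe the firewall logged is reported as filtered, since no UDP reply is indistinguishable from a silently dropped probe (older nmap printed this as "open", current releases as "open|filtered").

```python
"""Correlate nmap port states with netfilter LOG entries (added example)."""
import re
from collections import defaultdict

# Constructed sample input modelled on the lines in the thread.
NMAP_OUTPUT = """\
1432/tcp   filtered    blueberry-lm
1432/udp   open        blueberry-lm
53/udp     open        domain
"""

FIREWALL_LOG = """\
Feb 11 22:15:13 mail kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=198.51.100.20 DST=198.51.100.10 LEN=28 TOS=0x00 PREC=0x00 TTL=40 ID=53560 PROTO=TCP SPT=47982 DPT=1432 LEN=8
Feb 11 22:15:18 mail kernel: FW: Mangle-PREROUTING IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=198.51.100.20 DST=198.51.100.10 LEN=28 TOS=0x00 PREC=0x00 TTL=40 ID=36364 PROTO=UDP SPT=47983 DPT=1432 LEN=8
"""

NMAP_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
)
KV_PAIR = re.compile(r"(?P<key>[A-Z]+)=(?P<value>\S*)")
LOG_PREFIX = "FW:"  # --log-prefix used by the firewall rule in the thread


def parse_nmap(text):
    """Return {(port, proto): state} from nmap's normal port table."""
    results = {}
    for line in text.splitlines():
        m = NMAP_LINE.match(line)
        if m:
            results[(int(m["port"]), m["proto"])] = m["state"]
    return results


def parse_firewall_log(text):
    """Return {(dport, proto): [field dicts]} for LOG lines carrying LOG_PREFIX.

    LEN appears twice per line (IP header, then transport header); the first
    value is kept so fields["LEN"] is the IP total length.
    """
    seen = defaultdict(list)
    for line in text.splitlines():
        if LOG_PREFIX not in line:
            continue
        fields = {}
        for m in KV_PAIR.finditer(line):
            fields.setdefault(m["key"], m["value"])
        if "PROTO" not in fields or "DPT" not in fields:
            continue
        seen[(int(fields["DPT"]), fields["PROTO"].lower())].append(fields)
    return seen


def verdict(state, proto, logged):
    """Reconcile one nmap state with whether the probe hit the LOG (then DROP) rule."""
    if not logged:
        return state, "no firewall log entry; nmap state stands"
    if proto == "udp" and state == "open":
        # No reply: older nmap reports "open", newer "open|filtered".
        # The log shows the probe was dropped, so treat it as filtered.
        return "filtered", "UDP probe logged before DROP; nmap saw no reply"
    return "filtered", "probe logged before DROP"


def reconcile(nmap_text, log_text):
    """Return {(port, proto): (verdict, reason)} for every port nmap listed."""
    nmap = parse_nmap(nmap_text)
    log = parse_firewall_log(log_text)
    return {
        key: verdict(state, key[1], bool(log.get(key)))
        for key, state in nmap.items()
    }


if __name__ == "__main__":
    for (port, proto), (state, why) in sorted(
        reconcile(NMAP_OUTPUT, FIREWALL_LOG).items()
    ):
        print(f"{port}/{proto}: {state} ({why})")
```

Run against a real host, replace the two constants with the nmap output and the relevant slice of the kernel log; only LOG rules placed immediately before the DROP policy make the "logged means dropped" assumption hold, so a LOG rule earlier in the chain (or in debug mode, as the reply notes) would need a different interpretation.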
