On Mon, Oct 11, 2004 at 11:48:39AM -0400, Michael Aldrich wrote:
> Hi,
> I am running 0.9 version of firewall on RedHat 7.3 (2.4.24). When I run a
> scan from another machine (nmap -sU XXX.XXX.XXX.XXX where X is my external
> IP), just about every port from 1/udp to 54321/udp is listed as open. 

The reason you see them reported as OPEN is that the firewall script
uses a DENY target to silently discard authorized packets.  Since nmap
sees no response to its port queries it assumes that they are open.

       -sU    UDP scans: This method is used to  determine  which
              UDP  (User  Datagram  Protocol,  RFC 768) ports are
              open on a host.  The technique is to  send  0  byte
              udp packets to each port on the target machine.  If
              we receive an ICMP port unreachable  message,  then
              the  port  is  closed.   Otherwise  we assume it is
              open.

I believe newer versions of nmap may do a better job of correctly
reporting the state of UDP ports but take considerably longer to run.

       -sU    UDP scans: This method is used  to  determine  which  UDP  (User
              Datagram Protocol, RFC 768) ports are open on a host.  The tech-
              nique is to send 0 byte UDP packets to each port on  the  target
              machine.   If  we receive an ICMP port unreachable message, then
              the port is closed.  If a UDP response is received to the  probe
              (unusual),  the port is open.  If we get no response at all, the
              state is "open|filtered", meaning that the port is  either  open
              or packet filters are blocking the communication.  Versions scan
              (-sV) can be used to help differentiate  the  truly  open  ports
              from the filtered ones.

(The 1467 ports scanned but not shown below are in state: closed)
PORT      STATE         SERVICE
9/udp     open|filtered discard
53/udp    open|filtered domain
67/udp    open|filtered dhcpserver
123/udp   open|filtered ntp
161/udp   open|filtered snmp
162/udp   open|filtered snmptrap
500/udp   open|filtered isakmp
3130/udp  open|filtered squid-ipc
3401/udp  open|filtered squid-snmp
5000/udp  open|filtered UPnP
10080/udp open|filtered amanda

Nmap run completed -- 1 IP address (1 host up) scanned in 1471.445 seconds


-- 
Jamin W. Collins

This is the typical unix way of doing things: you string together lots
of very specific tools to accomplish larger tasks. -- Vineet Kumar
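An added example (not part of the mail above, and not nmap's own code) that models the two classification rules quoted from the nmap man page, and a target whose firewall either silently drops probes (the DENY/DROP case in the question) or answers with ICMP port unreachable. The port list, listening services and "responds to an empty probe" set are constructed for the demonstration.

```python
# Models the inference nmap -sU makes from what a target sends back to a
# 0-byte UDP probe, under the old and the newer man-page rules quoted above.
# Everything here is a constructed simulation; no packets are sent.

ICMP_PORT_UNREACH = "icmp-port-unreachable"
UDP_REPLY = "udp-reply"
NO_RESPONSE = None


def classify_old(response):
    """Old -sU rule: anything but ICMP port unreachable is reported 'open'."""
    return "closed" if response == ICMP_PORT_UNREACH else "open"


def classify_new(response):
    """Newer -sU rule: silence becomes 'open|filtered', not 'open'."""
    if response == ICMP_PORT_UNREACH:
        return "closed"
    if response == UDP_REPLY:
        return "open"
    return "open|filtered"


def host_response(port, listening, responders, policy):
    """Simulated target (assumption, not a real stack).

    listening  - UDP ports with a service bound
    responders - subset of listening ports whose service answers an empty probe
    policy     - 'drop' silently discards non-listening ports (DENY/DROP target),
                 'reject' answers them with ICMP port unreachable
    """
    if port in responders:
        return UDP_REPLY
    if port in listening:
        return NO_RESPONSE          # service bound but silent on a 0-byte probe
    if policy == "drop":
        return NO_RESPONSE          # silently discarded by the firewall
    return ICMP_PORT_UNREACH        # rejected, or no firewall in the way


def scan(ports, listening, responders, policy, classify):
    """Run the chosen classification rule over every port."""
    return {p: classify(host_response(p, listening, responders, policy))
            for p in ports}


def summarize(results):
    """Count how many ports land in each reported state."""
    counts = {}
    for state in results.values():
        counts[state] = counts.get(state, 0) + 1
    return counts
```

With a DROP policy the old rule reports every probed port as open, exactly as in the question, while the newer rule reports them all as open|filtered; only a target that answers with ICMP port unreachable lets either rule separate closed ports from the rest.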
