On 12 Dec 2001, at 13:18, Boryan Yotov wrote:

> Hello, everybody. I'm a newbie in the firewall area :) so this question could sound a little bit silly.
>
> I would like to ask you if there is a way to understand whether a port on a remote machine is firewalled or just not opened. I use iptables to set up a firewall and I set an ACCEPT target for TCP port 80 for all "trusted" connections. All other connections to this port are DROP-ed (the INPUT chain policy is set to DROP). I'm curious whether someone could detect that the port is existing but firewalled, e.g. available just for a few hosts.
There are scenarios in which a firewall blocking a port gives back a different response (typically an ICMP Unreachable or an RST) than if the traffic was just dropped or if the destination didn't exist. (Note, though, that this tells us nothing about whether there is a listener on this port on a host behind the firewall -- the traffic never got that far.)

I cannot, however, imagine a scenario where such a response included the additional hint "but you would have gotten through if you had been coming from some other address". Even if the attacker can tell that their traffic was blocked by a firewall, they'd have to somehow access the firewall configuration in order to discover whether the blockage was total, or only for some source addresses and not others.

David Gillett

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
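The questioner's setup written out as an iptables-restore ruleset, added here as an example that is not from either poster; the trusted address 192.0.2.10 and the FORWARD policy are assumptions. The comments record what a remote sender observes under each target, which is the distinction the reply draws between a silent drop and a visible reject:

```iptables
# Added example: filter table mirroring the policy described in the question.
# Load as root with:  iptables-restore < this-file
*filter
# INPUT policy DROP: a packet matching no rule is discarded without reply.
# The remote sender sees nothing (its SYN is retransmitted and times out),
# the same signal it would get from an address with no host behind it.
:INPUT DROP [0:0]
# FORWARD policy is not mentioned in the question; DROP is assumed here.
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Loopback traffic and replies to connections this host opened itself.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# The "trusted" source (assumed address) may open TCP port 80.
# Only this sender ever receives the listener's SYN/ACK.
-A INPUT -p tcp -s 192.0.2.10 --dport 80 -m state --state NEW -j ACCEPT

# Any other sender's SYN to port 80 falls through to the DROP policy.
# Nothing in that silence tells the sender that a different source
# address would have been accepted.

# Contrast, left commented out: an explicit REJECT answers with an ICMP
# port-unreachable by default, or with an RST when --reject-with tcp-reset
# is given. Either reply shows a live host answered, which plain DROP does
# not, but still says nothing about the per-source allow rule above.
# -A INPUT -p tcp --dport 80 -j REJECT --reject-with tcp-reset
COMMIT
```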
