On Thu, 13 Dec 2001 [EMAIL PROTECTED] wrote:

> I agree nmap will show filtered if there is an access-list or firewall in
> front of the machine. However, I interpreted the email to mean you are
> firewalling a single machine on that machine itself?? If so, I believe nmap
> will only know that that machine is listening on port 80. Nmap simply does a
> three way handshake, then nmap itself sends a reset. Therefore, if an nmap

Nmap does a handshake only during a connect() scan. Nmap has lots of scan
options, and a trip through the documentation will give you an idea of when
they're useful.

> scan is run against a machine where the firewall is on that same machine, I
> believe nmap will say port 80 is open. I know that with a proxying firewall
> this is how it works. An nmap scan will only show that the port is
> listening. It does not get beyond the three way handshake into the ruleset.
>
> Unless someone else knows a way to extend the conversation nmap has with the
> box.

nmap's results are based on what comes back - that could be an RST, an ICMP
port unreachable or a SYN/ACK. You can pick what gets sent back with some
filtering products such as IPFilter, and therefore the conclusions anyone
doing reconnaissance will draw.

I used to take great delight in using return-rst with IPFilter to give
anyone scanning a /16's worth of address space *lots* of data to look at.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
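Added example, not part of the original message: a small parser that takes the raw IPv4 reply a filtering host sends to a SYN probe (SYN/ACK, RST, ICMP unreachable, or nothing) and reports the port state a half-open scan would record, so a firewall admin can see what each reply policy discloses. The mapping and the ICMP code set are assumptions taken from nmap's SYN scan documentation; the packets, addresses and policy labels are constructed for the example.

```python
import struct

# Assumption: ICMP type 3 codes that nmap's SYN scan docs treat as "filtered".
ICMP_FILTERED_CODES = {1, 2, 3, 9, 10, 13}

def classify_reply(packet):
    """Map one raw IPv4 reply (bytes, or None for a timeout) to a port state."""
    if packet is None:
        return "filtered"                      # silent drop: nothing came back
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "unknown"                       # not a usable IPv4 packet
    ihl = (packet[0] & 0x0F) * 4               # IP header length in bytes
    proto, payload = packet[9], packet[ihl:]
    if proto == 6 and len(payload) >= 14:      # TCP: flags are at offset 13
        flags = payload[13]
        if flags & 0x04:                       # RST (with or without ACK)
            return "closed"
        if flags & 0x12 == 0x12:               # SYN+ACK
            return "open"
    elif proto == 1 and len(payload) >= 2:     # ICMP: type, code
        if payload[0] == 3 and payload[1] in ICMP_FILTERED_CODES:
            return "filtered"
    return "unknown"

def ipv4(proto, payload):
    """Constructed minimal IPv4 header (checksum left at zero) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1])) + payload

def tcp(flags):
    """Constructed 20-byte TCP header from port 80 carrying the given flags."""
    return struct.pack("!HHIIBBHHH", 80, 40000, 0, 1, 5 << 4, flags, 1024, 0, 0)

# Constructed replies, keyed by the filter behaviour that would produce them.
SAMPLES = {
    "pass to listener":      ipv4(6, tcp(0x12)),                       # SYN/ACK
    "block return-rst":      ipv4(6, tcp(0x14)),                       # RST/ACK
    "block return-icmp":     ipv4(1, struct.pack("!BBHI", 3, 3, 0, 0)),  # port unreachable
    "block (silent drop)":   None,
}

def scan_view():
    """What a half-open scan would record for each reply policy."""
    return {policy: classify_reply(pkt) for policy, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for policy, state in scan_view().items():
        print(f"{policy:22} -> {state}")
```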
