What type of scan were you doing?
TCP syn scans will send a syn request to the target port, if a syn/ack is received the port is open, then send an rst, tearing the connection down before it can complete. Most operating systems don't log half-open connections
TCP SYN/ACK scans send a syn/ack, listen for an RST, which indicates the port is closed. If the port was open the SYN/ACK will be ignored and the packet dropped.
UDP scans will gegenrall produce a load of false ports being open.
Kind Rgds,
Paul Rochford
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe Matusiewicz
Sent: 07 May 2004 14:50
To: Scot Turner; [EMAIL PROTECTED]
Subject: Re: scanning firewall returns all ports as open
At 11:06 PM 5/6/2004, Scot Turner wrote:
>Ok, I'm trying to use NMAP to scan a firewall and it returns all ports as
>being "Interesting Ports" and open. I know it only has port 80 and 25 open
>(because it's my firewall!). Why is it returning this and how can I get
>accurate results?
Dunno why it's doing it. Run nmap in one window and tcpdump in
another. I'm assuming you doing a tcp scan so use tcpdump to see if you
get an ACK packet in response to your SYN packet. If you don't then nmap
is wrong -- if you do -- then your firewall has problems.
Hope this helps....
-- Joe
_______________________________________________
Nessus mailing list
[EMAIL PROTECTED]
http://mail.nessus.org/mailman/listinfo/nessus
********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please
notify us immediately at [EMAIL PROTECTED] and delete this E-mail
from your system. Thank you.
It is possible for data transmitted by email to be deliberately or
accidentally corrupted or intercepted. For this reason, where the
communication is by email, the Bank of Ireland Group does not accept
any responsibility for any breach of confidence which may arise
through the use of this medium.
This footnote also confirms that this email message has been swept
for the presence of known computer viruses.
********************************************************************
_______________________________________________ Nessus mailing list [EMAIL PROTECTED] http://mail.nessus.org/mailman/listinfo/nessus
