[Leaf-user] Firewall testing

2001-06-26 Thread Sean E. Covel

To all,

This is an interesting new test site.  Uses IP spoofing, so it does not
set off portsentry (first test that DIDN'T).  It was also the first test
ever to say I had ports open/visible.  I'm using EB2 LRP, and have been
on it a while.  I'm no expert, so could some of you experts take a look
at the tests (there are 2) and tell me what you see?

Here are my logs...

Try it yourself... http://www.pcflank.com./

Let me know what you see...

Sean

 logs.zip


[Leaf-user] Firewall testing

2001-06-27 Thread Sean E. Covel

I've been conversing with the "Expert Team" at PC Flank
(http://www.pcflank.com./) about their scanner.  So far they have asked
for additional information about my firewall, but have not defended the
results.

So... how can I verify that a certain port is/is not open?  The report
I got noted port 3128 (which Firewall Forensics says is "squid") was
"open".  Later in the report it said all the trojan ports were open
(27374, 12345, 1243, 31337, 12348) (I doubt it!).  How can I be sure?

As far as the "spoofing" and why they would want to do it... Anyone
running portsentry?  Ever gone up against "Shields Up" or "DSL Reports"
tests?  What happens?  After a few scans from the same IP, they end up
in hosts.deny and a firewall rule is added, both automatically.  Once
that is done, further scanning is moot.  My first run against PcFlank
noted more ports open than what I listed above, so I checked out my
network.conf.  The variables EXTERN_UDP_PORTS and EXTERN_TCP_PORT had
some ports listed (_domain _ntp _bootpc)(_smtp).  I cleaned those up
(had to leave _bootpc(?) for dnsclient) and the next scan listed fewer
ports.  Neither "Shields Up" or "DSL Reports" got far enough along in
their scans before portsentry kicked in to see those other ports!

So, once again, how do I tell for sure if the above listed ports are
open/visible/stealth?

Thanks,

Sean

P.S.  Did you run the "advanced" test?  Take a look at your logs.  What
a mess!  What does it all mean?  Did LRP really pass the test?


___
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user



[leaf-user] Firewall testing?

2005-11-30 Thread Jim Ford
Now I'm all snug and cosy behind my Leaf Bering firewall (thanks to the
helpful folk on this forum), I'd like to see just how secure it appears
from the outside.  There are various sites, some of them commercial, that
give a free firewall security test.  I've tried some of them and they give
varying results.  I'm also aware that it's in the interest of the
commercial sites to say that my firewall is insecure - so they can sell me
their solution!

Any recommendations (or is it good enough for me to nmap from outside)?

Jim Ford





Re: [Leaf-user] Firewall testing

2001-06-26 Thread Michael Leone

On 09 Jun 2001 08:55:01 -0400, Sean E. Covel wrote:
> To all,
> 
> This is an interesting new test site.  Uses IP Spoofing, so it does not
> set off portsentry (first test that DIDN'T)  It was also the first test
> ever to say I had ports open/visible.  I'm using EB2 LRP, and have been
> on it awhile.  I'm no expert, so could some of you experts take a look
> at the tests (there are 2) and tell me what you see?

This is the only scan I've ever taken (with EigerSteinBeta2) that told
me I have ports 135, 137, 138 and 139 open. And ESB2 by default closes
these ports. 

Also, it says ports 21 (ftp) and 80 (web) are open for me. This is true. Yet
somehow, the scan missed port 22 (SSH), and port 113 (ident), both of
which I am also running, and therefore should both show as open.

Also says some of the 'scare' ports - 27374, 31337, etc (the ports that
SubSeven, Back Orifice, and others use) - are visible, but not open.

Makes me wonder about this scan. It missed some blatant ones, and
reported on other ports that other scan sites did not.


-- 
 
--
Michael J. Leone  Registered Linux user #201348 
ICQ: 50453890
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF

Pysche closed for renovations.






Re: [Leaf-user] Firewall testing

2001-06-26 Thread Jonathan Rawson

I checked this site, questionable results.  It successfully determined
I have port 80 open.  Didn't report any ports as being open that
really aren't, but it missed ssh, whois, and smtp.  So, out of four
ports I know are open, it missed three, and only hit the obvious one.

I'd stick with shieldsup and dslreports.

Jonathan Rawson




Re: [Leaf-user] Firewall testing

2001-06-26 Thread Robert Chambers

I have also tried this site, and the same for me: open ports 135, 137, 138,
139 and visible ports 1080, 3128.  I am also running Eigerstein2beta.
When I test my system with Steve Gibson's site grc.com it says that I am a
hard target and all ports that are tested are in stealth mode.
Robert Chambers




RE: [Leaf-user] Firewall testing

2001-06-26 Thread Dan

~~
   D I S C L A I M E R
~~
I am a newb to this, but I am using the same system you guys are.  My
response here is a "guess" to see if my thinking is correct.  Please don't
confuse it with the well-informed
input I hope it will draw :)

~~

My first guess:  In looking through my own filter rules, I notice the
following:

  0     0 REJECT tcp  -- 0xFF 0x00  eth0  0.0.0.0/0  0.0.0.0/0  * ->   137
  0     0 REJECT tcp  -- 0xFF 0x00  eth0  0.0.0.0/0  0.0.0.0/0  * ->   135
257 20046 REJECT udp  -- 0xFF 0x00  eth0  0.0.0.0/0  0.0.0.0/0  * ->   137
  0     0 REJECT udp  -- 0xFF 0x00  eth0  0.0.0.0/0  0.0.0.0/0  * ->   135
  0     0 REJECT tcp  -- 0xFF 0x00  eth0  0.0.0.0/0  0.0.0.0/0  * ->   138:139
146 34019 REJECT udp  -- 0xFF 0x00  eth0  0.0.0.0/0  0.0.0.0/0  * ->   138

... and so forth.  My _guess_ is that the default config "rejects" these
packets, which sends back a message to the probing machine that allows it to
determine that the port in fact exists and is responding.  If the probe app
is "dumb" it will report ANY reply as "vulnerable."  Most other filters in
E2B seem to use DENY, but if I am correct, there are some comments in the
E2B scripts related to Windows doing "braindead things" --- this may be part
of the cure for that, as these are Windows default networking ports.

As far as the 1080, that's SOCKS --- I don't know why it is showing for all
of us (myself included).  I am definitely NOT running any such proxy here.
Port 3128 is not one I can find any info on.

My last guess is this:  the probe app is a POS, and not to be trusted.

Dan




Re: [Leaf-user] Firewall testing

2001-06-26 Thread Glenn A. Thompson

Hey,
I'm a newbie also.  I have a question.  Doesn't using these "testing" sites say:
hey, here I am, come and get me?
I mean, are they really to be trusted?  I know it's nice to know how secure you
are, but I'm afraid to use them.

Glenn




Re: [Leaf-user] Firewall testing

2001-06-26 Thread jdnewmil

On Tue, 26 Jun 2001, Glenn A. Thompson wrote:

> Hey,
> I'm a newbie also.  I have a question.  Doesn't using these "testing" sites say;
> hey, here I am come and get me?
> I mean are they really to be trusted?  I know it's nice to know how secure you
> are but I'm afraid to use them.

You should be much more afraid not to.  Your machine is probably already
getting several hits a day at random.

Also, unless a machine at or near the scanner's site is compromised,
J. Random Cracker won't even know you used the service.

See http://leaf.sourceforge.net's security section for some decent
scanners.

[...]

---
Jeff NewmillerThe .   .  Go Live...
DCN:<[EMAIL PROTECTED]>Basics: ##.#.   ##.#.  Live Go...
  Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/BatteriesO.O#.   #.O#.  with
/Software/Embedded Controllers)   .OO#.   .OO#.  rocks...2k
---





Re: [Leaf-user] Firewall testing

2001-06-26 Thread Greg Morgan

You have nothing to fear about grc.com.  If anything, Steve Gibson wants
to protect your privacy.  He even goes as far as mailing a confirmation
email to you that you have to reply to.  Once you reply, you are queued
for a scan.  grc.com is an interesting site.  The dude is into writing
most everything in assembler.  He seems pretty picky and maybe his work
is more accurate.  I keep meaning to scan my firewall with nmap.  nmap
will look at the signature of your TCP stack and take a guess at your
OS.

Greg


Re: [Leaf-user] Firewall testing

2001-06-26 Thread Glenn A. Thompson

Hmmm

I guess I'll have to try some of these.

Thanks,
Glenn




Re: [Leaf-user] Firewall testing

2001-06-27 Thread Mike Noyes

Jonathan Rawson, 2001-06-26 23:27 -0400
>I checked this site, questionable results.  It successfully determined
>I have port 80 open.  Didn't report any ports as being open that
>really aren't, but it missed ssh, whois, and smtp.  So, out of four
>ports I know are open, it missed three, and only hit the obvious one.
>
>I'd stick with shieldsup and dslreports.

Jonathan,
There are a couple of other quality scanning sites.

Web Links  Main / Security Audits
http://leaf.sourceforge.net/links.php?op=viewlink&cid=6

--
Mike Noyes <[EMAIL PROTECTED]>
FAQs sec00: LEAF SourceForge Site Answers
How do I request help?
http://sourceforge.net/docman/display_doc.php?docid=1891&group_id=13751





RE: [Leaf-user] Firewall testing

2001-06-27 Thread Anthony Lieuallen

Port 3128 is the default for the squid caching proxy
(http://www.squid-cache.org).  Chances are you aren't running that if
you didn't know it, and that scanner is in fact as useful as peering at
your computer through a toilet paper tube, at least for finding
security flaws.

--- Dan <[EMAIL PROTECTED]> wrote:
[snip]
> Port 3128 is not one I can find any info on.



=
  _
 / \  Some great sites:
[  Tony Lieuallen   ] http://www.dilbert.com
[  [EMAIL PROTECTED]   ] http://www.borg.com/~rjgtoons/
[   ] http://www.memepool.com
 \_/  http://www.bottomquark.com/




RE: [Leaf-user] Firewall testing

2001-06-27 Thread Tony

netstat -an ought to do it.

Tony




Re: [Leaf-user] Firewall testing

2001-06-27 Thread Dale Long

On Wed, 27 Jun 2001, Mike Noyes wrote:
> >I checked this site, questionable results.  It successfully determined
> >I have port 80 open.  Didn't report any ports as being open that
> >really aren't, but it missed ssh, whois, and smtp.  So, out of four
> >ports I know are open, it missed three, and only hit the obvious one.
> >
> >I'd stick with shieldsup and dslreports.
> 
> Jonathan,
> There are a couple of other quality scanning sites.
> 
> Web Links  Main / Security Audits
> http://leaf.sourceforge.net/links.php?op=viewlink&cid=6

Do you still need me to complete the scanning task, or is the web based
scanner enough for each user/leader to do?

Dale.





RE: [Leaf-user] Firewall testing

2001-06-27 Thread jdnewmil

On Wed, 27 Jun 2001, Tony wrote:

> netstat -an ought to do it.

That only gives the "which services are running" part of the picture.

Use "ipchains -L -n" to find out how the firewall is configured.  You
probably want to concentrate on the input list, and work your way down the
list one rule at a time.  It _is_ possible to ask ipchains how it would
respond to a particular packet, but you have to specify all the pertinent
values to get it to work, which can be error-prone.

---
Jeff NewmillerThe .   .  Go Live...
DCN:<[EMAIL PROTECTED]>Basics: ##.#.   ##.#.  Live Go...
  Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/BatteriesO.O#.   #.O#.  with
/Software/Embedded Controllers)   .OO#.   .OO#.  rocks...2k
---
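
Pulling together the two listings recommended above (netstat -an for what is bound, the verbose ipchains -L -n -v listing in Dan's paste for what the firewall does, first match top to bottom, then the chain policy), here is an added example that predicts what an outside scanner should report per port; it is not LEAF project code or anything posted in this thread. Both listings are constructed to resemble the Eiger defaults discussed above (REJECT on the NetBIOS ports, ACCEPT above 1024, DENY policy) and are not captured from a real router.

```python
"""Predict what an outside port scanner should see, from `netstat -an`
(which services are bound) and `ipchains -L -n -v` (what the firewall does
with an inbound packet).  Added example, not LEAF project code; both
listings below are constructed, not captured from a real box."""
import re

# Constructed `ipchains -L -n -v` excerpt, input chain only. Columns as in
# Dan's paste: pkts bytes target prot opt tosa tosx ifname [mark] [outsize]
# source destination ports, where ports is written "sport ->   dport".
IPCHAINS_OUTPUT = """\
Chain input (policy DENY: 12 packets, 720 bytes):
 pkts bytes target prot opt    tosa tosx ifname mark outsize source    destination ports
    0     0 REJECT tcp  ------ 0xFF 0x00 eth0                0.0.0.0/0 0.0.0.0/0   * ->   137
    0     0 REJECT tcp  ------ 0xFF 0x00 eth0                0.0.0.0/0 0.0.0.0/0   * ->   135
  257 20046 REJECT udp  ------ 0xFF 0x00 eth0                0.0.0.0/0 0.0.0.0/0   * ->   137
    0     0 REJECT tcp  ------ 0xFF 0x00 eth0                0.0.0.0/0 0.0.0.0/0   * ->   138:139
   40  2400 ACCEPT tcp  ------ 0xFF 0x00 eth0                0.0.0.0/0 0.0.0.0/0   * ->   22
  900 54000 ACCEPT tcp  ------ 0xFF 0x00 eth0                0.0.0.0/0 0.0.0.0/0   * ->   80
   10   600 ACCEPT tcp  ------ 0xFF 0x00 eth0                0.0.0.0/0 0.0.0.0/0   * ->   1024:65535
"""

# Constructed `netstat -an` excerpt: only sshd, httpd and the dhcp client bound.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""


def parse_ipchains(text):
    """Return {chain: (policy, [rule, ...])} from an `ipchains -L -n -v` dump."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2).rstrip(":"), [])
            continue
        toks = line.split()
        if current is None or not toks or not toks[0].isdigit() or "->" not in toks:
            continue  # blank line or the column-header line
        arrow = toks.index("->")  # mark/outsize may be blank, so anchor on "->"
        chains[current][1].append({
            "target": toks[2], "proto": toks[3], "iface": toks[7],
            "src": toks[arrow - 3], "dst": toks[arrow - 2],
            "sport": toks[arrow - 1], "dport": toks[arrow + 1]})
    return chains


def parse_netstat(text):
    """Return the set of (proto, port) sockets that would answer an inbound packet."""
    bound = set()
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 4 or toks[0] not in ("tcp", "udp"):
            continue
        if toks[0] == "tcp" and (len(toks) < 6 or toks[5] != "LISTEN"):
            continue  # established/closing tcp sockets take no new connections
        bound.add((toks[0], int(toks[3].rsplit(":", 1)[1])))
    return bound


def port_in(spec, port):
    """True if port matches an ipchains port column: '*', '137' or '138:139'."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


def classify(chains, bound, proto, port, chain="input"):
    """Walk the chain top to bottom, first match wins, else the chain policy.
    Returns (state, deciding_rule) with state one of open/closed/stealth."""
    policy, rules = chains[chain]
    for rule in rules:
        if rule["proto"] in (proto, "all") and port_in(rule["dport"], port):
            target, decided_by = rule["target"], rule
            break
    else:
        target, decided_by = policy, None
    if target == "ACCEPT":
        # Packet reaches the stack.  With no listener the kernel itself answers
        # (TCP RST / ICMP port unreachable): reported "closed", not stealth.
        return ("open" if (proto, port) in bound else "closed"), decided_by
    if target == "REJECT":
        # REJECT sends ICMP unreachable, so the scanner learns a host is there.
        return "closed", decided_by
    # DENY drops silently: nothing comes back, which scanners call "stealth".
    return "stealth", decided_by


def audit(ports, ipchains_text=IPCHAINS_OUTPUT, netstat_text=NETSTAT_OUTPUT):
    """Map each (proto, port) to the state an outside scanner should report."""
    chains, bound = parse_ipchains(ipchains_text), parse_netstat(netstat_text)
    return {p: classify(chains, bound, *p)[0] for p in ports}


if __name__ == "__main__":
    checks = [("tcp", 22), ("tcp", 113), ("tcp", 137), ("tcp", 3128), ("udp", 31337)]
    for (proto, port), state in audit(checks).items():
        print(f"{proto}/{port:<5} {state}")
```

Run against the real listings (`ipchains -L -n -v` and `netstat -an` from the router) it answers Sean's question directly, and it shows why a port above 1024 with nothing bound comes back "closed" rather than stealth, as Victor describes.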





Re: [Leaf-user] Firewall testing

2001-06-27 Thread Victor McAllister

"Sean E. Covel" wrote:

> So, once again, how do I tell for sure if the above listed ports are
> open/visible/stealth?

Eiger has ports > 1024 open to the outside.  This allows some things to work
without changing the firewall rules.  It is reasonably secure because there
is NOTHING running on the router that is listening to these ports and they
are NOT being forwarded to some internal machine unless you make such a
rule.  Some services on internal boxes that run masq modules like ICQ, IRC,
real audio and quake can use inbound connections higher than 1024.  The
connections are likely initiated from your masq network - not from an unknown
outsider.

It sounds to me like this outfit is expecting to test personal firewalls on
a Windows box, where the firewall and applications are on the same machine.

Psentry is useful to lock out scanners on a protected port - it makes an
ipchains rule that DENYs them immediately.  The rule stays in place until
you do "svi network ipfilter reload" to get rid of the accumulated rules.





Re: [Leaf-user] Firewall testing

2001-06-28 Thread Mike Noyes

Dale Long, 2001-06-28 13:19 +0930
>On Wed, 27 Jun 2001, Mike Noyes wrote:
> > There are a couple of other quality scanning sites.
> >
> > Web Links  Main / Security Audits
> > http://leaf.sourceforge.net/links.php?op=viewlink&cid=6
>
>Do you still need me to complete the scanning task, or is the web based
>scanner enough for each user/leader to do?

Dale,
Yes. I think they will provide a good reference for users to compare their
setup with. Also, scans from the DMZ and the internal network can't be
performed by these web based audits.

--
Mike Noyes <[EMAIL PROTECTED]>
http://leaf.sourceforge.net/





Re: [Leaf-user] Firewall testing

2001-06-28 Thread Dale Long

On Thu, 28 Jun 2001, Mike Noyes wrote:
> >Do you still need me to complete the scanning task, or is the web based
> >scanner enough for each user/leader to do?

> Yes. I think they will provide a good reference for users to compare their
> setup with. Also, scans from the DMZ and the internal network can't be
> performed by these web based audits.

Are there any particular builds you want me to test against? I am planning
to redo the latest Oxygen and EigerStein on my LAN.

What is the official release of each type as opposed to the development
releases?

Do you want me to try each affiliated firewall with them, or just with the
'out of the box' product?

Dale.





Re: [Leaf-user] Firewall testing

2001-06-29 Thread Mike Noyes

Dale Long, 2001-06-29 09:58 +0930
>On Thu, 28 Jun 2001, Mike Noyes wrote:
> > >Do you still need me to complete the scanning task, or is the web
> > >based scanner enough for each user/leader to do?
>
> > Yes. I think they will provide a good reference for users to compare
> > their setup with. Also, scans from the DMZ and the internal network
> > can't be performed by these web based audits.
>
>Are there any particular builds you want me to test against? I am
>planning to redo the latest Oxygen and EigerStein on my LAN.
>
>What is the official release of each type as opposed to the development
>releases?

Dale,
The official releases are in our files area. (ES2b & O2 May 2001)

>Do you want me to try each affiliated firewall with them, or just with the
>'out of the box' product?

Start with the 'out of the box' products. If you get ambitious you can do 
the rest. :)

--
Mike Noyes <[EMAIL PROTECTED]>
http://leaf.sourceforge.net/





Re: [leaf-user] Firewall testing?

2005-11-30 Thread Tom Eastep
On Wednesday 30 November 2005 10:09, Jim Ford wrote:
> Now I'm all snug and cosy behind my Leaf Bering firewall (thanks to the
> helpful folk on this forum), I'd like to see just how secure it appears
> from the outside. There are various sites, some of them commercial, that
> give a free firewall security test. I've tried some of them and they give
> varying results. I'm also aware that it's in the interest of the commercial
> sites to say that my firewall is insecure - so they can sell me their
> solution!
>
> Any recommendations (or is it good enough for me to nmap from outside)?

You need to carefully evaluate all results -- see Shorewall FAQ 4 and its 
related sub-FAQs. 

If you don't understand a particular report, I recommend running tcpdump on 
your firewall while doing the scan to verify that the probes are actually 
reaching your firewall and that they are not being responded to by an 
intermediate router.

-Tom
-- 
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
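Tom's tcpdump suggestion carried through, as an added example that is not part of any list post (nor Shorewall's or LEAF's code): a small shell/awk filter over tcpdump output captured on the firewall's own external interface that reports, per probed port, whether the firewall answered with a SYN/ACK (a listener, "open"), a RST (the port is allowed by the ruleset but nothing listens, which is Victor's Eiger ">1024" case and what scanners report as "closed"), or nothing at all ("stealth"). The addresses, interface name and capture lines are constructed, and the modern tcpdump `Flags [S]` output format is assumed.

```shell
#!/bin/sh
# Added example, not from the list posts: summarise what a scanner "sees" per
# port from a tcpdump capture taken on the firewall's own external interface.
# On the router, while the web-based scan runs (SCANNER_IP, eth0 are placeholders):
#   tcpdump -ni eth0 'tcp and host SCANNER_IP' > scan.txt
# then:  classify_ports FIREWALL_IP < scan.txt
# Assumes the modern tcpdump line format, e.g.
#   12:00:01.000 IP 203.0.113.5.40000 > 198.51.100.1.3128: Flags [S], ...
# Only SYN probes are considered (ACK/FIN/Xmas scans would need extra rules).

classify_ports() {
    fw=$1
    awk -v fw="$fw" '
        # Field layout: $3 = "src ip.port", $5 = "dst ip.port:", $7 = "[flags],"
        function port_of(field,   parts) {
            split(field, parts, "."); sub(/:$/, "", parts[5]); return parts[5]
        }
        # Inbound SYN addressed to the firewall: the probe really reached us.
        $5 ~ ("^" fw "\\.") && $7 ~ /^\[S\],?$/ { seen[port_of($5)] = 1 }
        # SYN/ACK back from the firewall: something is listening ("open").
        $3 ~ ("^" fw "\\.") && $7 ~ /^\[S\.\],?$/ { reply[port_of($3)] = "open" }
        # RST back from the firewall: port allowed by the ruleset but no
        # listener, which a scanner reports as "closed" (visible, not open).
        $3 ~ ("^" fw "\\.") && $7 ~ /^\[R\.?\],?$/ {
            p = port_of($3); if (!(p in reply)) reply[p] = "closed"
        }
        # A probe with no reply at all is what the scanners call "stealth":
        # the packet was DROPped (or never reached the firewall, which is
        # exactly why the capture must be taken on the firewall itself).
        END { for (p in seen) print p, ((p in reply) ? reply[p] : "stealth") }
    ' | sort -n
}

# Constructed sample capture (documentation addresses, not real hosts).
sample_capture() {
    cat <<'EOF'
12:00:01.000 IP 203.0.113.5.40000 > 198.51.100.1.3128: Flags [S], seq 1, win 512, length 0
12:00:01.001 IP 198.51.100.1.3128 > 203.0.113.5.40000: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:01.002 IP 203.0.113.5.40001 > 198.51.100.1.22: Flags [S], seq 1, win 512, length 0
12:00:01.003 IP 198.51.100.1.22 > 203.0.113.5.40001: Flags [S.], seq 100, ack 2, win 5840, length 0
12:00:01.004 IP 203.0.113.5.40002 > 198.51.100.1.27374: Flags [S], seq 1, win 512, length 0
EOF
}

sample_capture | classify_ports 198.51.100.1
```

A port that the web report calls "open" but that shows up here as "closed" or "stealth" (or never appears as an inbound SYN at all) was answered, or absorbed, somewhere upstream of the firewall.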




Re: [leaf-user] Firewall testing?

2005-11-30 Thread Marko Nurmenniemi

Tom Eastep wrote:

> On Wednesday 30 November 2005 10:09, Jim Ford wrote:
> > Now I'm all snug and cosy behind my Leaf Bering firewall (thanks to the
> > helpful folk on this forum), I'd like to see just how secure it appears
> > from the outside. There are various sites, some of them commercial, that
> > give a free firewall security test. I've tried some of them and they give
> > varying results. I'm also aware that it's in the interest of the commercial
> > sites to say that my firewall is insecure - so they can sell me their
> > solution!
> >
> > Any recommendations (or is it good enough for me to nmap from outside)?
>
> You need to carefully evaluate all results -- see Shorewall FAQ 4 and its
> related sub-FAQs.
>
> If you don't understand a particular report, I recommend running tcpdump on
> your firewall while doing the scan to verify that the probes are actually
> reaching your firewall and that they are not being responded to by an
> intermediate router.
>
> -Tom

grc.com does analysis but doesn't sell services.

-M



leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/