Dan, Did you run this scan against the internal or external interface of the SonicWall? Every scan I've ever run against a SonicWall from the outside exhibited the OS Characteristics of the OS actually running services port forwarded behind it. e.g. a friend with a SonicWall was running his web and mail servers behind a Sonicwall on an AIX box. When we nmap scanned the external interface of the Sonicwall, it showed up as an AIX box. -john At 05:17 PM 7/25/2001 -0600, Dan Ferris wrote: >This may not seem bad, but to me it seems that this defeats the point of NAT >if somebody can steal your sessions. Note the section on TCP sequence >prediction. This was a Sonicwall SOHO firewall. > >======= >Host (192.168.1.254) appears to be up ... good. >Initiating SYN half-open stealth scan against (192.168.1.254) >Adding TCP port 80 (state open). >The SYN scan took 8 seconds to scan 1523 ports. >For OSScan assuming that port 80 is open and port 1 is closed and neither >are firewalled >Interesting ports on (192.168.1.254): >(The 1518 ports scanned but not shown below are in state: closed) >Port State Service >23/tcp filtered telnet >67/tcp filtered bootps >80/tcp open http >137/tcp filtered netbios-ns >514/tcp filtered shell > >TCP Sequence Prediction: Class=64K rule > Difficulty=1 (Trivial joke) > >Sequence numbers: 3EC519BD 3EC613BD 3EC70DBD 3EC807BD 3EC901BD 3EC9FBBD >Remote operating system guess: Accelerated Networks - High Speed Integrated >Access VoDSL >OS Fingerprint: >TSeq(Class=64K) >T1(Resp=Y%DF=N%W=2000%ACK=S++%Flags=AS%Ops=MNW) >T2(Resp=N) >T3(Resp=Y%DF=N%W=2000%ACK=O%Flags=A%Ops=) >T4(Resp=Y%DF=N%W=2000%ACK=O%Flags=R%Ops=) >T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=) >T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=) >T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=) >PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=0%UCK=0%ULEN=134%DAT=E) > > >Nmap run completed -- 1 IP address (1 host up) scanned in 8 seconds
