[ale] Comments sought on port scan

[John Mills]

Jonathan -

I started with 'pmfirewall' and seem do be getting some results, but not
what I expect.

On Tue, 12 Dec 2000, Jonathan Rickman wrote:
> [jonathan at abacus jonathan]$ nmap 192.168.0.254
> 
> Starting nmap V. 2.53 by fyodor at insecure.org ( www.insecure.org/nmap/ )
> Interesting ports on gate2 (192.168.0.254):
> (The 1521 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 22/tcp     open        ssh                     
> 25/tcp     open        smtp                    
> 
> Nmap run completed -- 1 IP address (1 host up) scanned in 16 seconds

Are you running X11 and the printer port in this host? I added 515
(printer) to the denied ports in my 'pmfirewall.rules.local' and when I
scan from a remote host, a number of ports (including 515) are reported as
"filtered", _even_ when they which do not show in-use at all on an
internal scan.

I notice that 'gnome' seems to use a goodly number of ports around
[1024...] (which also scan as "filtered") which I assume have no need of
an outside interface.

I hypothesize these ports appear in the rules, and that has made them
visible in their 'denial' behavior. Is that a likely explanation? If I
remove them from the 'pmfirewall' default list they might then disappear.
Easy to try, anyway.

I'm going through the IPCHAINS-HOWTO-4 and haven't yet understood how the
rules accumulate and interrelate on a chain. I expect I'll get there,
because that writeup, Bob's book, and the Linux Firewalls book all come at
this, but I am not effective yet.

Should I be able to completely conceal a port used only internally from an
external scan of 'eth0' on the box?

Thanks.
 - John Mills

--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.