Monday, October 29, 2007

Re: Port 80 Open

On Sun, Oct 28, 2007 at 08:35:30PM -0600, Telly Williams wrote:
> Ansgar, Paolo, and David,
>
> Thanks for the help. I utilized your ideas and ran nmap and
> nothing comes up (I did this from the same host, though). My

er... is your fw supposed to protect you from yourself? ;)
try a remote scanner like grc.com's.

> logs aren't writing anything now, or is it that my ports can't

look at your iptables-save, select a chain that goes through LOG, ask grc.com
to stress a port for that chain. See what happens in the logs.

> be "seen"?). Interestingly (to me), ports 0 and 1 come up as
> closed (from grc.com, I assume because of the set limits that
> make my firewall "adaptive").

If by 'adaptive' you mean the -m state on input, yes. Which is btw true for
any other port you did not open explicitly.

>
> Only a small minority of people use the forward chain, right? I

dunno ... you need FORWARD only if your machine routes packets for other
machines, eg your machine sits between the LAN and I'net. Or you've got
some fancy virtual machines / alias iface setup.

> Currently, I have OUTPUT accepting NEW,ESTABLISHED,RELATED. If
> I'm thinking right about what you said Ansgar, the only thing I
> need to worry about in OUTPUT is NEW, so I'm about to change it

you need all 3.

> Then why does the site http://www.grc.com keep referring to
> ports as being under stealth? Are they defining "stealth" in a

I guess (checking their port 113 write up) they just mean what the rule
--state ESTABLISHED,RELATED on INPUT does. ie, in their wording, if you have
such rule in INPUT chain (you do, right?) you can proudly say your machine
is fully 'Stealthy(TM)' ;)

> different way? What does one have to gain by propagating this
> "marketing babble"?

hype behind fw sw market. Just marketing, in other words.

For some tech about 'stealth' mode, 'man nmap' - check for -sS -sF -sX
-sN -sI; also check README and man page for hping2 or hping3 for some other
insights. Good reading.


--
paolo
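
Picking "a chain that goes through LOG" out of an iptables-save dump, as the reply above suggests, can be done mechanically. This is an added example, not part of the original post: the ruleset is constructed, and the names `parse` and `log_paths` are hypothetical. It lists the match conditions that lead to each LOG rule and does not model earlier rules in a chain that may accept or drop the packet first.

```python
import shlex

# Constructed sample in iptables-save format (not taken from the thread).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j LOGDROP
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
-A LOGDROP -j DROP
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def parse(text):
    """Return {chain: [(match_tokens, target), ...]} for the rules in a dump."""
    chains = {}
    for line in text.splitlines():
        if line.startswith(":"):            # chain declaration, e.g. ":INPUT DROP [0:0]"
            chains.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):        # appended rule
            tok = shlex.split(line)         # shlex keeps the quoted log prefix together
            target = tok[tok.index("-j") + 1] if "-j" in tok else None
            end = tok.index("-j") if "-j" in tok else len(tok)
            chains.setdefault(tok[1], []).append((tok[2:end], target))
    return chains

def log_paths(chains, start="INPUT", path=(), seen=()):
    """Yield (chain, conditions) for every LOG rule reachable from `start`.

    Simplification: rules earlier in a chain that terminate the packet are ignored.
    """
    for match, target in chains.get(start, []):
        here = path + (" ".join(match),) if match else path
        if target == "LOG":
            yield start, here
        elif target in chains and target not in seen:   # jump to a user-defined chain
            yield from log_paths(chains, target, here, seen + (start,))

if __name__ == "__main__":
    for chain, conds in log_paths(parse(SAMPLE)):
        print(f"LOG in {chain} reached when: {' AND '.join(conds)}")
```

With the sample ruleset, the only logged path is TCP port 80, so that is the port to have the remote scanner probe while watching the logs.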

