On Sat, May 19, 2001 at 10:41:03PM +0200, Tazio Ceri wrote:
> just to check the security of my machine I run "nmap -vv -sU mymachineip" from another box on the internet.
> nmap returns that udp ports 137, 138, 272, 464, 635, 929, 1110, 1464 and 2002 are open. I run netstat from my machine and I note that only 137 and 138 are really open, not the others. Furthermore, 137 and 138 are firewalled with ipchains (-j DENY option).
> Can anybody explain to me why nmap makes these mistakes, if they really are mistakes? Why does it see 137 and 138 as open while they are firewalled?
Did you create this firewall yourself? The fact that you've firewalled 137 and 138 with the DENY target explains why these ports are showing up on the nmap scan. When nmap performs a UDP scan, it looks for ICMP port unreachable packets being returned when it prods a port. If it doesn't receive such a packet when it prods a port, then it assumes that port is open. By using the DENY target, ipchains (or iptables) will just drop the packet completely, pretending as if it had never received it. This does not generate an ICMP response to the probing host, so nmap assumes an open port.

To get rid of the 'phantom open ports', use the REJECT target for your firewalling rules, and the appropriate packet will be returned to the nmap'ing host, and all will be well. I assume ports 272, 464, etc. are also firewalled using the DENY target?

Hope that helps,

Chris

--
Chris Reeves
ICQ# 22219005
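The inference Chris describes, modelled as an added example (not code from the thread or from nmap): each firewall policy determines what reply a UDP probe gets, and the scanner turns that reply into a verdict. The policy names, the port list and the "listening" set are constructed for illustration; `phantom_open_ports` cross-checks the scan against what netstat would show, which is the check Tazio did by hand.

```python
# Model of how a UDP scanner such as nmap infers port state from the reply it
# gets to a probe, and how the firewall target changes that reply.
# Added example; policies, ports and the listening set are constructed.

DROP = "DROP"      # ipchains -j DENY / iptables -j DROP: silently discard
REJECT = "REJECT"  # ipchains -j REJECT: discard and send ICMP port unreachable
ACCEPT = "ACCEPT"  # no filtering: the host's own UDP stack answers

ICMP_PORT_UNREACH = "icmp-port-unreachable"
NO_RESPONSE = "no-response"


def host_reply(port, policy, listening):
    """What the probed host sends back for one UDP probe to `port`."""
    if policy == DROP:
        # The datagram never reaches the UDP stack, so nothing is sent back.
        return NO_RESPONSE
    if policy == REJECT:
        return ICMP_PORT_UNREACH
    # ACCEPT: a closed port makes the kernel send ICMP port unreachable; a
    # listening service usually stays silent on an empty, unknown datagram.
    return NO_RESPONSE if port in listening else ICMP_PORT_UNREACH


def scanner_verdict(reply):
    """The rule from the thread: ICMP port unreachable means closed,
    silence is taken as open (later nmap versions call it open|filtered)."""
    return "closed" if reply == ICMP_PORT_UNREACH else "open"


def scan(ports, policy, listening):
    """Run the probe/verdict cycle over every port and return {port: state}."""
    return {p: scanner_verdict(host_reply(p, policy, listening)) for p in ports}


def phantom_open_ports(scan_result, listening):
    """Ports the scanner calls open although no local socket is bound to
    them, i.e. the 'phantom open ports' produced by a silent drop."""
    return sorted(p for p, state in scan_result.items()
                  if state == "open" and p not in listening)


if __name__ == "__main__":
    # Constructed sample: netstat shows only 137 and 138 bound locally.
    bound = {137, 138}
    probed = [137, 138, 272, 464]
    for policy in (DROP, REJECT, ACCEPT):
        result = scan(probed, policy, bound)
        print(policy, result, "phantom:", phantom_open_ports(result, bound))
```

With DROP every probed port comes back "open" and the unbound ones are flagged as phantoms; with REJECT every port is reported closed, which matches the reply's "all will be well".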