In some mail from gary flynn, sie said:
>
> > From: <robert.stahlbrand_at_nmac.ericsson.se>
> >
> > The FIN scanning method (presented in Phrack Magazine 49, article 15)
> > where you can scan for open ports on a host behind a packet-filtering
> > firewall even though your rules deny it is certainly working on
> > Checkpoint ver. 2.1(a)
[...]
> I'm not familiar with Checkpoint but any packet filter that is
> filtering on a destination port is going to toss the packet
> regardless of the SYN or any other flag unless there is some
> special programming.
I wouldn't be so sure about that. Checkpoint's FW-1 will pass all
packets through with the ACK flag set (except, I think SYN-ACK)
but will strip the body of any data. They do this so that they can
rebuild state for a connection which has remained open over (say)
the firewall rebooting or connection information expiring. If the
reply packet was returned, anyway, there's your scan!
Darren
Received on Nov 08 1997
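The two filter behaviours argued about above, as an added example (not part of the original thread and not Checkpoint code): a toy model in which one filter drops everything to a denied port regardless of flags, and the other passes any ACK-flagged segment except SYN/ACK, as described for FW-1. The target host answers stray segments the way RFC 793 section 3.9 specifies for a closed port and for a LISTEN socket. The port numbers, the denied set and the filter rule semantics are constructed assumptions for illustration. With the ACK-passing filter, ACK-flagged probes to a denied port reach the host and an RST comes back, which is the reply Darren refers to; note that RFC 793 answers an ACK with RST in both LISTEN and CLOSED, so that reply confirms the probe got through rather than telling open from closed, whereas the bare-FIN probe is the one that separates open (silent) from closed (RST) on ports the filter lets through.

```python
"""
Added example: a toy model of the two packet-filter behaviours discussed in
the thread, plus a target host that follows RFC 793 for segments arriving
at a closed port or a LISTEN socket.  Nothing here is Checkpoint code; the
filter semantics are a hypothetical simplification used for illustration.
"""
from dataclasses import dataclass

SYN, ACK, FIN, RST = "SYN", "ACK", "FIN", "RST"
FLAG_ORDER = (SYN, ACK, FIN, RST)   # canonical order for printing replies


@dataclass(frozen=True)
class Segment:
    dport: int
    flags: frozenset  # subset of {SYN, ACK, FIN, RST}


def strict_filter(seg, denied):
    """Filter as Gary describes it: a denied destination port is dropped
    whatever the flags are."""
    return seg.dport not in denied


def ack_passing_filter(seg, denied):
    """Filter as Darren describes it: a segment with ACK set is passed
    (SYN/ACK excepted) so the filter can rebuild lost connection state;
    anything else to a denied port is dropped.  Assumed behaviour."""
    if seg.dport not in denied:
        return True
    return ACK in seg.flags and SYN not in seg.flags


def host_reply(seg, listening):
    """RFC 793 section 3.9 handling of an unexpected segment.
    Returns the reply's flag set, or None if the host stays silent."""
    if RST in seg.flags:
        return None                      # an incoming RST is never answered
    if seg.dport not in listening:       # CLOSED: anything but RST gets an RST
        return frozenset({RST}) if ACK in seg.flags else frozenset({RST, ACK})
    # LISTEN socket
    if ACK in seg.flags:
        return frozenset({RST})          # "any acknowledgment is bad" in LISTEN
    if SYN in seg.flags:
        return frozenset({SYN, ACK})     # normal handshake
    return None                          # bare FIN / no flags: silently dropped


def probe(seg, allow, denied, listening):
    """Send one segment through the filter to the host.  Returns "dropped"
    (filter ate it), "silent" (host did not answer) or the reply flags
    joined with '/', e.g. "RST", "ACK/RST", "SYN/ACK"."""
    if not allow(seg, denied):
        return "dropped"
    reply = host_reply(seg, listening)
    if reply is None:
        return "silent"
    return "/".join(f for f in FLAG_ORDER if f in reply)


def scan(flags, ports, allow, denied, listening):
    """Probe each port with the given flag set; map port -> outcome."""
    return {p: probe(Segment(p, frozenset(flags)), allow, denied, listening)
            for p in ports}


if __name__ == "__main__":
    # Constructed scenario: the filter denies 22 and 25 from outside;
    # the host listens on 22 and 80, while 25 and 110 are closed.
    DENIED = {22, 25}
    LISTENING = {22, 80}
    PORTS = [22, 25, 80, 110]
    for name, allow in (("strict", strict_filter),
                        ("ack-passing", ack_passing_filter)):
        for probe_flags in ((SYN,), (FIN,), (ACK,), (FIN, ACK)):
            print(f"{name:12s} {'/'.join(probe_flags):8s}",
                  scan(probe_flags, PORTS, allow, DENIED, LISTENING))
```

Running it prints one line per filter and probe type. The interesting rows are the ACK and FIN/ACK probes: under the strict filter the denied ports stay "dropped", under the ACK-passing filter they come back "RST" from behind the firewall.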