Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: Nmap and Watchguard firewalls
From: MadHat <madhat () unspecific com>
Date: Tue, 24 May 2005 13:29:34 -0500

On May 24, 2005, at 8:16 AM, Kern, Tom wrote:
Hi. I don't know if this is the appropriate place to send this  
email so i apologize in advance.

I have an issue where i'm running an nmap scan against my interent  
router(cisco). This router sits in front of a Watchguard firebox X  
firewall. Whenever i run the scan, the fingerprint that I get back  
is the Watchguard itself.
This happens when I run it against my home network(or any host  
outside the firewall). It always comes back as Watchguard.

I run nmap with the -vv sS -O switches against the ip of the host.

I've run nmap from a Windows xp sp1 box and a RedHat Enterprise  
Linux box. Same result.

Also, the linux box is not NAT/PATed by the firewall or router. The  
router does no NAT.
The firewall is running an smtp and dns proxy. All the other  
services are stateful packet inspection.
Watchguard has been silent on the issue but it seems the firebox x  
is doing some rewriting but I can't tell for sure.
When i run ethereal from the nmap host, i can see the packets going  
to the destination ok.
However, at the router, when i run a packet filter, i see nothing  
going to the destination i'm nmaping or the source nmap host.

I was wondering if you knew of any isses with nmap and Watchguard.  
I apologize again if this is the wrong place to email this or for  
wasting your time.

I saw similar issues when scanning from behind a Cisco PIX firewall a  
few years ago.  The issue was that the pix touched each packet as it  
went through the firewall.  This was by design.  And in doing so,  
when doing OS fingerprints, everything was unknown, at that time.  If  
I remember properly, later the unknowns started showing up as PIX  
because someone had submitted the fingerprint as a PIX, when to me it  
looked more like a device on the other side of the pix.  Not sure, I  
don't work there anymore, so I can't test.  As for the specific  
reasons why, that depends on how the internals of the firewall.  You  
might find more answers from a firewall specific list or white papers  
on how that firewall works.

Sent through the nmap-dev mailing list

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]