Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: DENY x REJECT
From: "Ofir Arkin" <ofir () sys-security com>
Date: Mon, 8 Oct 2001 11:26:28 +0200

Rosenau,

The best way to differ between a port which the firewall is configured
to "drop" a packet(s) and a port the firewall is configured to "reject"
a packet(s) is to look for the ICMP Error Message (Destination
Unreachable - Communication with Destination Network is Administratively
Prohibited) as you stated.

Today, I am not familiar with any tool parsing the ICMP Error message
coming from a port which the firewall rejects the packets for.

As a thumb rule configuring a firewall to "reject" rather than "drop" is
a mistake. The firewall needs to be transparent as possible for traffic
going through. 

Other than differing between a port which is filtered "reject" or
filtered "drop" you can differ between the operating systems the
firewall is installed on (if this is a software based firewall). Than
the best friend you have is your sniffer. 

You can look at several parameters very easily to establish your
conclusion. It can range from the IP Time-To-Live field, to even
changing/crafting the offending packet and looking for several changes
with the ICMP Error message produced by the firewall.

I bet adding this functionality to NMAP is easy.
I will be looking to add this functionality to Xprobe as well.


Resources you can use are:
Xprobe & X: http://www.sys-security.com/html/projects/X.html [Version
0.2.x soon to be released]
ICMP Usage in scanning research (more details):
http://www.sys-security.com/html/projects/icmp.html 


Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA


-----Original Message-----
From: Rosenau [mailto:rosenau () netsec com br] 
Sent: ד 03 אוקטובר 2001 17:53
To: pen-test () securityfocus com
Subject: DENY x REJECT

Hi

Does anybody know a port scanner that could distinguish a "deny"
filtered
tcp port (firewall drops packets for the port) from a "reject" filtered
tcp
port (firewall returns an ICMP - port unreachable)?.

Nmap seems to report boths cases simply as "filtered". Actually, both
cases
are filtered, but when you receive a ICMP, you can be sure that the port
is
really filtered. If you do not receive nothing, the port could be
filtered,
or packets could have been lost...

Regards,
Rosenau.



------------------------------------------------------------------------
----
This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please
see:
https://alerts.securityfocus.com/


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault