Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: DENY x REJECT
From: niceshorts () yahoo com
Date: Tue, 9 Oct 2001 15:37:05 -0500

Ofir Arkin hat geschrieben:

The best way to differ between a port which the firewall is configured
to "drop" a packet(s) and a port the firewall is configured to "reject"
a packet(s) is to look for the ICMP Error Message (Destination
Unreachable - Communication with Destination Network is Administratively
Prohibited) as you stated.

    This is to expand on what Ofir wrote.

    If a TCP packet is =not= filtered, and there is no listening
    socket, the response should be a RST. This should also be taken
    into account. If a UDP packet is =not= filtered, and there is
    a listening socket, a response is application layer specific
    and typically a misunderstood datagram will be dropped. So a
    firewall dropping a UDP packet and a listening UDP socket can
    be difficult to differentiate. If there is no listening
    UDP socket, a Destination Port Unreachable message should be
    returned. But if we are talking about a firewall between
    source and destination, we don't know anything if the
    firewall happens to drop those Unreachables. Such is life
    made more difficult.

Today, I am not familiar with any tool parsing the ICMP Error message
coming from a port which the firewall rejects the packets for.

    Perhaps,

    icmpinfo -vvvn

As a thumb rule configuring a firewall to "reject" rather than "drop" is
a mistake. The firewall needs to be transparent as possible for traffic
going through. 

    It depends if the firewall returns a RST on reject. One
    example where this is useful is to RST ident. I think the
    actual reject response (ICMP or TCP RST) is implementation
    specific and depends on semantics.

-----Original Message-----
From: Rosenau [mailto:rosenau () netsec com br] 
Sent: ã 03 àå÷èåáø 2001 17:53
To: pen-test () securityfocus com
Subject: DENY x REJECT

Hi

Does anybody know a port scanner that could distinguish a "deny"
filtered
tcp port (firewall drops packets for the port) from a "reject" filtered
tcp
port (firewall returns an ICMP - port unreachable)?.

Nmap seems to report boths cases simply as "filtered". Actually, both
cases
are filtered, but when you receive a ICMP, you can be sure that the port
is
really filtered. If you do not receive nothing, the port could be
filtered,
or packets could have been lost...

Regards,
Rosenau.



------------------------------------------------------------------------
----
This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please
see:
https://alerts.securityfocus.com/


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

-- 
HTTP request sent, awaiting response... 404 Object Not Found
ERROR 404: Object Not Found.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault