Blame it all on the firewall!
Dustin Decker
dustind at moon-lite.com
Fri Apr 4 19:39:37 CST 2003
On Fri, 4 Apr 2003, Jason Clinton wrote:
> Okay, you're confused.
>
> Filtered is when a firewall is actively prohibiting anything from going
> through a port.
>
> Closed just means that nothing was bound to that port to accept connections.
>
> Filtered is better than closed.
Well.. that's a purely subjective statement. It all depends on whether I
want the firewall to behave as though nothing is bound at all (i.e. when I
only want a particular IP to be allowed to connect to a port, and play
dead for all others), or if I feel like actually responding with an ICMP
error indicating connection is prohibited, or whatever. Some times, I
just want to drop the packet entirely, no response whatsoever, whether
a socket is bound or not.
NMAP (and other scanners) is/are quite crafty when intelligence is in the
drivers seat. Running with different flags and observing behavior can
help one determine the actual ruleset on the firewall. Not generally a
big deal really - but then again, we're talking about intelligence here...
secrets, lies and deception are at play. So... I might want to lie to
anyone taking a look.
"Filtered" and "closed" as a result, both have their place.
D.
--
o-----------------------------------o
| Dustin Decker - CNA, MCP |
| dustin at dustindecker.com o--------------------------------------o
| Network Engineer | "It is the eternal folly of man. |
| Preferred Physicians Group | To be chasing after the sweet flesh,|
o-------------------------------| without realizing that it is simply |
| a pretty cover for bones." |
o--------------------------------------o
More information about the Kclug
mailing list