
Thread: Firewall / NAT question

  1. #11
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    You can use TTL to determine if the packets are making it downstream of the firewall.

    http://www.packetfactory.net/projects/firewalk/

    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  2. #12
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    thatch, I think you got your answers, but I think everyone looked at this a little differently and answered accordingly.
    Let me see if I can clarify:

    Do firewalls, when NATing, take all traffic from the external IP and pass it to the internal network and expect the server to have the remaining services closed down?
    Depends on how it is configured, but usually no. ( it would actually be silly to do so. )

    Do they only take traffic destined for a port and drop everything else?
    For the purpose of this discussion, this is a more accurate statement. And, as you know, it may not be just one port to one machine. There may be additional services running on that box so there could be more than one port forwarded to it, and/or it could be to several different boxes for other services and/or load balancing.

    If it's the latter, when I scan am I only scanning the 1 port that is allowing traffic to be forwarded to it?
    Again, this has been answered, but yes, I think you have the idea.

    Is there a way of determining if the firewall is blocking the traffic to the other ports or if the server has been locked down and is blocking them?
    Yes and no.
    No, because once the ports are blocked at the firewall the server will never see the scan if it is coming in that way.
    You could have port 23 wide open on a server, but if you are scanning the perimeter ( from outside, hitting the firewall box first ) and that port is blocked by the firewall, the port will appear closed from the outside when on the server it is actually wide open.
    Yes, scan the servers from the other side of the firewall.

    I fired up Wireshark and then set a scan going using another tool, then looked at my responses in Wireshark. I could see that the responses from closed ports were all coming from a source that was a Cisco device (which I know to be my firewall). When I performed the same technique on another server I got the same.
    I am wondering here how you scanned the server and got the same results as scanning the firewall ( Cisco device responding ) ... how did you scan the server, from inside, or still from the outside? If it was from the inside, is there another Cisco device in between? Or, after understanding the other answers, is this question now moot?

    Is this technique sufficient to prove that I have identified that the servers are behind a Cisco firewall that is NATing addresses and only allowing traffic through on certain ports? Or am I missing something obvious that would mean this technique is only valid in this situation?
    I would say no, and leave you to think about this:
    what if there actually is no firewall?
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
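The two posts above describe one analysis from two directions: Maestr0 points at TTL as the way to tell whether a reply was generated before or after the firewall, and the last post asks how to read a Wireshark capture in which every "closed port" reply comes from the Cisco device. The script below is an added example, not code from the thread or from Firewalk, that works that reasoning through on constructed capture records. It assumes only the common initial TTLs (32, 64, 128, 255) and a NATed public address (203.0.113.10, a documentation address). Because NAT rewrites the source address, every reply carries the same IP; the observed TTL, compared against the TTL of a genuine SYN-ACK from the server, is what separates a refusal generated by the firewall from one generated by the host. It also shows IKnowNot's closing point: with no open port to use as a baseline, a set of RSTs from one hop distance is indistinguishable from a host with no firewall at all.

```python
"""Classify scan replies by inferred hop distance (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Common initial TTLs: many network devices start at 255, Linux at 64, Windows at 128.
INITIAL_TTLS = (32, 64, 128, 255)


@dataclass(frozen=True)
class Response:
    dst_port: int   # port that was probed
    src_ip: str     # source address in the reply (identical for every reply under NAT)
    ttl: int        # IP TTL observed in the reply (ignored when kind == "none")
    kind: str       # "SYN-ACK", "RST", "ICMP-unreach" or "none" (probe unanswered)


def estimate_hops(ttl: int) -> Optional[int]:
    """Distance to the responder: smallest common initial TTL >= observed, minus observed.

    Returns None for a value that cannot be an IP TTL (negative or above 255).
    """
    if ttl < 0:
        return None
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    return None


def classify_responses(responses: List[Response]) -> Dict[int, str]:
    """Label each probed port by where its reply originated.

    A SYN-ACK can only come from the host that owns the listening service, so the
    hop distances of SYN-ACKs form the baseline for "the server". A refusal (RST or
    ICMP unreachable) from fewer hops than every server was generated by a device in
    front of it; one from a server's own distance was generated by the server itself.
    With no SYN-ACK there is no baseline, and firewall versus bare host is undecidable.
    """
    server_hops = {estimate_hops(r.ttl) for r in responses if r.kind == "SYN-ACK"}
    server_hops.discard(None)
    verdicts: Dict[int, str] = {}
    for r in responses:
        if r.kind == "none":
            verdicts[r.dst_port] = "no-reply"          # dropped silently somewhere on the path
            continue
        hops = estimate_hops(r.ttl)
        if hops is None:
            verdicts[r.dst_port] = "invalid-ttl"
        elif r.kind == "SYN-ACK":
            verdicts[r.dst_port] = "open"
        elif not server_hops:
            verdicts[r.dst_port] = "indeterminate"     # nothing to compare the refusal against
        elif hops in server_hops:
            verdicts[r.dst_port] = "closed-on-server"  # forwarded, but nothing listening
        elif hops < min(server_hops):
            verdicts[r.dst_port] = "refused-upstream"  # generated before the server, e.g. the firewall
        else:
            verdicts[r.dst_port] = "unexpected"        # further away than any known server
    return verdicts


# Constructed capture: a NATed host with 80/443 forwarded, 8080 forwarded but not listening,
# 23/25 refused by the Cisco device in front of it, and 3389 dropped without a reply.
CAPTURE = [
    Response(80, "203.0.113.10", 58, "SYN-ACK"),        # Linux server: 64 - 58 = 6 hops
    Response(443, "203.0.113.10", 58, "SYN-ACK"),
    Response(8080, "203.0.113.10", 58, "RST"),          # same 6 hops: the server itself refused
    Response(23, "203.0.113.10", 250, "RST"),           # network device: 255 - 250 = 5 hops
    Response(25, "203.0.113.10", 250, "ICMP-unreach"),
    Response(3389, "203.0.113.10", 0, "none"),
]

# Constructed capture with no open ports: every refusal comes from one distance, and
# nothing tells a filtering device apart from a locked-down host with no firewall.
NO_OPEN_PORTS = [
    Response(p, "203.0.113.10", 250, "RST") for p in (21, 22, 23, 25, 80)
]


def main() -> None:
    for label, capture in (("nat-with-forwards", CAPTURE), ("no-open-ports", NO_OPEN_PORTS)):
        print(f"== {label} ==")
        for port, verdict in sorted(classify_responses(capture).items()):
            print(f"  port {port:>5}: {verdict}")


if __name__ == "__main__":
    main()
```

The hop estimate is deliberately coarse: it assumes the responder started from one of the listed initial TTLs, so a stack with an unusual default, or a second device between the scanner and the firewall, shifts the numbers, and the only statement the comparison supports is "nearer than the service" or "as far as the service". That is also why the no-open-ports case returns `indeterminate` rather than guessing; the thread's advice to scan from the inside is the way to resolve it.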
