July 24, 2008 01:40am pdt

1. gheist 10,500
2. noci 3,200
3. DonKoyote 2,500
4. svs 2,000
4. JustUNIX 2,000
4. rindi 2,000
7. eoinosul... 1,500
8. ahoffmann 1,250
9. jbrahy 1,000
9. Roadrunn... 1,000
9. Rance_Hall 1,000
12. TeRReF 500
12. srgilani 500
14. arnold 80

1. gheist 122,328
2. it_alche... 20,000
3. sunnycoder 7,324
4. Crossley 3,470
5. noci 3,200
6. DonKoyote 2,500
6. SteveSloan 2,500
8. jimbb 2,330
9. svs 2,000
9. JustUNIX 2,000
9. smokeyser 2,000
9. jasonsbytes 2,000
9. anfi 2,000
9. rindi 2,000
9. vico1 2,000

02.28.2008 at 05:30AM PST, ID: 23200135

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

8.9

NMAP shows ports that I know nothing about in the "filtered" state

Zones: OpenBSD, Unix Operating Systems, BSD Unix

Tags: OpenBSD, Packet Filtering, 3.9

I noticed yesterday that when I run an NMAP against the external interface of my OpenBSD firewall it shows ports in the "filtered" state, that I know nothing about. In the past it would only show the ports that I purposely opened in the PF.CONF file. I don't know what changed, that's making me now see these "filtered" ports. Below is output from NMAP.

Starting Nmap 4.10 ( http://www.insecure.org/nmap ) at 2008-02-28 08:18 Eastern Standard Time
Interesting ports on email.eoc.psu.edu (128.118.20.198):
Not shown: 1661 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
554/tcp filtered rtsp
1025/tcp open NFS-or-IIS
1720/tcp filtered H.323/Q.931
2000/tcp filtered callbook
3389/tcp open ms-term-serv
5060/tcp filtered sip
49400/tcp filtered compaqdiag
50000/tcp filtered iiimsf
50002/tcp filtered iiimsf
54320/tcp filtered bo2k
61439/tcp filtered netprowler-manager
61440/tcp filtered netprowler-manager2
61441/tcp filtered netprowler-sensor
65301/tcp filtered pcanywhere

Nmap finished: 1 IP address (1 host up) scanned in 2.250 seconds

The ports in the OPEN state, are the ones that I opened on purpose. The ones in the filtered state, I know nothing about. Below is my pf.conf file

# VARIABLES
ext_if="xl1"
int_if="xl0"
tcp_services="{ 1025 }"
icmp_types="echoreq"
ssh="192.168.1.3"
web="192.168.1.3"
email="192.168.1.2"
ftp_server="192.168.1.3"

# OPTIONS
set block-policy return
set loginterface $ext_if
set skip on lo

# SCRUB
scrub in

# NAT/RDR
nat on $ext_if from !($ext_if) -> ($ext_if:0)

################# FTP ##################
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $ext_if proto tcp from any to any port 21 -> $ftp_server port 21
rdr on $ext_if proto tcp from any to any port 49152:65535 -> \
$ftp_server port 49152:65535
################# FTP ##################

rdr on $ext_if proto tcp from any to any port 80 -> $web
rdr on $ext_if proto tcp from any to any port smtp -> $email
rdr on $ext_if proto tcp from any to any port 3389 -> $web
rdr on $ext_if proto tcp from any to any port 22 -> $ssh

# FILTER RULES
block in
pass out keep state
anchor "ftp-proxy/*"
antispoof quick for {lo $int_if }

pass in on $ext_if proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA keep state

pass in on $ext_if proto tcp from any to $web port 80 \
flags S/SA synproxy state

pass in on $ext_if proto tcp from any to $web port 3389 \
flags S/SA synproxy state

pass in on $ext_if proto tcp from any to $email port smtp \
flags S/SA synproxy state

pass in on $ext_if proto tcp from any to $ssh port 22 \
flags S/SA synproxy state

################# FTP #################
pass in quick on $ext_if proto tcp from any to $ftp_server \
port 21 keep state
pass in quick on $ext_if proto tcp from any to $ftp_server \
port > 49151 keep state
pass out quick on $int_if proto tcp from any to $ftp_server \
port 21 keep state
pass out quick on $int_if proto tcp from any to $ftp_server \
port > 49151 keep state
################# FTP #################

pass in inet proto icmp all icmp-type $icmp_types keep state
pass quick on $int_if

Start your free trial to view this solution

Question Stats

Zone: OS

Question Asked By: psueoc

Solution Provided By: ahoffmann

Participating Experts: 2

Solution Grade: A

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
Automotive
New Net Users
New Users

Software
Digital Music
Gaming World
Home Security

Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Displays / Monitors
Handhelds / PDAs
Components
Peripherals
Laptops/Notebooks

Servers
Misc
Apple
Embedded Hardware
Networking Hardware

Storage
Desktops
New Users

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMware
Misc
Web Development

OS
CYGWIN
Voice Recognition
Virtualization
Message Queue
Quality Assurance
Security
Firewalls

MultiMedia Applications
Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals
Devices

Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
Web Computing
WebApplications
IDS
Vulnerabilities
Email Clients
File Sharing

Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Consulting
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMware

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel
Automation

Algorithms
Game
Signal Processing
Project Management
Open Source
Database

Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Web Services

Images
Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration

WebApplications
Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Web Computing

Broadband
Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Lounge
Business Travel
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles
Automotive

Community Support

Suggestions
New to EE
New Topics
CleanUp

Announcements
General
Feedback

Input
EE Bugs

02.29.2008 at 10:20AM PST, ID: 21015998

ForestDenizen:

psueoc,
We have sent a message to some of our more experienced Experts asking them to review your question, and will check back again to see if you are getting the help you need.

Please do not respond to this comment or post another request; we are monitoring the notifications from your question for activity from the Experts.

Thank you for using Experts Exchange,

ForestDenizen
Community Support Moderator
http://www.experts-exchange.com/Q_23202638.html

03.01.2008 at 11:53AM PST, ID: 21023207

Vee_Mod:

psueoc

Another message has been sent to some of our more experienced Experts asking them to review your question.

I will check back again to see if you are getting the help you need.

Thank you for using Experts Exchange,

Vee_Mod
Experts Exchange Moderator
Link to CS-G post:
http://www.experts-exchange.com/Q_23202638.html

03.01.2008 at 12:43PM PST, ID: 21023436

Rank: Guru

ahoffmann:

stolen from man nmap

Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed

03.03.2008 at 05:18AM PST, ID: 21031106

psueoc:

what would cause them to start showing up as filtered. I didn't change anything. Could my firewall be compromised?

I used to only see the OPEN ports.

03.04.2008 at 01:20PM PST, ID: 21045234

Rank: Guru

ahoffmann:

stolen from nmap's man page again:

open|filtered
Nmap places ports in this state when it is unable to determine
whether a port is open or filtered. This occurs for scan types
in which open ports give no response. The lack of response could
also mean that a packet filter dropped the probe or any response
it elicited. So Nmap does not know for sure whether the port is
open or being filtered. The UDP, IP Protocol, FIN, Null, and
Xmas scans classify ports this way.

Accepted Solution

03.11.2008 at 11:58PM PDT, ID: 21103608

Rank: Guru

gheist:

Your pf.conf does not return anything via "block in" rule, so nmap's "filtered" is expected.
No-one is compromised. Could it be you restarted system and firewall enabled finally :S

Assisted Solution

gheist

06.06.2008 at 05:44AM PDT, ID: 21728445

icmp rate limiting kicked in and you did not get response from some closed ports. why you are using nmap when you have system access including "netstat"

20080236-EE-VQP-29 / EE_QW_2_20070628