Re: Does NMAP need ICMP for accurate UDP state
On Wed, 9 Jul 2003 22:41:24 -0400, Dusty wrote:
> An Nmap scan on my server reports open states on ports 137:139. But I know
> they are not open because I am dropping INPUT packets on those ports in the
> firewall rules, and definitely can't connect to those ports from the outside
> using an smbclient or nmbstat command. That said, samba is running on the
> machine for use internally.
>
> My question... what would give Nmap a "false positive"? I read that nmap
> needs a destination-unreachable icmp packet, and the absence of one would
> be interpreted as "open".
This is true.
> I think I'm outputting that icmp type.
You are using REJECT then, not DROP?
# tcpdump -vvvni <external interface> icmp and src <your ip address>
Run this while scanning from the outside, and you'll see exactly what
ICMP packets you send.
> Are there
> any other possibilities? Or is any udp packet explicitly dropped in iptables
> going to show as "open" to nmap?
It's the way UDP works, really.
Normally, there are only two ways a host will _not_ receive either an
icmp 'unreachable' or an icmp 'time exceeded': a) the packet is accepted
by an application (open), or b) the packet dies a horrible death in some
packet filter (filtered). Neither Nmap nor any bad guys can tell the
difference.
- Eirik
--
New and exciting signature!
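
Added example (not part of the original message or of Nmap): a sketch of the inference described above, applied to one-line `tcpdump -n` output captured with the command in the reply. The capture lines, addresses and function names are constructed for illustration; only the ICMP port-unreachable form is handled.

```python
import re

# One-line tcpdump -n rendering of ICMP type 3 code 3 (port unreachable).
UNREACH = re.compile(r"IP (\S+) > \S+: ICMP (\S+) udp port (\d+) unreachable")

# Constructed sample capture (documentation addresses): the server at
# 192.0.2.10 REJECTs UDP 135-136 and silently DROPs UDP 137-139.
SAMPLE_CAPTURE = """\
22:41:30.100101 IP 192.0.2.10 > 198.51.100.7: ICMP 192.0.2.10 udp port 135 unreachable, length 36
22:41:31.100342 IP 192.0.2.10 > 198.51.100.7: ICMP 192.0.2.10 udp port 136 unreachable, length 36
22:41:31.900517 IP 192.0.2.10 > 198.51.100.7: ICMP echo reply, id 7, seq 1, length 64
"""


def rejected_ports(capture, server_ip):
    """UDP ports for which server_ip itself sent ICMP port unreachable."""
    ports = set()
    for line in capture.splitlines():
        m = UNREACH.search(line)
        # Same restriction as the `src` filter in the tcpdump command.
        if m and m.group(1) == server_ip and m.group(2) == server_ip:
            ports.add(int(m.group(3)))
    return ports


def predicted_states(probed_ports, capture, server_ip):
    """State a UDP scanner can infer per port from the ICMP the server sent."""
    answered = rejected_ports(capture, server_ip)
    states = {}
    for port in probed_ports:
        # Port unreachable proves "closed". Silence fits both a listening
        # service and a DROP rule, so it is reported as open|filtered
        # (plain "open" in the Nmap output quoted in this thread).
        states[port] = "closed" if port in answered else "open|filtered"
    return states


if __name__ == "__main__":
    result = predicted_states(range(135, 140), SAMPLE_CAPTURE, "192.0.2.10")
    for port, state in result.items():
        print(f"{port}/udp {state}")
```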