[Dshield] little experiment

Henry Hertz Hobbit hhhobbit at comcast.net
Tue Mar 1 15:50:27 GMT 2005

On Mon, 2005-02-28 at 19:59, Jonathan C. Webster wrote:
> Interesting: My NATing router/firewall is a Netgear FVS318 v1. NOTHING is supposed to be open.
> The Linux boxes in my tiny network do not listen on those ports.
> Probes to both ports 53 and 137 *DO* show up in the router log as being dropped, 137 very often.
> From your scan report:
> Jonathan
> ___________________snip_________________________
> Note! This scanner tends to show firewalled UDP ports as open!
> Interesting ports on xxx.xxx.xxx.xxx.adsl.snet.net
> 53/udp  open  domain?
> 137/udp open  netbios-ns?
> Nmap run completed -- 1 IP address (1 host up) scanned in 31.035 seconds

Many of these little broadband router / switches will show this, but
when you make a request to the unit on either port, it shows up in the
logs as being blocked.  I wonder why nmap thinks they are open?  nmap
thinks that DLink is a Cisco PIX firewall (chuckle, chuckle).  Oh yes, I
am running iptables BEHIND that firewall, so I have a double firewall. 
I suspect it is the cable or DSL modem that is fooling nmap into finding
these "open" ports.  To test it we need to remove the unit from the WAN
link and put a machine on the WAN side of the unit and nmap it from that
machine attached to the WAN port.  You would either have to set the IP
address on the unit or make the machine on the WAN port be a DHCP
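The scan report quoted above prints a trailing "?" after each UDP service name, which is nmap's marker that the name is a table lookup rather than a fingerprinted response. A defender reading such a report should therefore record those UDP ports as open|filtered, not open. The following is an added example (not code from the thread or from nmap) that parses port lines in the quoted format and applies that rule; the sample output is constructed from the lines in the post.

```python
import re
from dataclasses import dataclass

# Constructed sample, copied from the report quoted in the thread (placeholder host).
NMAP_OUTPUT = """\
Interesting ports on xxx.xxx.xxx.xxx.adsl.snet.net
53/udp  open  domain?
137/udp open  netbios-ns?
80/tcp  open  http
"""

# "<port>/<proto>  <state>  <service>" as printed in nmap's normal output.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


@dataclass
class PortResult:
    port: int
    proto: str
    state: str
    service: str
    verified: bool  # False when nmap printed a trailing '?' (no service response seen)


def parse_nmap(text):
    """Extract the port table from nmap normal output; other lines are ignored."""
    results = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, svc = m.groups()
        results.append(PortResult(int(port), proto, state, svc.rstrip("?"), not svc.endswith("?")))
    return results


def assess(result):
    """State a defender should record for one port.
    A UDP port reported 'open' with an unverified service guess produced no
    datagram back and no ICMP unreachable; that is indistinguishable from a
    firewall silently dropping the probe, so it is recorded as open|filtered."""
    if result.proto == "udp" and result.state == "open" and not result.verified:
        return "open|filtered"
    return result.state


def report(text):
    """Map 'port/proto' -> assessed state for a whole scan report."""
    return {f"{r.port}/{r.proto}": assess(r) for r in parse_nmap(text)}
```

Ports that the router log shows as dropped and that this report lists as open|filtered are consistent with each other; only a port that actually answers a probe (no "?") should be treated as open.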

