How do firewalls react to UDP port scans?

I am trying to write a freeware client/server program that needs to scan the server's ports for the server's open UDP port.

Before I get too deep into this, are there any problems that I need to know of if I send a probe UDP packet that looks for the server to all ports at the server's target IP?

The reason I am asking is that some users of this freeware server will be behind NATs and I may have to probe for the external port assigned to the internal server by the NAT device. The client would send an encrypted string that the server would know how to respond to. If this encrypted value is not what the server expected, no communication would take place.

Any help you can give would be greatly appreciated.

Reply to
smerf

Send one UDP packet to scan all ports? I'm not sure this is possible the way you have described it.

Most client/server apps more typically will require you to either manually configure the NAT firewall so that it will work, or know how the NAT is configured and manually configure the client and server so it will work. Most client/server apps also more typically have a standard port number for the server that is recommended to be configured as a static port number in NAT.

How is the NAT set up? Are you sure the server's port will change to an unknown value during the NAT? How is it that the NAT port being used is not already known? I would expect the client's source port to change dynamically, but the server's destination port to be known by whoever configured the NAT.

Reply to
karl levinson, mvp

What I meant was that the server (behind NAT1) will be expecting an encrypted value from the client (behind NAT2).

I would send this same encrypted info to all UDP ports on the server's known external IP to get a valid connection to the server. Of course this would mean sending a packet for each possible port, but the packet contents would all be the same.

Sorry for the confusion.

I will not know. Neither may the server operator. Think of it as a P2P app using UDP behind NATs.

I don't want the end user to have to configure firewalls or NATs. I want this to be as simple as possible for them.

Being behind a NAT (and not setting up any manual port forwarding) means that the NAT will choose an unused port at random for outbound UDP connections (just like it does for HTTP connections when you surf the web).

So, the external port for the server will be unknown.

See above.

I am really trying to make this as simple as possible by not requiring the end users to set ports in their NAT or Firewall. Also, some people may want to use the software but not have access to the NAT or Firewall to make manual changes.

Reply to
smerf

Do you want to try to 're-invent' a wheel?

formatting link
just asking, Holger

Reply to
Holger Petersen

Your answer is determined by the question of, is this static or dynamic NAT you are talking about?

If it is dynamic, like the majority, but not all, NAT implementations, you won't be able to scan, as the ports are added to the firewall's NAT table in a dynamic "client port" -> "firewall's external port" mapping. In other words, in dynamic NAT configurations there is no incoming access allowed (Internet to internal PC), generally speaking (there are special proxy ports to allow some protocols to function correctly).

That is, if I fully understand your question. No guarantee there...

Imhotep

Reply to
imhotep
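To make the "client port" -> "firewall's external port" mapping concrete, here is a small constructed model of a dynamic, port-restricted NAT. It is an added illustration, not code from anyone in this thread, and the addresses, port numbers and class names are all made up for the example (RFC 5737 documentation ranges). It shows why the approach asked about in the original post fails: no entry exists in the NAT table until the inside host sends something out, so a datagram arriving at any external port is dropped, and even after a mapping exists it only admits the remote endpoint the mapping was created towards.

```python
import random

# Constructed model of a dynamic, port-restricted NAT (added illustration; not
# code from the thread). An entry in the NAT table exists only after an inside
# host sends something out, and a datagram arriving at an external port with no
# matching entry is dropped. Addresses are RFC 5737 documentation addresses.

class DynamicNat:
    def __init__(self, external_ip, seed=0):
        self.external_ip = external_ip
        self._rng = random.Random(seed)        # deterministic port choice for the demo
        # external_port -> (internal_ip, internal_port, remote_ip, remote_port)
        self.table = {}
        self.dropped = 0

    def outbound(self, internal, remote):
        """Inside host `internal` sends to `remote`; returns the external (ip, port)."""
        for ext_port, (iip, iport, rip, rport) in self.table.items():
            if (iip, iport) == internal and (rip, rport) == remote:
                return (self.external_ip, ext_port)      # reuse the existing mapping
        ext_port = self._free_port()                     # otherwise pick an unused port
        self.table[ext_port] = (internal[0], internal[1], remote[0], remote[1])
        return (self.external_ip, ext_port)

    def _free_port(self):
        while True:
            port = self._rng.randint(1024, 65535)
            if port not in self.table:
                return port

    def inbound(self, ext_port, remote):
        """Datagram from `remote` arrives at `ext_port`; returns the inside endpoint or None."""
        entry = self.table.get(ext_port)
        # port-restricted: the entry must exist AND have been created towards this remote
        if entry is None or (entry[2], entry[3]) != remote:
            self.dropped += 1
            return None
        return (entry[0], entry[1])


def probe_every_port(nat, sender):
    """The approach asked about in the thread: one datagram to each external port."""
    return [p for p in range(1, 65536) if nat.inbound(p, sender) is not None]


def demo():
    nat = DynamicNat("198.51.100.10")
    server_inside = ("10.0.0.5", 5000)           # the freeware server behind the NAT
    client = ("203.0.113.7", 40000)              # the other user's external endpoint
    introducer = ("192.0.2.1", 3478)             # a public "server in the middle"

    # 1. Nothing has gone out yet: every one of the 65535 probes is dropped.
    before = probe_every_port(nat, client)

    # 2. The server sends one datagram outward to the introducer; a mapping appears.
    ext = nat.outbound(server_inside, introducer)

    # 3. The introducer can now reach the server on that port; the client still cannot,
    #    because the entry was created towards the introducer, not towards the client.
    from_introducer = nat.inbound(ext[1], introducer)
    after = probe_every_port(nat, client)
    return {"before": before, "ext_port": ext[1],
            "from_introducer": from_introducer, "after": after,
            "table_size": len(nat.table)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns empty lists for both probe rounds: before any outbound traffic there is no mapping at all, and afterwards the single mapping admits only the introducer. Real NAT devices vary (some are less restrictive, some time mappings out after seconds of silence), but the table-driven behaviour modelled here is the reason the port-by-port probe never reaches the inside server.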

Are you trying to do this to find the "secret" port???

Correct...

It will be dynamic...

Honestly, I think you will need a server in the middle. For example, Client-A connects to Internet-Server-A, then Client-B connects to Internet-Server-A. Next, they can use Internet-Server-A as a kind of packet proxy (for lack of a better techie word)...

This would allow you to not force any users to reconfigure their NAT routers, etc., and would be seamless...

Just a thought...

Imhotep

Reply to
imhotep
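The following is an added example of the "server in the middle" idea, written for this thread; it is not code from imhotep or from the freeware project under discussion. Both peers send outbound to a public relay, so each peer's NAT creates its own mapping; the relay records the external (ip, port) it observes for each peer and forwards each peer's datagrams to the other. Nobody configures port forwarding and nobody probes ports. 127.0.0.1 stands in for the relay's public address, the `REG`/`YOU` message format is invented for the example, and the room name is a constructed stand-in for the shared value the original post mentions.

```python
import socket
import threading

# Added example of a UDP "server in the middle" (relay); not code from the thread.
# Peers register with the relay over UDP, which creates an outbound mapping in
# each peer's NAT; the relay then forwards datagrams between the two registered
# peers. 127.0.0.1 stands in for a public address. The REG/YOU wire format and the
# room name are constructed for this example only.

HOST = "127.0.0.1"

class RelayServer:
    def __init__(self, host=HOST, port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((host, port))            # port 0: let the OS pick a free port
        self.sock.settimeout(0.2)               # so the loop can notice stop()
        self.addr = self.sock.getsockname()
        self.rooms = {}                         # room -> up to two observed (ip, port)
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._loop, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()

    def _loop(self):
        while not self._stop.is_set():
            try:
                data, src = self.sock.recvfrom(2048)
            except socket.timeout:
                continue
            self.handle(data, src)

    def handle(self, data, src):
        if data.startswith(b"REG "):
            room = data[4:].decode(errors="replace").strip()
            peers = self.rooms.setdefault(room, [])
            if src not in peers and len(peers) < 2:
                peers.append(src)
            # report back the external endpoint the relay sees (what the NAT chose)
            self.sock.sendto(b"YOU %s:%d" % (src[0].encode(), src[1]), src)
            return
        # forward only on behalf of a registered peer, and only to its partner
        for peers in self.rooms.values():
            if src in peers and len(peers) == 2:
                partner = peers[1] if peers[0] == src else peers[0]
                self.sock.sendto(data, partner)
                return
        # anything else (unregistered sender, partner not yet present) is dropped


def make_peer(timeout=1.0):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((HOST, 0))
    s.settimeout(timeout)
    return s

def register(peer, relay_addr, room):
    peer.sendto(b"REG " + room.encode(), relay_addr)
    data, _ = peer.recvfrom(2048)
    return data.decode()          # e.g. "YOU 127.0.0.1:54321"

def demo():
    relay = RelayServer().start()
    a, b, stranger = make_peer(), make_peer(), make_peer()
    try:
        seen_a = register(a, relay.addr, "demo-room")
        seen_b = register(b, relay.addr, "demo-room")
        a.sendto(b"hello from A", relay.addr)
        got_by_b, _ = b.recvfrom(2048)
        # a sender that never registered is not forwarded to anyone
        stranger.sendto(b"unsolicited", relay.addr)
        try:
            b.recvfrom(2048)
            stranger_dropped = False
        except socket.timeout:
            stranger_dropped = True
        return {"a_seen": seen_a, "b_seen": seen_b,
                "b_got": got_by_b, "stranger_dropped": stranger_dropped}
    finally:
        for s in (a, b, stranger):
            s.close()
        relay.stop()

if __name__ == "__main__":
    print(demo())
```

The relay never initiates anything towards a peer; every datagram it sends goes back along a path the peer's own outbound packet opened, which is exactly what a dynamic NAT permits. A production version would authenticate the registration (the encrypted value the original post describes fits here), rate-limit registrations, and expire idle rooms, since the relay is the one component that must be reachable from the whole Internet.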

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.