using nmap to scan firewall

Which combination of parameters with nmap are best to test my firewall for open ports? If all ports are closed am I 'safe'? Or is that never the case?

Thank you

Reply to
Ant

I've also scanned it with nessus, is there anything else I can do? Thank you

Reply to
Ant

From where? To find out what your firewall looks like from "outside", you have to scan it from there - which might get you in trouble with others, but that's beside the point. Or you could look at the 'netstat' output from the firewall device itself (netstat is a command found in wincrap as well as most other operating systems, and this shows what ports are OTHER THAN closed). Trying to scan your firewall from "inside" won't show what's open/available "out there".

As for parameters to use, did you look at the rather extensive documentation that comes with nmap? See the -sU and -p options

No firewall will protect against blatant stupidity. Most users get 0wn3d because they install something that they think they want or need, and never realize it's mal-ware.

SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506), gzip(gfe),gzip(gfe)

Yeah, you might have a problem there. Still, almost anything is better than Internet Exploiter.

Old guy

Reply to
Moe Trin

Thanks Old Guy, I'm talking about using nmap to scan from the outside. I'll try the parameters you've suggested. My firewall has its external interface into a 4 port router so I can plug into it and run scans from there. The firewall is in the 'dmz' of this router and the inside port plugs into another linksys wireless router running DD-WRT.

Since I last wrote this message I've installed Thunderbird/Firefox and removed the IE shortcuts (from Vista) and posted my reply from the TB client, so hopefully you won't quote my 'exploitable' headers in this reply; however I'm probably doing something else wrong so please let me know. Wish I could find how to uninstall IE from Vista... Although I should just post this from an ubuntu VM that I have running on this machine.

Thanks again

Reply to
Anthony B

As I wrote - be careful, as a full nmap scan may have unforeseen consequences. Some firewalls have a reactive mode, where they "block the attacker" after seeing a port scan - you might see that the first fifty or a hundred ports are closed (being actual results), and then the firewall kicks in and blocks you, so that even open stuff is no longer seen. That's also true of some operating systems in regard to UDP packets. That's why I prefer to use internal commands such as netstat to see what the system is listening to.

[compton ~]$ netstat -tuan
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              192.168.1.0:*           LISTEN
tcp        0      0 0.0.0.0:22              192.168.1.0:*           LISTEN
[compton ~]$

This is a *nix box on an internal LAN, and the only thing open is SSH and FTP, and only from the LAN address range.

OK, hand-waving time. Let's say that the big bad Internet has assigned an address of... 198.18.20.21 to whatever is connected to the hose coming out of the wall. Is that router translating that address to something like an RFC1918 address (say 192.168.0.xx) for the other ports on the "inside" of the router?

Next, there's a cable between the router and the firewall. THAT is where you want to be when testing the firewall. There, you can flog the snot out of your firewall without pissing off the ISP, and you can see everything that might be open on the firewall from the outside. My normal technique is to unplug that cable, and plug the end that would normally go to the Internet into a lapdoggy that is configured to look like what the firewall would see looking out to the Internet. That way, nothing I do on the laptop causes packets to actually go out to the Internet, and I can be as crude/brash/abusive as I want to the poor firewall and anything visible behind that. The only caution would then be if your firewall autonomously reacts to block the "attacking" IP (you'll have to reset the firewall before plugging the cable back into the Internet, because the router is going to be ignoring that nasty IP address).

Assuming the inside port of the Internet router is 192.168.0.1, your firewall is 192.168.0.22, and your testing box is "tee-ed" in somehow and is using 192.168.0.55 or is replacing the router as noted above, then you might try

nmap -sS -sU -p 0- 192.168.0.22

_BUT_ see the caution in the -sU option - some O/S will ignore your UDP scans if you scan too quickly. That's another reason to be using the 'netstat' command instead.

That's a good bit better, but why not use a news reader to read/post news, rather than an 'all-singing, all-dancing, do-everything' tool. Browsers are for web pages, and typically are set up in a "let me help you" mode which is what actually gets people in trouble. "Can't see this web page? Let me download a plug-in for you." Oopsie! By the way, versions _before_ 2.0.0.6 have a problem according to a posting on Bugtraq a few weeks ago.

I think they've disabled that mechanism.

I don't see the Posting-Host: header in alt.os.linux.ubuntu ;-) I'm assuming you have nmap installed on the ubuntu box, and can read the 'nmap' and 'netstat' man pages.

Old guy

Reply to
Moe Trin
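The post above makes two points worth checking mechanically: the scan from the cable and netstat on the firewall itself give two different views, and a UDP scan can silently miss listeners when the target rate-limits replies. The following is an added example, not code from the thread or from the nmap project: it parses a constructed netstat -tuan listing (net-tools layout, as in the post) and a constructed line of nmap grepable output (-oG), then reports where the wire view and the host view disagree. The sample addresses and ports, the -oG field layout, and every function name here are assumptions made for this example.

```python
"""Cross-check an nmap scan of a firewall against the firewall's own netstat.

Added example, not code from the thread. It assumes:
  * netstat output in the net-tools 'netstat -tuan' layout (TCP rows carry a
    State column, UDP rows leave it blank);
  * nmap run with grepable output (-oG), one 'Host:' line per target.
Both inputs below are constructed samples, not captures from anyone's LAN.
"""
import re

# Constructed sample of `netstat -tuan` as run on the firewall itself.
NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.22:22         192.168.0.55:51234      ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 0.0.0.0:161             0.0.0.0:*
"""

# Constructed sample of `nmap -sS -sU -p 0- -oG - 192.168.0.22`, run from the
# cable between the router and the firewall (the vantage point the post describes).
NMAP_GREPABLE_SAMPLE = (
    "Host: 192.168.0.22 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, "
    "443/open/tcp//https///, 8080/filtered/tcp//http-proxy///, "
    "53/open|filtered/udp//domain///\tIgnored State: closed (1995)"
)

NETSTAT_ROW = re.compile(
    r"^(?P<proto>tcp|udp)6?\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<faddr>\S+)\s*(?P<state>\S*)$"
)
LOOPBACK = {"127.0.0.1", "::1"}          # reachable from the host only
OPEN_STATES = {"open", "open|filtered"}  # nmap states that count as "seen"


def parse_netstat(text):
    """Return {(proto, port): set(local addresses)} for every bound listener.

    Only TCP rows in LISTEN state count; UDP has no state column in this
    layout, so every bound UDP socket is a potential listener.
    """
    listeners = {}
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line.strip())
        if not m:
            continue
        if m["proto"] == "tcp" and m["state"] != "LISTEN":
            continue
        listeners.setdefault((m["proto"], int(m["lport"])), set()).add(m["laddr"])
    return listeners


def parse_nmap_grepable(text):
    """Return {(proto, port): state} from the 'Ports:' field of -oG output."""
    scan = {}
    for line in text.splitlines():
        m = re.search(r"Ports: ([^\t]+)", line)
        if not m:
            continue
        for entry in m.group(1).split(", "):
            port, state, proto = entry.split("/")[:3]
            scan[(proto, int(port))] = state
    return scan


def reconcile(listeners, scan):
    """Compare the wire view (nmap) with the host view (netstat).

    confirmed               open on the wire and bound on the firewall
    no_local_listener       open on the wire but nothing bound locally, so the
                            firewall is forwarding it to a host behind it
    loopback_only_reachable bound to loopback only yet reachable from outside
                            (should never happen; investigate if it does)
    listening_but_not_seen  bound on all interfaces but not reported open: a
                            filter rule is doing its job or, for UDP, the scan
                            was rate-limited as the post warns
    """
    report = {"confirmed": [], "no_local_listener": [],
              "loopback_only_reachable": [], "listening_but_not_seen": []}
    for key, state in scan.items():
        if state not in OPEN_STATES:
            continue
        addrs = listeners.get(key)
        if addrs is None:
            report["no_local_listener"].append(key)
        elif addrs <= LOOPBACK:
            report["loopback_only_reachable"].append(key)
        else:
            report["confirmed"].append(key)
    for key, addrs in listeners.items():
        if addrs <= LOOPBACK:
            continue
        if scan.get(key) not in OPEN_STATES:
            report["listening_but_not_seen"].append(key)
    for bucket in report.values():
        bucket.sort()
    return report


if __name__ == "__main__":
    result = reconcile(parse_netstat(NETSTAT_SAMPLE),
                       parse_nmap_grepable(NMAP_GREPABLE_SAMPLE))
    for bucket, ports in result.items():
        shown = ", ".join(f"{port}/{proto}" for proto, port in ports) or "-"
        print(f"{bucket:24s} {shown}")
```

On the constructed samples the script confirms 21/tcp, 22/tcp and 53/udp, flags 443/tcp as open on the wire with no local listener (a port-forward through the firewall), and lists 8080/tcp and 161/udp as bound but not seen from the cable; the first is a filter rule working, the second is exactly the UDP case where a single scan result should not be trusted without the netstat view.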
