I've noticed some very strange behaviour in my firewall lately. If I do a port scan on my desktop machine (XP) from a site like security.symantec.com then I get some open ports listed, such as 25, 80, 110... These ports aren't open on my machine, fport even says so. If I explicitly block 110 on my firewall the scan still reports it as being open. I'm using Fedora Core 4 with 2.6.11-1 kernel and iptables to filter traffic over a bridge. When I block 110 I insert a rule like this:
iptables -I FORWARD 1 -p tcp --dport 110 -j DROP
The packet counters for this rule are incrementing when I port scan, so packets are matching. Has anyone seen anything like this before? Is it possible that something upstream from my firewall is causing this?
Beau