 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  Alex Sandini <asandini at blue dash chip dot be>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] tcp open ports on wan interface in 1.1
 Date:  Fri, 3 Sep 2004 13:56:06 -0400
On Fri, 03 Sep 2004 13:51:05 +0200, Alex Sandini <asandini at blue dash chip dot be> wrote:
> /usr/local/bin/nmap -O -A -T4 example.com
> Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-09-03 13:03
> Warning:  OS detection will be MUCH less reliable because we did not
> find at least 1 open and 1 closed TCP port
> Interesting ports on example.com (xxx.xxx.xxx.xxx):
> (The 1656 ports scanned but not shown below are in state: filtered)
> 22/tcp   open  ssh           OpenSSH 3.9p1 (protocol 1.99)
> 389/tcp  open  ldap?
> 1002/tcp open  windows-icfw?
> 1720/tcp open  microsoft-rdp Microsoft Terminal Service (Used with
> Netmeeting, Remote Desktop, Remote Assistance)
> Device type: general purpose|media device|broadband router
> Running: Linux 2.4.X, Pace embedded, Panasonic embedded
> OS details: Linux 2.4.6 - 2.4.21, Pace digital cable TV receiver,
> Panasonic IP Technology Broadband Networking Gateway, KX-HGW200
> Nmap run completed -- 1 IP address (1 host up) scanned in 207.037 seconds
> nmap is run from my office, the m0n0wall is at home.
> The only forwarded port is the 22.
> I can indeed connect to ports 389, 1002 and 1720 from the WAN interface.
> The telnet connections on are not shown when typing netstat -an in exec.php.

You sure you're scanning the right host?  I see you didn't use the -P0
nmap option (port scan even if host does not respond to ping).  Unless
you explicitly enabled ICMP echo reply, m0n0wall will need to be
scanned using the -P0 option.

Ports 389 and 1002 are generally indicative of Black Ice firewall
running on the machine you're scanning.  1720 is usually the H.323 video
call setup port.

I'm in agreement with Chet, either you're picking that up from your
broadband router or modem, or you're scanning something other than
yourself (though that's probably unlikely).

To check this, you can put a hub (not a switch) between your m0n0wall
WAN and broadband modem, and plug in another machine with a packet
sniffer (ethereal, tcpdump, etc.) on that hub.  Connect to those
ports, and see if you see those connections being established.  My
guess is you won't, because it's happening before it gets to your
m0n0wall.
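
The hub-and-sniffer check described above, as an added example that is not part of the original email: it reads text output from a sniffer on the hub and reports, for each port from the nmap scan, whether the handshake was seen on that segment. The modern `tcpdump -n` line format, the `classify` helper, the verdict labels and the sample addresses are assumptions made for illustration.

```python
import re

# Ports from the nmap output in the thread; 22 is the only one forwarded on purpose.
WATCHED_PORTS = (22, 389, 1002, 1720)

# Modern `tcpdump -n` TCP line: "... IP src.sport > dst.dport: Flags [S], ..."
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)

def classify(capture_lines, wan_ip, ports=WATCHED_PORTS):
    """Map each watched port to what the sniffer on the hub saw for it."""
    syn_seen, synack_seen = set(), set()
    for line in capture_lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if flags == "S" and dst == wan_ip:       # inbound connection attempt
            syn_seen.add(int(dport))
        elif flags == "S." and src == wan_ip:    # WAN address accepted it
            synack_seen.add(int(sport))
    verdicts = {}
    for port in ports:
        if port in synack_seen:
            verdicts[port] = "answered-at-wan"    # handshake crossed the hub
        elif port in syn_seen:
            verdicts[port] = "syn-only"           # arrived, nothing accepted it
        else:
            verdicts[port] = "not-seen"           # never reached this segment
    return verdicts

# Constructed capture (documentation addresses), taken while connecting to
# all four ports from outside: only the port 22 handshake shows up on the hub.
SAMPLE = [
    "13:03:01.000100 IP 198.51.100.7.40001 > 203.0.113.10.22: Flags [S], seq 1000, win 65535, length 0",
    "13:03:01.000350 IP 203.0.113.10.22 > 198.51.100.7.40001: Flags [S.], seq 2000, ack 1001, win 65535, length 0",
    "13:03:01.020900 IP 198.51.100.7.40001 > 203.0.113.10.22: Flags [.], ack 1, win 65535, length 0",
]

if __name__ == "__main__":
    for port, verdict in classify(SAMPLE, "203.0.113.10").items():
        print(f"{port}/tcp: {verdict}")
```

A port that connects from outside but comes back as `not-seen` was accepted by something before the hub, such as the broadband router or modem.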