netbsd-help: Re: nmap results

Subject: Re: nmap results
To: Philip Brodd <pbrodd@blue.weeg.uiowa.edu>
From: Brian Stark <bstark@siemens-psc.com>
List: netbsd-help
Date: 04/18/2000 14:55:24
On Tue, 18 Apr 2000, Philip Brodd wrote:

> I ran an nmap scan on my mac68k 1.4.2 machine and got these strange
> results (the actual command was nmap -v -O):
> 
> ---
> Interesting ports on kenny:
> Port    State       Protocol  Service
> 22      open        tcp        ssh
> 137     filtered    tcp        netbios-ns
> 138     filtered    tcp        netbios-dgm
> 139     filtered    tcp        netbios-ssn
> 1080    filtered    tcp        socks
> 
> TCP Sequence Prediction: Class=random positive increments
>                          Difficulty=8440526 (Good luck!)
> 
> Sequence numbers: 2AD9680C 2BDC5435 2C6F6484 2D501BA2 2F60EE5A 309434CA
> Remote operating system guess: NetBSD 1.3I (after 19990119) or 1.3.4
> ---
> 
> I say strange because I'm not running Samba (which I assume uses those
> netbios-* services), and I'm not altogether sure what socks is.  Port 22
> is the only one I expected to see in the results; netstat -an shows
> nothing on ports 137-9 and 1080.
> 
> Is this just a quirk of nmap?  If not, how do I close off these ports?

Assuming you are using IP Filter, something like this will do the trick:

  block  in log quick on ppp0 proto tcp/udp all port = 22
  block  in log quick on ppp0 proto tcp/udp all port 136 >< 140
  block  in log quick on ppp0 proto tcp/udp all port = 1080

And to be more specific, you could so something like this:

  block  return-rst in log quick on ppp0 proto tcp all port = 22
  block  return-rst in log quick on ppp0 proto tcp all port 136 >< 140
  block  return-rst in log quick on ppp0 proto tcp all port = 1080

  block  in log quick on ppp0 proto udp all port = 22
  block  in log quick on ppp0 proto udp all port 136 >< 140
  block  in log quick on ppp0 proto udp all port = 1080


Of course, you will have to adapt the above to match your network
interface and any rule groups you may be using.

Brian

-------------------------------------------------------------------------
| Brian Stark                       | Internet : bstark@siemens-psc.com |
| Siemens PT&D, Inc.                | Voice    : +1 763 536-4697        |
| Power Systems Control Division    | Fax      : +1 763 536-4919        |
| 7225 Northland Drive, Brooklyn Park, Minnesota 55428   USA            |
-------------------------------------------------------------------------