Hi
I have a nice little script that uses nmap to scan for open ports and then uses the results to start a Nessus scan, but there are problems with nmap when I have pf enabled.
Here is an example of the problem with pf enabled:
Code:
# /usr/local/bin/nmap -e rl0 -v -v -sS -p- -T4 -r -oA ip-to-scan ip-to-scan
Starting Nmap 4.85BETA7 ( http://nmap.org ) at 2009-04-16 10:52 BST
Initiating Ping Scan at 10:52
Scanning ip-to-scan [2 ports]
sendto in send_ip_packet: sendto(7, packet, 40, 0, ip-to-scan, 16) => Operation not permitted
Offending packet: TCP host-ip:54914 > ip-to-scan:80 A ttl=47 id=32965 iplen=10240 seq=3451414435 win=4096 ack=1376143384
Completed Ping Scan at 10:52, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:52
And here is the same scan with pf disabled:
Code:
# /usr/local/bin/nmap -e rl0 -v -v -sS -p- -T4 -r -oA ip-to-scan ip-to-scan
Starting Nmap 4.85BETA7 ( http://nmap.org ) at 2009-04-16 10:53 BST
Initiating Ping Scan at 10:53
Scanning ip-to-scan [2 ports]
Completed Ping Scan at 10:53, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:53
Completed Parallel DNS resolution of 1 host. at 10:53, 0.02s elapsed
Initiating SYN Stealth Scan at 10:53
Scanning reverse-ip-to-scan (ip-to-scan) [65535 ports]
Discovered open port 22/tcp on ip-to-scan
Here are my pf rules:
Code:
# macros
#
ext_if = "rl0"
unfiltered = "{ lo0, enc0 }"
# ports
#
all_services = "{ http, https, ssh }"
http_ports = "{ http, https }"
# allowed incoming ICMP types
#
icmp_types = "{ echoreq, timex, paramprob, unreach code needfrag }"
# options
#
set block-policy drop
set optimization aggressive
set loginterface $ext_if
set limit { states 10000, frags 5000 }
set fingerprints "/etc/pf.os"
# tables
#
table <bruteforce> persist
# normalization
#
scrub in on $ext_if all fragment reassemble
scrub out on $ext_if all random-id fragment reassemble
# =========================================================================== #
# filter rules (default block/pass) #
# =========================================================================== #
# pass on unfiltered interfaces
#
pass quick on $unfiltered
# silently drop TCP non-SYN packets, the remaining ruleset only deals with
# TCP SYNs, which always create state when passed. the ruleset basically
# deals with 'connections', not packets, beyond this point.
#
block return-rst quick proto tcp all flags /S
block return-rst quick proto tcp all flags A/A
# block and log everything by default
#
block log
block return-rst log inet proto tcp
block return-icmp log inet proto udp
# =========================================================================== #
# external interface (all external IPv4 traffic) #
# =========================================================================== #
# bruteforce
#
block quick from <bruteforce> to any
# block some known-bad ports without logging
#
block return-rst in quick on $ext_if proto tcp from any to any port { 111, 445, 1080, 6000, 6667 }
block return-icmp in quick on $ext_if proto udp from any to any port { 137, 138, 139, 1434 }
# block and log outgoing packets that don't have my address as source, they are
# either spoofed or something is misconfigured (NAT disabled, for instance),
# we want to be nice and not send out garbage.
#
block out log quick on $ext_if inet from !($ext_if) to any
# =========================================================================== #
# TCP UDP in/out #
# =========================================================================== #
# pass out all
pass out quick on $ext_if proto tcp all
pass out quick on $ext_if proto udp all
pass out quick on $ext_if proto icmp all
# webserver
#
pass in on $ext_if inet proto tcp from any to ($ext_if) port $http_ports flags S/SA keep state
# ICMP
#
#pass out inet proto icmp all keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
# =========================================================================== #
# antispoof #
# =========================================================================== #
antispoof for $ext_if
antispoof for $unfiltered
I'm running a FreeBSD 7.2-PRERELEASE build from Apr 16, and all the ports are up to date.
Does anyone have an idea as to why I'm getting these messages from nmap?
Thanks
hamba
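An added illustration, not part of hamba's post, of how the ruleset above treats the two kinds of raw TCP probe nmap sends during its ping scan: a small Python model of pf's `flags set/mask` matching and its last-match-unless-`quick` evaluation order, loaded with the relevant rules from the post (addresses and ports are left out of the model). The "A" probe is the offending packet from the first run; the "S" probe is a constructed comparison.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    text: str          # the rule as written in the pf.conf above
    action: str        # "block" or "pass"
    direction: str     # "in", "out" or "" (pf applies it to both directions)
    proto: str         # "tcp", "udp", "icmp" or "" (any protocol)
    quick: bool = False
    flags: str = ""    # pf syntax "set/mask", e.g. "S/SA" or "/S"; "" = any flags

def flags_match(spec: str, pkt_flags: str) -> bool:
    """pf 'flags a/b': of the bits named in mask b, exactly those in a must be set.
    '/S' therefore matches every TCP packet whose SYN bit is clear."""
    if not spec:
        return True
    want, mask = spec.split("/")
    return all((c in pkt_flags) == (c in want) for c in mask)

def first_match(rules, direction: str, proto: str, pkt_flags: str):
    """Return the rule pf applies: the LAST matching rule, unless a matching
    rule carries 'quick', which ends evaluation immediately."""
    last = None
    for r in rules:
        if r.direction and r.direction != direction:
            continue
        if r.proto and r.proto != proto:
            continue
        if not flags_match(r.flags, pkt_flags):
            continue
        last = r
        if r.quick:
            break
    return last

# Rules from the post, in their original order (constructed, simplified model).
RULES = [
    Rule("block return-rst quick proto tcp all flags /S", "block", "", "tcp", True, "/S"),
    Rule("block return-rst quick proto tcp all flags A/A", "block", "", "tcp", True, "A/A"),
    Rule("block log", "block", "", ""),
    Rule("pass out quick on $ext_if proto tcp all", "pass", "out", "tcp", True),
    Rule("pass in on $ext_if ... port $http_ports flags S/SA keep state",
         "pass", "in", "tcp", False, "S/SA"),
]

if __name__ == "__main__":
    # The offending packet from the first nmap run: outbound TCP, flags A only.
    for flags in ("A", "S"):
        r = first_match(RULES, "out", "tcp", flags)
        print(f"outbound TCP flags={flags:<2} -> {r.action:5} by: {r.text}")
```

Because the two `flags` block rules are `quick` and name no direction, they are evaluated before `pass out quick ... proto tcp all` for outgoing packets as well, so the ACK-only probe is blocked (and the kernel reports the refused sendto as "Operation not permitted") while a SYN probe reaches the pass rule.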