nmap can't detect the appropriate interface for the default route

I have FreeBSD 6.3 installed, a PPPoE connection and the latest nmap from the ports tree. If I run nmap as normal user all is fine, even if I run nmap as the root user but with connect scan (full TCP scan). But if I use nmap as the root user and want to make a SYN scan for instance (to send raw packets), I'm getting the following error:


# nmap -PN -vv -T4 http://www.freebsd.org

Starting Nmap 4.76 ( http://nmap.org ) at 2008-11-24 21:52 EET
WARNING: Unable to find appropriate interface for system route to 10.0.0.1
nexthost: failed to determine route to 69.147.83.33
QUITTING!

This occurs only if I'm trying to send raw packets.
I made some research and I found similar problems on other forums, mailing lists, here are some of them:

http://www.daemonnews.org/mailinglists/FreeBSD/freebsd-stable/msg37054.html
http://lists.freebsd.org/pipermail/freebsd-questions/2006-September/131768.html
http://blogs.securiteam.com/index.php/archives/264 (here read the user comment at the bottom of the page)

I really don't know how to fix this issue (though I searched a lot for a solution, but nothing found yet). If somebody else experienced the same problem, and maybe has a good hint or workaround, then please let me know
 
by the way here is my ifconfig and netstat -rn output

ifconfig:
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 192.168.32.46 netmask 0xffffffe0 broadcast 192.168.32.63
ether 00:0f:ea:b2:87:2a
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
inet 79.114.86.77 --> 10.0.0.1 netmask 0xffffffff
Opened by PID 339


netstat -rn:
Routing tables

Internet:
Destination Gateway Flags Refs Use Netif Expire
default 10.0.0.1 UGS 0 32225 tun0
10.0.0.1 79.114.86.77 UH 1 1 tun0
127.0.0.1 127.0.0.1 UH 0 0 lo0
192.168.32.32/27 link#1 UC 0 0 vr0

Internet6:
Destination Gateway Flags Netif Expire
::1 ::1 UHL lo0
fe80::%lo0/64 fe80::1%lo0 U lo0
fe80::1%lo0 link#2 UHL lo0
ff01:2::/32 fe80::1%lo0 UC lo0
ff01:3::/32 link#3 UC tun0
ff02::%lo0/32 fe80::1%lo0 UC lo0
ff02::%tun0/32 link#3 UC tun0
 
Hi there,

So vr0 is on the 192.168.32/26 subnet. And you have a tun0 device (which honestly I am not familiar with - I just read through its manpage now). Default gateway is 10.0.0.1.

My guess is this (unusual?) configuration is confusing nmap. Can you explain a little more about your setup? Maybe your description will lend itself better to a fix.
 
I've had that same problem after I build nmap in a jail. It's probably due to not having access to the bpf devices during the build.
Make sure you have bpf in your kernel config and rebuild libdnet.
 
SirDice said:
I've had that same problem after I build nmap in a jail. It's probably due to not having access to the bpf devices during the build.
Make sure you have bpf in your kernel config and rebuild libdnet.

Thanks for the advice, but it is not working. I checked and the bpf device is loaded (I have a /dev/bpf0). I uninstalled and reinstalled libdnet and after that nmap from the ports tree but the problem is the same :(
 
by the way here is my ppp.conf file

default:
#set log Phase Chat LCP IPCP CCP tun command
set ifaddr 10.0.0.1/0 10.0.0.2/0
set device PPPoE:vr0
set authname USERNAME
set authkey PASS
set dial
set login
add default HISADDR

I wrote all in the default so I do not need to specify the ISP or whatever name is chosen if I want to start the connection manually, I only write ppp -ddial
 
I have jail in
Code:
FreeBSD 8.1-RELEASE-p1 #0: Wed Nov 17 16:01:50 MSK 2010

When I try to start inside jail:

Code:
#/usr/local/bin/nmap -sS -p 21,80,139 -v -PE -n  8.8.8.0/24               

Starting Nmap 5.51 ( http://nmap.org ) at 2011-03-24 17:34 MSK
Warning: Unable to open interface em0 -- skipping it.
Warning: Unable to open interface em0 -- skipping it.
nexthost: failed to determine route to 8.8.8.0
QUITTING!

Code:
#/usr/local/bin/nmap --iflist                              

Starting Nmap 5.51 ( http://nmap.org ) at 2011-03-24 17:35 MSK
Warning: Unable to open interface em0 -- skipping it.
Warning: Unable to open interface em0 -- skipping it.
INTERFACES: NONE FOUND(!)
ROUTES: NONE FOUND(!)

Code:
sysctl -a | grep jail                         
security.jail.param.cpuset.id: 0
security.jail.param.host.hostid: 0
security.jail.param.host.hostuuid: 64
security.jail.param.host.domainname: 256
security.jail.param.host.hostname: 256
security.jail.param.children.max: 0
security.jail.param.children.cur: 0
security.jail.param.enforce_statfs: 0
security.jail.param.securelevel: 0
security.jail.param.path: 1024
security.jail.param.name: 256
security.jail.param.parent: 0
security.jail.param.jid: 0
security.jail.param.linux.oss_version: 0
security.jail.param.linux.osrelease: 65
security.jail.param.linux.osname: 65
security.jail.enforce_statfs: 2
security.jail.mount_allowed: 0
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 1
security.jail.sysvipc_allowed: 1
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 0
security.jail.jail_max_af_ips: 255
security.jail.jailed: 0

I have looked many pages found in Google, most of the are old.

As I remember under FreeBSD 7.2 there was no any problem.

What I have to do?
 
Did you build nmap inside the jail too? Was allow_raw_sockets set at that time?
 
SirDice said:
Did you build nmap inside the jail too? Was allow_raw_sockets set at that time?

I did build nmap inside the jail.

allow_raw_sockets was even before the jail was made.

Some more information.

I also have:
Code:
:~:uname -v
FreeBSD 7.2-RELEASE-p6 #0: Tue Feb 16 20:35:17 MSK 2010
:~:

And its jails have the same problem.
Code:
:/:/usr/local/bin/nmap --iflist

Starting Nmap 5.51 ( http://nmap.org ) at 2011-03-25 10:17 UTC
Warning: Unable to open interface em3 -- skipping it.
INTERFACES: NONE FOUND(!)
ROUTES: NONE FOUND(!)
:/:

I have tried to build nmap in the main machine root.
There nmap works.

The content of nmap file build in in the main machine root and inside jail are the same.
 
Back
Top