Reading Output from nmap | Troubleshooting Linux Firewalls

The reliability of data from nmap depends on the type of scanning being used and the types of systems you're scanning. Just remember, you can get false positives! If you're not sure, scan things more than once.

Personally, we favor TCP and SYN scanning; FIN and UDP scanning are unreliable when dealing with slow networks. Especially in the case of Microsoft-based systems, FIN scans are next to useless. UDP scanning is by nature very unreliable and time consuming. In general you'll find that doing full 65K port scans are not going to be fast unless you are on a very fast network. Let's look at some example firewall output:

TCP scan against the first 1024 ports (nmap -sT -P0 -p 1-1024 Host-B) to a DMZ web server from the outside. The firewall policy is flawed, so it's not really blocking things as it should.

 Port       State       Service 21/tcp     open        ftp 22/tcp     open        ssh 25/tcp     open        smtp 53/tcp     open        domain 80/tcp     open        http 106/tcp    open        pop3pw 110/tcp    open        pop-3 143/tcp    open        imap2 443/tcp    open        https 465/tcp    open        smtps 466/tcp    open        digital-vrc 505/tcp    open        mailbox-lm 993/tcp    open        imaps 995/tcp    open        pop3s

Now what's interesting about this output is that the targeted system is actually running one more service, RPC Bind (portmapper, port 111), but is using local iptables/netfilter firewall rules to disallow access to that port (using REJECT, which returns an ICMP message). Let's see that output again, but using a SYN scan (nmap -sS -P0 -p 1-1024 Host-B):

 Port       State       Service 21/tcp     open        ftp 22/tcp     open        ssh 25/tcp     open        smtp 53/tcp     open        domain 80/tcp     open        http 106/tcp    open        pop3pw 110/tcp    open        pop-3 111/tcp    filtered    sunrpc 143/tcp    open        imap2 443/tcp    open        https 465/tcp    open        smtps 466/tcp    open        digital-vrc 505/tcp    open        mailbox-lm 993/tcp    open        imaps 995/tcp    open        pop3s

Note that this time the SYN scan picked up the filtered port. This demonstrates the value of varying your scanning methods. TCP scans are by far the most accurate in terms of "can you get to the service," but SYN scans can show you more information. A FIN scan returns similar results (nmap -sF -P0 -p 1-1024 Host-B):

 Port       State       Service 21/tcp     open        ftp 22/tcp     open        ssh 25/tcp     open        smtp 53/tcp     open        domain 80/tcp     open        http 106/tcp    open        pop3pw 110/tcp    open        pop-3 111/tcp    filtered    sunrpc 143/tcp    open        imap2 443/tcp    open        https 465/tcp    open        smtps 466/tcp    open        digital-vrc 505/tcp    open        mailbox-lm 993/tcp    open        imaps 995/tcp    open        pop3s

However, let's try these same scans on a Windows PC, Host-C, first using a TCP scan(nmap -sS -P0 -p 1-1024 Host-C).

PORT STATE SERVICE

 135/tcp open  msrpc 139/tcp open  netbios-ssn 445/tcp open  microsoft-ds

SYN scan (nmap -sS -P0 1-1024 Host-C):

PORT STATE SERVICE

 135/tcp open  msrpc 139/tcp open  netbios-ssn 445/tcp open  microsoft-ds

And finally a FIN scan (nmap -sF -P0 1-1024 Host-C)

PORT STATE SERVICE

As you can see, this scan returns no data on a Microsoft OS. We also have seen FIN scans return all ports as being open or sometimes just a few random ones. If you doubt the results, scan things multiple times. This doesn't mean that FIN scans are useless in terms of testingquite the opposite. You might have configured your firewall to test for impossible TCP combinations, a FIN packet coming before a SYN packet for example. The iplog/nmap method is a very fast, reusable diagnostic procedure for testing all sorts of rules (the last thing you want to do is keep writing custom tools for custom rules!).

For the most accurate results, it's best if you can get on the systems and see what services those systems are running, first-hand, using the netstat command or a local nmap scan (we recommend both). Here is the output of the same system, Host-B just described, using netstat:

 [root@Host-B root]# netstat -an tcp        0      0 0.0.0.0:21                0.0.0.0:*                LISTEN tcp        0      0 0.0.0.0:22                0.0.0.0:*                LISTEN tcp        0      0 0.0.0.0:25                0.0.0.0:*                LISTEN tcp        0      0 0.0.0.0:80                0.0.0.0:*                LISTEN tcp        0      0 0.0.0.0:106               0.0.0.0:*                LISTEN tcp        0      0 0.0.0.0:110               0.0.0.0:*                LISTEN tcp        0      0 0.0.0.0:111               0.0.0.0:*                LISTEN tcp        0      0 0.0.0.0:143               0.0.0.0:*                LISTEN tcp        0      0 0.0.0.0:443               0.0.0.0:*                LISTEN tcp        0      0 0.0.0.0:465               0.0.0.0:*                LISTEN tcp        0      0 0.0.0.0:466               0.0.0.0:*                LISTEN tcp        0      0 0.0.0.0:505               0.0.0.0:*                LISTEN tcp        0      0 0.0.0.0:993               0.0.0.0:*                LISTEN tcp        0      0 0.0.0.0:995               0.0.0.0:*                LISTEN

Note

A useful addition to this is the netstat -pan command, which will show you the process name associated with each port.