On Wed, Jul 03, 2002 at 02:49:08PM +0800, Dan Jacobson wrote:
| Is it true that nmap makes little sense if you run it to check the
| machine it is running on?

It makes little sense IF you want to see what some arbitrary host on the
outside network would see.

I have different rules for different interfaces (lo, eth0, eth1) and each
one also has some host-based exceptions. For lo, everything is allowed.
If I run 'nmap localhost' I'll get a list of every listening service
(including spamd, postgres and ldap) even though they are not accessible
from the outside world. If I run nmap from some random host on the
internet (e.g. school) you'll only get ssh, smtp, and http access (and
ESTABLISHED and RELATED stuff, e.g. if I make a request out or if I use
IRC DCC, which is all per-host anyways). (Actually, some nimda/codered
hosts won't get a darn thing.) If I run nmap from a host on the LAN here,
I'll get access to ldap and postgres in addition to ssh, smtp and http.
If I run nmap on my external interface from certain locally controlled
hosts on the same subnet I'll get access to some of those "extra"
services as well.

With a ruleset like mine, there is no single location from which the port
scan can be done to get conclusive information. Actually, 'iptables -L'
and 'iptables -t nat -L' are the truly conclusive sources for that
information.

-D

-- 
You have heard the saying that if you put a thousand monkeys in a room
with a thousand typewriters and waited long enough, eventually you would
have a room full of dead monkeys.
(Scott Adams - The Dilbert principle)

http://dman.ddts.net/~dman/
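The point of the reply above, that what a scan reports depends on the interface and source address the probes arrive from while the iptables listing is the conclusive source, as an added example that is not part of the original mail: a small Python evaluator that parses a constructed `iptables -L INPUT -n -v` listing (modelled on the ruleset described, not the author's real rules; the interface names, addresses and listening ports are assumptions) and applies first-match semantics to a fresh probe from a given vantage point.

```python
import ipaddress
import re
# Constructed `iptables -L INPUT -n -v` listing shaped like the mail's ruleset
# (lo open, LAN gets ldap/postgres, one eth0 host exception); not real rules.
LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in   out source          destination
    0     0 ACCEPT all  --  lo   *   0.0.0.0/0       0.0.0.0/0
    0     0 ACCEPT all  --  *    *   0.0.0.0/0       0.0.0.0/0  state RELATED,ESTABLISHED
    0     0 ACCEPT tcp  --  eth1 *   192.168.1.0/24  0.0.0.0/0  tcp dpt:389
    0     0 ACCEPT tcp  --  eth1 *   192.168.1.0/24  0.0.0.0/0  tcp dpt:5432
    0     0 ACCEPT tcp  --  eth0 *   198.51.100.7    0.0.0.0/0  tcp dpt:5432
    0     0 ACCEPT tcp  --  *    *   0.0.0.0/0       0.0.0.0/0  tcp dpt:22
    0     0 ACCEPT tcp  --  *    *   0.0.0.0/0       0.0.0.0/0  tcp dpt:25
    0     0 ACCEPT tcp  --  *    *   0.0.0.0/0       0.0.0.0/0  tcp dpt:80
"""
LISTENING = {22, 25, 80, 389, 783, 5432}  # ssh, smtp, http, ldap, spamd, postgres (assumed)

def parse_listing(text):
    """Return (default policy, rules) parsed from a `-L -n -v` chain listing."""
    lines = text.strip().splitlines()
    policy = re.search(r"policy (\w+)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:            # skip the chain line and the column header
        f = line.split()
        extra = " ".join(f[9:])       # match extensions: dpt:, state ...
        dpt = re.search(r"dpt:(\d+)", extra)
        rules.append({
            "target": f[2], "prot": f[3], "in": f[5],
            "src": ipaddress.ip_network(f[7]),
            "dpt": int(dpt.group(1)) if dpt else None,
            "state_only": "state" in extra and "NEW" not in extra,  # never matches a fresh probe
        })
    return policy, rules

def verdict(policy, rules, iface, src_ip, port):
    """Verdict for a new TCP SYN arriving on iface from src_ip: first match wins."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if (r["state_only"] or r["in"] not in ("*", iface)
                or r["prot"] not in ("all", "tcp") or src not in r["src"]
                or (r["dpt"] is not None and r["dpt"] != port)):
            continue
        return r["target"]
    return policy                     # no rule matched: the chain policy applies

def visible_ports(iface, src_ip):
    """Listening ports a scan from (iface, src_ip) would report as open."""
    policy, rules = parse_listing(LISTING)
    return sorted(p for p in LISTENING if verdict(policy, rules, iface, src_ip, p) == "ACCEPT")
```

Running `visible_ports` for lo, an internet host on eth0, a LAN host on eth1 and the one excepted eth0 host gives four different answers, which is exactly why no single scan location is conclusive and the listing itself has to be read.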