Alright,

So I still haven't given up on getting this EnGarde Linux fully functional. I finally fixed my other issues and everything seems to be working correctly on the box itself. I decided to run an nmap scan on it from an external IP to see the results (expecting to see all ports closed). However, this is the list of open ports I received:

21, 25, 3389, 443, 80, 113, 22, 8080, 1720, 1352, 7070, and 139.

Now, my current firewall (iptables) rules are set to a drop policy on input, output and forward. The only accept rules I have in place are to allow me access from the IP doing the scan to SSH and the admin WebTool (1023) for the software. Why in the world is it reporting all of these other ports open? Anyone have any ideas?

I'm running nmap v4, on XP Pro.

The ports I listed show open when doing both a stealth scan and a full connect scan.

I have a virtual EnGarde machine also. When I get home I'll try scanning that one to see what sort of results it produces. Just seems like strange results... or someone compromised my box pretty quick!

I've not heard of nmap having false positive issues with connect scans before. So I think we can assume you scanned *something* the lack of 1023 returning makes me think the scan never reached your box. Are you sure you scanned the right IP
Traceroute turn up anything interesting?

Can you actually reach ssh and webtool?

-stab in dark-
Because *something* has responded on those ports I'd say it was a routing/NAT issue. Do you have any windows boxes running IIS and mail on site?
-/stab in dark-

I pondered this too, but couldn't work out why you'd want to do the full handshake for services that aren't there. And why those ports?



If you can connect that's my NAT idea down the drain!

Perhaps the ISP has put in proxies to prevent people from running servers out of their house.  It wouldn't be the first time that they have used dirty tricks to try and stop people from running a website or FTP site on their home connection.

I'm not sure what your set up is, but if you were to disconnect your firewall from your ISP and then use a crossover cable to connect your scanning machine to the external interface on your firewall then you could scan the firewall and be certain that no interference from your ISP is skewing your results. 

You could also try to telnet to some of those ports and see what server is answering, if it isn't your stuff then you know that there are shenanigans being pulled at the ISP level.

Thanks for the suggestions guys.

I know that the ISP doesn't have anything in place to stop me from running servers. I specifically have static IP addresses so that I can do so. I have also been able to access the web server with no problems when the rules are in place.

I'll try the ideas though, probably starting with trying to telnet to those ports and see what happens. When I get home again tonight I'll try connecting via crossover to my external interface to scan the firewall.

There shouldn't be any other rules in place, as I have flushed everything, created drop all policies, and only added the 4 specific rules for inbound/outbound to allow SSH/WebTool access.

Thanks again for the ideas, I'll keep you guys updated as to what I find out.