Author Topic: firewall with de-ice help  (Read 2619 times)
LT72884
« on: August 13, 2012, 03:11:43 PM »

Hello all. I finally built a lab with a firewall in it. I am using VMware Workstation 8, the newest one. Here is my lab setup:

BackTrack 5 VM: the net adapter is set with the LAN segment option, with the name lan1, and is in the 192.168.75.0/24 subnet (WAN side of pfSense).

The pfSense firewall has 2 NICs. nic1 = LAN segment (name is lan1), IP = 192.168.75.1/24

nic2 = LAN segment (name is lan2), IP = 192.168.1.0/24

The OS of pfSense is set up with lan1 as the WAN with IP 192.168.75.1/24, no DHCP.

lan2 is the LAN portion of pfSense, with DHCP and IP 192.168.1.1/24.

The firewall is allowing ports 80, 443, 21 and ICMP to be passed through.

I have Ubuntu 12.04 on the LAN segment (lan2). It grabs the DHCP and I can ping the firewall and even log into the web GUI. So that VM is perfect.

I can even ping from BT5 to Ubuntu just fine. nmap works so far on the Ubuntu machine from the BT5 side.

Now the fun part. I add de-ice lvl1 to the LAN segment (lan2). Ubuntu can nmap de-ice just fine, so I know the de-ice VM is loading correctly.

OK, so from the BT5 machine, I run nmap on the de-ice machine and it keeps saying that it is down. I try nmap from BT to Ubuntu and it finds the closed/open ports on the Ubuntu VM just fine. I have even tried the following commands from BT5 to the de-ice machine:

nmap -sT 192.168.1.100
nmap -sP 192.168.1.0/24
nmap -sN 192.168.1.100
nmap -sS 192.168.1.100
nmap -sS -T5 192.168.1.100
nmap -Pn -T5 192.168.1.100 (1 host up with all 1000 ports filtered)

OK, so I'm not sure if it's the config of the system or if the firewall is doing what it is supposed to be, but then why would the Ubuntu ports show up on the BT5 nmap scan but not the de-ice?

Here is some output from the Ubuntu machine, whose IP is 192.168.1.2 and is in the same subnet as de-ice:

matt@ubuntu#
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-08-03 00:22 EDT
Nmap scan report for 192.168.1.100
Host is up (0.00023s latency).
Not shown: 992 filtered ports
PORT    STATE  SERVICE
20/tcp  closed ftp-data
21/tcp  closed ftp
22/tcp  closed ssh
25/tcp  closed smtp
80/tcp  closed http
110/tcp closed pop3
143/tcp closed imap
443/tcp closed https
MAC Address: 00:0C:29:9A:56:D7 (VMware)

(Interesting, they are all closed though. They should be open since the data didn't even go through the firewall since they are on the same LAN. UPDATE: I grabbed the wrong output, they are open.)
---------------------

Here it is from an nmap scan on the other side of the firewall. Nmap is being run from BT5:

root@bt:~# nmap 192.168.1.2 (ubuntu vm on other side of FW)

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-08-13 16:01 EDT
Nmap scan report for 192.168.1.2
Host is up (0.0010s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE
21/tcp  closed ftp
80/tcp  closed http
443/tcp closed https
-------------------

OK, so I know nmap is working fine. Now scanning from BT5 to de-ice, which we know is up and running according to the Ubuntu scan on the same network:

root@bt:~# nmap 192.168.1.100

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-08-13 16:06 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.07 seconds

root@bt:~# nmap -sT 192.168.1.100

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-08-13 15:37 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.06 seconds
root@bt:~# nmap -sN 192.168.1.100

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-08-13 15:38 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.05 seconds
root@bt:~# nmap -sS 192.168.1.100

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-08-13 15:55 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.09 seconds
root@bt:~# nmap -sS -T5 192.168.1.100

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-08-13 15:55 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 1.55 seconds


Nothing. Port 80 should at least show up since I have allowed traffic to that port, and when I scan the Ubuntu machine, port 80 shows up and it is even closed. So for some reason the ports for de-ice are not making it back to the BT5 VM.

Any ideas what I can try out?

Thanks

Matt
« Last Edit: August 13, 2012, 03:23:19 PM by LT72884 » Logged
ajohnson
aka dynamik


« Reply #1 on: August 13, 2012, 09:01:34 PM »

Perform a packet capture while running a scan from the BT system and see what type of responses you're getting.

Running nmap with both --reason and -Pn may provide a bit more information.

Check your firewall logs and see what it's blocking.


WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
LT72884
« Reply #2 on: August 14, 2012, 01:08:04 AM »

All right, now it's getting strange. I tried hping2 and when I attacked the Ubuntu machine, it shows the open ports, but when I attack de-ice with hping2, nothing, nothing at all. I think it's just having a bad day is all. Still trying to look at logs and see what is happening.

I can access the de-ice webpage from the Ubuntu machine, which is in the same subnet, but the BT machine can't. I can ping the Ubuntu machine from WAN to LAN so I know the FW is allowing ICMP through like I set it up to. I allowed TCP ports 80, https, ftp and also ICMP to be allowed.

Here is what it is blocking:
192.168.1.100:80    TCP:A

Here is what the firewall rule is:
allow TCP from HTTP to HTTP
haha

OK, according to the firewall logs, nmap is using the UDP protocol on port 53 when I issue the command nmap 192.168.1.100, BUT when I clear the logs and use nmap 192.168.1.2, which is the Ubuntu machine, the logs all of a sudden populate with TCP connections. So why is it using UDP for a standard nmap scan but then, using the exact same syntax, it uses TCP? Makes no sense to me.


UPDATE:

OK, so with more reading and diving into the logs, it shows that the TCP scan to Ubuntu is set with the S flag, and scanning the de-ice it is using the A flag. I am using the exact same syntax for both scans and I do not know why it is changing between SYN and ACK scanning between OSes.
I checked to see if any were actual ACKs telling the system it was alive, but to Ubuntu it was all SYNs, even on port 80, but to de-ice they are all ACKs. But that should not matter because I have allowed TCP port 80. The firewall logs can only show up to 50 entries, and it does show what is passed through as well.
Thanks
« Last Edit: August 14, 2012, 01:39:26 AM by LT72884 » Logged
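
An added illustration, not part of any post in this thread and not pfSense code: a simplified Python model of a stateful filter, showing why a bare ACK to port 80 can be logged as blocked even though a pass rule for port 80 exists, and why the log for a host judged down holds only nmap's default discovery probes. It assumes state is created only on an initial SYN (pf's default `flags S/SA keep state`); the scanner address and the `replies_reach_scanner` flag are constructed inputs.

```python
# Added example: simplified stateful-filter model with constructed inputs.
ALLOWED_TCP = {21, 80, 443}   # pass rules described in the thread (ICMP also passes)

# nmap's default host-discovery probes for a privileged scan of a non-local
# target: ICMP echo, TCP SYN to 443, TCP ACK to 80, ICMP timestamp.
DISCOVERY = [("icmp", None, "echo"), ("tcp", 443, "S"),
             ("tcp", 80, "A"), ("icmp", None, "timestamp")]

class StatefulFilter:
    """Assumption: a pass rule creates state only on an initial SYN;
    any other TCP packet must match an existing state entry."""

    def __init__(self):
        self.states = set()
        self.log = []          # (verdict, proto, dport, flags)

    def inbound(self, src, dst, proto, dport, flags):
        if proto == "icmp":
            verdict = "pass"
        elif (src, dst, dport) in self.states:
            verdict = "pass"                       # belongs to a tracked connection
        elif flags == "S" and dport in ALLOWED_TCP:
            self.states.add((src, dst, dport))     # SYN matches a pass rule
            verdict = "pass"
        else:
            verdict = "block"                      # e.g. bare ACK with no state
        self.log.append((verdict, proto, dport, flags))
        return verdict

def scan(fw, scanner, target, replies_reach_scanner, ports=(21, 22, 80, 443)):
    """Replay a default nmap run and return the firewall log it produces.
    replies_reach_scanner is a hypothetical input; its cause is not modelled."""
    passed = [fw.inbound(scanner, target, *probe) == "pass" for probe in DISCOVERY]
    host_up = replies_reach_scanner and any(passed)
    if host_up:                                    # only then does the port scan start
        for port in ports:
            fw.inbound(scanner, target, "tcp", port, "S")
    return fw.log

def blocked_tcp(log):
    return [(dport, flags) for verdict, proto, dport, flags in log
            if verdict == "block" and proto == "tcp"]

SCANNER = "192.168.75.10"      # constructed address on the WAN-side subnet
deice_log = scan(StatefulFilter(), SCANNER, "192.168.1.100", False)
ubuntu_log = scan(StatefulFilter(), SCANNER, "192.168.1.2", True)
```

In this model the only blocked TCP entry for the host judged down is the discovery ACK to port 80, while the host that answers discovery also gets the SYN port scan logged.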
LT72884
« Reply #3 on: August 14, 2012, 03:16:13 PM »

Ran a Wireshark scan from the BT5 disk, which resides on the 192.168.75.0/24 subnet, against de-ice on the 192.168.1.0/24 subnet that is on the other side of the firewall.

I use a TCP filter so only TCP traffic is seen. So nmap sends the 3 TCP packets, but never gets any back whatsoever.

Now, when I run the same syntax against the Ubuntu machine, I get replies back and tons of info.

So in conclusion, I think the de-ice disk somehow does not know how to send replies back to the 75.0/24 subnet. But then again, de-ice should send replies to the LAN interface of the FW, which is in the same subnet, and then the FW forwards them to the 75.0 subnet. It is not making any sense at all.

The firewall is set up to allow TCP on 80, 21, 443 and ICMP. I SHOULD at least get a reply back from de-ice saying that port 80 is open.

Thanks