firewall with de-ice help

    • #7794
      LT72884
      Participant

      Hello all. I finally built a lab with a firewall in it. I am using VMware Workstation 8, the newest one. Here is my lab setup:

      Backtrack 5 vm. net adapter is set with lan segment option with name as lan1 and is in the 192.168.75.0/24 subnet(wan side of pfsense)

      pfsense firewall has 2 nics. nic1=lan segment(name is lan1) ip =192.168.75.1/24

      nic2= lan segment(name is lan2) ip =192.168.1.0/24

      The OS of pfsense is setup with lan1 as the WAN with ip 192.168.75.1/24 no dhcp

      lan2 is the LAN portion of pfsense with dhcp and ip as 192.168.1.1/24

      The firewall is allowing ports 80,443,21 and icmp to be passed through.

      I have ubuntu 12.04 on lan segment(lan2). It grabs the dhcp and i can ping the firewall and even log into the web gui. So that vm is perfect.

      I can even ping from bt5 to ubuntu just fine. nmap works so far on the ubuntu machine from the bt5 side.

      now the fun part. i add de-ice lvl1 to the lan segment(lan2). Ubuntu can nmap de-ice just fine. so i know the de-ice vm is loading correctly.

      ok, so from the bt5 machine, i run nmap on the de-ice machine and it keeps saying that it is down. I try nmap from bt to ubuntu and it finds the closed/open ports on ubuntu vm just fine. I have even tried the following commands from bt5 to de-ice machine

      nmap -sT 192.168.1.100
      nmap -sP 192.168.1.0/24
      nmap -sN 192.168.1.100
      nmap -sS 192.168.1.100
      nmap -sS -T5 192.168.1.100
      nmap -Pn -T5 192.168.1.100 (1 host up with all 1000 ports filtered)

      ok, so I'm not sure if it's the config of the system or if the firewall is doing what it is supposed to be, but then why would the ubuntu ports show up on bt5 nmap scan but not the de-ice?

      here is some output from the ubuntu machine whose ip is 192.168.1.2 and is in same subnet as de-ice

      matt@ubuntu#
      Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-08-03 00:22 EDT
      Nmap scan report for 192.168.1.100
      Host is up (0.00023s latency).
      Not shown: 992 filtered ports
      PORT    STATE  SERVICE
      20/tcp  closed ftp-data
      21/tcp  closed ftp
      22/tcp  closed ssh
      25/tcp  closed smtp
      80/tcp  closed http
      110/tcp closed pop3
      143/tcp closed imap
      443/tcp closed https
      MAC Address: 00:0C:29:9A:56:D7 (VMware)

      (interesting they are all closed though. they should be open since the data didn't even go through the firewall since they are on the same lan. UPDATE: i grabbed the wrong output, they are open)



      here it is from an nmap scan on the other side of the firewall. Nmap is being run from bt5:

      root@bt:~# nmap 192.168.1.2 (ubuntu vm on other side of FW)

      Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-08-13 16:01 EDT
      Nmap scan report for 192.168.1.2
      Host is up (0.0010s latency).
      Not shown: 997 filtered ports
      PORT    STATE  SERVICE
      21/tcp  closed ftp
      80/tcp  closed http
      443/tcp closed https



      ok so i know nmap is working fine. now scanning from bt5 to de-ice which we know is up and running according to the ubuntu scan on the same network:

      root@bt:~# nmap 192.168.1.100

      Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-08-13 16:06 EDT
      Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
      Nmap done: 1 IP address (0 hosts up) scanned in 3.07 seconds

      root@bt:~# nmap -sT 192.168.1.100

      Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-08-13 15:37 EDT
      Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
      Nmap done: 1 IP address (0 hosts up) scanned in 3.06 seconds
      root@bt:~# nmap -sN 192.168.1.100

      Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-08-13 15:38 EDT
      Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
      Nmap done: 1 IP address (0 hosts up) scanned in 3.05 seconds
      root@bt:~# nmap -sS 192.168.1.100

      Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-08-13 15:55 EDT
      Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
      Nmap done: 1 IP address (0 hosts up) scanned in 3.09 seconds
      root@bt:~# nmap -sS -T5 192.168.1.100

      Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-08-13 15:55 EDT
      Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
      Nmap done: 1 IP address (0 hosts up) scanned in 1.55 seconds

      nothing. port 80 should at least show up since i have allowed traffic to that port and when i scan the ubuntu machine, port 80 shows up and it is even closed. so for some reason the ports for de-ice are not making it back to the bt5 vm.

      Any ideas what i can try out?

      thanks

      Matt

    • #48851
      dynamik
      Participant

      Perform a packet capture while running a scan from the BT system and see what type of responses you’re getting.

      Running nmap with both --reason and -Pn may provide a bit more information.

      Check your firewall logs and see what it’s blocking.

    • #48852
      LT72884
      Participant

      all right, now it's gettin strange. i tried hping2 and when i attacked the ubuntu machine, it shows the open ports, but when i attack de-ice with hping2, nothin, nothin at all. i think it's just having a bad day is all. still trying to look at logs and see what is happening.

      i can access the de-ice webpage from the ubuntu which is in same subnet but the BT machine can't. I can ping the ubuntu from wan to lan so i know FW is allowing icmp through like i set it up to. I allowed tcp ports 80,https,ftp and also icmp to be allowed.

      here is what it is blocking:
      192.168.1.100:80 TCP:A

      here is what the firewall rule is
      allow TCP from HTTP to HTTP
      haha

      Ok, according to the firewall logs, nmap is using the udp protocol on port 53 when i issue the command nmap 192.168.1.100 BUT when i clear the logs and use nmap 192.168.1.2 which is the ubuntu machine, the logs all of a sudden populate with tcp connections. so why is it using UDP for a standard nmap scan but then using the exact same syntax, it uses tcp? makes no sense to me

      UPDATE:

      Ok so more reading and diving into the logs, it shows that the tcp scan to ubuntu is set with the S flag and scanning the de-ice it is using the A flag. I am using the exact same syntax for both scans and i do not know why it is changing between syn and ack scanning between OS’s.
      I checked to see if any were actual ACKs telling the system it was alive but to ubuntu it was all syns even on port 80 but de-ice, they are all acks, but that should not matter because i have allowed tcp port 80. the firewall logs can only show up to 50 entries and it does show what is passed through as well.
      thanks
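
Added example, not part of the original thread: one way to read firewall log entries such as the `192.168.1.100:80 TCP:A` line above. It assumes Nmap's documented default host discovery when run as root against a non-local target (ICMP echo, TCP SYN to 443, TCP ACK to 80, ICMP timestamp); the log records and their field names are constructed for illustration and are not pfSense's log format.

```python
# Added example (not from the thread). Log records below are constructed.
# Nmap's documented default host discovery, run as root against a non-local
# target: ICMP echo, TCP SYN to 443, TCP ACK to 80, ICMP timestamp request.
DISCOVERY_TCP = {(443, "S"), (80, "A")}
DISCOVERY_ICMP = {"echo-request", "timestamp-request"}


def classify(entry):
    """Label one firewall log record: 'discovery', 'port-scan' or 'other'."""
    proto = entry["proto"]
    if proto == "ICMP" and entry.get("icmp_type") in DISCOVERY_ICMP:
        return "discovery"
    if proto == "TCP" and (entry.get("dport"), entry.get("flags")) in DISCOVERY_TCP:
        return "discovery"
    if proto == "TCP" and entry.get("flags") == "S":
        return "port-scan"  # SYN to a port outside the discovery set
    return "other"


def summarize(entries):
    """Per destination: how far the scan got and which probes were blocked."""
    report = {}
    for e in entries:
        r = report.setdefault(e["dst"], {"phase": "discovery only", "blocked": []})
        kind = classify(e)
        if kind == "port-scan":
            r["phase"] = "port scan"  # nmap only port-scans hosts it judged up
        if e["action"] == "block":
            r["blocked"].append((e["proto"], e.get("dport"), e.get("flags"), kind))
    return report


# Constructed sample: one host that answered discovery, one that did not.
LOG = [
    {"dst": "192.168.1.2", "proto": "ICMP", "icmp_type": "echo-request", "action": "pass"},
    {"dst": "192.168.1.2", "proto": "TCP", "dport": 80, "flags": "A", "action": "block"},
    {"dst": "192.168.1.2", "proto": "TCP", "dport": 80, "flags": "S", "action": "pass"},
    {"dst": "192.168.1.2", "proto": "TCP", "dport": 22, "flags": "S", "action": "block"},
    {"dst": "192.168.1.100", "proto": "ICMP", "icmp_type": "echo-request", "action": "pass"},
    {"dst": "192.168.1.100", "proto": "TCP", "dport": 443, "flags": "S", "action": "pass"},
    {"dst": "192.168.1.100", "proto": "TCP", "dport": 80, "flags": "A", "action": "block"},
]

if __name__ == "__main__":
    for dst, info in summarize(LOG).items():
        print(dst, info["phase"], info["blocked"])
```

A destination that stays at "discovery only" never answered any discovery probe, so the same nmap command line never reaches the SYN scan for it. A blocked `TCP:A` to port 80 beside an allow rule for port 80 is consistent with stateful filtering: the bare ACK belongs to no tracked connection.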

    • #48853
      LT72884
      Participant

      ran a wireshark scan from the BT5 disk which resides on the 192.168.75.0/24 subnet against de-ice on the 192.168.1.0/24 subnet that is on other side of firewall.

      i use a tcp filter so only tcp traffic is seen. so nmap sends the 3 tcp packets, but never gets any back whatsoever.

      now, when i run the same syntax against the ubuntu machine, i get replies back and tons of info.

      so in conclusion, i think the de-ice disk somehow does not know how to send replies back to the 75.0/24 subnet. But then again, de-ice should send replies to the LAN interface of the FW which is in the same subnet and then the FW forward them to the 75.0 subnet. It is not making any sense at all.

      firewall is setup to allow tcp on 80,21,443 and icmp. I SHOULD at least get a reply back from de-ice saying that port 80 is open.

      thanks

Copyright ©2021 Caendra, Inc.