Proto Local Address Foreign Address State
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING (IIS)
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING (RpsSs)
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING (RpcSs)
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING (IIS)
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING (???)
TCP 0.0.0.0:1028 0.0.0.0:0 LISTENING (???)
TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1025 127.0.0.1:1028 ESTABLISHED
TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1028 127.0.0.1:1025 ESTABLISHED
UDP 0.0.0.0:135 *:* (RpcSs)
C:\>
We will have to live with this. The TCP/IP security filters should deny any connection attempts made to those ports.
Test of TCP/IP security filters
Let's try the TCP/IP security filters. First I configured the filters to allow only tcp/80 and udp/1111. Then I fired up listeners with netcat (http://www.l0pht.com/~weld/netcat/) on tcp/80,81 and udp/1110,1111. To test, I used netcat to try to connect to the server on the listener ports.
The tcpdump output below shows the behavior of the filter function.
UDP packets to port 1110 (blocked) show no output on the listener.
22:54:14.041112 arp who-has 10.0.0.43 tell 10.0.0.5
22:54:14.041171 arp reply 10.0.0.43 is-at 0:10:5a:e6:cf:74
22:54:14.041240 10.0.0.5.1252 > 10.0.0.43.1110: udp 10
22:54:16.909514 10.0.0.5.1252 > 10.0.0.43.1110: udp 11
UDP packets to port 1111 (unblocked) show output on the listener.
22:58:30.045340 10.0.0.5.1254 > 10.0.0.43.1110: udp 10
22:58:32.807513 10.0.0.5.1254 > 10.0.0.43.1110: udp 11
UDP packets to port 1111 (unblocked) with no listener cause the server to send ICMP UDP port unreachable.
23:00:39.497178 10.0.0.43 > 10.0.0.5: icmp: 10.0.0.43 udp port 1111 unreachable
23:00:39.725978 10.0.0.5.1255 > 10.0.0.43.1111: udp 2
23:00:39.726038 10.0.0.43 > 10.0.0.5: icmp: 10.0.0.43 udp port 1111 unreachable
23:00:39.979497 10.0.0.5.1255 > 10.0.0.43.1111: udp 5
TCP connect to port 80 (unblocked) shows output on the listener.
23:03:05.220808 10.0.0.5.1264 > 10.0.0.43.http: S 52482:52482(0) win 8192 <mss 1460> (DF) [tos 0x10]
23:03:05.220922 10.0.0.43.http > 10.0.0.5.1264: S 61918:61918(0) ack 52483 win 8760 <mss 1460> (DF)
23:03:05.221044 10.0.0.5.1264 > 10.0.0.43.http: . ack 1 win 8760 (DF) [tos 0x10]
23:03:07.289221 10.0.0.5.1264 > 10.0.0.43.http: P 1:7(6) ack 1 win 8760 (DF) [tos 0x10]
23:03:07.395725 10.0.0.43.http > 10.0.0.5.1264: . ack 7 win 8754 (DF)
23:03:11.146798 10.0.0.5.1264 > 10.0.0.43.http: P 7:8(1) ack 1 win 8760 (DF) [tos 0x10]
23:03:11.301110 10.0.0.43.http > 10.0.0.5.1264: . ack 8 win 8753 (DF)
23:03:11.960993 10.0.0.5.1264 > 10.0.0.43.http: R 52490:52490(0) win 0 (DF) [tos 0x10]
TCP connect to port 81 (blocked) shows no output on the listener. NT sends RST.
23:23:43.669792 10.0.0.5.1286 > 10.0.0.43.81: S 52552:52552(0) win 8192 <mss 1460> (DF) [tos 0x10]
23:23:43.669857 10.0.0.43.81 > 10.0.0.5.1286: R 0:0(0) ack 52553 win 0
23:23:44.168936 10.0.0.5.1286 > 10.0.0.43.81: S 52552:52552(0) win 8192 <mss 1460> (DF) [tos 0x10]
23:23:44.168995 10.0.0.43.81 > 10.0.0.5.1286: R 0:0(0) ack 1 win 0
23:23:44.669639 10.0.0.5.1286 > 10.0.0.43.81: S 52552:52552(0) win 8192 <mss 1460> (DF) [tos 0x10]
23:23:44.669697 10.0.0.43.81 > 10.0.0.5.1286: R 0:0(0) ack 1 win 0
23:23:45.170337 10.0.0.5.1286 > 10.0.0.43.81: S 52552:52552(0) win 8192 <mss 1460> (DF) [tos 0x10]
23:23:45.170392 10.0.0.43.81 > 10.0.0.5.1286: R 0:0(0) ack 1 win 0
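
The filter test above can be checked mechanically. The following is an added example, not part of the original paper: it parses tcpdump lines in the format shown and reports what the server answered for each probed port. The names classify, port_no and SAMPLE and the verdict labels are assumptions made for this illustration.

```python
import re
from collections import defaultdict

SERVER = "10.0.0.43"      # the filtered NT host in the captures above
SERVICES = {"http": 80}   # tcpdump prints service names for well-known ports

# Constructed sample: lines taken from the page's captures, "[tos 0x10]" tails dropped.
SAMPLE = """\
22:54:14.041240 10.0.0.5.1252 > 10.0.0.43.1110: udp 10
22:54:16.909514 10.0.0.5.1252 > 10.0.0.43.1110: udp 11
23:00:39.725978 10.0.0.5.1255 > 10.0.0.43.1111: udp 2
23:00:39.726038 10.0.0.43 > 10.0.0.5: icmp: 10.0.0.43 udp port 1111 unreachable
23:03:05.220808 10.0.0.5.1264 > 10.0.0.43.http: S 52482:52482(0) win 8192 <mss 1460> (DF)
23:03:05.220922 10.0.0.43.http > 10.0.0.5.1264: S 61918:61918(0) ack 52483 win 8760 <mss 1460> (DF)
23:23:43.669792 10.0.0.5.1286 > 10.0.0.43.81: S 52552:52552(0) win 8192 <mss 1460> (DF)
23:23:43.669857 10.0.0.43.81 > 10.0.0.5.1286: R 0:0(0) ack 52553 win 0
"""

PKT = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+)\.(\w+) > (\d+\.\d+\.\d+\.\d+)\.(\w+): (.*)$")
UNREACH = re.compile(r"icmp: (\S+) udp port (\w+) unreachable")

def port_no(tok):
    return int(tok) if tok.isdigit() else SERVICES.get(tok, tok)

def classify(capture, server=SERVER):
    """Return {(proto, port): verdict} for probes sent to `server`."""
    seen = defaultdict(set)
    for line in capture.splitlines():
        m = UNREACH.search(line)
        if m and m.group(1) == server:
            seen[("udp", port_no(m.group(2)))].add("unreachable")
            continue
        m = PKT.match(line)
        if not m:
            continue  # arp, wrapped fragments, anything else unparsed
        src, sport, dst, dport, rest = m.groups()
        flags = (rest.split() or [""])[0]
        if rest.startswith("udp"):
            if dst == server:
                seen[("udp", port_no(dport))].add("probe")
        elif src == server and flags == "S" and " ack " in rest:
            seen[("tcp", port_no(sport))].add("accepted")   # SYN-ACK from server
        elif src == server and "R" in flags:
            seen[("tcp", port_no(sport))].add("reset")      # RST from server
        elif dst == server and flags == "S":
            seen[("tcp", port_no(dport))].add("probe")
    order = ("accepted", "reset", "unreachable")
    return {k: next((v for v in order if v in ev), "silent") for k, ev in seen.items()}

if __name__ == "__main__":
    for key, verdict in sorted(classify(SAMPLE).items()):
        print(key, verdict)
```

A "silent" UDP verdict covers both a packet dropped by the filter and one delivered to a listener, which is why the test above also checks the netcat listener's output; likewise a "reset" on TCP looks the same on the wire whether the filter or a closed port produced it.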