[24965] in bugtraq
Re: Firewall-1 Identification : port 257 (ie archive : 18701)
daemon@ATHENA.MIT.EDU (Mariusz Woloszyn)
Thu Apr 4 01:07:39 2002
Date: Wed, 3 Apr 2002 16:32:14 +0200 (EEST)
From: Mariusz Woloszyn <emsi@ipartners.pl>
To: Sacha Faust <sacha@severus.org>
Cc: bugtraq@securityfocus.com
In-Reply-To: <000101c1da6f$a3c22800$0201a8c0@kidgnaped>
Message-ID: <Pine.LNX.4.43.0204031621240.9613-100000@dzyngiel.ipartners.pl>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-2
Content-Transfer-Encoding: 8BIT
On Tue, 2 Apr 2002, Sacha Faust wrote:
> I did some additional poking at the system and found out that if you connect
> to port 257 and you hit a few keys, the server will return fwa1 string.
>
Keep in mind that in every Checkpoint book they write that there should be
a "Stealth Rule", which block all traffic to firewall. It should be the
very first rule in rules table. It means that if you find computer with
256,257 and 258 ports open that implyes _lame_ installation (or you're on
host explicitly allowed to connect).
--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners
