norm at etherealconsulting.com
Thu Oct 7 13:56:44 PDT 2004
Chuck Swiger wrote:
> Norm Vilmer wrote:
> [ ... ]
>> My question is: from a "well" configured firewall, "Should" I be able
>> to nmap the public interface using a console session on the firewall
> Sure. nmap should return close to zero open ports.
>> Will allowing this compromise the security of the machine?
> nmap doesn't compromise the security of your machine. Having open ports
> connected to vulnerable services is the primary security risk.
>> Basically, should I even attempt to make this work?
> What is "this"?
>> What's a good way to test your own firewall without driving down
>> the road (and hacking into an unsecured Linksys wireless router....
>> just kidding)?
> Put another machine on the subnet of your external interface, and do an
> nmap scan from there. That represents what your ISP would see, or a bad
> guy who compromised the ISP possibly up through the DSL modem you have.
Sorry about the ambiguity, I was referring to loosening my firewall rules
and other settings to allow nmap to work properly. If it "should" work,
then I have things either misconfigured or tightened down too much.
Connecting a machine to the public subnet won't work for
me. My ISP uses PPPoE, I have one static IP assigned to my firewall's
MAC address. I tried it, just to see if it would assign the other
machine a dynamic IP if I made a PPPoE connection, but it doesn't.
I tried the ShieldsUp website, but it did not work from links (gui-less).
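The check Chuck describes (scan the external interface from a second host and expect close to zero open ports) is easier to repeat if the scan result is compared against a list of ports you intend to expose. The following is an added example, not code from the thread or from nmap itself: it parses nmap's grepable output format (`nmap -oG`), lists the ports reported open, and flags any that are not on an allow-list. The scan text and the host address 192.0.2.10 embedded below are constructed for illustration; on a real run you would feed it the `-oG` file produced by a scan from the external side.

```python
"""Compare an nmap -oG scan of a firewall's external interface with an
allow-list of ports that are meant to be reachable.

Added example for the thread above; not from the original post or from nmap.
The sample output below is constructed (192.0.2.10 is a documentation address).
Real input: run `nmap -oG scan.gnmap <external-ip>` from a host outside the
firewall and pass the file contents to parse_gnmap().
"""
import re

# Constructed sample of nmap grepable output (not a real scan).
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -oG - 192.0.2.10
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 113/closed/tcp//auth///, 443/filtered/tcp//https///\tIgnored State: filtered (996)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# Each port entry in -oG output looks like: port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_gnmap(text):
    """Return {host: [(port, state, proto), ...]} from nmap -oG text."""
    result = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        parts = line.split("Ports:", 1)
        if len(parts) < 2:
            continue  # status-only line, no port list
        # The port list ends at the next tab-separated field (e.g. "Ignored State:")
        entries = parts[1].split("\t")[0]
        for port, state, proto in PORT_RE.findall(entries):
            result.setdefault(host, []).append((int(port), state, proto))
    return result


def open_ports(parsed, host):
    """Sorted list of ports nmap reported as 'open' for the host."""
    return sorted(p for p, state, _proto in parsed.get(host, []) if state == "open")


def unexpected_open(parsed, host, allowed):
    """Open ports that are not in the allow-list; an empty list is the goal."""
    return [p for p in open_ports(parsed, host) if p not in allowed]


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    host = "192.0.2.10"
    intended = {22}  # constructed policy: only SSH is meant to be reachable
    print("open:", open_ports(scan, host))
    print("unexpected:", unexpected_open(scan, host, intended))
```

Only `open` counts as a finding; `closed` and `filtered` entries are what a tightened firewall is expected to produce, which is the "close to zero open ports" outcome Chuck refers to.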