04-12-2014, 02:17 AM, #1
Member, Registered: Aug 2011, Location: USA, Distribution: ArchLinux - 3.0 kernel, Posts: 349
Is there a good way to run nmap scans over the public net?
I've heard it's no bueno to do this...
04-12-2014, 04:15 AM, #2
LQ Addict, Registered: Nov 2013, Location: Tokyo, Distribution: Mostly Ubuntu and Centos, Posts: 6,316
The net itself doesn't matter or mind, but when you check the ports of a host that you don't own, it can be interpreted as searching for a way to break in.
04-12-2014, 01:04 PM, #3
Member (Original Poster), Registered: Aug 2011, Location: USA, Distribution: ArchLinux - 3.0 kernel, Posts: 349
Should have clarified: most definitely to one of my own hosts.
05-04-2014, 02:44 PM, #4
Member, Registered: Jul 2005, Location: UK, Posts: 101
Interesting one. Surely as this is his/her own telephone line there shouldn't be any other traffic but his/hers and his/her ISP's. Or am I missing something basic?
05-04-2014, 03:18 PM, #5
Member (Original Poster), Registered: Aug 2011, Location: USA, Distribution: ArchLinux - 3.0 kernel, Posts: 349
Quote:
Originally Posted by turnbui
Interesting one. Surely as this is his/her own telephone line there shouldn't be any other traffic but his/hers and his/her ISP's. Or am I missing something basic?
It's actually Comcast cable as my ISP on both ends, and yes, theoretically traffic to/from 2 endpoints on the same ISP SHOULD never cross other providers' lines, provided the 2 endpoints are geographically close to each other. Going cross-country, I could see you potentially getting routed across peered links of some sort.
But even on the same ISP, I had figured that port scans could potentially violate some sort of terms of service, because as berndbausch said, it can be seen as a security circumvention attempt. A cursory glance at Comcast's TOS doesn't explicitly show anything of the sort, but it wouldn't surprise me to find that they'd rather you not do this.
05-04-2014, 07:25 PM, #6
Member, Registered: Jul 2005, Location: UK, Posts: 101
Last edited by turnbui; 05-04-2014 at 07:30 PM.
05-04-2014, 07:45 PM, #7
Moderator, Registered: May 2001, Posts: 29,415
Quote:
Originally Posted by psycroptic
Should have clarified: most definitely to one of my own hosts.
Apart from TOS etc. it kind of depends what you can do. Is it to be a targeted scan? Nmap has speed settings. If you target your own machine with specific ports, say "-p21,22,23,25,80,443,993,10000", no excessive retries and try "-T1"? Or a general vulnerability assessment? You know there are sites that can do that for you for free, only requiring registration (added bonus of having a 3rd party to "blame" ;-p)?
05-04-2014, 09:22 PM, #8
Member (Original Poster), Registered: Aug 2011, Location: USA, Distribution: ArchLinux - 3.0 kernel, Posts: 349
Quote:
Originally Posted by unSpawn
Apart from TOS etc. it kind of depends what you can do. Is it to be a targeted scan? Nmap has speed settings. If you target your own machine with specific ports, say "-p21,22,23,25,80,443,993,10000", no excessive retries and try "-T1"? Or a general vulnerability assessment? You know there are sites that can do that for you for free, only requiring registration (added bonus of having a 3rd party to "blame" ;-p)?
Lol! No, I was just gonna do a range of 1-1024 on my own firewall, from my parents' house. I'd rather not have to register for yet another site. Both locations have Comcast.
05-05-2014, 02:13 AM, #9
Moderator, Registered: May 2001, Posts: 29,415
Quote:
Originally Posted by psycroptic
I was just gonna do a range of 1-1024 on my own firewall
Post output of 'iptables-save'?
05-05-2014, 02:18 AM, #10
Member (Original Poster), Registered: Aug 2011, Location: USA, Distribution: ArchLinux - 3.0 kernel, Posts: 349
Quote:
Originally Posted by unSpawn
Post output of 'iptables-save'?
Why?
05-05-2014, 01:47 PM, #11
Moderator, Registered: May 2001, Posts: 29,415
Quote:
Originally Posted by psycroptic
Why?
Because we see in one glance if it's worth doing so?
05-05-2014, 02:36 PM, #12
Member (Original Poster), Registered: Aug 2011, Location: USA, Distribution: ArchLinux - 3.0 kernel, Posts: 349
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 3/s --limit-burst 1 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -p icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp --icmp-type 11 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
Though we're straying from the topic somewhat, marking as solved.
05-05-2014, 02:43 PM, #13
Moderator, Registered: May 2001, Posts: 29,415
You have a default filter table INPUT chain DROP policy and you only allow ingress traffic (any protocol) for existing connections so running nmap should not show any ports open.
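To see what that means in practice, here is an added example (not code from the thread) that walks a packet through the posted iptables-save ruleset the way the INPUT chain would: a fresh TCP SYN arriving on the WAN interface (assumed here to be eth0) matches no ACCEPT rule and falls through to the DROP policy, which nmap reports as filtered, while the same SYN over lo is accepted, so a scan run from the firewall itself does not prove what an external scan would show.

```python
# Added example (not from the thread): a tiny iptables-save interpreter that emulates how
# the INPUT chain posted above answers a port scan. Handles only the match options this
# ruleset uses and assumes the ICMP rate limit is not exceeded.
RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 3/s --limit-burst 1 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -p icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp --icmp-type 11 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
"""

def parse_filter_table(text):
    """Return (chain policies, INPUT rules as token lists) from an iptables-save dump."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A INPUT "):
            rules.append(line.split())
    return policies, rules

def verdict(policies, rules, pkt):
    """First rule whose every match clause fits the packet decides; else the chain policy."""
    for r in rules:
        ok, target, i = True, None, 2                 # skip "-A INPUT"
        while i < len(r):
            tok, arg = r[i], r[i + 1]                  # every option here takes one argument
            if tok == "-p":            ok &= pkt["proto"] == arg
            elif tok == "-i":          ok &= pkt["iface"] == arg
            elif tok == "--icmp-type": ok &= pkt.get("icmp_type") == arg
            elif tok == "--ctstate":   ok &= pkt["ctstate"] in arg.split(",")
            elif tok == "--dport":     ok &= pkt.get("dport") == int(arg)
            elif tok == "-j":          target = arg
            i += 2
        if ok and target:
            return target
    return policies["INPUT"]

def scan_result(ports, iface="eth0", text=RULESET):
    """Emulate the first SYN of a TCP scan (conntrack state NEW) per port; DROP = nmap 'filtered'."""
    policies, rules = parse_filter_table(text)
    return {p: "filtered" if verdict(policies, rules, {"proto": "tcp", "iface": iface,
                "ctstate": "NEW", "dport": p}) == "DROP" else "reachable" for p in ports}
```

Calling `scan_result(range(1, 1025))` returns "filtered" for every port from the WAN side, while `scan_result([22], iface="lo")` returns "reachable" because of the `-i lo -j ACCEPT` rule.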
05-07-2014, 06:13 PM, #14
Member (Original Poster), Registered: Aug 2011, Location: USA, Distribution: ArchLinux - 3.0 kernel, Posts: 349
Quote:
Originally Posted by unSpawn
You have a default filter table INPUT chain DROP policy and you only allow ingress traffic (any protocol) for existing connections so running nmap should not show any ports open.
|
Yes, I know.
I was more concerned with the TOS/general network courtesy kinds of implications. One thing I do know: I would never in a million years install a firewall without nmap'ing it locally before putting it out into the wild.
05-07-2014, 07:20 PM, #15
Moderator, Registered: May 2001, Posts: 29,415
Quote:
Originally Posted by psycroptic
I was more concerned with the TOS/general network courtesy kinds of implications.
Ah, OK.