How to detect whether firewall service is provided by server or by ISP?

m4rtin · 09-16-2010, 06:17 PM

I have two servers behind different networks. First network is protected with firewall provided by the router and there is no firewall in the server:

Code:

[root@martin ~]# nmap --reason -n -PN -p445 192.168.217.73

Starting Nmap 5.00 ( http://nmap.org ) at 2010-09-16 13:57 EEST
Interesting ports on 192.168.217.73:
PORT    STATE    SERVICE      REASON
445/tcp filtered microsoft-ds no-response

Nmap done: 1 IP address (1 host up) scanned in 2.15 seconds
[root@martint ~]#

The other server is in the second network and there is no firewall service provided by the router, but firewall is activated in the server:

Code:

[root@martin ~]# nmap --reason -n -PN -p9731 192.168.13.19

Starting Nmap 5.00 ( http://nmap.org ) at 2010-09-16 13:56 EEST
Interesting ports on 192.168.13.19:
PORT     STATE    SERVICE REASON
9731/tcp filtered unknown no-response

Nmap done: 1 IP address (1 host up) scanned in 2.15 seconds
[root@martin ~]#

As you see, there are no difference in nmap output

If I check with tcpdump, which packets are sent from 192.168.217.73 and 192.168.13.19(tcpdump -i eth0 src host 192.168.217.73 and tcpdump -i eth0 src host 192.168.13.19 respectively) towards me during nmap scan, there are none. It's understandable, as there should be no reply when port is filtered.

Is there somehow possible to detect, whether firewall is active in the server or in the router?

Hangdog42 · 09-17-2010, 11:36 AM

Wouldn't traceroute do the trick as long as you specify the port? Seeing where the packets die should give you an indication of where the firewall is.

anomie · 09-17-2010, 11:59 AM

Quote:

Originally Posted by m4rtin

If I check with tcpdump, which packets are sent from 192.168.217.73 and 192.168.13.19(tcpdump -i eth0 src host 192.168.217.73 and tcpdump -i eth0 src host 192.168.13.19 respectively) towards me during nmap scan, there are none. It's understandable, as there should be no reply when port is filtered.

Nyet. If it's your host-level firewall doing the filtering, tcpdump(8) will still show the TCP SYN packets being received. If it's a perimeter firewall (sitting between your host and the scanner), tcpdump(8) will of course show nothing.

OlRoy · 09-18-2010, 12:35 PM

I'd suggest you enable logging on your router or host based firewall if you haven't already to answer your question. Just grep for log entries coming from your IP that is doing the Nmap scan. The other option is like you said, tcpdump or some other protocol analyzer, and if that's the route you take, I agree with anomie.