LinuxQuestions.org


djc 11-15-2005 09:40 AM

why port scans from BEHIND nat/firewall are inaccurate?
 
I recently got a new ISP and after configuring I wanted to port scan my IP from outside my home network to make sure the open port footprint was as I expected.
I was very thrown at first when I got so many reports of open ports (thirty something). I quickly realized I was scanning from a machine on my work network which was behind a firewall/nat/proxy server.

However, the next day, after configuring my firewall at work to allow just my host all outbound access (all ports and protocols) and doing the port scan again, I was lost as to why I still got the same inaccurate results.

I got NO info from the vendor of my firewall (through newsgroup posts) so I decided to post here thinking now that this is probably a common issue to all firewall/nat/proxy devices with regard to what I am trying to do. To reiterate, I am trying to get an accurate port scan of a machine FROM BEHIND a nat/firewall/proxy device.

1) So what are the issues with being able to do this? Is it possible?

I tried a couple of different port scanners from different clients and all had the same results (nmap on SuSE Linux 9.1, SuperScan4 on Windows 2000). I am even doing standard full connect TCP scans. I realize it's a firewall/nat/proxy issue and not a client issue, but I don't know what, if anything, I can do about it.

Any info on this would be greatly appreciated.

uopjohnson 11-15-2005 06:46 PM

An easy solution is the Shields Up service at GRC. This will externally scan your host to give you an idea of what is visible from the outside.

anomie 11-15-2005 07:32 PM

If that does not work you will need to run the scan from a machine that is on the same network, and whose scan will not route through the proxy server you described.

If you get really desperate, you can at least find out which ports have running/listening services with:
Code:

netstat -atun
(I am assuming this is a Linux box you are talking about..)
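
One way to put the `netstat -atun` suggestion to work (an added example, not part of the original thread): feed the host's netstat output and the ports a remote scan reported open into a small script that lists the reported ports the host is not actually listening on from a non-loopback address. The sample netstat output, the scanned-port list and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -atun` output from the scanned host.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.20:51234      ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# Constructed list of ports the remote scanner reported as open.
SCAN_REPORTED="21 22 25 80 110 631 8080"

# Read netstat output on stdin; print TCP ports in LISTEN state that are
# bound to a non-loopback address, one per line, sorted numerically.
listening_tcp_ports() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        addr = $4
        port = addr
        sub(/.*:/, "", port)        # keep the text after the last colon
        sub(/:[0-9]+$/, "", addr)   # keep the text before it
        if (addr ~ /^127\./ || addr == "::1") next   # loopback only
        print port
    }' | sort -n -u
}

# $1 = netstat output, $2 = space-separated ports reported open by the scan.
# Print the reported ports that have no remotely reachable listener on the host.
unexplained_ports() {
    listening=$(printf '%s\n' "$1" | listening_tcp_ports)
    for p in $2; do
        printf '%s\n' "$listening" | grep -qxF "$p" || printf '%s\n' "$p"
    done | tr '\n' ' ' | sed 's/ $//'
}

echo "Listening (non-loopback): $(printf '%s\n' "$SAMPLE_NETSTAT" | listening_tcp_ports | tr '\n' ' ')"
echo "Reported open but not listening: $(unexplained_ports "$SAMPLE_NETSTAT" "$SCAN_REPORTED")"
```

Ports in the second list were not answered by a service on the host itself, so the scan result for them reflects something else in the path between the scanner and the host.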

djc 11-16-2005 07:34 AM

Thank you for the replies. I have used grc.com to check the machine in question; however, what I am really interested in is to learn 'why' these scans are inaccurate and 'how' I may be able to configure the firewall (generally speaking, I know, I have not stated what firewall I'm using) to allow them to be accurate, 'if' that is even possible.

I do appreciate the comments though. Thanks.

anomie 11-16-2005 09:49 AM

Basically, if you want the scan against your local machine to be accurate you should not have a NAT device or proxy server sitting between you and the port scanner.

lord-fu 11-16-2005 10:56 AM

[edit]My post was useless after re-reading [edit]


All times are GMT -5.