RE: Open Ports

  • From: "Hugo Caye" <Hugo@xxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 3 Sep 2001 09:38:38 -0300

HTH,


ICMP TYPE NUMBERS

The Internet Control Message Protocol (ICMP) has many messages that
are identified by a "type" field.

Type    Name                                    Reference
----    -------------------------               ---------
  0     Echo Reply                               [RFC792]
  1     Unassigned                                  [JBP]
  2     Unassigned                                  [JBP]
  3     Destination Unreachable                  [RFC792]
  4     Source Quench                            [RFC792]
  5     Redirect                                 [RFC792]
  6     Alternate Host Address                      [JBP]
  7     Unassigned                                  [JBP]
  8     Echo                                     [RFC792]
  9     Router Advertisement                    [RFC1256]
 10     Router Solicitation                     [RFC1256]
 11     Time Exceeded                            [RFC792]
 12     Parameter Problem                        [RFC792]
 13     Timestamp                                [RFC792]
 14     Timestamp Reply                          [RFC792]
 15     Information Request                      [RFC792]
 16     Information Reply                        [RFC792]
 17     Address Mask Request                     [RFC950]
 18     Address Mask Reply                       [RFC950]
 19     Reserved (for Security)                    [Solo]
 20-29  Reserved (for Robustness Experiment)        [ZSu]
 30     Traceroute                              [RFC1393]
 31     Datagram Conversion Error               [RFC1475]
 32     Mobile Host Redirect              [David Johnson]
 33     IPv6 Where-Are-You                 [Bill Simpson]
 34     IPv6 I-Am-Here                     [Bill Simpson]
 35     Mobile Registration Request        [Bill Simpson]
 36     Mobile Registration Reply          [Bill Simpson]
 37     Domain Name Request                     [Simpson]
 38     Domain Name Reply                       [Simpson]
 39     SKIP                                    [Markson]
 40     Photuris                                [Simpson]
 41-255 Reserved                                    [JBP]

Many of these ICMP types have a "code" field.  Here we list the types
again with their assigned code fields.

Type    Name                                    Reference
----    -------------------------               ---------
  0     Echo Reply                               [RFC792]

        Codes
            0  No Code

  1     Unassigned                                  [JBP]

  2     Unassigned                                  [JBP]

  3     Destination Unreachable                  [RFC792]

        Codes
            0  Net Unreachable
            1  Host Unreachable
            2  Protocol Unreachable
            3  Port Unreachable
            4  Fragmentation Needed and Don't Fragment was Set
            5  Source Route Failed
            6  Destination Network Unknown
            7  Destination Host Unknown
            8  Source Host Isolated
            9  Communication with Destination Network is
               Administratively Prohibited
           10  Communication with Destination Host is
               Administratively Prohibited
           11  Destination Network Unreachable for Type of Service
           12  Destination Host Unreachable for Type of Service
           13  Communication Administratively Prohibited      [RFC1812]
           14  Host Precedence Violation                      [RFC1812]
           15  Precedence cutoff in effect                    [RFC1812]


  4     Source Quench                            [RFC792]

        Codes
            0  No Code

  5     Redirect                                 [RFC792]

        Codes
            0  Redirect Datagram for the Network (or subnet)
            1  Redirect Datagram for the Host
            2  Redirect Datagram for the Type of Service and Network
            3  Redirect Datagram for the Type of Service and Host

  6     Alternate Host Address                      [JBP]

        Codes
            0  Alternate Address for Host

  7     Unassigned                                  [JBP]

  8     Echo                                     [RFC792]

        Codes
            0  No Code

  9     Router Advertisement                    [RFC1256]

        Codes
            0  No Code

 10     Router Selection                        [RFC1256]

        Codes
            0  No Code

 11     Time Exceeded                            [RFC792]

        Codes
            0  Time to Live exceeded in Transit
            1  Fragment Reassembly Time Exceeded

 12     Parameter Problem                        [RFC792]

        Codes
            0  Pointer indicates the error
            1  Missing a Required Option        [RFC1108]
            2  Bad Length


 13     Timestamp                                [RFC792]

        Codes
            0  No Code

 14     Timestamp Reply                          [RFC792]

        Codes
            0  No Code

 15     Information Request                      [RFC792]

        Codes
            0  No Code

 16     Information Reply                        [RFC792]

        Codes
            0  No Code

 17     Address Mask Request                     [RFC950]

        Codes
            0  No Code

 18     Address Mask Reply                       [RFC950]

        Codes
            0  No Code

 19     Reserved (for Security)                    [Solo]

 20-29  Reserved (for Robustness Experiment)        [ZSu]

 30     Traceroute                              [RFC1393]

 31     Datagram Conversion Error               [RFC1475]

 32     Mobile Host Redirect              [David Johnson]

 33     IPv6 Where-Are-You                 [Bill Simpson]

 34     IPv6 I-Am-Here                     [Bill Simpson]

 35     Mobile Registration Request        [Bill Simpson]

 36     Mobile Registration Reply          [Bill Simpson]

 39     SKIP                                    [Markson]

 40     Photuris                                [Simpson]

Code

0       Reserved
1       unknown security parameters index
2       valid security parameters, but authentication failed
3       valid security parameters, but decryption failed

===================================================================

REFERENCES

[RFC792] Postel, J., "Internet Control Message Protocol", STD 5,
         RFC 792, USC/Information Sciences Institute, September 1981. 

[RFC950] Mogul, J., and J. Postel, "Internet Standard Subnetting
         Procedure", STD 5, RFC 950, Stanford, USC/Information
         Sciences Institute, August 1985.  

[RFC1108] Kent, S., "U.S. Department of Defense Security Options for
          the Internet Protocol", RFC 1108, November 1991.

[RFC1256] Deering, S., Editor, "ICMP Router Discovery Messages", RFC
          1256, Xerox PARC, September 1991.

[RFC1393] Malkin, G., "Traceroute Using an IP Option", RFC 1393,
          Xylogics, Inc., January 1993. 

[RFC1475] Ullmann, R., "TP/IX: The Next Internet", RFC 1475, Process
          Software Corporation, June 1993. 

[RFC1812] Baker, F., "Requirements for IP Version 4 Routers", RFC
          1812, Cisco Systems, June 1995.


PEOPLE

[JBP] Jon Postel, <postel@xxxxxxx>, September 1995.

[David Johnson]

[Markson] Tom Markson, <markson@xxxxxxxxxxxxxxxxx>, September 1995.

[Simpson]  Bill Simpson, <Bill.Simpson@xxxxxxxxxxxxxxx>, October 1995.

[Solo]

[ZSu] Zaw-Sing Su <ZSu@xxxxxxxxxxxxxxxxx>

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: sábado, 1 de setembro de 2001 11:51
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Open Ports


http://www.ISAserver.org


I agree! This would make for a good article. I'll write something up and
make Hugo the co-author for giving such a great idea! A coverage of what
the default ICMP filters are and what they do would be great.

Thanks!

Tom
www.isaserver.org/shinder




Thomas W Shinder, M.D., MCSE, MCT
 


-----Original Message-----
From: Chris Bond [mailto:chris@xxxxxxxxxxxx]
Sent: Saturday, September 01, 2001 4:05 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Open Ports


Cheers, it's set my mind at ease - just find it weird it's not mentioned
anywhere. I think it'd be another good addition to isaserver.org!

> -----Original Message-----
> From: Hugo Caye [mailto:Hugo@xxxxxxxxxxxxx]
> Sent: 31 August 2001 8:47
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Open Ports
> 
> If you can "stealth" ports not advertising that they're "closed for
> business" in any TCP/IP host, configure it not to send ICMP Unreachable.
> On a Cisco router, at the interface level use the "no ip unreachables"
> command.
> 
> In ISA, just disable the packet filter called "ICMP unreachable in" that's
> enabled by default. Please note that this preconfigured packet filter
> disables all type 3 codes, and to stealth ports only code 3 (port
> unreachable) is enough.
> 
> ICMP Type=3 Destination Unreachable, Code=3 Port Unreachable (RFC792).
> 
> 
> -----Original Message-----
> From: Shayne Lebrun [mailto:slebrun@xxxxxxxxxxx]
> Sent: sexta-feira, 31 de agosto de 2001 10:25
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Open Ports
> 
> 
> According to the TCP/IP spec, every port should respond with one of two
> options:
> 1: "Here I am, what can I do for you?"
> 2: "Sorry, closed for business."
> 
> Paranoid Internet security types have added a third to the mix:
> 3: "..."
> which Steve Gibson so charmingly refers to as 'stealthed' ports.
> 
> In other words, you should get a response on every port, but shouldn't
> be able to open a connection that you haven't allowed.
> 
> Now, also, bear in mind that what you're doing is NAT.  In other words,
> if you were to throw your firewall wide open, people still wouldn't be
> able to access anything that wasn't explicitly running on your ISA box,
> but is running behind your ISA box, unless you set up specific
> publishing rules.  With a forwarding firewall, you'd be thinking
> differently.
> 
> -----Original Message-----
> From: Chris Bond [mailto:chris@xxxxxxxxxxxx]
> Sent: Friday, August 31, 2001 7:27 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Open Ports
> 
> 
> Hi,
> 
> Just ran a port scan on the external interface of ISA and get the
> following results:
> 
> 25 smtp
> 53 domain
> 88 kerberos
> 110 pop3
> 135 epmap
> 139 netbios-ssn
> 143 imap
> 389 ldap
> 443 https
> 445 microsoft-ds
> 464 kpasswd
> 636 ldaps
> 1723 pptp
> 
> Plus a few others
> 
> Luckily at the moment the cisco router has an ACL on that only allows 25
> through.  What is the correct solution to stop it listening for these
> requests on the external interface (apart from port 25 of course).
> Although it does seem to say "* BYE Connection refused" and drop the
> packets, I just find it weird that it has the ports open in the first
> place?
> 
> Anybody got any ideas?
> 
> Kind Regards,
> Chris Bond
> 
> 
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> slebrun@xxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
> 
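An added example, not part of the thread and not ISA Server or IANA code: a Python decoder that reads an ICMPv4 message against the type/code table pasted above and, for a Type 3 Destination Unreachable, recovers from the embedded original datagram which destination port the error reports. The function names and the sample packet (documentation addresses, UDP port 161) are constructed for illustration.

```python
import struct

# Subset of the type and code tables quoted in this thread (RFC 792, RFC 1812).
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              5: "Redirect", 8: "Echo", 11: "Time Exceeded", 12: "Parameter Problem"}
UNREACH_CODES = {0: "Net Unreachable", 1: "Host Unreachable",
                 2: "Protocol Unreachable", 3: "Port Unreachable",
                 4: "Fragmentation Needed and Don't Fragment was Set",
                 13: "Communication Administratively Prohibited"}

def inet_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words (the ICMP checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp(msg: bytes) -> dict:
    """Decode an ICMPv4 message (the bytes after the outer IP header)."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    icmp_type, code = msg[0], msg[1]
    info = {"type": icmp_type, "code": code,
            "name": ICMP_TYPES.get(icmp_type, "Other"),
            "checksum_ok": inet_checksum(msg) == 0}  # valid message sums to 0
    if icmp_type == 3:
        info["code_name"] = UNREACH_CODES.get(code, "Other")
        inner = msg[8:]  # original IP header + first 8 bytes of its payload
        if len(inner) >= 20 and inner[0] >> 4 == 4:
            ihl = (inner[0] & 0x0F) * 4
            info["orig_proto"] = inner[9]
            info["orig_dst"] = ".".join(str(b) for b in inner[16:20])
            if inner[9] in (6, 17) and len(inner) >= ihl + 4:  # TCP or UDP
                sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
                info["orig_sport"], info["orig_dport"] = sport, dport
    return info

def build_sample() -> bytes:
    """Constructed sample: Type 3 Code 3 quoting a UDP datagram to port 161."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 17, 0,
                           bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    inner_udp = struct.pack("!HHHH", 40000, 161, 8, 0)
    body = struct.pack("!BBHI", 3, 3, 0, 0) + inner_ip + inner_udp
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
```

Run `parse_icmp(build_sample())` to see the decoded fields; the same function can be applied to the ICMP payload of packets taken from a capture of a firewall's external interface.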