I am using shorewall 1.4 (love it) on redhat 9 but am having problems with nmap.

Running "nmap -O 10.5.75.10" returns errors of:

"sendto in send_tcp_raw: sendto(3, packet, 60, 0, 10.5.75.7, 16) => Operation not permitted"

The faq says to: Edit /etc/shorewall/shorewall.conf and change "NEWNOTSYN=No" to "NEWNOTSYN=Yes" then restart Shorewall. Which I have, but I am still getting the same result. My policy has fw to net, loc and dmz accept. There is no mention of any problems in /var/log/messages.

I have built a second machine with redhat 9, updates but no shorewall and am able to run nmap with the -O option.

Has anyone else run into this? Anything else to try? I have combed the website and archives but have not seen an answer.

Thanks for your time.

Steve
On Fri, 2003-10-17 at 11:46, Steve Postma wrote:

> I am using shorewall 1.4 (love it) on redhat 9 but am having problems with
> nmap.
> Running "nmap -O 10.5.75.10" returns errors of :
> "sendto in send_tcp_raw: sendto(3, packet, 60, 0, 10.5.75.7, 16) =>
> Operation not permitted"
> The faq says to :
> Edit /etc/shorewall/shorewall.conf and change "NEWNOTSYN=No" to
> "NEWNOTSYN=Yes" then restart Shorewall.
> Which I have, but I am still getting the same result. My policy has fw to
> net, loc and dmz accept.
> There is no mention of any problems in /var/log/messages.
> I have built a second machine with redhat 9, updates but no shorewall and am
> able to run nmap with the -O option.
> Has anyone else ran into this? Anything else to try? I have combed the
> website and archives but have not seen an answer.

Looks like the -O option sends packets that are trapped by Netfilter as having an invalid state. The workaround is to add this to your /etc/shorewall/start file:

run_iptables -D OUTPUT -p ! icmp -m state --state INVALID -j DROP

This will allow you to run "nmap -O" on the shorewall box.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
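The mechanism behind Tom's diagnosis is worth making concrete: when a netfilter rule in the OUTPUT chain drops a locally generated packet, the kernel reports it to the sending process as EPERM, which is exactly the "Operation not permitted" that nmap prints from sendto(). The rule Tom's `run_iptables -D` line removes is the Shorewall OUTPUT rule that drops non-ICMP packets in conntrack state INVALID, and deleting it turns that protection off for all locally generated traffic, not just for the scan. The Python below is an added example (not Shorewall's code and not from the thread) that parses an `iptables -S`-style rule listing and reports which OUTPUT rules would drop INVALID-state packets of a given protocol, so you can confirm the cause before deciding whether to relax the rule. The listing `SAMPLE_LISTING` is constructed for the example; on a real box you would feed it the output of `iptables -S OUTPUT` (or `iptables-save`). Both the modern `! -p icmp` and the legacy `-p ! icmp` negation forms are handled.

```python
"""Spot netfilter OUTPUT rules that make raw-socket tools fail with EPERM.

A locally generated packet dropped in the OUTPUT chain surfaces to the
application as sendto() -> EPERM ("Operation not permitted").  Connection
tracking classifies nmap -O's crafted probes as INVALID, so a rule such as
Shorewall's "-A OUTPUT ! -p icmp -m state --state INVALID -j DROP" is a
typical cause.  This module parses `iptables -S` style lines to find it.
"""
import shlex

# Constructed sample of `iptables -S` output (not from a real host).
SAMPLE_LISTING = """\
-P OUTPUT ACCEPT
-A OUTPUT ! -p icmp -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j fw2net
-A INPUT -m state --state INVALID -j DROP
"""


def parse_rule(line):
    """Parse one `-A <chain> ...` line into a dict; return None for other lines."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    rule = {"chain": toks[1], "proto": None, "proto_negated": False,
            "states": set(), "target": None, "raw": line}
    negate = False
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "!":                      # modern negation: "! -p icmp"
            negate = True
            i += 1
            continue
        if t == "-p":
            if i + 2 < len(toks) and toks[i + 1] == "!":   # legacy "-p ! icmp"
                rule["proto"], rule["proto_negated"] = toks[i + 2].lower(), True
                i += 3
            elif i + 1 < len(toks):
                rule["proto"], rule["proto_negated"] = toks[i + 1].lower(), negate
                i += 2
            else:
                i += 1
        elif t in ("--state", "--ctstate") and i + 1 < len(toks):
            rule["states"] = {s.strip().upper() for s in toks[i + 1].split(",")}
            i += 2
        elif t == "-j" and i + 1 < len(toks):
            rule["target"] = toks[i + 1]
            i += 2
        else:
            i += 1                        # -m, -o, -i, ... are irrelevant here
        negate = False
    return rule


def rule_matches_proto(rule, proto):
    """True if the rule's protocol match (if any) applies to `proto`."""
    if rule["proto"] is None or rule["proto"] == "all":
        return True
    if rule["proto_negated"]:
        return rule["proto"] != proto
    return rule["proto"] == proto


def invalid_drops(listing, chain="OUTPUT", proto="tcp"):
    """Return the raw rules in `chain` that drop INVALID-state `proto` packets."""
    hits = []
    for line in listing.splitlines():
        r = parse_rule(line)
        if r is None or r["chain"] != chain:
            continue
        if ("INVALID" in r["states"] and r["target"] in ("DROP", "REJECT")
                and rule_matches_proto(r, proto)):
            hits.append(r["raw"])
    return hits


if __name__ == "__main__":
    for proto in ("tcp", "udp", "icmp"):
        hits = invalid_drops(SAMPLE_LISTING, proto=proto)
        verdict = "would get EPERM from" if hits else "is not blocked by"
        print("raw %-4s output %s: %s" % (proto, verdict, hits))
```

Running it against the constructed listing reports that raw TCP and UDP output is caught by the INVALID rule while ICMP is exempt, which matches the `! icmp` in Tom's workaround. Finding a hit tells you the rule is the cause; whether to delete it, or simply run the scan from a host that is not the firewall (as Steve already could), is then a policy decision rather than a guess.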
Steve, this is just a guess, but I think what the problem is, is that if you're running nmap from behind the FW and are pointing nmap at the firewall then you should be denied because you don't have a rule or policy that allows from loc>fw...

HTH's
JBanks

--- Steve Postma <spostma@travizon.com> wrote:
> I am using shorewall 1.4 (love it) on redhat 9 but am having problems with
> nmap.
> Running "nmap -O 10.5.75.10" returns errors of :
> "sendto in send_tcp_raw: sendto(3, packet, 60, 0, 10.5.75.7, 16) =>
> Operation not permitted"
> The faq says to :
> Edit /etc/shorewall/shorewall.conf and change "NEWNOTSYN=No" to
> "NEWNOTSYN=Yes" then restart Shorewall.
> Which I have, but I am still getting the same result. My policy has fw to
> net, loc and dmz accept.
> There is no mention of any problems in /var/log/messages.
> I have built a second machine with redhat 9, updates but no shorewall and am
> able to run nmap with the -O option.
> Has anyone else ran into this? Anything else to try? I have combed the
> website and archives but have not seen an answer.
> Thanks for your time.
>
> Steve
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Great! Thanks Tom, that worked. Unfortunately I have a very similar problem running nbtscan (http://www.inetcat.org/software/nbtscan.htm) with the -r option (use local port 137 for scans. Win95 boxes respond to this only). I receive the error message "Failed to bind: Address already in use". Again this will run on a Redhat 9 box where shorewall is not installed, no entries in /var/log/messages. I had hoped to kill two birds with one stone...

Again thanks for the fast reply and a great firewall Tom.

Steve

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Friday, October 17, 2003 2:59 PM
To: Shorewall Users Mailing List
Subject: Re: [Shorewall-users] problems with nmap

On Fri, 2003-10-17 at 11:46, Steve Postma wrote:
> I am using shorewall 1.4 (love it) on redhat 9 but am having problems with
> nmap.
> Running "nmap -O 10.5.75.10" returns errors of :
> "sendto in send_tcp_raw: sendto(3, packet, 60, 0, 10.5.75.7, 16) =>
> Operation not permitted"
> The faq says to :
> Edit /etc/shorewall/shorewall.conf and change "NEWNOTSYN=No" to
> "NEWNOTSYN=Yes" then restart Shorewall.
> Which I have, but I am still getting the same result. My policy has fw to
> net, loc and dmz accept.
> There is no mention of any problems in /var/log/messages.
> I have built a second machine with redhat 9, updates but no shorewall and am
> able to run nmap with the -O option.
> Has anyone else ran into this? Anything else to try? I have combed the
> website and archives but have not seen an answer.

Looks like the -O option sends packets that are trapped by Netfilter as having an invalid state. The workaround is to add this to your /etc/shorewall/start file:

run_iptables -D OUTPUT -p ! icmp -m state --state INVALID -j DROP

This will allow you to run "nmap -O" on the shorewall box.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Fri, 2003-10-17 at 12:23, Steve Postma wrote:
> Great! Thanks Tom, that worked. Unfortunately I have a very similar problem
> running nbtscan (http://www.inetcat.org/software/nbtscan.htm) with the -r
> option(use local port 137 for scans. Win95 boxes
> respond to this only) I receive the error message " Failed to bind: Address
> already in use". Again this will run on a Redhat 9 box where shorewall is
> not installed, no entries in /var/log/messages. I had hoped to kill two
> birds with one stone...

That error message has nothing to do with firewalling, I'm afraid. Do you have Samba running on the box with Shorewall installed?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
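Tom's second answer points at a different layer: "Address already in use" comes from bind(), before any packet reaches netfilter, and means another socket already owns UDP 137 (Samba's nmbd, in Steve's case). The quickest way to confirm that on a Linux box without guessing is to read /proc/net/udp, where each row carries the bound address, port and socket inode, and then map the inode to a process through /proc/<pid>/fd. The Python below is an added example (not from the thread and not part of nbtscan or Samba) that does exactly that; `SAMPLE_PROC_NET_UDP` is a constructed /proc/net/udp excerpt so the parser runs offline, and `pid_for_inode` only works on a real Linux host with permission to read other processes' fd tables.

```python
"""Explain "Failed to bind: Address already in use" for a UDP port.

/proc/net/udp lists every UDP socket as hex "ADDR:PORT" in host byte order
plus the owning uid and socket inode.  Parsing it shows which socket holds
the port (e.g. nmbd on 137), and /proc/<pid>/fd maps the inode to a PID.
"""
import os
import socket
import struct

# Constructed /proc/net/udp excerpt (little-endian host): a wildcard listener
# on 137 and one bound to 10.5.75.7:138, the addresses used in the thread.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  12: 00000000:0089 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 00000000 0
  13: 074B050A:008A 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12346 2 00000000 0
"""


def decode_addr(hexaddr, little_endian=True):
    """Turn 'ADDR:PORT' from /proc/net/udp into ('a.b.c.d', port).

    The address is a 32-bit value printed in host byte order, so on x86
    (little-endian) the octets come out reversed; the port is big-endian.
    """
    ip_hex, port_hex = hexaddr.split(":")
    fmt = "<I" if little_endian else ">I"
    ip = socket.inet_ntoa(struct.pack(fmt, int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def udp_sockets(proc_text, little_endian=True):
    """Parse /proc/net/udp text into a list of (ip, port, uid, inode)."""
    rows = []
    for line in proc_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        ip, port = decode_addr(fields[1], little_endian)
        rows.append((ip, port, int(fields[7]), int(fields[9])))
    return rows


def who_owns_udp_port(proc_text, port, little_endian=True):
    """Return the sockets already bound to `port` (wildcard or specific)."""
    return [s for s in udp_sockets(proc_text, little_endian) if s[1] == port]


def pid_for_inode(inode):
    """Map a socket inode to a PID via /proc/*/fd (Linux only; needs access)."""
    target = "socket:[%d]" % inode
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join("/proc", pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:                               # vanished or no permission
            continue
    return None


if __name__ == "__main__":
    # Read the live table when available, otherwise fall back to the sample.
    try:
        with open("/proc/net/udp") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_PROC_NET_UDP
    for ip, port, uid, inode in who_owns_udp_port(text, 137):
        pid = pid_for_inode(inode)
        print("UDP %d is held by %s (uid %d, inode %d, pid %s)"
              % (port, ip, uid, inode, pid if pid is not None else "unknown"))
```

If the 137 row is owned by nmbd, the scanner and the name service are simply competing for the same well-known port; stopping Samba for the duration of the scan or scanning from a host that does not run it are the two options, and neither involves the firewall at all, which is Tom's point.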
I do Tom, Thanks for the pointer and your help.

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Friday, October 17, 2003 3:37 PM
To: Shorewall Users Mailing List
Subject: RE: [Shorewall-users] problems with nmap

On Fri, 2003-10-17 at 12:23, Steve Postma wrote:
> Great! Thanks Tom, that worked. Unfortunately I have a very similar problem
> running nbtscan (http://www.inetcat.org/software/nbtscan.htm) with the -r
> option(use local port 137 for scans. Win95 boxes
> respond to this only) I receive the error message " Failed to bind: Address
> already in use". Again this will run on a Redhat 9 box where shorewall is
> not installed, no entries in /var/log/messages. I had hoped to kill two
> birds with one stone...

That error message has nothing to do with firewalling, I'm afraid. Do you have Samba running on the box with Shorewall installed?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net