From: Christophe Grenier (christophe.grenierglobal-secure.fr)
Date: Tue Mar 05 2002 - 04:34:16 CST


    There is NO bug.

    With correct firewall rules, only TCP and SYN scans work.

      iptables -A INPUT -m state --state INVALID -m limit --limit 4/s -j LOG --log-prefix "INPUT INVALID "
      iptables -A INPUT -m state --state INVALID -j DROP
      iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
      iptables -A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 4/s -j LOG --log-prefix "TCP INPUT without SYN "
      iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
      iptables -A INPUT -i lo -j ACCEPT
      iptables -A INPUT -i eth0 -j to-me
      iptables -A INPUT -i eth1 -j to-me
      iptables -A INPUT -m limit --limit 4/s -j LOG --log-prefix "INPUT bad "
      iptables -A INPUT -j DROP

    where to-me is a user-defined rule in which you allow connections to certain ports.

    Extract from nmap documentation:
    > -sF -sX -sN
    > Stealth FIN, Xmas Tree, or Null scan modes:
    > <snip>
    > The idea is that closed ports are required to reply to your probe packet with an RST,
    > while open ports must ignore the packets in question (see RFC 793 pp 64).

    Your stealth packets are dropped by the firewall, check your logs.

            Christophe

    --
    Global Secure
    78, rue de la Condamine
    75017 PARIS
    Tel : 01 44 70 48 03
    Fax : 01 44 70 48 49
    Email : cgrglobal-secure.fr 
    

    > -----Original Message-----
    > From: Justin Piszcz [mailto:warstarband.net]
    > Sent: Thursday, 28 February 2002 13:27
    > To: netfilterlists.samba.org
    > Cc: vuln-devsecurityfocus.com; bugtraqsecurityfocus.com
    > Subject: Bigger bug than expected?
    >
    >
    > Further NMAP testing shows the following: (IPTables
    > 1.2.4/Kernel 2.4.18)
    >
    > nmap -P0 -sT -p 21,80 IP
    > 21/tcp filtered ftp
    > 80/tcp filtered http
    >
    > nmap -P0 -sF -p 21,80 IP
    > 21/tcp open ftp
    > 80/tcp open http
    >
    > nmap -P0 -sX -p 21,80 IP
    > 21/tcp open ftp
    > 80/tcp open http
    >
    > nmap -P0 -sN -p 21,80 IP
    > 21/tcp open ftp
    > 80/tcp open http
    >
    >
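The following is an added example, not code from either poster. It models the INPUT rules quoted above, applies the scanner inference rule quoted from the nmap documentation (closed ports answer RST, open ports stay silent), and runs a small triage pass over constructed log lines carrying the posted log prefixes. It assumes that the user-defined chain `to-me` ACCEPTs the allowed ports and otherwise returns to INPUT, that conntrack classifies a TCP packet without a SYN and without an existing entry as NEW (the case the `! --syn --state NEW` rule is written for), and that the kernel LOG target prints TCP flags between `RES=` and `URGP=`. The sample log lines, addresses and timestamps are constructed.

```python
"""Model of the posted iptables INPUT chain plus nmap's stealth-scan inference
(added example; assumptions are noted in comments)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp", ...
    iface: str                      # input interface: "lo", "eth0", "eth1"
    ctstate: str                    # conntrack state: NEW / ESTABLISHED / RELATED / INVALID
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags set on the packet, e.g. {"SYN"}


def is_syn(pkt):
    # iptables --syn means: SYN set, ACK/RST/FIN clear
    return "SYN" in pkt.flags and not (pkt.flags & {"ACK", "RST", "FIN"})


def input_verdict(pkt, allowed_ports):
    """Walk the posted INPUT rules in order; return (target, matching rule)."""
    if pkt.ctstate == "INVALID":
        return "DROP", "--state INVALID -j DROP"
    if pkt.ctstate in ("ESTABLISHED", "RELATED"):
        return "ACCEPT", "--state ESTABLISHED,RELATED -j ACCEPT"
    if pkt.proto == "tcp" and pkt.ctstate == "NEW" and not is_syn(pkt):
        return "DROP", "-p tcp ! --syn --state NEW -j DROP"
    if pkt.iface == "lo":
        return "ACCEPT", "-i lo -j ACCEPT"
    # Assumption: to-me ACCEPTs the allowed ports and RETURNs for everything else,
    # so non-allowed traffic falls through to the final LOG + DROP.
    if pkt.iface in ("eth0", "eth1") and pkt.dport in allowed_ports:
        return "ACCEPT", "-j to-me (port allowed)"
    return "DROP", "-j DROP (catch-all)"


PROBE_FLAGS = {                     # flags nmap sets for each scan type
    "-sS": frozenset({"SYN"}),
    "-sF": frozenset({"FIN"}),
    "-sX": frozenset({"FIN", "PSH", "URG"}),
    "-sN": frozenset(),
}


def scan_sees(scan, port, service_listening, allowed_ports, firewall=True):
    """What the scanner concludes for one probe against one port.
    Without the firewall a closed port answers RST and an open one stays silent
    (the RFC 793 behaviour quoted from the nmap docs). With the firewall a dropped
    probe is silence too, and the FIN/Xmas/Null scans read silence as "open"."""
    probe = Packet("tcp", "eth0", "NEW", port, PROBE_FLAGS[scan])
    if firewall and input_verdict(probe, allowed_ports)[0] == "DROP":
        reply = None
    elif "SYN" in probe.flags:
        reply = "SYN/ACK" if service_listening else "RST"
    else:
        reply = None if service_listening else "RST"
    if scan == "-sS":
        return {"SYN/ACK": "open", "RST": "closed", None: "filtered"}[reply]
    return "closed" if reply == "RST" else "open"


# Triage of the LOG lines the posted rules emit ("check your logs").
LOG_RE = re.compile(
    r"(?P<prefix>INPUT INVALID|TCP INPUT without SYN|INPUT bad) IN=\S+ .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+)(?: SPT=\d+ DPT=(?P<dpt>\d+))?")
FLAGS_RE = re.compile(r"RES=0x[0-9a-fA-F]{2} (?P<flags>(?:[A-Z]{3} )*)URGP=")
PROBE_KIND = {frozenset({"FIN"}): "FIN", frozenset({"URG", "PSH", "FIN"}): "Xmas",
              frozenset(): "Null", frozenset({"SYN"}): "SYN"}


def classify_log_line(line):
    """Return (prefix, src, dport, probe kind) for one of our LOG lines, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    kind = "other"
    if m.group("proto") == "TCP":
        f = FLAGS_RE.search(line)
        flags = frozenset(f.group("flags").split()) if f else frozenset()
        kind = PROBE_KIND.get(flags, "other")
    dpt = int(m.group("dpt")) if m.group("dpt") else None
    return m.group("prefix"), m.group("src"), dpt, kind


def summarize(lines):
    """Group dropped probes by (source, probe kind) with the ports each touched."""
    out = {}
    for line in lines:
        hit = classify_log_line(line)
        if hit is None:
            continue
        _prefix, src, dpt, kind = hit
        ports = out.setdefault((src, kind), set())
        if dpt is not None:
            ports.add(dpt)
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample log lines in the kernel LOG target's format (not from the thread).
_TAIL = "DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=1234 PROTO=TCP "
SAMPLE_LOG = [
    "Mar  5 04:12:01 fw kernel: TCP INPUT without SYN IN=eth0 OUT= SRC=192.0.2.10 "
    + _TAIL + "SPT=43210 DPT=21 WINDOW=1024 RES=0x00 FIN URGP=0",
    "Mar  5 04:12:01 fw kernel: TCP INPUT without SYN IN=eth0 OUT= SRC=192.0.2.10 "
    + _TAIL + "SPT=43211 DPT=80 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0",
    "Mar  5 04:12:02 fw kernel: TCP INPUT without SYN IN=eth0 OUT= SRC=192.0.2.10 "
    + _TAIL + "SPT=43212 DPT=80 WINDOW=1024 RES=0x00 URGP=0",
    "Mar  5 04:12:03 fw kernel: INPUT bad IN=eth0 OUT= SRC=192.0.2.10 "
    + _TAIL + "SPT=43213 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Mar  5 04:13:00 fw sshd[123]: Accepted publickey for ops from 192.0.2.20 port 50000 ssh2",
]

if __name__ == "__main__":
    for scan in ("-sS", "-sF", "-sX", "-sN"):
        print(scan, "port 21 (not allowed, no service):", scan_sees(scan, 21, False, {80}))
    print(summarize(SAMPLE_LOG))
```

Run as a script it prints "filtered" for the SYN scan and "open" for each of the FIN/Xmas/Null scans against a port that is neither allowed nor listening, which is exactly the output pattern quoted from Justin's test: the stealth probes hit the `! --syn --state NEW` DROP rule, never reach the host's TCP stack, and the scanner's "no RST means open" inference turns silence into a false "open". The summary over the constructed log lines shows where the evidence lives: one source, three probe kinds logged with the "TCP INPUT without SYN " prefix and a SYN to a non-allowed port logged with "INPUT bad ".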