# nmap problems when pf is enabled



## hamba (Apr 16, 2009)

Hi

I have a nice little script that uses nmap to scan for open ports and then uses the results to start a Nessus scan, but there are problems with nmap when I have pf enabled.

Here is an example of the problem with pf enabled

```
# /usr/local/bin/nmap -e rl0 -v -v -sS -p- -T4 -r -oA ip-to-scan ip-to-scan

Starting Nmap 4.85BETA7 ( http://nmap.org ) at 2009-04-16 10:52 BST
Initiating Ping Scan at 10:52
Scanning ip-to-scan [2 ports]
sendto in send_ip_packet: sendto(7, packet, 40, 0, ip-to-scan, 16) => Operation not permitted
Offending packet: TCP host-ip:54914 > ip-to-scan:80 A ttl=47 id=32965 iplen=10240  seq=3451414435 win=4096 ack=1376143384
Completed Ping Scan at 10:52, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:52
```

and here is the same scan with pf disabled

```
# /usr/local/bin/nmap -e rl0 -v -v -sS -p- -T4 -r -oA ip-to-scan ip-to-scan

Starting Nmap 4.85BETA7 ( http://nmap.org ) at 2009-04-16 10:53 BST
Initiating Ping Scan at 10:53
Scanning ip-to-scan [2 ports]
Completed Ping Scan at 10:53, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:53
Completed Parallel DNS resolution of 1 host. at 10:53, 0.02s elapsed
Initiating SYN Stealth Scan at 10:53
Scanning reverse-ip-to-scan (ip-to-scan) [65535 ports]
Discovered open port 22/tcp on ip-to-scan
```

Here are my pf rules

```
# macros
#
ext_if          = "rl0"
unfiltered      = "{ lo0, enc0 }"

# ports
#
all_services    = "{ http, https, ssh }"
http_ports      = "{ http, https }"

# allowed incoming ICMP types
#
icmp_types      = "{ echoreq, timex, paramprob, unreach code needfrag }"

# options
#
set block-policy drop
set optimization aggressive
set loginterface $ext_if
set limit { states 10000, frags 5000 }
set fingerprints "/etc/pf.os"

# tables
#
table <bruteforce> persist

# normalization
#
scrub in  on $ext_if all           fragment reassemble
scrub out on $ext_if all random-id fragment reassemble

# =========================================================================== #
# filter rules (default block/pass)                                           #
# =========================================================================== #

# pass on unfiltered interfaces
#
pass quick on $unfiltered

# silently drop TCP non-SYN packets, the remaining ruleset only deals with
# TCP SYNs, which always create state when passed. the ruleset basically
# deals with 'connections', not packets, beyond this point.
#
block return-rst quick proto tcp all flags /S
block return-rst quick proto tcp all flags A/A

# block and log everything by default
#
block             log
block return-rst  log inet proto tcp
block return-icmp log inet proto udp

# =========================================================================== #
# external interface (all external IPv4 traffic)                              #
# =========================================================================== #

# bruteforce
#
block quick from <bruteforce> to any

# block some known-bad ports without logging
#
block return-rst  in quick on $ext_if proto tcp from any to any port { 111, 445, 1080, 6000, 6667 }
block return-icmp in quick on $ext_if proto udp from any to any port { 137, 138, 139, 1434 }

# block and log outgoing packets that don't have my address as source, they are
# either spoofed or something is misconfigured (NAT disabled, for instance),
# we want to be nice and not send out garbage.
#
block out log quick on $ext_if inet from !($ext_if) to any

# =========================================================================== #
# TCP UDP in/out                                                              #
# =========================================================================== #

# pass out all
pass out quick on $ext_if proto tcp all
pass out quick on $ext_if proto udp all
pass out quick on $ext_if proto icmp all

# webserver
#
pass in on $ext_if inet proto tcp from any to ($ext_if) port $http_ports flags S/SA keep state

# ICMP
#
#pass out inet proto icmp all keep state
pass in  inet proto icmp all icmp-type $icmp_types keep state

# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

# =========================================================================== #
# antispoof                                                                   #
# =========================================================================== #

antispoof for $ext_if
antispoof for $unfiltered
```

I'm running on FreeBSD 7.2-PRERELEASE built on Apr 16 and all the ports are up to date.

Does anyone have an idea as to why I'm getting these messages from nmap?

Thanks
hamba
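Added example (not code from either poster): this Python snippet parses the "Offending packet" line from the pf-enabled run and checks it against the two `quick` flag rules in the ruleset above. That probe carries only ACK, so `flags /S` (SYN not set) matches first and pf rejects the packet before it leaves the host, which nmap reports as "Operation not permitted"; a plain SYN probe matches neither rule and reaches `pass out quick`. Flag semantics follow pf's `set/mask` form; the rule model is a simplification (only those two rules, no states, interfaces or tables).

```python
import re
from dataclasses import dataclass

# Constructed copy of the "Offending packet" line from the pf-enabled run above.
NMAP_LINE = ("Offending packet: TCP host-ip:54914 > ip-to-scan:80 A ttl=47 id=32965 "
             "iplen=10240  seq=3451414435 win=4096 ack=1376143384")

PKT_RE = re.compile(r"Offending packet: (?P<proto>[A-Z]+) (?P<src>\S+):(?P<sport>\d+) > "
                    r"(?P<dst>\S+):(?P<dport>\d+)\s*(?P<flags>[A-Z]*)\s+ttl=")

# The two 'quick' block rules from the posted ruleset that inspect TCP flags, in
# ruleset order. 'proto tcp all' covers both directions, and the first matching
# quick rule wins before 'pass out quick on $ext_if proto tcp all' is reached.
QUICK_FLAG_BLOCKS = [
    ("block return-rst quick proto tcp all flags /S", "/S"),
    ("block return-rst quick proto tcp all flags A/A", "A/A"),
]

@dataclass(frozen=True)
class Packet:
    proto: str
    sport: int
    dport: int
    flags: frozenset  # TCP flag letters as nmap prints them, e.g. {"A"} or {"S", "A"}

def parse_offending(line):
    """Parse one nmap 'Offending packet:' line; None if the line is not one."""
    m = PKT_RE.search(line)
    if not m:
        return None
    return Packet(m["proto"], int(m["sport"]), int(m["dport"]), frozenset(m["flags"]))

def flags_match(pkt_flags, spec):
    """pf 'flags set/mask': of the flags named in mask, exactly those in set are on."""
    set_part, mask_part = spec.split("/")
    return (set(pkt_flags) & set(mask_part)) == set(set_part)

def blocking_rule(pkt):
    """Return the first quick flags rule that rejects pkt, or None if none does."""
    if pkt.proto != "TCP":
        return None
    for text, spec in QUICK_FLAG_BLOCKS:
        if flags_match(pkt.flags, spec):
            return text
    return None

if __name__ == "__main__":
    pkt = parse_offending(NMAP_LINE)
    print(pkt, "->", blocking_rule(pkt))
```

Running it against the line from the log names the `flags /S` rule; the same check on a SYN-only probe returns None, matching the second run where the SYN scan proceeded.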


----------



## SirDice (Apr 16, 2009)

Firewalls usually modify packets, hence nmap will not function properly. Nmap relies on odd/strange packets. Firewalls don't like that. Turn the firewall off when scanning.


----------

