
Block NMAP

Hi folks, I'm just wondering if there is a way to stop the SonicWall reporting anything back to an Nmap scan.

For example, if someone runs:

nmap -sS 192.168.0.1

The firewall returns:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-08 15:36 GMT
Nmap scan report for 192.168.0.1
Host is up (0.00051s latency).
All 1000 scanned ports on 192.168.0.1 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
MAC Address: XX:XX:XX:XX:XX:XX (SonicWall)

Nmap done: 1 IP address (1 host up) scanned in 13.21 seconds

I've enabled stealth mode and disabled DNS resolution; not sure what else I can do here.

Category: Mid Range Firewalls

Answers

  • MarkD, Cybersecurity Overlord ✭✭✭

    My sarcastic side says: unplug it from the network.

    The whole idea behind Nmap is to identify devices. It may not respond to ping, but it will to an ARP; Nmap is matching the MAC address to the vendor.

    The MAC of an interface can be overridden.


  • CSCMGNT, Newbie ✭

    Okay, a question to sorta add to that: if said user runs

    nmap -sS 8.8.8.8

    Nmap scan report for 8.8.8.8
    Host is up (0.00051s latency).
    All 1000 scanned ports on 8.8.8.8 are in ignored states.
    Not shown: 1000 closed tcp ports (reset)

    I'm assuming that's the SonicWall resetting the connection as it has no outbound to the internet :)

  • MarkD, Cybersecurity Overlord ✭✭✭

    In that command you are running a TCP SYN scan with Nmap. It does appear you are blocking outbound TCP from that client (at least for the default 1000-port list).

    If your Nmap client is not blocked and all ports were open on the firewall, you should see TCP 443 (Google's DNS over HTTPS) on 8.8.8.8, and UDP 53; 8.8.8.8 also responds to ICMP.

    You won't get an ARP entry for 8.8.8.8. ARP is a mechanism to find a local MAC address and match it to an IP address (look at the example in the wiki page).

    8.8.8.8 won't be on your network, so what is returned is the MAC address of the gateway.

    BTW, your stealth mode only works on WAN and DMZ zones; turn off ICMP on the LANs in the management options.

    "1000 closed tcp ports (reset)" - also have a look at how a deny or discard rule works.

    On the Access Rules page, traffic may be blocked by specifying either the "deny" or "discard" action. Choosing the deny action means that a reset packet will be sent to the machine requesting the blocked traffic. Choosing the discard action means that no reset packet will be sent in response to blocked traffic. Instead, the firewall will act as though it were in stealth mode for the access rule in question.
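As an added illustration (not from the thread or from SonicWall), a small Python helper that reads the "Not shown" and "MAC Address" lines of an Nmap report and states what each implies about the firewall: a RST-backed "closed" result points at a deny rule, a "filtered (no-response)" result at discard, and a vendor line means the OUI is visible over ARP. The first sample report mirrors the one posted above; the second is constructed to show what the same scan looks like once the rule action is discard.

```python
import re

# Constructed sample reports. The first mirrors the one posted in the thread;
# the second is what the same scan looks like once the rule action is discard.
REPORT_DENY = """\
Nmap scan report for 192.168.0.1
Host is up (0.00051s latency).
All 1000 scanned ports on 192.168.0.1 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
MAC Address: XX:XX:XX:XX:XX:XX (SonicWall)
"""
REPORT_DISCARD = """\
Nmap scan report for 192.168.0.1
Host is up (0.00051s latency).
All 1000 scanned ports on 192.168.0.1 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: XX:XX:XX:XX:XX:XX (SonicWall)
"""

NOT_SHOWN = re.compile(r"Not shown: (\d+) (\w+) tcp ports \(([\w-]+)\)")
MAC_LINE = re.compile(r"MAC Address: (\S+) \((.*)\)")

# What Nmap's port state for a SYN probe says about the firewall's reply:
# a RST ("closed") comes from a deny rule, silence ("filtered") from discard.
STATE_TO_ACTION = {
    "closed": "deny (RST returned; host confirmed live)",
    "filtered": "discard / stealth (probe dropped, no reply)",
    "open": "allowed (SYN/ACK returned)",
}

def assess(report: str) -> dict:
    """Summarise what a SYN-scan report reveals about the scanned device."""
    result = {"ports": 0, "state": None, "reason": None,
              "action": "unknown", "mac_vendor": None, "findings": []}
    m = NOT_SHOWN.search(report)
    if m:
        result["ports"], result["state"], result["reason"] = (
            int(m.group(1)), m.group(2), m.group(3))
        result["action"] = STATE_TO_ACTION.get(result["state"], "unknown")
        if result["state"] == "closed":
            result["findings"].append(
                "RSTs leak liveness: change matching rules from deny to discard")
    v = MAC_LINE.search(report)
    if v:  # only present on the local segment, learned via ARP
        result["mac_vendor"] = v.group(2)
        result["findings"].append(
            "vendor OUI visible to ARP; only overriding the MAC hides it")
    return result
```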
