SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Several open ports normal with limited inbound services?

    Posted 12-16-2011 16:42

    Greetings,

    Do any of you folks know why I'm getting results like these...

     

    C:\Users\flannigan>nmap -sS -T4 -v -A 1.1.1.1
    Starting Nmap 5.51 ( http://nmap.org ) at 2011-12-15 10:52 Central Standard Time
    NSE: Loaded 57 scripts for scanning.
    Initiating Ping Scan at 10:52
    Scanning 1.1.1.1 [4 ports]
    Completed Ping Scan at 10:52, 0.58s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 10:52
    Completed Parallel DNS resolution of 1 host. at 10:52, 0.11s elapsed
    Initiating SYN Stealth Scan at 10:52
    Scanning 1.1.1.1 [1000 ports]
    Discovered open port 22/tcp on 1.1.1.1
    Discovered open port 443/tcp on 1.1.1.1
    Discovered open port 8001/tcp on 1.1.1.1
    Discovered open port 1011/tcp on 1.1.1.1
    Discovered open port 1783/tcp on 1.1.1.1
    Discovered open port 500/tcp on 1.1.1.1
    Discovered open port 33354/tcp on 1.1.1.1
    Discovered open port 49999/tcp on 1.1.1.1
    Discovered open port 9900/tcp on 1.1.1.1
    Discovered open port 7007/tcp on 1.1.1.1
    Discovered open port 19801/tcp on 1.1.1.1
    Discovered open port 19283/tcp on 1.1.1.1
    Discovered open port 4899/tcp on 1.1.1.1
    Discovered open port 10003/tcp on 1.1.1.1
    Discovered open port 5405/tcp on 1.1.1.1
    Discovered open port 3071/tcp on 1.1.1.1
    Discovered open port 636/tcp on 1.1.1.1
    Discovered open port 1805/tcp on 1.1.1.1
    Discovered open port 20/tcp on 1.1.1.1
    Discovered open port 6001/tcp on 1.1.1.1
    Discovered open port 1102/tcp on 1.1.1.1
    Discovered open port 4848/tcp on 1.1.1.1
    Discovered open port 2049/tcp on 1.1.1.1
    Discovered open port 666/tcp on 1.1.1.1
    Discovered open port 31337/tcp on 1.1.1.1
    Discovered open port 1000/tcp on 1.1.1.1
    Discovered open port 543/tcp on 1.1.1.1
    Discovered open port 8600/tcp on 1.1.1.1
    Discovered open port 6668/tcp on 1.1.1.1
    Discovered open port 1033/tcp on 1.1.1.1
    Discovered open port 1174/tcp on 1.1.1.1
    Discovered open port 4446/tcp on 1.1.1.1
    Discovered open port 5730/tcp on 1.1.1.1
    Discovered open port 1071/tcp on 1.1.1.1
    Discovered open port 51493/tcp on 1.1.1.1
    Discovered open port 1875/tcp on 1.1.1.1
    Discovered open port 9100/tcp on 1.1.1.1
    Discovered open port 42510/tcp on 1.1.1.1
    Discovered open port 1097/tcp on 1.1.1.1
    Discovered open port 9502/tcp on 1.1.1.1
    Discovered open port 1053/tcp on 1.1.1.1
    Discovered open port 1/tcp on 1.1.1.1
    Discovered open port 90/tcp on 1.1.1.1
    Discovered open port 32768/tcp on 1.1.1.1
    Discovered open port 49176/tcp on 1.1.1.1
    Discovered open port 2021/tcp on 1.1.1.1
    Discovered open port 8649/tcp on 1.1.1.1
    Discovered open port 51103/tcp on 1.1.1.1
    Discovered open port 515/tcp on 1.1.1.1
    Discovered open port 912/tcp on 1.1.1.1
    Discovered open port 15000/tcp on 1.1.1.1
    Discovered open port 3390/tcp on 1.1.1.1
    Discovered open port 5432/tcp on 1.1.1.1
    Discovered open port 5225/tcp on 1.1.1.1
    Discovered open port 146/tcp on 1.1.1.1
    Discovered open port 7200/tcp on 1.1.1.1
    Discovered open port 1055/tcp on 1.1.1.1
    Discovered open port 1110/tcp on 1.1.1.1
    Discovered open port 16992/tcp on 1.1.1.1
    Discovered open port 2394/tcp on 1.1.1.1
    Discovered open port 14441/tcp on 1.1.1.1
    Discovered open port 2170/tcp on 1.1.1.1
    Discovered open port 2909/tcp on 1.1.1.1
    Discovered open port 1024/tcp on 1.1.1.1
    Discovered open port 6510/tcp on 1.1.1.1
    Discovered open port 593/tcp on 1.1.1.1
    Discovered open port 544/tcp on 1.1.1.1
    Discovered open port 9050/tcp on 1.1.1.1
    Discovered open port 32774/tcp on 1.1.1.1
    Discovered open port 1183/tcp on 1.1.1.1
    Discovered open port 9535/tcp on 1.1.1.1
    Discovered open port 6006/tcp on 1.1.1.1
    Discovered open port 898/tcp on 1.1.1.1
    Discovered open port 9898/tcp on 1.1.1.1
    Discovered open port 4002/tcp on 1.1.1.1
    Discovered open port 1081/tcp on 1.1.1.1
    Discovered open port 2003/tcp on 1.1.1.1
    Discovered open port 2106/tcp on 1.1.1.1
    Discovered open port 2038/tcp on 1.1.1.1
    Discovered open port 3801/tcp on 1.1.1.1
    Discovered open port 3005/tcp on 1.1.1.1
    Discovered open port 9200/tcp on 1.1.1.1
    Discovered open port 1600/tcp on 1.1.1.1
    Discovered open port 2381/tcp on 1.1.1.1
    Discovered open port 14442/tcp on 1.1.1.1
    Discovered open port 2875/tcp on 1.1.1.1
    Discovered open port 12000/tcp on 1.1.1.1
    Discovered open port 2190/tcp on 1.1.1.1
    Discovered open port 1062/tcp on 1.1.1.1
    Discovered open port 1039/tcp on 1.1.1.1
    Discovered open port 667/tcp on 1.1.1.1
    Discovered open port 9003/tcp on 1.1.1.1
    Discovered open port 306/tcp on 1.1.1.1
    Discovered open port 161/tcp on 1.1.1.1
    Discovered open port 3128/tcp on 1.1.1.1
    Discovered open port 4000/tcp on 1.1.1.1
    Discovered open port 16993/tcp on 1.1.1.1
    Discovered open port 16012/tcp on 1.1.1.1
    Discovered open port 5280/tcp on 1.1.1.1
    Discovered open port 2910/tcp on 1.1.1.1
    Discovered open port 1501/tcp on 1.1.1.1
    Discovered open port 2702/tcp on 1.1.1.1
    Discovered open port 32781/tcp on 1.1.1.1
    Discovered open port 7000/tcp on 1.1.1.1
    Discovered open port 9618/tcp on 1.1.1.1
    Discovered open port 7676/tcp on 1.1.1.1
    Discovered open port 1001/tcp on 1.1.1.1
    Discovered open port 787/tcp on 1.1.1.1
    Discovered open port 9099/tcp on 1.1.1.1
    Discovered open port 901/tcp on 1.1.1.1

    ...with an untrust zone configured like this?

     

    fe-0/0/0.0 {
        host-inbound-traffic {
            system-services {
                ssh;
                https;
                ike;
            }
        }
    }

    At first I wondered if it had anything to do with source NAT but that doesn't make sense because several of the ports are under 1024.

    Thanks for any and all assistance.

    Flannigan



  • 2.  RE: Several open ports normal with limited inbound services?

    Posted 12-16-2011 19:05

    This may seem like an obvious question, but do you mean that 1.1.1.1 is your interface IP? Also are there any zone level services configured?



  • 3.  RE: Several open ports normal with limited inbound services?
    Best Answer

    Posted 12-16-2011 19:28

    Even if he had all services under the zone level it would not account for all those open ports.

    This is expected behavior due to TCP RST from the SRX.

    rikim has a great answer here.
    http://forums.juniper.net/t5/SRX-Services-Gateway/port-scans/m-p/35080#M2466



  • 4.  RE: Several open ports normal with limited inbound services?

    Posted 12-17-2011 14:32

    @Magraw wrote:

    Even if he had all services under the zone level it would not account for all those open ports.

    This is expected behavior due to TCP RST from the SRX.

    rikim has a great answer here.
    http://forums.juniper.net/t5/SRX-Services-Gateway/port-scans/m-p/35080#M2466


    Very interesting.  Since I don't have any tcp-rst options configured on the firewall I disabled the syn-flood tcp screen and it resolved the problem.  After re-reading the documentation I still don't understand why the RST packets are generated though; especially as the syn-flood tcp screen is enabled in the default documentation.

    Thanks,

    Flannigan



  • 5.  RE: Several open ports normal with limited inbound services?

    Posted 12-29-2011 09:53

    Are you sure that NMap works in this fashion? My understanding is that if it discovers a live host and then proceeds to scan it any RST are recognized as closed ports. However, if something in the middle like a firewall with deny policies or syn-flood protection filters the packets and silently drops them NMap will assume these ports are filtered and tag them as open.

    I just went through and tested this and was able to see that if I locked down syn-flood attack thresholds on an SRX 210 almost all of the scanned ports were filtered by the screen protection and NMap saw it as open. Once I turned off syn-flood protection completely I could see all of the RST coming back in Wireshark and sure enough NMap only showed the ports I expected to be open as open.

    I think in this case turning off syn-flood screen did the trick but not for the reason suggested. I am writing up my findings and will share if anyone wants to see them.
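    As an added example (not written by anyone in this thread and not Juniper code), the triage step the posters did by hand: parse nmap's verbose "Discovered open port" lines, diff them against the TCP ports the zone's host-inbound services actually account for, and flag the mass-false-open pattern the thread traced to the tcp syn-flood screen. The service-to-port table, the 5% threshold and the sample scan lines are assumptions constructed for the example.

```python
import re
from typing import Dict, Iterable, Set

# Assumption: the zone's host-inbound-traffic lists only ssh, https and ike,
# as in the fe-0/0/0.0 stanza quoted in the original post. IKE is UDP/500,
# so it contributes no TCP port; a reported open 500/tcp is itself suspect.
SERVICE_TCP_PORTS: Dict[str, Set[int]] = {"ssh": {22}, "https": {443}, "ike": set()}

# nmap -v prints one of these lines per port it classifies as open.
DISCOVERED_RE = re.compile(r"Discovered open port (\d+)/tcp on (\S+)")

def parse_open_tcp_ports(nmap_output: Iterable[str]) -> Set[int]:
    """Collect TCP ports that nmap's verbose output reported as open."""
    ports: Set[int] = set()
    for line in nmap_output:
        m = DISCOVERED_RE.search(line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def expected_tcp_ports(services: Iterable[str]) -> Set[int]:
    """TCP ports the SRX itself should answer on for these host-inbound services."""
    ports: Set[int] = set()
    for svc in services:
        ports |= SERVICE_TCP_PORTS.get(svc, set())
    return ports

def triage(discovered: Set[int], allowed: Set[int], scanned: int = 1000,
           mass_open_fraction: float = 0.05) -> dict:
    """Diff the scan against the config. A large set of 'open' ports that no
    service explains is the pattern the thread traced to the syn-flood screen."""
    unexpected = sorted(discovered - allowed)
    return {
        "unexpected": unexpected,
        "not_seen": sorted(allowed - discovered),
        # More than mass_open_fraction of the scanned ports unexplained:
        # suspect a middlebox answering for the host rather than real listeners.
        "suspect_screen": len(unexpected) > scanned * mass_open_fraction,
    }

# Constructed sample in the shape of the post's scan output (not the real scan).
SAMPLE_OUTPUT = """Discovered open port 22/tcp on 1.1.1.1
Discovered open port 443/tcp on 1.1.1.1
Discovered open port 8001/tcp on 1.1.1.1
Discovered open port 500/tcp on 1.1.1.1
Discovered open port 31337/tcp on 1.1.1.1
""".splitlines()

if __name__ == "__main__":
    print(triage(parse_open_tcp_ports(SAMPLE_OUTPUT), expected_tcp_ports(["ssh", "https", "ike"])))
```

    When suspect_screen is set, confirm in a capture whether the SYN-ACKs are real listeners or screen-generated before touching the screen config, as post 5 did with Wireshark.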