nmap'ing myself

Norm Vilmer norm at etherealconsulting.com
Thu Oct 7 13:56:44 PDT 2004


Chuck Swiger wrote:

> Norm Vilmer wrote:
> [ ... ]
> 
>> My question is: from a "well" configured firewall, "Should" I be able 
>> to nmap the public interface using a console session on the firewall
>> itself?
> 
> 
> Sure.  nmap should return close to zero open ports.
> 
>> Will allowing this compromise the security of the machine?
> 
> 
> nmap doesn't compromise the security of your machine.  Having open ports 
> connected to vulnerable services is the primary security risk.
> 
>> Basically, should I even attempt to make this work?
> 
> 
> What is "this"?
> 
>> What's a good way to test your own firewall without driving down
>> the road (and hacking into an unsecured linksys wireless router....
>> just kidding)?
> 
> 
> Put another machine on the subnet of your external interface, and do an 
> nmap scan from there.  That represents what your ISP would see, or a bad 
> guy who compromised the ISP possibly up through the DSL modem you have.
> 
Sorry about the ambiguity, I was referring to loosening my firewall rules
and other settings to allow nmap to work properly. If it "should" work,
then I have things either misconfigured or tightened down too much.

Connecting a machine to the public subnet won't work for
me. My ISP uses PPPoE, I have one static IP assigned to my firewall's
MAC address. I tried it, just to see if it would assign the other
machine a dynamic IP if I made a PPPoE connection, but it doesn't.

I tried the ShieldsUp website, but it did not work from links (gui-less).





More information about the freebsd-questions mailing list