Netgear DG834 - blocking port 80

A friend has recently acquired a Netgear DG834 router. He informs me
that the Sygate firewall test shows port 80 is open, even though he has
made no configuration changes and the default incoming "block all" rule
is the only one present. All I have managed to find out by Googling is
a suggestion that Netgear routers normally leave ports 80 and 21 open
by default. If that is the case, I would have thought I would have
found people wanting to close these ports, because surely there is no
need to have port 80 open unless you want to allow external access to a
web server on your computer? I downloaded a PDF manual for the router,
and nothing in there suggests that any ports are open by default.

Do DG834 routers normally leave port 80 open, and if so, is it possible
to close it?


Re: Netgear DG834 - blocking port 80


spambucket@tech-pro.co.uk wrote:

without a server listening on that port, it just doesn't matter.

if you wish, you can always add as the last rule
    deny inbound all ip all ports tcp/udp nolog

depending upon your OS, you may then need to enable some LAN input
access, eg file/print sharing on 139,445; dhcp, bootp

Re: Netgear DG834 - blocking port 80



Jeff B wrote:


Then why do many people say that it's better for all ports to be not
just closed but stealthed? An open port, even without a server
listening, is telling the world that there is a system there that is
potentially attackable. When I try these test sites from my own system,
which has an SMC router / firewall, nothing at all is detected.


I'll suggest that he tries that.


Why would you need to allow LAN access from the internet?


Re: Netgear DG834 - blocking port 80


spambucket@tech-pro.co.uk wrote:

Yeah, I'm configured that way too.  It's like a burglar going around testing
the locks on all the external doors/windows -- the issue is not which
one is locked, but whether they are ALL secured.



Poor choice of wording.  The perimeter firewall/router should ALWAYS
deny ports 135-139, 445.  The internal LAN systems will need these
(specifically MS Windoz) for various reasons, including file/print
sharing.  Samba also uses 139/445.


Re: Netgear DG834 - blocking port 80


spambucket@tech-pro.co.uk wrote:


Because they have no clue what they are talking about?


There is no open port without a server listening. A port is open if and
only if a server is listening there. Certainly there are some broken
tools out there that will show a port open even if it is not.


I doubt this. I would assume the test shows all ports stealthed. Which
in turn leaves no doubt that there is a system trying to hide.


This should be standard - at least on the WAN interface.

Regards
Thomas


Re: Netgear DG834 - blocking port 80



spambucket@tech-pro.co.uk wrote:
<snip>

look up the topic of "port forwarding" in the manual.  It really should
be clear there which ports are forwarded. How to add/delete a "port
forwarding entry".  You want to delete the entry that forwards port 80
(if there is one).


Re: Netgear DG834 - blocking port 80



q_q_anonymous@yahoo.co.uk wrote:


That's the trouble. There isn't one. There is only the one default rule
that appears to say that it is blocking everything inbound.


Re: Netgear DG834 - blocking port 80



spambucket@tech-pro.co.uk wrote:


OK.
There are a few possible tests you can do. These are
alternatives/contain alternatives.

I've never posted this - and it's a lot, and I'm no expert on security.
There are questions of security... But these tests work for me. I
suggest waiting for other responses, in case others have a better idea,
or anything to add or an important point to make.

Test 1 is totally safe.

Test 2 has some questions, but is slightly better, and is sort of more
conclusive than Test 1, as it's possible that after Test 1 we are
still inconclusive and need Test 2, whereas Test 2 can stand alone under
all possibilities.

An objection to Test 2 might be:
  - find a more secure server; there are others that are easy and quick
to set up!!
  and possibly an answer to a safe way to set up a server that isn't
too paranoid is disconnecting from the internet, setting the
firewall, reconnecting. Too paranoid? Causing too much hassle? I
think it's reasonable. Not sure if blocking everything except the port
scanner is over-paranoid, but if it's not too much hassle, I think it's
reasonable.
Is it TOO unsafe if for 5 min you have a server running and open to
everybody? (I never had any problems doing that. But at the same time,
I don't do online banking or run a business from this computer or
anything like that.)

Anyhow, here we go.

Test 1
With this one, you needn't install any extra servers.

1. Using (whichever host firewall) either the ZA FW or the Windows FW.
(Only have 1 FW on - you almost certainly do anyway, since the 'personal
firewalls' I tried turn the Windows firewall off.)
2. Make an exception for port 80.
An alternative to 1 and 2 is to turn the host firewall off
completely. That is less safe, though it should be OK if you have no
servers - no standard Windows servers like 'file and printer sharing'
or NetBIOS. I suppose there'll be RPC - port 135. But your router will
block all the ports anyway. So it's not *that* unsafe.
3. Go to an online port scanner like grc.com "Shields Up" (much of his
information is a con, but his port scanner works).
4. Scan some arbitrary ports: port 61, port 32.
Does it say Stealth? Or does it say Closed? (Don't think that one
is more secure than the other; that is Gibson's propaganda. But this is a
useful test.)
Note that result. It will be the same for port 61 and 32 or 91 or any
arbitrary one.
5. Scan port 80. Does it say stealth, or does it say closed?

If 4) stealth, 5) closed:
it means port 80 is open.

If 4) closed, 5) stealth:
it means you did steps 1-2 wrong.

If 4) closed, 5) closed:
it means we don't know. So do Test 2 (which is an alternative to
Test 1).


Test 2
A very simple test. The only thing I question is how to do it safely
and without paranoia (perhaps you don't want to be TOO safe; it can get
philosophical)...

Or in a way that is safe at a level that other posters here agree with!

Like Test 1's steps 1, 2 and the alternative, it
involves either making an exception for port 80 in your firewall, or
turning your firewall off. You have a NAT router, so turning it off
isn't so unsafe.

Run a server on port 80, do a scan on port 80; if it says open, then
the router's port is open.

Regarding running a server: a paranoidly, insanely safe way of doing
this might be to get the program (it should be some server reliably secure
against exploits), disconnect from the internet, run the
server, set the firewall (to only allow the IP/IPs of the port scanner),
then reconnect to the internet.
Though you'll only have the server running for 5 minutes anyway.

Some Windows servers that are quick to set up are Quick n Easy FTP,
BPFTP, and BRS WebWeaver.
Though they may not be that secure against exploits. So maybe there are
more appropriate ones.

But in this test, I'd set up one of those on port 80 (not port 21).

And you could set the firewall to only allow the IP of the port scanner
(for Gibson I think it's 4.79.x.y). Or you could just let anybody
connect. It's only up for 5 minutes or 10 seconds anyway.

Do a web scan, e.g. using grc, of port 80.
If it says "open", then the port on your router is forwarded. (The test
concludes that port 80 is open on the router.)
If it says closed or stealth, then the test concludes you're OK, assuming
you set up the server on port 80. But, to make sure you did that
correctly, check that the server is actually running: do netstat -aon
(at the cmd prompt) and look for 0.0.0.0:80 once the server starts.

Turn the server off, firewall back on, remove any exception for
(incoming) port 80.
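The probe-and-interpret logic of the two tests above, written out as an added example; this is not code from the thread, from grc.com, or from any of the servers the post names. It does locally what an online scanner does for one TCP port (open = handshake completes, closed = RST comes back and the connect is refused, stealth = nothing comes back before the timeout), runs a throwaway listener so the probe can be exercised, and encodes the post's Test 1 decision table. Assumptions: the listener is bound to loopback only for the demonstration (the real Test 2 binds 0.0.0.0:80 so the scanner can reach it through the router), the 2-second timeout, and the stealth/stealth row of the table, which the post does not cover.

```python
import socket
import threading
from dataclasses import dataclass


def classify_port(host: str, port: int, timeout: float = 2.0) -> str:
    """TCP connect probe reporting what the online scanners in the post report:
    'open' (handshake completed), 'closed' (RST back, seen as a refused
    connection) or 'stealth' (nothing back before the timeout)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "stealth"
    except OSError:
        return "unreachable"   # e.g. no route to host; says nothing about the port
    finally:
        sock.close()


@dataclass
class Listener:
    port: int
    stop: threading.Event
    thread: threading.Thread


def start_throwaway_listener(port: int = 0, host: str = "127.0.0.1") -> Listener:
    """Run a do-nothing TCP server (accept and hang up) in a thread.  Bound to
    loopback here so the demo never exposes anything (assumption for the demo);
    the post's Test 2 would bind 0.0.0.0 on port 80 so the scanner can reach it
    through the router.  port=0 asks the OS for any free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    srv.settimeout(0.2)          # lets the accept loop poll the stop flag
    stop = threading.Event()

    def accept_loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()     # the completed handshake is all a scanner needs
            except socket.timeout:
                continue
            except OSError:
                break
        srv.close()              # closed by the owning thread: no blocked accept

    thread = threading.Thread(target=accept_loop, daemon=True)
    thread.start()
    return Listener(srv.getsockname()[1], stop, thread)


def stop_listener(listener: Listener) -> None:
    """Stop the server and wait until its socket is really closed, so that a
    probe afterwards sees 'closed' rather than racing the shutdown."""
    listener.stop.set()
    listener.thread.join()


def interpret_test1(arbitrary_port: str, port_80: str) -> str:
    """Decision table from the post's Test 1 (host firewall already accepting
    port 80).  The stealth/stealth row is an assumption the post does not state."""
    table = {
        ("stealth", "closed"): "port 80 is forwarded by the router",
        ("closed", "stealth"): "host firewall exception for port 80 is wrong",
        ("closed", "closed"): "inconclusive; run Test 2",
        ("stealth", "stealth"): "port 80 is not forwarded (assumption)",
    }
    return table.get((arbitrary_port, port_80), "unexpected combination")


if __name__ == "__main__":
    lst = start_throwaway_listener()
    print(lst.port, classify_port("127.0.0.1", lst.port))   # open
    stop_listener(lst)
    print(lst.port, classify_port("127.0.0.1", lst.port))   # closed
    print(interpret_test1("stealth", "closed"))
```

Run from the LAN side this only tells you what the host itself answers; the result that matters for the question in the thread is the one seen from outside the router, which is why the post hands the probing to a remote scanner and keeps the local server up only long enough for that one scan.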


Re: Netgear DG834 - blocking port 80


Just a few comments for you...

Is your friend's ISP using a Transparent Proxy?  One website
that tests for this is (http://www.helpbytes.co.uk/tproxy.php).

Your friend should be aware that the Netgear DG834 series runs
Linux and Netfilter (iptables can be used to at least view the
actual configuration via the DG834's telnet interface (Google
for further information if interested)).

Most DG834 variants that I've seen leave a number of ports
open and/or "unstealthed" by default.  The default INBOUND
"Block always" firewall rule lies.  TCP ports 1863, 1864, 4443,
5190, and 5566 are probably OPEN.  TCP ports 40000-40099
and UDP ports 40000-41000 are probably UNSTEALTHED.  Many
of the websites that provide port-scanning only test more
common ports by default; your friend will need to search
for these ports specifically ("Custom Port-Probe" etc.).

If your friend has the time and can find a site (or a remote
friend with Nmap) that will perform the testing, scanning all
65535 TCP and 65535 UDP ports would be a better indicator of
exactly which ports are OPEN, CLOSED, or STEALTHED.

What I would recommend to your friend would be what I would
recommend to all Netgear DG834 owners.  Simply add a DUPLICATE
"Block always" (Block Drop) firewall rule to the INBOUND firewall rules
(#1 Enable (tick-box) Any(ALL) Block always Any Any Never).

Should your friend wish to allow some types of connection attempts
originating from the Internet at some point in the future, all
they would need to do is add an appropriate rule to the
INBOUND rules so that the new rule(s) appear ABOVE (before)
the DUPLICATE "Block always" rule.

The Linux Netfilter firewall reads firewall rules from top
to bottom; the first matching rule "wins".
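The first-match-wins evaluation the post describes, as an added example; this is not the DG834's own code, configuration format, or the output of its telnet interface. The block models an inbound rule table with fields shaped loosely after the router's (enable flag, protocol/service, destination port range, action, WAN source), evaluates a connection against it top to bottom, and renders the same table as the equivalent iptables commands so the ordering argument is visible in netfilter terms. Assumptions: the Rule field names, the single-IPv4 source match, the INPUT chain name, and that anything no rule matches is blocked.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    enabled: bool                       # the rule table's tick-box
    proto: str                          # "tcp", "udp" or "any"
    dports: Optional[Tuple[int, int]]   # inclusive port range, None = any port
    action: str                         # "allow" or "block"
    src: str = "any"                    # WAN source: "any" or one IPv4 address

    def matches(self, proto: str, dport: int, src: str) -> bool:
        if not self.enabled:
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dports is not None and not (self.dports[0] <= dport <= self.dports[1]):
            return False
        if self.src != "any" and self.src != src:
            return False
        return True


# Shape of the router's default inbound rule: Any / Block always / Any / Any.
BLOCK_ALWAYS = Rule(True, "any", None, "block")


def decide(rules: List[Rule], proto: str, dport: int, src: str = "203.0.113.9") -> str:
    """Top to bottom, first matching enabled rule wins.  Assumption: a
    connection no rule matches is blocked (the post's duplicate block rule at
    the bottom makes this explicit instead of relying on it)."""
    for rule in rules:
        if rule.matches(proto, dport, src):
            return rule.action
    return "block"


def to_iptables(rules: List[Rule], chain: str = "INPUT") -> List[str]:
    """Render the table as iptables -A commands.  -A appends, so emitting the
    rules top to bottom reproduces the same first-match order in netfilter.
    A port-restricted 'any' rule becomes one tcp and one udp rule, because
    --dport is only valid with -p tcp/udp."""
    lines = []
    for r in rules:
        if not r.enabled:
            continue
        protos = [r.proto] if r.proto != "any" else (["tcp", "udp"] if r.dports else ["any"])
        for proto in protos:
            parts = ["iptables", "-A", chain]
            if proto != "any":
                parts += ["-p", proto]
            if r.dports is not None:
                lo, hi = r.dports
                parts += ["--dport", str(lo) if lo == hi else f"{lo}:{hi}"]
            if r.src != "any":
                parts += ["-s", r.src]
            parts += ["-j", "ACCEPT" if r.action == "allow" else "DROP"]
            lines.append(" ".join(parts))
    return lines


def demo() -> dict:
    allow_web = Rule(True, "tcp", (80, 80), "allow")
    # The post's recommendation: allow rules above, duplicate block rule at the bottom.
    good = [allow_web, BLOCK_ALWAYS, BLOCK_ALWAYS]
    # Same rules in the wrong order: the block rule shadows the allow rule.
    bad = [BLOCK_ALWAYS, allow_web]
    return {
        "good_80": decide(good, "tcp", 80),
        "good_22": decide(good, "tcp", 22),
        "bad_80": decide(bad, "tcp", 80),
        "iptables": to_iptables(good),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The same model also shows why a disabled allow rule or one placed below the block rule is invisible to traffic, which is the check to make when a port-scan result disagrees with what the rule table appears to say.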

