Port scan from grc.com fails 1st time passes the 2nd?

We have a NAT router with SPI protecting our small LAN.

When I go to grc.com and run the Shields Up scan on common ports, it shows the following ports as open: 21, 23 and 80. If I run the scan again a few seconds later all ports show as stealthed. If I leave it for a few minutes and run the scan again the ports are open again.

OK so the firewall is "reacting" to an intrusion attempt, but wouldn't it be better to be closed or stealthed the FIRST time an intrusion was attempted? Can anyone comment on this router's behaviour? I have never seen a router do this before. Is it a potential risk, or is it being "smart"?

Thanks

Paul

Reply to
Paul H

Do you have any services that need those ports? If so, then the router is reacting to what it thinks is an intrusion by dropping requests to those ports.

Reply to
Renegade

"Paul H" wrote in news:13jYd.3226$ snipped-for-privacy@newsfe5-gui.ntli.net:

What router are you talking about? Stealth means nothing to the router. The machine or machines are *stealth* because they are behind the router. The ports on the router are *closed* by default. The only way they are open is due to a machine running a program and the program is making a solicitation to a remote IP causing the port(s) to *ONLY* (especially true with SPI) be open to that traffic. Or you have configured the router by doing port forwarding to open (and leave open) to the public Internet specified inbound ports for a specific program to listen on those port(s).

You should seek out some other testing sites and not depend solely on the Gibson site to tell you what's happening with the ports.

And if the NAT router is like most NAT routers, then it's likely a NAT (no true firewall) router with FW like features.

Duane :)

Reply to
Duane Arnold

Thanks Duane,

I've done some more testing as you suggested..

I am running these tests on a Windows 2000 PC with no personal firewall on the LAN. The router is an MRi AS502. As far as I understand, "Stealth" in the context and terminology of a web based port scanner is a port on a host/router/whatever that is both closed and invisible to the outside world... but I've been wrong before. ;O)

I have also run a Sygate quick scan and the same ports were reported as open. I repeated the scan several times and got the same results each time. I also tried the scan at hackerwatch.com and found the same ports were reported as open.

What is going on here? To summarise:

1st scan using grc.com's ShieldsUp reports ports 21, 23 and 80 are open.
2nd scan using grc.com's ShieldsUp reports all ports stealthed.
Several scans at sygatetech and hackerwatch consistently report these three ports are open.

Are these ports open? If they are then it would seem that ShieldsUp is a very dangerous and misleading tool.

Regards,

Paul

Reply to
Paul H

Thanks Renegade,

After further testing that doesn't seem to be what's happening..

I have also run a Sygate quick scan and the same ports were reported as open. I repeated the scan several times and got the same results each time. I also tried the scan at hackerwatch.com and found the same ports were also reported as open.

What is going on here? To summarise:

1st scan using grc.com's ShieldsUp reports ports 21, 23 and 80 are open.
2nd scan using grc.com's ShieldsUp reports all ports stealthed.
Several scans at sygatetech and hackerwatch consistently report these three ports are open.

Are they open? If they are then it would seem that ShieldsUp is a very dangerous and misleading tool.

What do you think?

Paul

PS. I just want to know what's happening here before I set the router back to the factory defaults.

Reply to
Paul H

You could also try scanning your system from a different machine. There are several live-CD Linux distros that have scanning tools like Nessus and nmap already installed. Download and burn one of those ISOs, boot a neighbor's (or friend's... you get the idea) PC with that and scan your own network. Then you know what is going on by looking at the logs. :)

Reply to
Renegade

The best I can tell you is use Active Ports (free) and see if ports are open due to website contact with the machine behind the router. There could be something running on the machine that has the ports open. If the router has logging, then review the logs for in- and outbound traffic during the test.

All routers are not created equal so it could be that too.

One thing you could try if the router has a DMZ is to port forward the port to a dummy private-side router IP (kind of like sending the traffic nowhere) and see if you can pass the test.

Duane :)

Reply to
Duane Arnold

0791 Internet Protocol. J. Postel. Sep-01-1981. (Format: TXT=97779 bytes) (Obsoletes RFC0760) (Updated by RFC1349) (Also STD0005) (Status: STANDARD)
0792 Internet Control Message Protocol. J. Postel. Sep-01-1981. (Format: TXT=30404 bytes) (Obsoletes RFC0777) (Updated by RFC0950) (Also STD0005) (Status: STANDARD)
0793 Transmission Control Protocol. J. Postel. Sep-01-1981. (Format: TXT=172710 bytes) (Updated by RFC3168) (Also STD0007) (Status: STANDARD)
1180 TCP/IP tutorial. T.J. Socolofsky, C.J. Kale. Jan-01-1991. (Format: TXT=65494 bytes) (Status: INFORMATIONAL)

You can find those RFCs at any IETF mirror on the web. In the mirror's URL, replace the four zeros with the FOUR digit document number (0791 not 791).

Ports are either open or closed. They are open when there is some server program listening to the port. For example port 80 would be open on your system if you are running a web server. If there is no server program listening to the port, then the port is closed.

'Stealth' is a marketing term invented by grc.com's Steve Gibson where the _operating system_ is blocked from returning an ICMP Unreachable (Type 3) error message to a host that is trying to reach a closed port. He apparently thinks that by not saying anything, your computer is "invisible". This is apparently because he never bothered to look at a traceroute output. When a host is truly not there (turned off or disconnected), the router one step closer will send an ICMP Host Unreachable error. If that error is not received, then the destination host exists, but has its pants down, and is bending over with its head in the sand: "La, La, La, I can't see you, you must not exist, La, La, La." Some networks block pings (which breaks the windoze version of "TRACERT"), while others block ICMP outbound. There are easy ways to detect this, but these require thinking and logic.

Some personal firewalls can be configured to send this 'ICMP Host Unreachable' message, and that's great. The only problem is that the Host Unreachable message is coming from the host that is supposed to be unreachable. What did I say about thinking and logic?

What do you see if you try to telnet (preferred) or point your web browser at those three ports on localhost (or the specific IP address you have been testing)? Do you get

[compton ~]$ telnet localhost 21
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

and some welcoming message, or do you get

[compton ~]$ telnet localhost 21
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
[compton ~]$

Most home firewalls default to logging connection attempts, so they can show that they are on the job and protecting you from the malicious world. So, what shows up in your logs? As for the ShieldsUp site, I'd bet if you did some research at google on that site, or on Steve Gibson, you might find a lot of opinions both ways.

Old guy

Reply to
Moe Trin
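As an added illustration that is not part of the thread, the following Python connect probe maps what the operating system reports back to the open/closed/stealth vocabulary used above, and includes a constructed localhost check (a throwaway listener beside a port nothing listens on) in the spirit of the telnet-to-localhost test Moe Trin suggests. The "unreachable" state is an assumption added here, following his traceroute argument that a router answers with ICMP unreachable for a host that is really absent.

```python
import errno
import socket

# Port states in the terminology the web scanners in this thread use.
OPEN, CLOSED, STEALTH, UNREACHABLE = "open", "closed", "stealth", "unreachable"


def probe_tcp_port(host, port, timeout=2.0):
    """Attempt one TCP connect and map the reply to the scanners' vocabulary:
    open = handshake completed, a program is listening; closed = the host
    refused promptly (TCP RST); unreachable = a router answered for the host
    with ICMP unreachable; stealth = no reply before the timeout (dropped)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return OPEN
    except ConnectionRefusedError:
        return CLOSED
    except socket.timeout:
        return STEALTH
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return UNREACHABLE
        raise
    finally:
        sock.close()


def scan_ports(host, ports, timeout=2.0):
    """Probe each port in turn and return {port: state}."""
    return {port: probe_tcp_port(host, port, timeout) for port in ports}


def demo_localhost():
    """Constructed check on 127.0.0.1: one throwaway listener, one silent port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)  # the kernel completes handshakes from the backlog, no accept() needed
    listening = srv.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    silent = spare.getsockname()[1]
    spare.close()  # released without ever listening: connects there are now refused
    try:
        return scan_ports("127.0.0.1", [listening, silent])
    finally:
        srv.close()
```

Running scan_ports("127.0.0.1", [21, 23, 80]) on the PC under test reproduces the telnet check from the post for all three ports at once.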
