As I understand, when the external interface of a firewall is being scanned by "nessus", "nmap", or/and other scanning tools, one should not be able to "see" any open services, EVEN though services, e.g., web, mail, ftp, are publishing their services using the IP address of the external interface of the firewall.
Recently, a security consultant explained to me that the stealth mode of a firewall means just that the firewall does not respond to ICMP only; therefore, when the firewall is scanned, the services published using that IP address are still visible/reported.
Stealthing is just misunderstanding protocols. Usually, people mean "not sending ICMP port unreachable or TCP RST on an incoming TCP SYN" when they're using the term "stealthing".
This breaches TCP and/or ICMP. And that's all. There is no gain in security by doing so at all.
But if a TCP server is listening on an interface, and the service should work, then of course the TCP server has to do a TCP handshake when a connection is tried. So of course, everybody who tries out a connection will "see" this server.
A wise man once said: If you want to get a good answer, you should ask a reasonable question first. He wanted comments, he got comments. I don't know if he just wanted to hear that this consultant was wrong, or that he was wrong as well, or that "stealth" is stupid as well. Maybe he just wanted to hear what he would like to hear. Or maybe he wanted candy.
If he knew about it - maybe so. If he knew how to use google, he wouldn't have had to ask in the first place. But he doesn't know that - so either give him the clues or don't bother wasting everyone's time and bandwidth with totally useless non-answers.
Posting from... windoze. No, a scanning tool will get one of three results looking at a single port.
CLOSED The remote host said "no service here" either because there is no server running on that port, or a firewall is restricting what addresses may connect.
OPEN There is a server running, and at least the initial stage of a connection is made.
FILTERED No answer received (open _or_ closed) because of a firewall.
Thing is, there are 65000+ TCP ports, _another_ 65000+ UDP ports, and 135+ other protocols besides TCP and UDP. If you want to remain invisible, not only does your firewall have to remain silent for all of those ports and all of those protocols, but your _upstream_ has also got to remain silent as well. Think how the Internet works. You don't connect via a direct wire to every system. You send packets to a router, and that router sends it to another, and that one sends it to another... this continues until it reaches the destination. At any step along the way, a router can go down, and then the router _before_ it sends back a message that says "can't get there". Where "stealth" fails is that message. Your ISP sees that you are connected, so it _doesn't_ send back that message. So if I get nothing at all - I know you exist, but are trying to hide.
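The three port states described in the post above, shown with a small connect()-style probe. This is an added example, not code from anyone in this thread: it starts a throwaway TCP listener on the loopback interface (constructed test fixture), probes it while it is up (handshake completes, so "open"), then probes the same port after it is closed (the kernel answers with a RST, so "closed"); a timeout or ICMP error is reported as "filtered". The point it illustrates is the thread's: a service that is actually listening completes the handshake no matter how "stealthy" the firewall is configured, so it is always visible to whoever connects. Useful for checking what your own hosts really expose.

```python
import socket


def probe_tcp(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port the way a plain connect() scan does.

    open     - the three-way handshake completed, so something is listening
    closed   - the host answered the SYN with a TCP RST (connection refused)
    filtered - no usable answer: the attempt timed out, or an ICMP error
               came back; a scanner cannot tell open from closed here
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"


def start_listener(host: str = "127.0.0.1"):
    """Start a throwaway TCP service on an ephemeral loopback port.

    Returns (server_socket, port). No accept() loop is needed: the kernel
    completes the handshake for a listening socket on its own, which is
    exactly why a published service can never be hidden from a scanner.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))  # port 0 = let the OS pick a free port
    srv.listen(5)
    return srv, srv.getsockname()[1]


def demo() -> dict:
    """Probe the same loopback port while a service is up and after it is gone."""
    srv, port = start_listener()
    try:
        while_listening = probe_tcp("127.0.0.1", port)
    finally:
        srv.close()
    after_close = probe_tcp("127.0.0.1", port)
    return {"port": port, "listening": while_listening, "closed": after_close}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

On a real external interface the "filtered" result is the one a silent (stealthed) firewall produces for ports with no service behind them; as the post notes, that silence by itself tells the scanner the address is in use, and any port that is actually published still comes back "open".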
If that's really what was said, find a new consultant - this one has serious knowledge problems. That is like ignoring someone who speaks using language A - say Armenian, and then when the person tries to speak using language B - say Belgian, you act normally.
I almost forgot, you KF me after I posted that your POC didn't work on any of my computers that were properly secured - in fact, you didn't even reply saying anything, except that you KF me since you needed to hide the fact that your POC is just a trick.