Port Scanning on WAN IP of Speedtouch 530

I am port scanning with XP my router's external IP address (nikos.no-ip.org) and I see, apart from the port I am forwarding, also ports 21 and 23 as open.

I never opened them. Why are they open?

I am using a Speedtouch 530. Thoughts? Provider did this?

Also I can't disable them from my router's web configuration panel. It has no option.

Reply to
Nikos

I doubt that they are open. You should scan with something else.

The ISP has no control over the configuration of your router.

You want to write English here.

Duane :)

Reply to
Duane Arnold

Duane, why do you say it's not open? If it's not open, why do 3 scanners say they are? Of course I am scanning from my own PC.

Also you say "The ISP has no control over the configuration of your router." Here I have to say that this modem was sent to me by them.

Reply to
Νίκος

The firmware for the router modem on its own without some kind of configuration by someone is not going to have ports open. They are closed by default on the NAT router.

You see some agreement with them that they were going to remote access your router modem and configure it?

If the ISP has configured that modem/router to open ports, you would clearly see that in the configuration screens some kind of way like maybe some remote configuration access to the router.

Do you see it? After all, it's setting in front of you and you can also call your ISP and ask if they have some kind of remote configuration to your router.

If you're concerned about some ports you think are open, then port forward the ports to a dummy IP in the DMZ if the router has a DMZ and you'll pass the tests for what that's worth.

Duane :)

Reply to
Duane Arnold

In the web panel I see an option called Remote assistance but I have it disabled.

Also I only have 1 host, so OK, let's say I forward ports 21 and 23 to 10.0.0.1 (localhost): how can I see the output, since no program awaits input from those forwarded ports?
Reply to
Νίκος

So you're saying that you have disabled remote assist and the ports are still open when you do the scan?

If the router has a syslog, then you would be able to see traffic being directed to the dummy IP in the DMZ. If you don't have a syslog, you won't see it.

So, I'll assume you only have one machine behind the router connected to it. Then forward the ports to any IP on the router no machine has a possibility of using that IP on the router.

Duane :)

Reply to
Duane Arnold

Yes.

My router doesn't have a syslog functionality. Just an event viewer. Maybe this is it? It's like this:

Mar 18 21:15:31 LOGOUT User Nikos logged out on FTP (10.0.0.1)

Info Mar 18 21:15:31 LOGIN User Nikos logged in on FTP (10.0.0.1)

Error Mar 18 21:15:30 FIREWALL exact tcp seqnr check (1 of 3): Protocol: TCP Src ip: 10.0.0.1 Src port: 30180 Dst ip: 88.209.203.130 Dst port: 2874

Info Mar 18 21:15:01 LOGOUT User Nikos logged out on FTP (10.0.0.1)

Info Mar 18 21:15:01 LOGIN User Nikos logged in on FTP (10.0.0.1)

Warning Mar 18 21:14:57 FIREWALL rule (1 of 4) : Protocol: TCP Src ip: 82.209.245.175 Src port: 49212 Dst ip: 10.0.0.1 Dst port: 80 Chain: forward_host_service Rule Id: 1 Action: accept

Info Mar 18 21:14:31 LOGOUT User Nikos logged out on FTP (10.0.0.1)

What's a dummy IP and what's a DMZ? Sorry, I don't follow.

Reply to
Νίκος
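Added example (not part of the original thread): one way to check the router's event viewer for outside hosts reaching ports 21 or 23, using the FIREWALL line layout quoted in the post above. The LAN range 10.0.0.0/24 is an assumption based on the thread's 10.0.0.x addresses, and the last two FIREWALL lines in the sample are constructed.

```python
import ipaddress
import re

# Field layout follows the FIREWALL lines quoted in the thread.
FW_RE = re.compile(
    r"(?P<ts>\w{3} +\d+ [\d:]{8}) FIREWALL (?P<what>.*?)\s*:\s*"
    r"Protocol: (?P<proto>\w+) "
    r"Src ip: (?P<src>\S+) Src port: (?P<sport>\d+) "
    r"Dst ip: (?P<dst>\S+) Dst port: (?P<dport>\d+)"
    r"(?: Chain: (?P<chain>\S+) Rule Id: (?P<rule>\d+) Action: (?P<action>\w+))?"
)
WATCH_PORTS = {21, 23}                     # FTP and Telnet, the ports the scan reported
LAN = ipaddress.ip_network("10.0.0.0/24")  # assumption: LAN range used in the thread

SAMPLE = [
    # First three lines are copied from the thread.
    "Info Mar 18 21:15:01 LOGIN User Nikos logged in on FTP (10.0.0.1)",
    "Error Mar 18 21:15:30 FIREWALL exact tcp seqnr check (1 of 3): Protocol: TCP "
    "Src ip: 10.0.0.1 Src port: 30180 Dst ip: 88.209.203.130 Dst port: 2874",
    "Warning Mar 18 21:14:57 FIREWALL rule (1 of 4) : Protocol: TCP "
    "Src ip: 82.209.245.175 Src port: 49212 Dst ip: 10.0.0.1 Dst port: 80 "
    "Chain: forward_host_service Rule Id: 1 Action: accept",
    # Constructed lines (documentation address 203.0.113.7, made-up rule id).
    "Warning Mar 18 21:16:02 FIREWALL rule (1 of 4) : Protocol: TCP "
    "Src ip: 203.0.113.7 Src port: 40112 Dst ip: 10.0.0.1 Dst port: 23 "
    "Chain: forward_host_service Rule Id: 2 Action: accept",
    "Warning Mar 18 21:16:05 FIREWALL rule (1 of 4) : Protocol: TCP "
    "Src ip: 10.0.0.1 Src port: 30200 Dst ip: 10.0.0.254 Dst port: 21 "
    "Chain: forward_host_service Rule Id: 2 Action: accept",
]

def parse(line):
    """Return the firewall fields of one event-viewer line, or None for other events."""
    m = FW_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev

def wan_hits(lines, ports=WATCH_PORTS):
    """Firewall events where a source outside the LAN reached a watched port."""
    hits = []
    for line in lines:
        ev = parse(line)
        if ev and ev["dport"] in ports and ipaddress.ip_address(ev["src"]) not in LAN:
            hits.append(ev)
    return hits
```

An empty result from `wan_hits` over a scan window means the log shows no outside source reaching those ports; LAN-side connections, such as a monitor program logging in over FTP, are filtered out.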

Like I said, a dummy IP would be any IP on the router that a machine connected to the router could not use. If you got two machines connected to the router starting at 10.0.0.1 and 10.0.0.2, then 10.0.0.255 is not possibly going to be used unless you have 255 computers using DHCP on the router. In that case and you don't have 255 computers, then 10.0.0.255 would be a dummy IP that would not be used on the router by a machine. Would you agree?

And since you would not have a machine normally setting in the DMZ of the router, then setting port forwarding a port to a dummy IP in the DMZ with no computer using the dummy IP is the same as sending the traffic to infinity or nowhere.


*Explain Home Networking Topics* link is at top of the page.

Duane :)

Reply to
Duane Arnold

Yeap! So if I had 2 machines then the whole IP range from 10.0.0.3 - 10.0.0.255 would be dummy IPs, also known as IPs that will never actually be used by machines connected to the router. Yes, I think I got it right. :-)

I lost you here

OK, I am reading it at the moment because DMZ is an unknown abbreviation for me.

Reply to
Νίκος

You take a dummy IP and tell the router that IP will be used in the DMZ. Either there is a *real machine* using an IP in the DMZ or there is no machine in the DMZ and a dummy IP is being used and you port forward port 21 to the dummy IP setting in the DMZ. *Nothing* is there to receive the traffic being forwarded, so the port is basically closed on the scan and to all traffic coming down the port if any -- nothing is there.

Think Vietnam War (maybe before your time) and the Demilitarized Zone and what it meant in that war. Now they are talking about N. and S. Korea.

Duane :)

Reply to
Duane Arnold

Thanks, but I still don't understand why there is a need for a DMZ. The site says that it is a router functionality but I can't understand its purpose.

Also I would like to ask you if there is a way to actually port forward all incoming traffic to ports 21 & 23 on my WAN IP and send it over to 10.0.0.1 (my only host) so as to see what kind of data arrives on those ports. I think this may be possible, but on the other hand what application on 10.0.0.1 would handle this port-forwarded incoming traffic, if there is any....
Reply to
Νίκος

The purpose of the DMZ is to take a single IP/machine behind the NAT router and completely expose the computer/its ports to the public Internet. That means all ports 65,535 TCP and 65,535 UDP ports are exposed to the public Internet opening all the inbound ports for that computer to the public Internet, instead of using port forwarding to selectively open inbound ports.

Sometimes, there is a need to just stick the whole computer into the DMZ so that it can be accessed by the public. But that would be done by someone that knew what he or she was doing to protect the O/S and other software running on the computer that was being put into the DMZ. You can use Google to further understand why a computer would be setting in the DMZ of any FW solution. But I suggest that you not do it or not use the DMZ. You should keep your computer out of the DMZ at all costs, if you ever get a solution that has a DMZ.

Well, you have to have software running on the computer listening on the ports for it to mean anything.

Port 21 is used for an FTP server that would be running on your machine and 23 is for Telnet sessions. If the software is not running on your machine, it means nothing that you have forwarded the ports to an IP/machine is the bottom line. If no software is running that would be listening on the forwarded ports, it means *nothing*.

Your router looks to be using Telnet for remote administration, which you have indicated that you have disabled it on the router.

Google is your friend.

Duane :)

Reply to
Duane Arnold

It just occurred to me as a thought to dump onto 10.0.0.1 (to a .txt) all the incoming traffic to ports 21 and 23. Possible?!

In my router's web panel all I can do is just list, add, edit the ports I want to forward. When I list them I see nowhere that ports 21 and 23 are open, so I have no power to close them.

My Google-Fu is weak! :-)

Reply to
Νίκος

No....the purpose of a DMZ is to create a security zone that can exist to be more open than the internal network. You would place hosts into the DMZ that you would expose to the internet. You would then have rules in place that define the traffic that can pass from those hosts to your internal network. You should never open a host to all ports but only those ports that it needs to have open. The goal of the DMZ zone is to provide some protection to the internal LAN when the host in the DMZ is compromised. People still need to follow the same methodology in deciding what ports need to be opened. This is a decision that depends on the requirements of the user.

If you have only one computer it does not matter, the exposure is the same. A DMZ only makes sense if you have more than one computer and you have a requirement to open one of those systems to the internet for selected types of access.

Please bear in mind that this applies to a solution that allows full configuration of the firewall device and the ability to define a coherent policy for all zones.

Reply to
rick

I think that anyone who knows about FW(s) and a NAT router would know what was being said. Of course, ports are open on the computer in the DMZ based on what applications that are running on the machine that had the ports open and are listening. That's a given. If an application is not running listening on the port it's not open to begin with.

Of course, the user has to make a determination as to the applications or services running on a machine in the DMZ that will have ports open and applications or services exposed.

If the OP wanted to know more about the DMZ and how it can be used and what it's used for, then he can use Google.

The OP with that NAT router for home usage with its so called DMZ can only do one of two things:

1) Expose the entire machine to the Internet
2) Not expose the entire machine to the Internet

Then it's up to the user to expose or not expose what is needed.

There are no rules that can be set on the typical NAT router for home usage that I know about that's going to allow routing of traffic from a machine in the DMZ to the internal LAN.

Agreed. However, most home users don't know that and will stick the entire machine into the DMZ of the NAT router to avoid complications.

The typical NAT router for home usage doesn't have the ability and either the entire machine is or is not being exposed.

The bottom line to me is to make the post geared to the intended recipient.

Duane :)

Reply to
Duane Arnold

Thanks again both of you for trying to help me catch the meaning, but still I didn't understand anything about the DMZ, nor was my last question answered about how I can view incoming traffic to ports 21 & 23 or even better dump it to a .txt file on 10.0.0.1 to have a look.

Also Duane's last post put me in thoughts of how to expose my entire machine to the Internet. By default it is hidden behind the NAT router....

Reply to
Νίκος

Use a packet sniffer, for example Ethereal.

Yours, VB.

Reply to
Volker Birk


Nice idea! Damn, I had a sniffer and it didn't even cross my mind :-)

I have SmartSniff and I am capturing all data on my Realtek NIC, then sorting out traffic on ports 21 and 23.

Here are the results the sniffer gave, thankfully in ASCII, for FTP port 21 (sorry for the paste though). This is from my Speedtouch 530 IP monitor that I run on 10.0.0.1, which accesses the router by FTP to display stats to me.... As for telnet traffic, nothing in.....

Port 80 and other ports yes, but not in ASCII format so I can't really understand much.

220 Inactivity timer = 120 seconds. Use 'site idle ' to change.

USER Nikos

331 SpeedTouch Password required.

PASS ;-)(edited)

230 OK

TYPE I

200 TYPE is now 8-bit binary

SYST

215 UNIX Type: L8

SITE ip iflist

200- Interface       Group  MTU    RX          TX          TX-Drop  Status  HW-address
200- 0 loop          local  65535  39996443    9598611     0        [UP]    00:0e:50:3e:3f:74
200- 1 Internet      wan    1500   3813842207  2494275276  0        UP
200- 2 LocalNetwork  lan    1500   2520392792  3847673161  0        [UP]    00:0e:50:3e:3f:74
200-
200 CLI command "ip iflist" executed

SITE connection stats

200- Connection statistics:
200- -------------------------------------------
200- Maximum number of connections : 1024
200- Maximum number of halfopen connections : 1024
200- -------------------------------------------
200- Number of active connections : 300
200- Number of halfopen connections : 19
200- Number of expected connections : 0
200- Number of loose connections : 0
200- Number of closing connections : 0
200- Number of idle connections : 137
200- -------------------------------------------
200- Number of TCP connections : 53
200- Number of UDP connections : 247
200- Number of ICMP connections : 0
200- Number of non TCP/UDP/ICMP connections : 0
200- -------------------------------------------
200- Number of TCP open connections : 1
200- Number of TCP established connections : 24
200- Number of TCP closing connections : 28
200-
200- Stream cache statistics:
200- -------------------------------------------
200- Maximum number of hash collisions : 4
200- % of hash entries with collisions : 12.50
200- % of hash entries unused : 57.12
200-
200- CONN/NAT application helper statistics:
200- -------------------------------------------
200- Maximum number of helper bindings : 24
200- Maximum number of connections with helper : 128
200- -------------------------------------------
200- Number of helper bindings : 17
200- Number of connections with active helper : 3
200-
200 CLI command "connection stats" executed

SITE ipqos queue stats dest=pvc_Internet

200- Name          Queue  # packets  # packets  # packets  # packets  # packets  Marking
200-                      added      marked     removed    dropped    replaced
200- pvc_Internet  0      3311822    0          3311817    206370     2197       11%
200-               1      2132575    0          2025245    107330     0          0%
200-               2      187925     0          187925     6          4          0%
200-               3      0          0          0          0          0          0%
200-               4      39574      0          39574      0          0          0%
200-               5      745        0          745        0          0          0%
200-
200- Errors : 0
200- Marking : 0 already marked, 0 marked
200- Notification: 2132575 notified, 489373 resend, 107330 dropped, 2025245 send
200-
200 CLI command "ipqos queue statsdest" executed

QUIT

221 Goodbye. You uploaded 0 and downloaded 0 kbytes.
Reply to
Νίκος
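Added example (not part of the original thread): the capture above is an FTP control channel, which carries the login in clear text and uses "200-" continuation lines closed by a "200 " line. This parser groups such a capture into command/reply exchanges and redacts credential arguments so the transcript can be shared; the sample capture is constructed on the model of the session above, with a placeholder password.

```python
import re

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")
SECRET_VERBS = {"PASS", "ACCT"}  # FTP commands whose argument is a credential

# Constructed capture modelled on the session in the post; the password is a placeholder.
CAPTURE = [
    "220 Inactivity timer = 120 seconds.",
    "USER Nikos", "331 SpeedTouch Password required.",
    "PASS example-password", "230 OK",
    "SITE ip iflist", "200- Interface Group MTU", "200- 0 loop local 65535", "200-",
    '200 CLI command "ip iflist" executed',
    "QUIT", "221 Goodbye.",
]

def parse_ftp_control(lines):
    """Return [(command, code, [reply lines])] with credential arguments redacted."""
    exchanges, cmd, code, body = [], None, None, []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        m = REPLY_RE.match(line)
        if code is not None:                    # inside a multi-line reply
            if m and m.group(1) == code:
                body.append(m.group(3))
                if m.group(2) == " ":           # "<code><space>" closes the reply
                    exchanges.append((cmd, code, body))
                    cmd, code, body = None, None, []
            else:
                body.append(line)               # RFC 959 allows unprefixed lines
        elif m:
            if m.group(2) == "-":               # "<code>-" opens a multi-line reply
                code, body = m.group(1), [m.group(3)]
            else:
                exchanges.append((cmd, m.group(1), [m.group(3)]))
                cmd = None
        else:                                   # anything else is a client command
            verb, _, arg = line.partition(" ")
            if verb.upper() in SECRET_VERBS and arg:
                line = f"{verb} <redacted>"
            cmd = line
    return exchanges

def shareable(lines):
    """Rebuild the transcript from the parsed exchanges, credentials redacted."""
    out = []
    for cmd, code, body in parse_ftp_control(lines):
        out += ([cmd] if cmd else []) + [f"{code}-{t}" for t in body[:-1]] + [f"{code} {body[-1]}"]
    return out
```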
