You are not logged in.
- Topics: Active | Unanswered
#1 2013-04-23 14:15:28
- phunni
- Member
- From: Bristol, UK
- Registered: 2003-08-13
- Posts: 768
Certain ports closed rather than dropping
I'm running arno's firewall script on my router and, I believe, that I am setting it to drop all unsolicited packets. However, grc.com reports that at least ports 135, 139 & 445 are reporting closed rather than just dropping the packets. I'm fairly certain that I didn't close them, although I'm not sure how to tell. I think, therefore, that my ISP is closing them, although they deny it.
How can I confirm whether these ports are properly stealthed on my firewall and, therefore, whether this is my mistake or my ISPs?
Offline
#2 2013-04-23 15:22:53
- brebs
- Member
- Registered: 2007-04-03
- Posts: 3,742
Re: Certain ports closed rather than dropping
Take a look at your rules:
iptables-saveAlthough that's probably a monster 
To be most confident that those ports are set to DROP, add simple rules to drop, at the very start of your iptables ruleset.
Offline
#3 2013-04-23 16:18:35
- chris_l
- Member
- Registered: 2010-12-01
- Posts: 390
Re: Certain ports closed rather than dropping
Stop iptables, and then, with iptables stopped, check again on that website.
"open source is about choice"
No.
Open source is about opening the source code complying with this conditions, period. The ability to choose among several packages is just a nice side effect.
Offline
#4 2013-04-23 21:40:13
- Leonid.I
- Member
- From: Aethyr
- Registered: 2009-03-22
- Posts: 999
Re: Certain ports closed rather than dropping
I could never understand what GRC.com means by "closed" or "stealth"... Do an nmap scan against your IP from a remote machine, or post your IP here and I'll run nmap for you...
Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd
Offline
#5 2013-04-24 01:32:27
- brebs
- Member
- Registered: 2007-04-03
- Posts: 3,742
Re: Certain ports closed rather than dropping
It's the difference between iptables' REJECT vs DROP.
Offline
#6 2013-04-24 18:00:53
- Leonid.I
- Member
- From: Aethyr
- Registered: 2009-03-22
- Posts: 999
Re: Certain ports closed rather than dropping
It's the difference between iptables' REJECT vs DROP.
No, that's too simplistic. The "closed" state will occur when I do "REJECT --reject-with tcp-reset" for tcp packets (this is what kernel does when no ip_/xt_ modules are loaded). Meanwhile, if I reject with "icmp-host-prohibited", the port will be identified as "filtered" in nmap terminology. In fact, if nmap is run as a non-root user against such a firewall, it'll conclude that the host is down (so you'll have to add -P0).
So probably "stealth" is the same kind of jargon for "filtered" as "anonymous internet requests" (thanks, Cisco) for "ping".
And of course, using DROP for anything but fragmented packets is just a bad habit...
Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd
Offline
#7 2013-04-24 20:15:36
- R00KIE
- Forum Fellow
- From: Between a computer and a chair
- Registered: 2008-09-14
- Posts: 4,734
Re: Certain ports closed rather than dropping
I think that grc.com will tag as "closed" any port for which it gets any kind of reject response. Stealth just means the packed was silently dropped or never got anywhere.
As for checking if the ISP is dropping packets to some ports, just add rules to the top of the INPUT chain and log any packets destined to those ports and see if you get anything logged in dmesg.
R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K
Offline
#8 2013-04-24 20:57:01
- brebs
- Member
- Registered: 2007-04-03
- Posts: 3,742
Re: Certain ports closed rather than dropping
So probably "stealth" is the same kind of jargon for "filtered"
Er, no, it's much more sensible to assume what I just said - that "stealthy" means that NOTHING is sent back - which is what iptables' DROP does.
Offline