On Monday 29 Jun 2015 10:01:50 Hans wrote:
> On 29/06/15 03:40, Mick wrote:
> > On Sunday 28 Jun 2015 16:07:30 Hans wrote:
> >> Bought last year a $300.-- FritzBox 7490. Returned the first one because
> >> it did not sync with my ISP. Returned the replacement because GRC
> >> Shieldsup (https://www.grc.com/x/ne.dll?bh0bkyd2) test showed 100's of
> >> open ports. FritzBox Australia claimed this is "normal" and is not a
> >> security risk. The supplier refunded the purchase price. Using now a
> >> $78.-- TP-Link TD-VG3631 with VoIP. Not as fancy. Just works and has no
> >> open ports that can't be closed.
> >>
> >> Hans
> >
> > Are you sure it was actually showing "open" ports? It would show
> > "closed" ports, rather than "stealth", if your firewall uses '-j REJECT'
> > instead of '-j DROP' for packets.
>
> The FritzBox firewall has no provisions to set REJECT or DROP.

Yes, but essentially that's what the firewall does, regardless of whether it
exposes this setting directly to the user or not:

- DROP makes GRC probes return "stealth"
- REJECT makes GRC probes return "closed"
- ACCEPT makes GRC probes return "open".

The FritzBox should NOT return "open" for any ports that the user has not
purposefully configured to forward incoming connections to a listening
application on the LAN (e.g. a web server).

Some routers have a "stealth" port setting, to implement DROP for incoming
packets at the firewall; otherwise the firewall will return 'ICMP -
Destination Unreachable' (RFC-792) and so REJECT the packet. GRC ShieldsUp
will return "closed" in this case and warn you that this is not secure, which
is a bit of FUD to be honest. There's nothing wrong with a firewall returning
an ICMP packet to state that the intended destination was unreachable, quite
the opposite really: this is the correct TCP/IP behaviour for non-listening
ports.

Now, if the firewall just DROPs the packet, the remote application will wait a
number of seconds and then resend it until the threshold for retransmission is
reached. A waste of everyone's time and bandwidth, because dedicated port
scanners are unlikely to be using this method to deduce if a port is listening
or not.

Something worth noting is that if connection attempts exceed a certain number
over a period of time, a clever firewall will start ignoring them and GRC will
suddenly show "stealth" instead of "closed". This could give the impression
of inconsistent firewall settings, but it is quite safe and is as it should
be.
--
Regards,
Mick
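The behaviour Mick describes can be modelled end to end: a firewall applying ACCEPT, REJECT or DROP (optionally with a per-source probe limit), and a ShieldsUp-style prober that sends a SYN and, when nothing comes back, retransmits on a doubling timer before giving up. The script below is an added example, not code from the thread or from GRC; the firewall and the prober are simulated in-process (no packets are sent), and the retransmission budget (3 retries), the initial timeout (1 s), the per-source rate limit and the reply types are assumptions chosen to illustrate the three verdicts, the bandwidth/time cost of DROP, and the "closed" to "stealth" flip on a rate-limiting firewall.

```python
"""Simulate how a ShieldsUp-style TCP probe classifies a port under each firewall
policy (ACCEPT, REJECT, DROP) and under a rate-limiting ("clever") firewall.

Constructed example: firewall and prober are modelled in-process; no packets are
sent. Retransmission budget, timer values and the rate limit are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set


class Policy(Enum):
    ACCEPT = "ACCEPT"  # packet is let through to whatever is (or is not) listening
    REJECT = "REJECT"  # firewall answers with ICMP destination unreachable
    DROP = "DROP"      # firewall silently discards the packet


@dataclass
class Firewall:
    policy: Policy
    # Ports the user has purposefully forwarded to a listening LAN service.
    listening_ports: Set[int] = field(default_factory=set)
    # "Clever" firewall: after this many SYNs from one source, ignore the rest (None = no limit).
    rate_limit: Optional[int] = None
    seen: Dict[str, int] = field(default_factory=dict)

    def receive_syn(self, src: str, port: int) -> Optional[str]:
        """Return the reply the probing host sees, or None when nothing is sent back."""
        if self.rate_limit is not None:
            self.seen[src] = self.seen.get(src, 0) + 1
            if self.seen[src] > self.rate_limit:
                return None  # over the limit: behave like DROP regardless of policy
        if port in self.listening_ports:
            return "SYN-ACK"  # a service answered: the port really is open
        if self.policy is Policy.REJECT:
            return "ICMP-unreachable"  # RFC 792 destination unreachable
        if self.policy is Policy.ACCEPT:
            return "RST"  # no firewall in the way; the TCP stack resets a closed port
        return None  # DROP: silence


@dataclass
class ProbeResult:
    verdict: str           # "open", "closed" or "stealth" in GRC's vocabulary
    packets_sent: int      # SYNs the probing host ended up sending
    seconds_waited: float  # time spent waiting on retransmission timers

    def as_tuple(self):
        return (self.verdict, self.packets_sent, self.seconds_waited)


def probe(fw: Firewall, src: str, port: int, retries: int = 3, rto: float = 1.0) -> ProbeResult:
    """Send one SYN and, on silence, retransmit with doubling timeouts (assumed values)."""
    waited = 0.0
    for attempt in range(retries + 1):
        reply = fw.receive_syn(src, port)
        if reply == "SYN-ACK":
            return ProbeResult("open", attempt + 1, waited)
        if reply in ("RST", "ICMP-unreachable"):
            return ProbeResult("closed", attempt + 1, waited)
        waited += rto * (2 ** attempt)  # no answer: wait out the exponentially growing timer
    return ProbeResult("stealth", retries + 1, waited)


def scan(fw: Firewall, src: str, ports: range) -> Dict[int, str]:
    """Probe a range of ports from one source and collect GRC-style verdicts."""
    return {port: probe(fw, src, port).verdict for port in ports}


if __name__ == "__main__":
    src = "203.0.113.7"  # constructed probe source (TEST-NET-3 address)
    for policy in Policy:
        fw = Firewall(policy, listening_ports={80})
        for port in (80, 22):
            r = probe(fw, src, port)
            print(f"{policy.value:<6} port {port}: {r.verdict:<7} "
                  f"packets={r.packets_sent} waited={r.seconds_waited:.0f}s")
    # A scanner that does not wait for retransmissions pays one packet per port under DROP.
    print("DROP, single SYN:", probe(Firewall(Policy.DROP), src, 22, retries=0).as_tuple())
    clever = Firewall(Policy.REJECT, rate_limit=5)
    print("rate-limited REJECT, ports 1-8:", scan(clever, src, range(1, 9)))
```

Under REJECT a closed port costs the prober one packet and no waiting, whereas under DROP the same port costs four packets and fifteen seconds before it is reported as "stealth"; with the rate-limited REJECT firewall the first five ports come back "closed" and the rest "stealth", which is the apparent inconsistency mentioned above.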