Gentoo Archives: gentoo-user

From: Mick <michaelkintzios@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Re: PPPoE ADSL modem choice
Date: Mon, 29 Jun 2015 18:51:50
Message-Id: 201506291951.12999.michaelkintzios@gmail.com
In Reply to: [gentoo-user] Re: PPPoE ADSL modem choice by Hans
On Monday 29 Jun 2015 10:01:50 Hans wrote:
> On 29/06/15 03:40, Mick wrote:
> > On Sunday 28 Jun 2015 16:07:30 Hans wrote:

> >> Bought last year a $300.-- FritzBox 7490. Returned the first one because
> >> it did not sync with my ISP. Returned the replacement because GRC
> >> Shieldsup (https://www.grc.com/x/ne.dll?bh0bkyd2) test showed hundreds of
> >> open ports. FritzBox Australia claimed this is "normal" and is not a
> >> security risk. The supplier refunded the purchase price. Using now a
> >> $78.-- TP-Link TD-VG3631 with VoIP. Not as fancy. Just works and has no
> >> open ports that can't be closed.
> >>
> >> Hans
> >
> > Are you sure it was actually showing "open" ports? It would show
> > "closed" ports, rather than "stealth", if your firewall uses '-j REJECT'
> > instead of '-j DROP' for packets.
>
> The FritzBox firewall has no provisions to set REJECT or DROP.

Yes, but essentially that's what the firewall does regardless of whether it
exposes this setting directly to the user or not:

- DROP makes GRC probes return "stealth"
- REJECT makes GRC probes return "closed"
- ACCEPT makes GRC probes return "open".


The FritzBox should NOT return "open" for any ports that the user has not
purposefully configured to forward incoming connections to a listening
application on the LAN (e.g. a web server).

Some routers have a "stealth" port setting, to implement DROP for incoming
packets at the firewall; otherwise the firewall will return 'ICMP -
Destination Unreachable' (RFC-792) and so REJECT the packet. GRC ShieldsUp
will return "closed" in this case and warn you that this is not secure, which
is a bit of FUD to be honest. There's nothing wrong with a firewall returning
an ICMP packet to state that the intended destination was unreachable, quite
the opposite really: this is the correct TCP/IP behaviour for non-listening
ports.

Now, if the firewall just DROPs the packet, the remote application will wait a
number of seconds and then resend it until the threshold for retransmission is
reached. A waste of everyone's time and bandwidth, because dedicated port
scanners are unlikely to be using this method to deduce if a port is listening
or not.

Something worth noting is that if connection attempts exceed a certain number
over a period of time, a clever firewall will start ignoring them and GRC will
suddenly show "stealth" instead of "closed". This could give the impression
of inconsistent firewall settings, but it is quite safe and is as it should
be.
--
Regards,
Mick

Attachments: signature.asc (application/pgp-signature)
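The DROP/REJECT/ACCEPT mapping Mick describes is exactly what a remote prober sees from the far end of one TCP connect() call. The following is an added example, not code from the thread or from any FritzBox or GRC tool: it classifies a single SYN probe into the three ShieldsUp verdicts from the reply it gets (SYN/ACK, RST or ICMP destination-unreachable, or nothing at all). The names `probe()` and `demo()` and the 2-second timeout are this example's own assumptions. Only "open" and "closed" can be demonstrated offline on the loopback interface; "stealth" requires a real DROP rule or an unreachable host in the path, so the demo shows where that branch is taken without exercising it.

```python
import errno
import socket
import time


def probe(host, port, timeout=2.0):
    """Send one TCP SYN (connect()) and return (verdict, seconds_elapsed).

    Verdicts use the ShieldsUp vocabulary from the post:
      "open"    - SYN/ACK came back: an ACCEPT rule and a listening service
      "closed"  - RST or ICMP destination-unreachable: a REJECT rule (or no listener)
      "stealth" - nothing came back before the timeout: the SYN was DROPped
    """
    start = time.monotonic()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open", time.monotonic() - start
    except socket.timeout:
        # No SYN/ACK, no RST, no ICMP: the firewall silently DROPped the SYN.
        # We paid the full timeout to learn that; a real client would have
        # retransmitted several times first, which is the "waste of everyone's
        # time" the post refers to.
        return "stealth", time.monotonic() - start
    except ConnectionRefusedError:
        # Linux reports both a TCP RST and an ICMP port-unreachable reply as
        # ECONNREFUSED, so this is what a REJECT rule yields.
        return "closed", time.monotonic() - start
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            # Other ICMP destination-unreachable variants (RFC 792 type 3).
            return "closed", time.monotonic() - start
        raise
    finally:
        s.close()


def demo():
    """Probe a listening and a non-listening loopback port; return the verdicts.

    Constructed test setup: a throwaway listener stands in for an ACCEPTed,
    forwarded port, and a just-released ephemeral port stands in for a
    REJECTed one (the kernel answers with RST because nothing listens there).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    # Grab a free port, then release it so nothing is listening on it.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    try:
        results = {
            "listening": probe("127.0.0.1", open_port)[0],
            "not_listening": probe("127.0.0.1", closed_port)[0],
        }
    finally:
        listener.close()
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>14}: {verdict}")
```

On a Linux firewall the three outcomes correspond to `-j ACCEPT`, `-j REJECT` (whose default reply is `--reject-with icmp-port-unreachable`) and `-j DROP`. The "closed turns into stealth under load" effect Mick mentions at the end is what you get when a REJECT rule sits behind a rate limiter such as `-m limit`: once the limit is exceeded the packets fall through to a DROP, and the prober's connect() goes from returning immediately with ECONNREFUSED to sitting out the full timeout.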