LinuxQuestions.org
Old 09-19-2006, 01:33 AM   #1
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482

Rep: Reputation: 534
Unfamiliar "Shields Up!" Firewall Test Results


I finally entered the 21st century and now have broadband. Not the fastest in the world (1-2 Mbps), but a world of difference from dialup! I'm still somewhat in a state of disbelief and mild shock.

To support the change, I've been tinkering and reconfiguring various things throughout the day. I visited the grc.com Shields Up! web site to test my Windows and Slackware firewall rules. Previously, since the 1990s---or whenever Gibson posted his well-known web site---I always have achieved full stealth with all ports. This is true for my Slackware iptables rules too.

Now, please! I do not want to entertain Yet Another Debate About Stealth Versus Closed Ports.

However, today's testing resulted in ports 113, 135, 139, 445, 1025, and 5000 being closed while all other ports being stealth. Many people will recognize most of those ports as particular to the Windows world (excepting port 113).

I also know the ISP owner is using GNU/Linux for his servers. So this is not exactly a Windows server issue.

I received the same result in Windows and Slackware. Just to be sure, I tried the test again through dialup and all ports showed stealth using the same firewall rules. Therefore my initial conclusion is either I do not have something configured correctly with the DHCP client (possible and probable), or the ISP server is configured in a funky manner. I'm inclined to think the former reason because the grc.com test did correctly display my assigned IP address from the DHCP server, therefore I don't think the Shields Up test was hitting the ISP server instead of my box.

Although modifying my Windows and Slackware configurations went smoothly and surfing with broadband is working nicely, I am not at all familiar with DHCP. Another brave new world to explore! Regardless, I'd be grateful if anybody has a notion to share about why I now obtain these unfamiliar firewall test results. Why are those ports showing closed rather than stealth despite using the same firewall rules and dialup showing all ports stealth?

I also would be grateful if anybody knows of some good info to read about properly configuring the DHCP client. I've been surfing for some decent reading, but I am not finding anything that seems substantive. Overwhelmingly most of the material online is about DHCP servers. Then again, as philosophers would ponder, how do those who don't know, know they don't know? I don't know and that is why I am asking for some leads.

Currently my testing is with my multi-boot box. The box currently is not connected to a local network. In Windows the Server service currently is disabled, etc. In Slackware, samba is disabled, etc. I'm using just the one NIC, just the software firewalls. No routers in between.

Thanks again.
 
Old 09-19-2006, 02:34 AM   #2
cs-cam
Senior Member
 
Registered: May 2004
Location: Australia
Distribution: Gentoo
Posts: 3,544
Blog Entries: 4

Rep: Reputation: 56
How are you connecting? If it's through a router, it'll be portscanning the router, not your computer, unless you forward all ports to your machine, which would be a stupid move.
 
Old 09-19-2006, 04:04 AM   #3
Randux
Senior Member
 
Registered: Feb 2006
Location: Siberia
Distribution: Slackware & Slamd64. What else is there?
Posts: 1,705

Rep: Reputation: 54
Quote:
Originally Posted by Woodsman
I finally entered the 21st century and now have broadband. Not the fastest in the world (1-2 Mbps), but a world of difference from dialup! I'm still somewhat in a state of disbelief and mild shock.

To support the change, I've been tinkering and reconfiguring various things throughout the day. I visited the grc.com Shields Up! web site to test my Windows and Slackware firewall rules. Previously, since the 1990s---or whenever Gibson posted his well-known web site---I always have achieved full stealth with all ports. This is true for my Slackware iptables rules too.

Now, please! I do not want to entertain Yet Another Debate About Stealth Versus Closed Ports.

However, today's testing resulted in ports 113, 135, 139, 445, 1025, and 5000 being closed while all other ports being stealth. Many people will recognize most of those ports as particular to the Windows world (excepting port 113).

I received the same result in Windows and Slackware.
If you received the same results in Windows and Slackware then what cs-cam said is the key- these ports are answering closed from your router. It's almost 100% sure. There should be an admin panel you can get to from the web (try 168.192.2.1) and maybe there will be some options to tweak. Drop ICMP and whatever else you can if you want to stealth everything. If for some reason you can't stealth everything, at least make sure the ports that are closed don't get forwarded to your box.

Quote:
Originally Posted by Woodsman
Just to be sure, I tried the test again through dialup and all ports showed stealth using the same firewall rules. Therefore my initial conclusion is either I do not have something configured correctly with the DHCP client (possible and probable), or the ISP server is configured in a funky manner.
Probably C: none of the above

The DHCP client just manages your DHCP lease (negotiating for an IP address for an agreed-upon length of time) and doesn't have anything to do with open or closed ports.

Quote:
Originally Posted by Woodsman
I am not at all familiar with DHCP. Another brave new world to explore! Regardless, I'd be grateful if anybody has a notion to share about why I now obtain these unfamiliar firewall test results. Why are those ports showing closed rather than stealth despite using the same firewall rules and dialup showing all ports stealth?

I also would be grateful if anybody knows of some good info to read about properly configuring the DHCP client. I've been surfing for some decent reading, but I am not finding anything that seems substantive. Overwhelmingly most of the material online is about DHCP servers.
The reason is that the DHCP client is really a no-brainer. If you turn on the right stuff in configs you'll see something like:

dhcpcd -d -t 10 eth0

in your startup.

Take a look at /etc/rc.d/rc.inet1.conf. There is a section for eth0. If you are using DHCP then
just change USE_DHCP[0]="YES" and leave everything else blank.

That's pretty much it. Make sure you have rc.inet1 and rc.inet2 executable (they probably are). But since you are connected you probably already did this. Since the DHCP client won't affect your ports being stealthed or not just forget about all that and look at how the router is setup.

Rand

Last edited by Randux; 09-19-2006 at 04:07 AM.
 
Old 09-19-2006, 08:25 AM   #4
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 11,198
Blog Entries: 3

Rep: Reputation: 1426
Hi,

Quote:
Originally Posted by Woodsman
I finally entered the 21st century and now have broadband. Not the fastest in the world (1-2 Mbps), but a world of difference from dialup! I'm still somewhat in a state of disbelief and mild shock.

To support the change, I've been tinkering and reconfiguring various things throughout the day. I visited the grc.com Shields Up! web site to test my Windows and Slackware firewall rules. Previously, since the 1990s---or whenever Gibson posted his well-known web site---I always have achieved full stealth with all ports. This is true for my Slackware iptables rules too.

Now, please! I do not want to entertain Yet Another Debate About Stealth Versus Closed Ports.

However, today's testing resulted in ports 113, 135, 139, 445, 1025, and 5000 being closed while all other ports being stealth. Many people will recognize most of those ports as particular to the Windows world (excepting port 113).

I also know the ISP owner is using GNU/Linux for his servers. So this is not exactly a Windows server issue.
What modem are you using with the broadband? Most new units do provide firewalls that you can enable/configure. If the rule(s) are not configured properly, the states of the ports/services will be shown at that level as closed. Since you have IPTABLES with known rules that worked before but now show a different condition over the LAN than when you dial up, the problem exists on the client side of the LAN (you).

Quote:
Currently my testing is with my multi-boot box. The box currently is not connected to a local network. In Windows the Server service currently is disabled, etc. In Slackware, samba is disabled, etc. I'm using just the one NIC, just the software firewalls. No routers in between.

Thanks again.
Yes, you are on a LAN with your modem. Just a direct connection at this time. I would suspect as stated above the problem is the rules relative to the broadband modem.

Quote:
I received the same result in Windows and Slackware. Just to be sure, I tried the test again through dialup and all ports showed stealth using the same firewall rules. Therefore my initial conclusion is either I do not have something configured correctly with the DHCP client (possible and probable), or the ISP server is configured in a funky manner. I'm inclined to think the former reason because the grc.com test did correctly display my assigned IP address from the DHCP server, therefore I don't think the Shields Up test was hitting the ISP server instead of my box.
Here, getting your IP via DHCP from the broadband modem should not affect the firewall on your (client) machine. Look at the broadband modem. The 'ShieldsUp' would show the IP of the broadband modem that is assigned by the ISP.

edit: If closed ports are being shown for your client then indeed the rules fail on the client somehow, not the modem. Are you sure the ports that show up are for the client? I suspect you are confusing the ports shown as client but are the ports/services on the modem.

Most new modems have the firewall enabled but with a minimum rule set.

Rather lengthy response, hope I kept things straight.

Last edited by onebuck; 09-19-2006 at 08:31 AM.
 
Old 09-19-2006, 05:21 PM   #5
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482

Original Poster
Rep: Reputation: 534
Quote:
Yes, you are on a LAN with your modem. Just a direct connection at this time. I would suspect as stated above the problem is the rules relative to the broadband modem.
Well, to clarify, I am not using a home router or a LAN (at least not for these tests). In my OP I wrote that I am not using a router and that these tests were performed from a stand-alone (multi-boot) box. No networking, no NAT, nada, etc. Yes, I understand that with respect to the ISP I am connected to his LAN, but my original intent was that there are no additional devices here inside my office.

Quote:
Take a look at /etc/rc.d/rc.inet1.conf. There is a section for eth0. If you are using DHCP then
just change USE_DHCP[0]="YES" and leave everything else blank.
Thanks, already done, but off topic. As I wrote in my OP, the DHCP connection is working just fine. I'm merely confused by the unfamiliar port testing results.

Quote:
What modem are you using with the broadband? Most new units do provide firewalls that you can enable/configure.
No modem. This is a proprietary wireless system. The "modem" is a microwave transceiver, or "sending unit" (SU) in vendor parlance. The SU provides no firewalling. The SU is pass-through only.

Quote:
The 'ShieldsUp' would show the IP of the Broadband modem IP that is assigned by the ISP.
The ISP owner told me that he assigns "non-routable" IP addresses to the SUs. He uses the 10.x.x.x subnet for the SUs.

Quote:
Most new modems have the firewall enabled but with a minimum rule set.
Understood, but these microwave SUs provide no firewall protection.

With that all said, I just got off the phone with the ISP owner. He told me what I half suspected and I think some of you tried to articulate. He has configured his server to provide transparent IP forwarding for all ports except the ones listed. He configured his server to refuse forwarding any packet request for those ports listed above. This actually is a Good Thing for most of his customers who understand little about computers. In other words, for those blocked ports, his server is actually doing the responding to the grc.com port test (and any script kiddies). Therefore, the grc.com port test is misleading in this one respect. In conclusion, I no longer can run full "stealth." A reasonable trade to now have broadband. Again, I am not going to discuss closed vs. stealth ports. I am aware that a closed port is just as effective as a stealthed port. I also am aware that running stealth is meaningless to any server I initiate contact.

However, because the ISP owner uses GNU/Linux in his servers, I am going to ask him to consider reconfiguring his iptables rules to drop packet requests to those ports rather than respond that they are closed. This would save his server a couple of milliseconds with each request---and provide me the desired grc.com port test results.
 
Old 09-20-2006, 08:54 AM   #6
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 11,198
Blog Entries: 3

Rep: Reputation: 1426
Hi,

Now that we have the scenario for the network: knowing the equipment used would have indicated to us that the problem did exist on the ISP side. We or I thought you were using a broadband cable/dsl modem. Instead your connection is via the 'SU' as the modem interface.

That is why we/I should not try to use the cracked crystal ball! Posting of the equipment in use would have clarified things.
 
Old 09-20-2006, 12:18 PM   #7
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482

Original Poster
Rep: Reputation: 534
Quote:
Posting of the equipment in use would have clarified things.
Well, I thought I did when I posted the OP. In hindsight I did not post information about the ISP equipment, but like with many posts, I lacked sufficient foresight and I did not conceive of reporting that information. Tough to always try to outguess everybody on these types of discussions as to what information might be relevant without trying to peer into everybody's mind and trying to see into the future. And there is always the challenge of providing too much information such that most people simply will not respond to help.

Regardless, I already conversed with the ISP owner and he liked my idea of modifying his iptables rules such that his blocked ports simply drop the packet requests rather than respond as being closed.

I don't blame him for blocking those infamous ports because most people on the web have no clue how the basic internet operates and such people tend to surf with their pants at their ankles. By blocking the ports at his gateway, he simply does not have to deal with the naive customers.

I also have noticed that he has configured his gateway such that he does not broadcast box names when other servers request IP address information. When I was at the grc.com site I noticed that immediately. The only information this guy provides through his gateway is the IP address. He's a good guy, smart, and seems to understand the business better than most people I have conversed with. Not that I am an expert, I'm not, but I still have a sense of privacy and basic security. I like him because he is local and not a representative of some legal fiction otherwise known as a corporation. Being local he will tend to be responsible and responsive.

Thanks to everybody who helped with this thread. New territories always means new knowledge and usually, many questions until a reasonable knowledge level is achieved.

Anyway, for future thread visitors, know that the grc.com port test results can be misleading if one does not understand how the ISP filters and forwards port requests.
 
Old 09-20-2006, 01:10 PM   #8
J.W.
LQ Veteran
 
Registered: Mar 2003
Location: Milwaukee, WI
Distribution: Mint
Posts: 6,642

Rep: Reputation: 69
Woodsman - this is a very informative thread and I'd encourage you to submit it as an LQ Answer. ShieldsUp is a reasonably well known utility, and any Linux newcomers who are familiar with it under Windows and who want to compare its performance under Linux could benefit from this info. Thanks for posting
 
Old 09-20-2006, 02:10 PM   #9
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482

Original Poster
Rep: Reputation: 534
Quote:
Woodsman - this is a very informative thread and I'd encourage you to submit it as an LQ Answer. ShieldsUp is a reasonably well known utility, and any Linux newcomers who are familiar with it under Windows and who want to compare its performance under Linux could benefit from this info. Thanks for posting
I'm unfamiliar with posting at LQ Answers, but I easily could whip up a mini how-to for my web site and then add a link within this thread. I think that might be a more appropriate location because this particular problem is not GNU/Linux specific---I obtained the same "strange" results in both OSs.

The information certainly is enlightening to anybody who might experience this strange port test result. In hindsight, how my new ISP configures his gateways is the more prudent way to configure equipment. That this kind of problem rarely arises indicates that most ISPs provide completely open IP forwarding. I think that file and print sharing is a local network issue and that an ISP blocking those ports at the gateway should not impede anybody's internet performance. Of course, by blocking those ports there is no pass-through and such a simple strategy avoids many potential headaches for an ISP. For those handful of customers who actually might need pass-through on those ports, the ISP easily can create additional firewall rules to allow such access. Just my .

For those people reading this thread and maintaining servers providing gateway services, how my new ISP configures his gateway servers might be useful for those of you doing likewise. I include the many of us who maintain home and small office LANs too. Just block those infamous ports at the gateway and drop the packets (in grc.com parlance, those ports would be stealthed). Solves many potential problems. FYI, after conversing with the ISP owner, he blocks the following ports:

113, 135, 137 (UDP), 139, 445, 1025, 1413, 1434 (UDP), 2745, 5000. He might block other ports, but those are the ones he shared with me.
 
Old 09-20-2006, 03:17 PM   #10
dive
Senior Member
 
Registered: Aug 2003
Location: UK
Distribution: Slackware
Posts: 3,211

Rep: Reputation: 292
I'd be pretty mad if my isp blocked 113 tbh. It's much faster for irc and I think some networks block access without it.
 
Old 09-20-2006, 04:45 PM   #11
shotwellj
Member
 
Registered: Jul 2005
Location: Tempe, AZ
Distribution: Slackware
Posts: 66

Rep: Reputation: 15
Quote:
Originally Posted by Woodsman
113, 135, 137 (UDP), 139, 445, 1025, 1413, 1434 (UDP), 2745, 5000. He might block other ports, but those are the ones he shared with me.
Many IRC servers require identd to be running on 113. At the very least, 113 should be rejecting packets rather than dropping them. Perhaps you don't care about IRC, but someone on this ISP probably does.

Also, some of these are seemingly random.

I would be very mad if my ISP did things like this.

Edit: I didn't notice the comment above mine, probably because I've been so busy with my work here at the Department of Redundancy Department.

Last edited by shotwellj; 09-20-2006 at 04:54 PM.
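An added illustration, not code from anyone in this thread: a small model of what a remote probe such as Shields Up! observes when an ISP gateway answers for some ports before the packet ever reaches the customer's host. It reproduces the four situations the thread walks through (dialup with nothing in the path, the ISP rejecting Woodsman's listed ports, the ISP dropping them instead, and shotwellj's suggestion of keeping 113 rejecting); the rule sets and the probed port range are constructed assumptions.

```python
# Added example (not from the thread). Models the three things a prober can
# see for a TCP SYN: a reply from the service ("open"), an RST/ICMP error
# ("closed"), or nothing at all ("stealth" in grc.com parlance), and records
# whether the gateway or the host produced that reply.
from enum import Enum


class Action(Enum):
    ACCEPT = "accept"   # gateway: forward; host: deliver to the socket
    DROP = "drop"       # discard silently: the prober gets no reply ("stealth")
    REJECT = "reject"   # answer with TCP RST / ICMP unreachable: "closed"


# Ports Shields Up! reported as "closed" in the original post (all TCP).
REPORTED_CLOSED = (113, 135, 139, 445, 1025, 5000)

# Constructed probe set: the low service ports plus the ports above.
PROBE_PORTS = sorted(set(range(1, 1056)) | set(REPORTED_CLOSED))


def probe(port, gateway_rules, host_rules, host_default=Action.DROP):
    """Return (verdict, who_answered) for one TCP SYN sent to `port`.

    gateway_rules / host_rules map port -> Action. A gateway with no rule
    forwards transparently (ACCEPT). The host default models its firewall
    policy: DROP for a stealthed box, REJECT for a box with no firewall at
    all (the kernel answers RST for ports nobody listens on).
    """
    gw = gateway_rules.get(port, Action.ACCEPT)
    if gw is Action.REJECT:
        return "closed", "gateway"   # the ISP box sends the RST, not you
    if gw is Action.DROP:
        return "stealth", "gateway"
    host = host_rules.get(port, host_default)
    if host is Action.ACCEPT:
        return "open", "host"
    if host is Action.REJECT:
        return "closed", "host"
    return "stealth", "host"


def report(ports, gateway_rules, host_rules=None, host_default=Action.DROP):
    """Shields Up!-style summary: {port: (verdict, who_answered)}."""
    rules = host_rules or {}
    return {p: probe(p, gateway_rules, rules, host_default) for p in ports}


def closed_ports(rep):
    """Ports a prober would list as closed rather than stealth."""
    return sorted(p for p, (verdict, _) in rep.items() if verdict == "closed")


# Scenario 1: dialup, nothing filtering in the path.
DIALUP = {}
# Scenario 2: the ISP gateway refuses (rejects) its blocked ports.
ISP_REJECT = {p: Action.REJECT for p in REPORTED_CLOSED}
# Scenario 3: the change Woodsman asked his ISP for: drop instead of reject.
ISP_DROP = {p: Action.DROP for p in REPORTED_CLOSED}
# Scenario 4: shotwellj's point: keep 113 rejecting so an IRC server's
# ident query gets an immediate RST instead of waiting for a timeout.
ISP_DROP_BUT_IDENT = {**ISP_DROP, 113: Action.REJECT}

if __name__ == "__main__":
    for name, gw in (("dialup", DIALUP), ("isp reject", ISP_REJECT),
                     ("isp drop", ISP_DROP), ("isp drop, ident reject", ISP_DROP_BUT_IDENT)):
        rep = report(PROBE_PORTS, gw)
        print(f"{name:24s} closed: {closed_ports(rep)}")
```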
 
Old 09-20-2006, 06:02 PM   #12
dive
Senior Member
 
Registered: Aug 2003
Location: UK
Distribution: Slackware
Posts: 3,211

Rep: Reputation: 292
Most of the low ones are windows dcom or netbios ports. Dunno about the others. Service ports are <=1024 I think so they might be trojan ports at a guess.
 
Old 09-20-2006, 09:22 PM   #13
J.W.
LQ Veteran
 
Registered: Mar 2003
Location: Milwaukee, WI
Distribution: Mint
Posts: 6,642

Rep: Reputation: 69
Quote:
Originally Posted by Woodsman
I'm unfamiliar with posting at LQ Answers, but I easily could whip up a mini how-to
Posting at LQ Answers isn't much different than posting anywhere else - the main difference is that unlike posts, which tend to fade as they age, LQ Answers are always visible, and more or less act as reference materials. There's no special format that needs to be followed, only that the information is presented in a logical, coherent way. A simple summary of your posts would be an excellent LQ Answer
 
Old 09-22-2006, 05:54 AM   #14
evilDagmar
Member
 
Registered: Mar 2005
Location: Right behind you.
Distribution: NBG, then randomed.
Posts: 480

Rep: Reputation: 31
Can we add an answer reminding people that Steve Gibson is the Internet's version of Chicken Little and anything he says or does should be examined with caution?
 