Hi

I have played with Mandriva shorewall and did not prefer it to guarddog.

In my router billion 5102 it has only a few choices of firewall including ports 21 23 80 which I have disabled.

In my software firewall (guardog) I have DNS http https only.

At www.grc.com a quick check shows ports 21 23 80 as stealthed.

I am guessing it scans the router for its settings and can not probe any further?

BTW the router allows some kind of bridged mode but I can not use it as far as I can see as I need PPPoE settings to get DHCP address from my ISP in aussieland.

Questions if I may

I have read the manual of my router and I am none the wiser on the firewall test....how do I get stealthed for all ports that I want?

Any links for this question would be greatly appreciated.


PS I found a quick and dirty way of disabling my router from being ever seen I hope from the net.

I created a separate guarddog zone for the router address and disabled http which is what it uses for configs.

ok found this at the docs for firestarter

If you have a DSL or cable modem box that provides Network Address Translation services, it is possible that the scan does not reflect the status of Firestarter but that of the box.

from link http://www.fs-security.com/docs/faq.php

Do yourself a favor and forget you ever saw grc.com.

How do the other ports show up?

I'm not familiar with your router and its capabilities, but in theory you should be able to figure out what it can do. If you temporarily disable the internal firewall and do a *full* scan (as mentioned grc is definitely not comprehensive). Ideally scan from a remote machine using nmap, but if that's not an option you can try using several different online scanners like grc and find the consensus. Simulataneously running tcpdump on the inside should show what's getting through. If you are unsure, then I'd definitely recommend running the internal machines as if they were directly connected to the internet with a full firewall. May need to be carefull about blocking traffic from the router, like DHCP messages, etc. Personally I'd recommend setting it up that way regardless so that you don't have a single point of failure.

Captain

you were right and I should have taken the plunge after my last post to turn off my software firewall and retest the router.

tests were done at grc/pcflank/auditmypc

all tests looked exactly the same with internal turned off.

And that means other ports are still showing as CLOSED.


(2) I have yet to work out how to make my router look like the internal is directly connected and even it I did....one of my previous tests with a wrong router setting I had port 80 open and the scans were showing it up as open.

(3) but as its up to me to figure it out I will post a HCL entry if I do.

thanks for the tips so far.

well I never did figure it out...the best I could see is using the router in bridge mode but that appears to need 2 ethernet cards?

in re-looking at that grc site it reports
Checking a NAT Router's WAN Security

Residential broadband "NAT" routers which allow many computers to share a single Internet connection are becoming quite popular. We love them for the security they provide to the machines placed behind them since any NAT router functions as a natural and excellent hardware firewall.

However, the Internet or "WAN" (Wide Area Network) side connection of many NAT routers and DSL gateways is not as secure as it should be. Many routers ship with web, ftp, or Telnet management ports wide open! And many are still configured with their well-known default administrative passwords. Although the router may be protecting the machines behind it, it might not be protecting itself without your deliberate closing of remote "WAN" administration ports.

ShieldsUP! automatically tests your NAT router's WAN-side security because the router's WAN IP is the single public IP that connects your internal private network to the public Internet. When a test is initiated by any system behind a NAT router, we are testing the public-side security of the router itself and not the security of the individual machines which are located behind and protected by the router.


__________while the previous link reported ISPs may be blocking scans I am now more confident that the first scan result from grc and not auditmypc or pcflank.....was a scan of my router

I don't really understand what you are trying to accomplish. A scan from the internet will scan your router. You can scan your computer from another computer on the lan using nmap.

I have a Linksys NAT router connected to a cable modem. It has a gateway mode and a router mode. I am using gateway mode.
Routers tend to respond to the ident port.
Some older ftp sites will take 2 minutes and timeout without the ident port, but this is rare, and you usually have an option to close it. From your grc response, the routers ident port isn't open.

For the ports you use on the computer itself, make sure to secure services properly. Such as if you use ssh, disable root logins. Use an "AllowUsers" entry. Some people also disable password logins and change the port from port 22 to a higher port number to discourage script kiddie brute force attacts. This won't be an item if you don't forward port 22 in the router.

Are you running apache2 and a dns server?

If you have two network interfaces on your hosts, you can have an internet access zone and a less secure LAN zone. This would allow you to open up ports that samba uses without as much worry. Although the NAT router will provide protection, what happens after a power spike or if the router has an unknown vulnerability.

Be sure you disable uPNP on the router, if it exists. It is an evil Microsoft invention that allows ports on the router to be opened up automatically. Installing the wrong software on any of your computers could open up a port in the router without your knowing it.