LinuxQuestions.org


ghight 02-18-2004 08:55 AM

Stealthing Open Router Ports
 
This isn't a Linux question, but a Cayman Router question. I have an SBC supplied Cayman router and ran the 6.4.0R2 firmware update. Before, if I was on everything except ClearSailing, I couldn't use the Pinholes or IPMaps. In ClearSailing, I could forward port 25 for my SMTP mail server, but it was still stealthed when using ShieldsUp!. With the new firmware update, I can use my pinholes and IPMaps on DeadReckoning, but no matter what I have the firewall set on, it no longer stealths my open ports.

Anybody have an idea why this is happening? This seems like a step back to me.

chort 02-18-2004 10:38 AM

Could you start by explaining what the heck these are?
ClearSailing
Pinholes
IPMaps
DeadReckoning

By the way, read the many previous posts on why it is not possible to "stealth" open ports. If you search for "stealth open possible" you should find my other posts about it, I think. Unless you're narrowing access down to certain IPs, there's no way it will ever look "stealthed".

By the way, could everyone please stop using the phrase "stealth"? No security expert says "my firewall is stealthed!" Instead, they would say "my firewall is set up to default drop". If you say "stealth" in front of real security people, they will probably give you a funny look or perhaps snicker. All thanks to that stupid ShieldsUp! site every newbie is running around saying "stealth this" and "stealth that". It's looney.

ghight 02-18-2004 11:14 AM

Quote:

Originally posted by chort
Could you start by explaining what the heck these are?
ClearSailing
Pinholes
IPMaps
DeadReckoning

I'm no security expert so I guess "stealth" is still okay to use for the average Joe, correct? :) My words were selected because I was referring directly to ShieldsUp!. Sorry.

The Cayman has 3 or 4 default firewall rules that you can use, ClearSailing (everything is open, using NAT as a "firewall"), SilentRunning (all incoming traffic is blocked automatically), DeadReckoning (same as SilentRunning, only allowing IPMaps and Pinholes), and LANdLocked (totally blocked in and out). A pinhole is a forwarded port. An IPMap is IP forwarding to a specific host. Again, these are terms regarding the Cayman only. If you don't have one, you probably won't know what the heck is going on.

As we have discussed before, my old PIX and my original Cayman firmware would drop packets when scanned even on port 25 which was forwarded to our mail server behind the firewall. Now even though I can bump up to "DeadReckoning" which drops everything except the traffic to port 25, scans show it as open. I'm certain the PIX would drop everything after a certain amount of scanning traffic (portsentry style) and it appeared that the original firmware did the same. Somehow the new firmware doesn't do this. Just curious why the 1 step forward, 2 steps back approach to Cayman firmware and I'm checking to see if everyone else has experienced the same problem.
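
Added example, not part of any post in this thread: a toy model of a default-drop filter with one forwarded port, showing what the sender of a TCP SYN observes in the situation discussed above (port 25 forwarded to a listening mail server, with and without a source restriction). The class and function names, the addresses and the "open"/"closed"/"stealth" result labels are assumptions chosen for illustration.

```python
# Added illustration: toy default-drop packet filter with a forwarded port.
# All names are hypothetical; this is not Cayman or PIX configuration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Pinhole:
    port: int
    # Empty tuple: any source may connect. Otherwise only these networks.
    allowed_sources: tuple = ()


@dataclass
class Firewall:
    pinholes: list = field(default_factory=list)
    default_action: str = "drop"  # "drop" = silent discard, "reject" = send RST

    def handle_syn(self, src: str, dport: int) -> str:
        """Return what the sender of a TCP SYN to dport observes."""
        for p in self.pinholes:
            if p.port != dport:
                continue
            if not p.allowed_sources or any(
                ip_address(src) in ip_network(net) for net in p.allowed_sources
            ):
                # The SYN is forwarded and the listening server answers with
                # SYN-ACK; otherwise no legitimate client could connect.
                return "open"
        # No matching pinhole for this source: the default policy applies.
        return "stealth" if self.default_action == "drop" else "closed"


def scan(fw: Firewall, src: str, ports) -> dict:
    """Map each probed port to the state seen from address src."""
    return {port: fw.handle_syn(src, port) for port in ports}


# Constructed addresses from the RFC 5737 documentation ranges.
SCANNER = "203.0.113.50"
PARTNER_NET = "198.51.100.0/24"

public_smtp = Firewall([Pinhole(25)])                      # mail open to all
restricted_smtp = Firewall([Pinhole(25, (PARTNER_NET,))])  # mail for one net

if __name__ == "__main__":
    print(scan(public_smtp, SCANNER, [22, 25, 80]))
    print(scan(restricted_smtp, SCANNER, [22, 25, 80]))
    print(scan(restricted_smtp, "198.51.100.7", [25]))
```
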

unSpawn 02-18-2004 03:29 PM

I thought Chort, CC and me put up all sorts of text over time to show everyone "stealthing" isn't a security necessity and could hamper std ops as well?

ghight 02-18-2004 03:34 PM

You have. I'm reading the sticky as we speak. As with anything new, with the proper guidance, it all comes together eventually. I'm on my way.

Thanks.

unSpawn 02-18-2004 03:52 PM

Np, np.

ghight 02-19-2004 09:24 AM

Hey, since I've got you guys here, got another question for you. This damn Cayman is bugging the crap out of me. About every 36 hours or so, the darn thing slows to a crawl! I don't think it is related, but the logs show this:

Thu Feb 19 14:24:31 2004(UTC) L2 PPP: (pppoe/vcc1) sending c021 LCP_ECHO_REQUEST, id 1
Thu Feb 19 14:24:31 2004(UTC) L2 PPP: (pppoe/vcc1) received c021 LCP_ECHO_REPLY packet, id 1
Thu Feb 19 14:25:26 2004(UTC) L2 FFS: (SRD) File underrun, partial read 'CRASHDUMP'
Thu Feb 19 14:25:31 2004(UTC) L2 PPP: (pppoe/vcc1) sending c021 LCP_ECHO_REQUEST, id 2
Thu Feb 19 14:25:31 2004(UTC) L2 PPP: (pppoe/vcc1) received c021 LCP_ECHO_REPLY packet, id 2
Thu Feb 19 14:26:31 2004(UTC) L2 PPP: (pppoe/vcc1) sending c021 LCP_ECHO_REQUEST, id 3


It looks like the router is pinging something every 45 to 60 seconds. Is this normal for DSL or what's up? I never noticed this before the firmware upgrade either.
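
Added example, not part of any post in this thread: a small parser for the log format shown above that pairs PPP LCP echo requests with their replies by id (LCP Echo-Request/Echo-Reply is the PPP link keepalive from RFC 1661; c021 is the LCP protocol number), measures the spacing between requests, and separates out every other event. The function name and regular expressions are assumptions based only on the six lines quoted in the post.

```python
# Added illustration: triage of the router log excerpt quoted in the post.
import re
from datetime import datetime

# Log excerpt copied verbatim from the post above.
LOG = """\
Thu Feb 19 14:24:31 2004(UTC) L2 PPP: (pppoe/vcc1) sending c021 LCP_ECHO_REQUEST, id 1
Thu Feb 19 14:24:31 2004(UTC) L2 PPP: (pppoe/vcc1) received c021 LCP_ECHO_REPLY packet, id 1
Thu Feb 19 14:25:26 2004(UTC) L2 FFS: (SRD) File underrun, partial read 'CRASHDUMP'
Thu Feb 19 14:25:31 2004(UTC) L2 PPP: (pppoe/vcc1) sending c021 LCP_ECHO_REQUEST, id 2
Thu Feb 19 14:25:31 2004(UTC) L2 PPP: (pppoe/vcc1) received c021 LCP_ECHO_REPLY packet, id 2
Thu Feb 19 14:26:31 2004(UTC) L2 PPP: (pppoe/vcc1) sending c021 LCP_ECHO_REQUEST, id 3
"""

# timestamp, "(UTC)", level, subsystem, message
LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4})\(UTC\) L\d (?P<sub>\w+): (?P<msg>.*)$"
)
ECHO = re.compile(r"LCP_ECHO_(REQUEST|REPLY)(?: packet)?, id (\d+)")


def analyse(log: str) -> dict:
    """Pair keepalive requests/replies and collect all non-keepalive events."""
    requests, replies, other = {}, set(), []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the observed format
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        echo = ECHO.search(m["msg"])
        if m["sub"] == "PPP" and echo:
            if echo[1] == "REQUEST":
                requests[int(echo[2])] = ts
            else:
                replies.add(int(echo[2]))
        else:
            other.append((ts, m["sub"], m["msg"]))
    times = sorted(requests.values())
    intervals = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    # A request without a reply means a missed keepalive, unless (as with
    # id 3 here) the excerpt simply ends before the reply was logged.
    unanswered = sorted(set(requests) - replies)
    return {"intervals": intervals, "unanswered": unanswered, "other": other}


if __name__ == "__main__":
    print(analyse(LOG))
```
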

chort 02-19-2004 09:57 AM

I'd be more worried about the "CRASHDUMP". Better check your manual (if you were lucky enough to get one) and/or call tech support. The interesting thing is it looks like that is built on OpenBSD. FFS is OpenBSD's file system.

ghight 02-19-2004 10:05 AM

Well crap. The website doesn't say anything about it, and the tech support goes through SBC. We all know how that gets handled.

Those CRASHDUMPs happen every 5 to 15 minutes.


All times are GMT -5.