SPF won't stealth ports

CastleCops -> Sunbelt KerioPF

Author: MasterTB    Location: Argentina    Posted: Thu Oct 04, 2007 11:36 am    Post subject: SPF won't stealth ports

Hi, I'm using SPF and it's been a while since I tested it, but I have a tendency to go back to old habits. Yesterday I took a ride at Shields Up to see if my machine was well hidden behind SPF and, to my surprise, even when I had closed all the programs allowed to receive connections from the net (Warcraft and eMule), SPF had trouble letting go and the opened ports didn't show stealth; in fact they showed OPEN for a long time and then after that just CLOSED. What's most disturbing is that even after adding a rule to the packet filter to block all ICMP, it kept answering all those nasty pings with echo replies!!!
Anyone have a solution to that??

Author: Teknophyle    Location: Australia    Posted: Mon Oct 08, 2007 4:48 pm    Post subject: re: SPF won't stealth ports

Make sure your router is not blocking ping requests. My router does not have an option to forward these requests to my machine. But my router does have the "Discard Ping To WAN Interface" option, which I enable and now all my ports are stealthed.

With eMule and other incoming requests, check your router for any port forwarding rules covering these requests. You might want to try using UPnP in your router if it is supported.

Author: MasterTB    Posted: Mon Oct 08, 2007 5:12 pm    Post subject:

Thanks for the advice, but it's not the router that I'm testing; I put the firewall on the router's DMZ for the tests and ran a Shields Up scan for the ports I usually open with eMule. First the test was run with eMule open, then with it closed.
The firewall could not let go of eMule's status and kept showing the ports as open even 15 minutes after eMule was closed. I had to reboot to get the stealth status again.

Author: IP: 85.210.*.*    Posted: Mon Oct 08, 2007 10:16 pm    Post subject:

The GRC Shields Up isn't really an accurate measure of how secure you are; you could be fully stealthed but be terribly insecure. There is nothing wrong with allowing pings, it helps diagnose line faults etc. Don't read too much into GRC and its stealth report nonsense (plenty of articles available if you want to check on Google).

Author: Teknophyle    Location: Australia    Posted: Tue Oct 09, 2007 10:19 am    Post subject: SPF won't stealth ports

True. GRC does not test many other known exploits, but it does show if your ports are being stealthed or not, especially ping (ICMP Echo).

MasterTB, you can also check your stealth status at: http://www.pcflank.com/scanner1s.htm. I also tested my machine within the DMZ of my router, but no matter what I tried, my router will always reply to ping requests sent to my current external IP address. The only way for me to stealth that port was to make the router ignore the ping packets via "Discard Ping To WAN Interface" option in the Firewall/Intrusion settings. Check your router manual to see if you have a similar option or try creating a firewall rule to forward the ping to an unused internal IP address.

As for eMule (I use MorphXT ver 10.3), I checked if my ports were stealthed and they are. I have UPnP enabled on the router, in Windows and in eMule, and then use a static internal IP address to set the field "Bindaddr emule to interface" in eMule MorphXT Extended Options. This allows me to have a very HighID and be stealthed as well.

----My System----
Antivirus: NOD32 version: 2.70.39
Firewall: Customized Kerio based on version: 4.2.2
System Service: 4.2.2
User Interface: 4.2.2
Driver: 4.3.182
KFE API: 4.3.179
HIPS Driver: 4.3.182
BSODhook Status: Passed successfully!

Author: Teknophyle    Location: Australia    Posted: Tue Oct 09, 2007 11:11 am    Post subject: SPF won't stealth ports

Update! Just checked my uTorrent port (which is randomized each time) and the port was shown to be open using GRC. I think this is normal if you want incoming torrent connections. When I shut down uTorrent the port was stealthed instantly and my machine is still in the DMZ of my router, so Kerio is doing something right.

Also checked my eMule and have found the TCP port (which is also randomized) to be open when eMule is running (I think this is needed if you want a high ID). The UDP ports are always stealthed for some reason. This time the port was instantly closed (not stealthed) when eMule was shut down.

Looks like I will have to check what Comodo does with P2P ports sometime soon.

Author: MasterTB    Location: Argentina    Posted: Tue Oct 09, 2007 11:42 am    Post subject: Re: SPF won't stealth ports

Teknophyle wrote:
Update! Just checked my uTorrent port (which is randomized each time) and the port was shown to be open using GRC. I think this is normal if you want incoming torrent connections. When I shut down uTorrent the port was stealthed instantly and my machine is still in the DMZ of my router, so Kerio is doing something right.

Also checked my eMule and have found the TCP port (which is also randomized) to be open when eMule is running (I think this is needed if you want a high ID). The UDP ports are always stealthed for some reason. This time the port was instantly closed (not stealthed) when eMule was shut down.

Looks like I will have to check what Comodo does with P2P ports sometime soon.


Well, that "closed" status you see lasts until Kerio sees that eMule is closed, then it stealths the port. As for UDP, I also see them stealth no matter what; still I get a High ID, so no worries there.
Comodo does a good job with ports. But you have to understand that Comodo uses an application set of rules and a network set of rules, so you have to grant eMule access as an application and then open the ports on the network for it to work. Comodo will show TCP ports open when eMule is running and stealth when it's not, even when they are open in the network, BUT if any program (with internet access to accept connections on any port) tries to use the ports opened for eMule, then Comodo will let it because they are open on the network side; something to remember there. UDP ports are always shown stealth.
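The thread keeps separating three states a probe can report: open (the host accepts the connection), closed (the host answers but refuses) and stealth (nothing comes back because a firewall dropped the packet). The following is an added example, not code from the thread or from Sunbelt/Kerio or Comodo: a plain TCP connect check for verifying a machine you administer, with a loopback demonstration of the open-to-closed transition that Teknophyle saw when eMule shut down. The stealth outcome needs a packet-dropping firewall in the path, so the loopback demo cannot produce it; the function still classifies it.

```python
import socket

# Map the outcome of an ordinary TCP connect() to the three states a
# ShieldsUp-style report distinguishes:
#   "open"    - the host completed the handshake (something is listening)
#   "closed"  - the host sent a reset: it exists and is talking, nothing listens
#   "stealth" - no answer at all within the timeout (a firewall dropped the SYN);
#               nmap calls this state "filtered"
def probe_tcp(host, port, timeout=2.0):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "stealth"
    except OSError:
        # "host unreachable" and similar: nothing answered, so treat as stealth
        return "stealth"
    finally:
        s.close()


def probe_ports(host, ports, timeout=2.0):
    """Probe several ports and return {port: state}, e.g. for the p2p ports
    a firewall is supposed to hide once the application has exited."""
    return {p: probe_tcp(host, p, timeout) for p in ports}


def loopback_demo():
    """Constructed demo on 127.0.0.1: a listener is bound to an ephemeral
    port (probe reports 'open'), then closed (the same probe now reports
    'closed', because the kernel answers the SYN with a reset)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port)
    listener.close()
    after_close = probe_tcp("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print(loopback_demo())
```

A port that stays "open" after its application has exited, as the original poster describes, is the firewall still honouring a stale allow rule or a held connection table entry; re-running the probe after a short delay shows whether the state settles to closed or stealth.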

Author: IP: 85.210.*.*    Posted: Tue Oct 09, 2007 7:27 pm    Post subject:

Most of these online tests have one critical failure, and that is they are not accurate. At the end of the day, whichever firewall you have installed, you are probably going to pass its test, and if you don't pass it, then the test is probably useless anyway (such as GRC).

1) If it didn't pass, the firewall company would be releasing an update ASAP, and 2) the tests are very basic. I wouldn't read too much into any of them. Whether your ports are stealthed or closed makes little difference in the real world.

Author: IP: 69.72.*.*    Posted: Thu Dec 13, 2007 8:21 pm    Post subject: How do I stealth the ports that are open

I have the latest version of SPF and did a test with GRC and another site and the results were not good.

Results from GRC:

Solicited TCP Packets: RECEIVED (FAILED) — As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection. It is generally possible to increase your system's security by hiding it from the probes of potentially hostile hackers. Please see the details presented by the specific port links below, as well as the various resources on this site, and in our extremely helpful and active user community.


Port 1028 (Host): OPEN!
One or more unspecified Distributed COM (DCOM) services are opened by Windows. The exact port(s) opened can change, since queries to port 135 are used to determine which services are operating where. As is the rule for all exposed Internet services, you should arrange to close this port to external access so that potential current and future security or privacy exploits can not succeed against your system.

Port 1026 (Host): Closed
Your computer has responded that this port exists but is currently closed to connections.

Port 1026: Closed
Port 1028: Open
Port 1031: Closed
Port 1033: Open
Port 1043: Closed

HOW DO I STEALTH THESE PORTS USING SUNBELT PERSONAL FIREWALL?
SHOULD I ADD rules and if so which ones?

Author: Graham1    Posted: Mon Dec 17, 2007 4:27 pm    Post subject: Re: How do I stealth the ports that are open

Anonymous wrote:
HOW DO I STEALTH THESE PORTS USING SUNBELT PERSONAL FIREWALL?
SHOULD I ADD rules and if so which ones?


I'm having a wild guess here but I would say that you might have allowed access to KPF4's GUI (when prompted).

To test, delete any application or packet filter rules you might have for KPF4 and re-run the scan. When prompted, deny these connections and hopefully you've passed.

Author: Spy_Sentinel    Location: USA    Posted: Mon Dec 17, 2007 8:34 pm    Post subject:

Thanks Captain, you actually answered my question too; I was having the same problem as the Guest. I allowed access to the Kerio GUI, I set them all to Allow Internet and Trusted. Thanks! And Guest, I hope this helps you too.

Author: Graham1    Posted: Mon Dec 17, 2007 8:50 pm    Post subject:

Spy_Sentinel wrote:
Thanks Captain, you actually answered my question too; I was having the same problem as the Guest. I allowed access to the Kerio GUI, I set them all to Allow Internet and Trusted. Thanks! And Guest, I hope this helps you too.


You're welcome. It's also safe to block traffic to/from SPF4's GUI, as any communication required by SPF is hard coded into the firewall.

Author: Spy_Sentinel    Location: USA    Posted: Tue Dec 18, 2007 12:48 am    Post subject:

I actually had to uninstall Sunbelt because it was slowing my system down. I installed ZoneAlarm. But thanks for your help!
