2.1 Failing the GRC firewall test

kejianshi

I actually believe those results could be true.

Post an IP.  I can scan it from here.  I'm sure a few of us could confirm if the results are good or not.

Harvy66

@kejianshi:

My thoughts exactly.  uPNP may be forwarding  (opening) ports you have not thought about.

This is why I put int an explicit block on ports 1-1023. I don't want any pesky uPNP trying to do strange things.

The biggest issue isn't uPNP, it's that I need to use NAT in the first place. Many games need to listen on ports, but because you can't have multiple clients all using the same ports, you can't know which ports will be used ahead of time. If port opening needs to be dynamically controlled by the client, how else does one handle this?

My main concern isn't what my clients are trying to do, it's what the public Internet is trying to do to my clients. As long as standard service ports are not opened, I'm content. Home install, I'm not a network admin.

johnpoz

No the issue is how UPnP is implemented without any security/auth that allows something to be opened, and ease of control of what that device can open, etc.  Most home routers give you no control at all.

Not sure what your blocking - but inbound from the wan has all ports block out of the gate.  Where are you creating this 1-1023 block?

While its true many ports need to listen on port - they sure shouldn't be < than 1023..  Where in the list of ports are there any games that have these ports registered?

http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt

I don't see any games?  No game that I could think of should be listening on a PRIVILEGED port that is for sure..

There is a SHIT load of ports to be used - how many games are you running that it should ever overlap, and people that design a game that is played over the internet and don't take into account the ability to control which ports are used are just not thinking if you ask me!!

I have never ran into such a game.  All the issues go away soon with NAT you can hope as IPv6 is here - With lots of IPs to play with that removes the need of nat completely.  These games still do not need to listen on ports < 1023..  So from his listing 416 to 557 are OPEN..  Why would something open such a big range privileged..  If we look up those ports.

example
nnsp                433        tcp    NNSP

This is port used for bulk transfers of NNTP between servers..  Why would some GAME use that port?  And since its under 1023 should require elveated permissions to even listen on that port, etc.

If I ran across a scan showing such results - the first thing I would do is run the scan again while sniffing on wan and validate for starters that scan is actually hitting my IP and that responses are leaving my interface because its so out there it is highly unlikely there is anything actually listening on all those ports to have it show "OPEN"

kejianshi

When you put in your block rules, are you rejecting with some message or dropping packets silently?

Harvy66

@kejianshi:

When you put in your block rules, are you rejecting with some message or dropping packets silently?

Always drop, not reject.

kejianshi

Yep - Thats why I'm asking.

Supermule

80.197.155.13

@kejianshi:

I actually believe those results could be true.

Post an IP.  I can scan it from here.  I'm sure a few of us could confirm if the results are good or not.

Harvy66

@johnpoz:

No the issue is how UPnP is implemented without any security/auth that allows something to be opened, and ease of control of what that device can open, etc.  Most home routers give you no control at all.

Not sure what your blocking - but inbound from the wan has all ports block out of the gate.  Where are you creating this 1-1023 block?

While its true many ports need to listen on port - they sure shouldn't be < than 1023..  Where in the list of ports are there any games that have these ports registered?

http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt

I don't see any games?  No game that I could think of should be listening on a PRIVILEGED port that is for sure..

There is a SHIT load of ports to be used - how many games are you running that it should ever overlap, and people that design a game that is played over the internet and don't take into account the ability to control which ports are used are just not thinking if you ask me!!

I have never ran into such a game.  All the issues go away soon with NAT you can hope as IPv6 is here - With lots of IPs to play with that removes the need of nat completely.  These games still do not need to listen on ports < 1023..  So from his listing 416 to 557 are OPEN..  Why would something open such a big range privileged..  If we look up those ports.

example
nnsp                433        tcp    NNSP

This is port used for bulk transfers of NNTP between servers..  Why would some GAME use that port?  And since its under 1023 should require elveated permissions to even listen on that port, etc.

If I ran across a scan showing such results - the first thing I would do is run the scan again while sniffing on wan and validate for starters that scan is actually hitting my IP and that responses are leaving my interface because its so out there it is highly unlikely there is anything actually listening on all those ports to have it show "OPEN"

"Where are you creating this 1-1023 block?"
On the WAN interface. I assume the firewall rules take precedence over the uPNP, but I could be wrong. If I am wrong, then uPNP could effectively bypass the firewall in an uncontrollable way.

"I don't see any games?"
I never said any games use those ports. Me blocking service ports only has to do with being paranoid about uPNP, assuming the block actually works against uPNP.

"There is a SHIT load of ports to be used - how many games are you running that it should ever overlap"
Running the same game on two different computers will run you into trouble if the game requires a specific port to be forwarded. How can you forward the same port to two different computers, especially if the same two computers are trying to communicate with the same servers? You can't. Many of these games require uPNP in order to use non-standard ports. Not to mention micromanaging port forwarding and messing with game configurations when you friends come over is a huge headache. Assuming the games even give you the option to manually change your ports. Most dynamically choose a port at run time, and if that port isn't being forwarded, you can't play.

kejianshi

Supermule - Running a scan - Although, seems more likely thats your server…

Its abit slow.  Taking its time.

Supermule

:D Its my homenetwork guarded by pfSense and some other gimmicks :D

Supermule

Is 77.66.122.109 your IP?

@kejianshi:

Supermule - Running a scan - Although, seems more likely thats your server…

Its abit slow.  Taking its time.

kejianshi

Yeah - I'm into your porn now…  (kidding)
Still running.  I'll post the results, although I'm sure the results will be next to nothing.

Supermule

Are you located in Copenhagen or just hooking up on some VPN??

IP address: 77.66.122.109
Reverse DNS: No Reverse DNS found
Reverse DNS Authenticity: Unknown
ISP: Netgroup A/s
Country: Denmark Denmark
CountryCode: DK
Region: Hovedstaden
City: Copenhagen
Private IP: No

kejianshi

I'm in Manilla…
That VM is running on a machine is in a rack in Copenhagen. 
I did use a VPN to access the desktop and kick off the scan, but I'm not in the desktop right now.
Looks like it will take about another 20 minutes.  Abit like watching paint dry.
I'll check it again in 20.

kejianshi

All scanned port filtered.  Also doesn't respond to ping.

In other words, less than nothing.

I only scanned 2000 ports.

Supermule

Thanks dude. :)

Derelict

2.1.5 Cox Las Vegas.

–--------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2014-10-20 at 18:41:47

Results from scan of ports: 0-1055

    0 Ports Open
    0 Ports Closed
 1056 Ports Stealth
---------------------
 1056 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: FAILED - ALL tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - A PING REPLY (ICMP Echo) WAS RECEIVED.

----------------------------------------------------------------------

johnpoz

"Most dynamically choose a port at run time, and if that port isn't being forwarded, you can't play."

What game is this - that is moronic way to do it..

"How can you forward the same port to two different computers,"

I never said you could, that is why game on computer A uses port X, game on computer B uses port Y, etc.  You seem to completely miss the point, as to your block on WAN??  There is already a BLOCK for ANY, unless you allow it its block.. Putting in another block is pointless!!  And yes UPnP would create an allow rule – which is the issue with it in the first place!

stephenw10

Hmm, this is unclear to me. Adding a block rule is not the same as there being no allow rule.
Where, logically, in the chain of rules does the upnp added rule appear?

Steve

Texnet

Hi All,

Thanks for your replies.  I have checked the rules i have in place and these are just TCP only not UDP.  There are no rules set for the ports that state open the GRC test states there is 640 Ports Open i know i do not have rules for these.  I have disabled UDP on the BT business hub as an extra measure and run the test again but this made no difference.  I have attached our current rules applied.  I am wondering if it is in fact the BT business hub that is responding not the firewall as if i turn on the firewall on the business hub we get true stealth?

Thanks