I've installed this fine software on my home network and am very pleased with the ease of installation and especially the documentation. My firewall box masq's a private net via dialup modem. Configuration is almost exactly as described in the two-interface example.

My question regards the result of an "internet test scan" that I found via google search... when I run the "Stealth Scan" at:

http://scan.sygate.com/stealthscan.html

...it reports ports 80, 110, 113, 139, 443, 445, 1080, 8080 as being "closed, but not stealthed, and therefore possibly vulnerable to a TCP/IP stack vulnerability, even though no service is running on the port" (I'm paraphrasing the actual message).

This is a redhat linux 8.0 box, kept up2date.

Just out of curiosity, should these ports be showing up stealthed or not? If so, any ideas on how I can figure out what's going on? I'm thinking I'd like to stealth these remaining ports.

Thanks,
john
On Tue, 7 Jan 2003, John McBride wrote:

> Just out of curiosity, should these ports be showing up stealthed or
> not? If so, any ideas on how I can figure out what's going on? I'm
> thinking I'd like to stealth these remaining ports.

Depends on your policy/rules. REJECT gets you non-stealth. DROP gets you stealth.

Ed
-- 
http://www.shorewall.net/ for all your firewall needs
http://www.greshko.com
Hi John,

Recently I requested much the same info. Perhaps this will help.

Cheers.

***********************************************************************************
I have shorewall up and running on my system. (GNU-Linux Mandrake 9)

When I tested my firewall at grc.com, Shields-Up informs me that ports 113 and 135 are closed and not 'stealthed'.

When reading the faq on the Shorewall site I saw that shorewall rejects rather than denies connection requests on 'TCP ports 113, 135, 137 and 139 as well as UDP ports 137-139'.

The file /etc/shorewall/common.def advises me not to edit the file but rather to create a new one.

Can anyone give me an idea on how to do this so that the above ports deny request attempts?

I guess this must be a fairly common question on the list, but a search yielded nothing at the mailing list archive.

Thanks for any help.

Mark Cheney.
***********************************************************************************
Reply from Vincent Bernat:

You mean "drop"? Depending on your policy, I think an empty file will just do the trick.
************************************************************************************
Reply from Tom Eastep:

a) create the new /etc/shorewall/common file.
b) copy the relevant rules from common.def to common
c) change the target in the rules from 'reject' to DROP
d) make the last line in the file ". /etc/shorewall/common.def"

Make a note to yourself to not come whining to the list when you can't connect to many FTP sites.
************************************************************************************
So far I've had no connection troubles, and all ports appear to be 'stealthed'.

Good Luck.

Mark Cheney.
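A shell function that carries out Tom Eastep's four steps above, added here as an example (not Shorewall's own code, and not from anyone on the list). The common.def content in the demo is constructed, and the "run_iptables ... --dport N -j reject" line format is an assumption about that file; ports you do not list (113 here) keep their reject rule because common.def is sourced last.

```shell
#!/bin/sh
# build_common SRC DEST "PORT ..."
# Steps: (a) create a fresh common file, (b) copy the relevant rules from
# common.def, (c) change their target from reject to DROP, (d) source
# common.def as the last line. Ports not listed keep the reject rule from
# common.def. Assumption: common.def rules look like
#   run_iptables -A common -p tcp --dport 135 -j reject
build_common() {
    src=$1; dest=$2; ports=$3
    : > "$dest"                                          # step a
    for p in $ports; do
        # steps b and c: every rule for this port, rewritten to DROP
        grep -e "--dport $p -j reject" "$src" \
            | sed 's/-j reject$/-j DROP/' >> "$dest"
    done
    printf '. %s\n' "$src" >> "$dest"                    # step d
}

# Demo on a constructed common.def in a scratch directory (sample content,
# not the real Shorewall file). Prints the generated common file.
demo_common() {
    dir=$(mktemp -d)
    cat > "$dir/common.def" <<'EOF'
run_iptables -A common -p tcp --dport 113 -j reject
run_iptables -A common -p tcp --dport 135 -j reject
run_iptables -A common -p tcp --dport 137:139 -j reject
run_iptables -A common -p udp --dport 137:139 -j reject
EOF
    build_common "$dir/common.def" "$dir/common" "135 137:139"
    cat "$dir/common"
}
```

Running `demo_common` shows three DROP rules (tcp 135, tcp and udp 137:139) followed by the line that sources common.def, so 113 is still answered with a reject.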
OoO In the nascent dawn of Wednesday 08 January 2003, at about 07:05, John McBride <jmcbride@ccis.com> said:

> http://scan.sygate.com/stealthscan.html
> ...it reports ports 80,110,113,139,443,445,1080,8080 as being "closed,
> but not stealthed, and therefore possibly vulnerable to a TCP/IP stack
> vulnerability, even though no service is running on the port" (I'm
> paraphrasing the actual message)

When stealthed, packets are just dropped and so don't get into the TCP/IP stack. One of the advantages of such a thing is that the attacker has to wait for a timeout: port scans are then much slower.

When closed, a TCP RST or an ICMP port unreachable is sent. This is the normal behavior to state that no service is available on this port. It is the "clean" way, but port scans are then very fast.

With Linux, I don't think that we could choose between the two approaches against an IP stack vulnerability (this is improbable).

I prefer the second approach because you don't reveal you have a firewall. You just say "I have no service running" and the possible hacker just tries another machine. If ports are stealthed, I say "I have something to hide and a firewall to protect it", and the hacker may continue to try to enter my machine. Moreover, I see stealthed ports as security by obscurity.

But there are many arguments to prefer the first approach too (slow port scan, adding a layer of obscurity is not bad, saying to the attacker that I have a firewall may dissuade him if he is interested in a "hop" machine, etc). This is a common question with no universal answer. :)
-- 
BOFH excuse #204: Just pick up the phone and give modem connect sounds. "Well you said we should get more lines so we don't have voice lines."
Instead of editing common.def, just add to your rules file something like this:

    DROP    net    fw    tcp    135,137,139
    DROP    net    fw    udp    137:139

Tom recommends leaving 113 (auth) as reject, so I believe him. See faq #4 at http://www.shorewall.net/FAQ.htm#faq4.

Online scanners like you refer to will list ports set to "REJECT" as "Closed", and ports set to "DROP" as "Stealth".

Sincerely,
Jim Hubbard

   .--.
  |o_o |
  |:_/ |
 //   \ \
(|     | )
/'\_   _/`\
\___)=(___/

Rockingham County Linux Users Group
www.rock.lug.net
____________________________________

> -----Original Message-----
> From: shorewall-users-bounces@shorewall.net
> [mailto:shorewall-users-bounces@shorewall.net]On Behalf Of Mark Cheney
> Sent: Thursday, January 09, 2003 12:16 AM
> To: shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] some ports not stealthed?
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://mail.shorewall.net/mailman/listinfo/shorewall-users