# Is it better to run with ports stealthed vs just closed??

## carlos123

I have been discussing some things on the mailing list of my hardware firewall (Smoothwall) and I was hoping to get some additional input from anyone on this forum that might know something about this stuff.  

First here is my setup.  I have two computers (one Linux, one Windows) hooked up through a hub which in turn is hooked up to a third computer dedicated to being a firewall, with the Smoothwall firewall running on it.  The firewall is connected out to the Internet. 

It seems, from what others have told me, that it is impossible to get to my internal computers (behind my firewall) from the Internet since they have IPs of the 192.168.xxx.xxx kind.  And no Internet router anywhere is going to route packets destined to such an IP since this IP range is reserved for private networks.  

This much makes sense.  

I have also been told that in order to get to my computer an attacker would have to take over my firewall computer so as to enlist its resources to reach out further into my local network.  

This too makes sense though it does imply that yes, an attacker could get to my computers by going through my firewall.  As to how difficult that would be I don't know.  Supposedly Smoothwall has never been breached or compromised.  

The Smoothwall firewall appears to be a real good one but one thing I noticed when running some tests on it is that it reports ports 113 IDENT and 5000 as being closed.  When I was running ZoneAlarm under Windows all ports were reported as being stealthed or undetectable from off the Internet.  

Aside from whether running a firewall in stealth mode is according to standards or not is there any real practical benefit to having all of one's ports be seen as stealthed??

I have heard some pros and cons to this and am still not completely certain whether running in stealth mode is worth the hassle of setup.  www.grc.com implies that all ports should be stealthed.  Some on the Smoothwall list call www.grc.com virtually useless and useful only to inexperienced persons  :Smile: .  I'm not sure I agree with that.  

Does anyone here have some intelligent reasons as to why one is better or no better than the other?  In terms of running a firewall with all ports in stealth mode or leaving some as closed?  

I am already aware of the idea that stealthed ports don't report themselves as being there to port scanners making it unlikely that anyone will focus on a computer that doesn't even appear to be there.  Whereas closed ports are detectable making it more likely that someone will start more intensely scanning or probing for holes.  

Any thoughts on any of this would be appreciated.  

Thanks.  

Carlos 

PS.  I found the Smoothwall list to get a bit defensive at even a question regarding its operation so I thought I would ask in this forum where there is less likely to be someone with an emotional and vested interest in defending Smoothwall.

----------

## Johnywho

Don't worry about your smoothwall box, it is a fine firewall which will keep  intruders out of your network.

About the ports stealth or closed, probably stealth is better for most ports. An attacker would have much more difficulty scanning your ports if they are stealthed than closed, but all ports closed also means "no way in", so it is probably just as safe.

For port 113 grc.com explains why it is safe to have this one closed instead of stealth http://grc.com/faq-shieldsup.htm#IDENT

Port 5000 is the UPnP port which is a windows feature  :Smile:  and you should not be alarmed to see it closed on your linux box. 

If you keep your smoothwall box updated it is a pretty good firewall, which does its job of firewalling and routing.

As for the smoothwall mailing list it is indeed not very supported, that is why a couple of years ago some started IPCop, a Smoothwall fork, which keeps developing under the GPL. If you want to tweak your box or just want more support you should take a look at it, http://www.ipcop.org

----------

## darktux

It's _impossible_ to get a port 100% stealth, there are always SYN scans, so just close them..

----------

## carlos123

Thanks to both of you!  Great tip on that ipcop site Johnywho.  

By the way darktux, I am dying of curiosity...is that your real picture on your Avatar??  You look awfully young.  Not that this makes your input any less valuable only a bit surprising coming from someone so young (if indeed that is you).  

Carlos

----------

## darktux

Yep, that's me!   :Wink:   (about 9 years younger)   :Rolling Eyes: 

I am now twenty   :Cool: 

----------

## carlos123

For a minute there darktux I thought you were one of those boy geniuses hanging around a Gentoo forum  :Smile: .  

Just a follow up on the link to ipcop.org that you gave me Johnywho.  Boy oh boy did that link ever lead me into a hornets nest!!  Between two open source projects duking it out.  I looked up a discussion on slashdot and then read through a bunch of newsgroup posts.  

While I may continue using Smoothwall for myself (too much of a hassle to reinstall a different firewall like IPCop) I will probably encourage customers to use IPCop in the future.  Thanks, doubly so, for having told me about IPCop!  

Carlos

----------

## Crg

 *darktux wrote:*   

> It's _impossible_ to get a port 100% stealth, there are always SYN scans, so just close them..

 

It is _possible_ to get a port 100% stealth.

----------

## Crg

 *carlos123 wrote:*   

> The Smoothwall firewall appears to be a real good one but one thing I noticed when running some tests on it is that it reports ports 113 IDENT and 5000 as being closed.

 

In theory it would be better to have these ports stealthed as well, in reality though who cares  :Smile:   The security risk of having these ports reporting themselves as closed instead of not sending any replies back whatsoever is extremely minimal, the only risk I can think of is that it enables someone to identify what firewall you are running easier.

----------

## elzbal

 *darktux wrote:*   

> It's _impossible_ to get a port 100% stealth, there are always SYN scans, so just close them..

 

I don't know much about the Smoothwall product in particular, but many firewalls support stateful inspection of packets. If Smoothwall does, you will be able to avoid SYN and FIN scans (2 popular scans to gather information from the other side of firewalls). Since the firewall does NAT, it is likely to support state-keeping.

If it was my firewall, I would prefer to have all ports return the same information (closed or dropped). Otherwise, an attacker may be able to identify the firewall by the port signature (i.e. 113 and 5000 closed, all else dropped). In the unlikely event that an exploit does come out for the Smoothwall product, I'm sure you would rather that people were unable to identify your firewall as a Smoothwall.

I would probably choose to have all packets dropped rather than closed, because it provides a bit more annoyance to any potential hacker - his full port scans will take a lot longer because he will have to wait for the packet timeout on his own machine. On the other hand, if you drop all packets rather than return them as 'closed', a potential attacker will know that there is a firewall at that location, which may be more information than you want him to have.

----------

## Crg

 *elzbal wrote:*   

>  *darktux wrote:*   It's _impossible_ to get a port 100% stealth, there are always SYN scans, so just close them.. 
> 
> I don't know much about the Smoothwall product in particular, but many firewalls support stateful inspection of packets.

 

Smoothwall 1 uses linux kernel 2.2 (ipchains - nonstateful), Smoothwall 2 uses linux kernel 2.4 (iptables - stateful)

 *Quote:*   

> If Smoothwall does, you will be able to avoid SYN and FIN scans (2 popular scans to gather information from the other side of firewalls).

 

You can configure both ipchains & iptables to drop all packets properly (SYN/XMAS/NULL etc.); it doesn't have anything to do with being stateful or not..

 *Quote:*   

> On the other hand, if you drop all packets rather than return them as 'closed', a potential attacker will know that there is a firewall at that location, which may be more information than you want him to have.

 

If you are dropping all packets then it will look like there is no machine using that ip.  He'll be able to deduce there is a firewall at that ip *if* he actually sees packets coming from that ip address, ie network sniffer, but isn't able to get a response himself.

Having some ports closed and some stealthed gives back information that there *is* a firewall somewhere, as some packets are returned for the closed ports, but filtered for others.  Also as mentioned earlier it gives one the ability to fingerprint the firewall/os at the ip more accurately.
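To make the difference between "closed", "rejected" and "dropped" concrete, here is an added Python model (not Smoothwall's, IPCop's or any poster's code) of what a SYN scanner receives under each policy and what it can infer from a whole scan; the port numbers and rulesets are constructed for illustration.

```python
from collections import Counter
from enum import Enum

class Policy(Enum):
    OPEN = "open"      # a service answers SYN/ACK
    CLOSED = "closed"  # nothing listens; the host itself answers TCP RST
    REJECT = "reject"  # firewall answers ICMP port-unreachable
    DROP = "drop"      # firewall discards the SYN silently ("stealth")

# Reply the scanner receives for one SYN under each policy (constructed model)
REPLY = {Policy.OPEN: "tcp-syn-ack", Policy.CLOSED: "tcp-rst",
         Policy.REJECT: "icmp-port-unreachable", Policy.DROP: None}

def scanner_state(reply):
    """Label a SYN scanner assigns from the reply, in nmap's terms:
    no reply and an ICMP unreachable are both reported as 'filtered'."""
    if reply == "tcp-syn-ack":
        return "open"
    if reply == "tcp-rst":
        return "closed"
    return "filtered"

def scan(ruleset, default, ports):
    """Simulate a SYN scan. ruleset maps port -> Policy; unlisted ports get
    the default policy. Returns {port: (reply, state)}."""
    results = {}
    for port in ports:
        reply = REPLY[ruleset.get(port, default)]
        results[port] = (reply, scanner_state(reply))
    return results

def host_detected(results):
    """Any reply at all proves a live host; a uniform DROP policy is
    indistinguishable from an unused address."""
    return any(reply is not None for reply, _ in results.values())

def firewall_detected(results):
    """'filtered' next to 'closed'/'open' shows selective filtering; an ICMP
    unreachable for TCP also shows a filter, as a bare host would send RST."""
    states = {state for _, state in results.values()}
    replies = {reply for reply, _ in results.values()}
    mixed = "filtered" in states and len(states) > 1
    return mixed or "icmp-port-unreachable" in replies

def signature(results):
    """Ports whose state differs from the majority: the 'port signature'
    (e.g. 113 and 5000 closed, all else dropped) usable for fingerprinting."""
    if not results:
        return []
    common = Counter(s for _, s in results.values()).most_common(1)[0][0]
    return sorted(p for p, (_, s) in results.items() if s != common)
```

Running the Smoothwall-like ruleset (113 and 5000 closed, everything else dropped) through `scan` yields a signature of exactly those two ports, while a uniform DROP ruleset yields no host, no firewall and an empty signature.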

----------

## darktux

There's no such thing as full stealthness.... RESISTANCE IS FUTILE

----------

## nikai

 *Crg wrote:*   

> If you are dropping all packets then it will look there is no machine using that ip. 

 

No, that's not true. Think about it. What would happen if there *really* is no one with your IP?

Exactly. There would be a DNS error message going back that the IP does not exist.

No answer means someone is dropping packets.

"Stealth ports" is just a buzzword made up by people who want to sell products.

Here are some nice thoughts about "drop vs. reject": <http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject>

----------

## joycea

 *nikai wrote:*   

> Exactly. There would be a DNS error message going back that the IP does not exist.
> 
> No answer means someone is dropping packets.
> ...

 

I may not be an expert on this, but why would you get a DNS error?  Try punching in ping 10.3.2.4 (or any other unroutable address that you don't have locally).  You should find that there is no response, not a DNS error.  That does not even involve a DNS query...

Stealthing a port would give no indication that anything is there and there certainly should be no DNS errors.

You seem to be confusing IP addresses and DNS addresses.

----------

## Crg

 *nikai wrote:*   

>  *Crg wrote:*   If you are dropping all packets then it will look there is no machine using that ip.  
> 
> No, that's not true. Think about it. What would happen if there *really* is no one with your IP?

 

I'm not the one that needs to think about this.  What would happen if no one really has an ip?  There would be no reply would there.

Now what would happen if a machine is setup to use that ip on its interface but drop all packets? There would be no reply either would there?

So the difference between no reply and no reply is?....

 *Quote:*   

> Exactly. There would be a DNS error message going back that the IP does not exist.

 

That is incorrect.  IP != DNS.

 *Quote:*   

> "Stealth ports" is just a buzzword made up by people who want to sell products.

 

Stealth ports is just another way of saying all packets to that port are dropped with no reply.

----------

## darktux

Well, then use iptables and REJECT with Icmp-port-unreachable, which does exactly what you're saying, then do a nmap -sS scan, and tell me what do you see....

LOOK MOM! PORTS!   :Twisted Evil: 

----------

## Crg

 *darktux wrote:*   

> Well, then use iptables and REJECT with Icmp-port-unreachable, which does exactly what you're saying, then do a nmap -sS scan, and tell me what do you see....
> 
> LOOK MOM! PORTS!  

 

Didn't see anyone who was talking about REJECT with icmp-port-unreachable or anything even similar.

----------

## darktux

 *Crg wrote:*   

>  *darktux wrote:*   Well, then use iptables and REJECT with Icmp-port-unreachable, which does exactly what you're saying, then do a nmap -sS scan, and tell me what do you see....
> 
> LOOK MOM! PORTS!   
> 
> Didn't see anyone who was talking about REJECT with icmp-port-unreachable or anything even similar.

 

Then tell me how do you achieve 'stealthness'. What do you think those iptables based firewalls do? MAGIC? jiz..

----------

## Crg

 *darktux wrote:*   

>  *Crg wrote:*    *darktux wrote:*   Well, then use iptables and REJECT with Icmp-port-unreachable, which does exactly what you're saying, then do a nmap -sS scan, and tell me what do you see....
> 
> LOOK MOM! PORTS!   
> 
> Didn't see anyone who was talking about REJECT with icmp-port-unreachable or anything even similar. 
> ...

 

sure:

```
# Drop all..
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -F
# Don't decrement TTL through firewall
iptables -A PREROUTING -t mangle -m ttl --ttl-lt 255 -j TTL --ttl-inc 1
# Add rules to allow traffic here to the FORWARD interface only.
# If you *must* use the REJECT target use "REJECT --fake-source x.x.x.x"
# where x.x.x.x is the ip address of your upstream router.
iptables -A FORWARD ...
```

 *Quote:*   

> What do you think those iptables based firewalls do? MAGIC? jiz..

 

I think iptables based firewalls use the netfilter/iptables subsystem included in linux kernels 2.4/2.5, which adds the functionality to linux kernels to do stateless and stateful packet filtering, various forms of NAT, and packet mangling.

Let me quote from myself just a few post back as you must have missed it.

 *Quote:*   

> Stealth ports is just another way of saying all packets to that port are dropped with no reply.

 

DROP != REJECT.

----------

## Crg

 *Crg wrote:*   

>  *darktux wrote:*    *Crg wrote:*    *darktux wrote:*   Well, then use iptables and REJECT with Icmp-port-unreachable, which does exactly what you're saying, then do a nmap -sS scan, and tell me what do you see....
> 
> LOOK MOM! PORTS!   
> 
> Didn't see anyone who was talking about REJECT with icmp-port-unreachable or anything even similar. 
> ...

 

----------

## viperlin

I'm sorry but I just got the PS2 BB kit, I have net access but I need a little info

using smoothwall is there a way to specify a range of ports:

UDP  6000-6999

TCP   10070-10080

I can't seem to find the instructions for forwarding a range of ports, I think it may be only the corporate Smoothwall that does this.

Smoothwall GPL 1.0

----------

