"stealth" and "closed" a shown on grc / port 5001

"stealth" and "closed" a shown on grc / port 5001

Post by andre » Sat, 01 Jun 2002 06:58:07



I use firestarter on a linux machine which hooks up
to the internet via pppd on an adsl link, and I have a win98
laptop as a samba / login client into this, which can
also surf the net using firestarters port forwarding / DNS, etc.

When I finally got the whole thing set up right the first time (a year ago
or so) and went
to www.grc.com to get a security "check-up", all the ports
grc scanned came up very nicely as "stealth". Now however,
I'm not sure what I did (maybe manually messed around with
some of the firestarters/IP-tables type rules at some stage),
but grc now shows all ports as "closed", except for the netbios (137 or
139 ? ... I forget) port that samba affects ... which it shows as "open" !
although no information is available through it. if however, smbd is killed,
137 shows up as "closed", along with everything else.

It may seem safe enough, but my question is: is there any way to get the
clean "stealth bill of health" back again on grc's "test your shields" ?
Perhaps flushing all iptables rules and restarting firestarter ? How do
you do that ?

<added fact which may or may not be of interest: i could achieve
total "stealth" when the rh-linux version was 7 (or 7.1 i can't remember),
whilst i am now on 7.2, wherein all ports show up as "closed">

Also, could anyone advise me on this: assuming I wish to continue
using firestarter on the linux router/gateway to the internet, how can
I open port 5001 on this machine in order to be able to use yahoo
messenger with a * on the client win98 machine ?

is this another case of combining iptables and firestarter in some
fashion ? because frankly, i don't see any way of opening port
5001 using firestarter ! Otherwise, I have no complaints:
Firestarter successfully forwards absolutely ALL packets
to the win98 client (icq, yahoo messenger, email, ftp, etc) - all
I need to be able to do now is use a * !

thanks for any tips.

Andrei

 
 
 

"stealth" and "closed" a shown on grc / port 5001

Post by Andreas Thala » Sat, 01 Jun 2002 18:59:41



>I use firestarter on a linux machine which hooks up
>to the internet via pppd on an adsl link, and I have a win98
>laptop as a samba / login client into this, which can
>also surf the net using firestarters port forwarding / DNS, etc.

I dont know firestarter so I cant say much about it, but...

[...]

Quote:>but grc now shows all ports as "closed", except for the netbios (137 or
>139 ? ... I forget) port that samba affects ... which it shows as "open" !
>although no information is available through it. if however, smbd is killed,
>137 shows up as "closed", along with everything else.

If smb/nmb is open to the world you should either:

- configure smb/nmbd to listen only to your internal NIC
- drop/reject tcp+udp 137-139 comming from the internet

Quote:>It may seem safe enough, but my question is: is there any way to get the
>clean "stealth bill of health" back again on grc's "test your shields" ?
>Perhaps flushing all iptables rules and restarting firestarter ? How do
>you do that ?

AFAIK "grc.com" reports a port/service as "stealth" if your FW
denies/drops the packet and "closed" if it is rejected by the firewall
or no service is running on that port and your gateway sends back the
proper icmp packet.

[...]

HTH
Andreas