firewall test... reason for worries?

Piet Roorda

5 Mar 2002 5 Mar '02

21:55

I have installed suse firewall 1&2 (suse 7.3) with masquerading other computer was shut off, and did a firewall test at www.grc.com my user name (they think), computername & workgroupname traceble the port testing result: port 113 ident: closed port 5000 Upnp: closed should this be avoided, and if yes, How? piet roorda

Show replies by date

jaakko tamminen

5 Mar 5 Mar

21:49

New subject: [SLE] firewall test... reason for worries?

Hi No worries... I have found that in my servers the default settings of SuSEfirewall are quite good. The main thing is to follow news that if there is some security issues with services that You have open to outside (ftp, http, ssh, pop, smtp etc..). If You don't use them, then disable those from inetd.conf and other places. Don't keep any unconfigured services! Others may disagree with me, but SuSEfirewall is "good enough" protection in the beginning.. Later on when You get more into Linux, You can write Your own iptables-script, and have everything as You like them to be. Jaska. Viestissä Tiistai 05 Maaliskuu 2002 23:55, Piet Roorda kirjoitti:

...

I have installed suse firewall 1&2 (suse 7.3) with masquerading other computer was shut off, and did a firewall test at www.grc.com my user name (they think), computername & workgroupname traceble the port testing result: port 113 ident: closed port 5000 Upnp: closed

should this be avoided, and if yes, How?

piet roorda

zentara

23:08

New subject: [SLE] firewall test... reason for worries?

On Tue, 05 Mar 2002 22:55:05 +0100 Piet Roorda wrote:

...

I have installed suse firewall 1&2 (suse 7.3) with masquerading other computer was shut off, and did a firewall test at www.grc.com my user name (they think), computername & workgroupname traceble the port testing result: port 113 ident: closed port 5000 Upnp: closed

You are closed up, so no problems. It's just that those ports are having their packets "returned" instead of "dropped" into oblivion. The only way the scanner can tell you are "closed on a port" is if the firewall returns the packet. If the firewall drops the packet, the scanner dosn't know if you are online or not, it just waits forever for a response. If you read the /sbin/SuSEFirewall2 script, it explains that port 113 is used as identification for some email servers and instead of "dropping" the packets, it's preferrable to "return" them, so they at least know your ip address is online. You can comment those lines out if you wish, and your port 113 will be "stealth"....not responding. Most dialup users can do this. For port 5000, edit the /etc/rc.config.d/firewall2.rc.config file. Set the following: FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data" FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain time ntp" Then go back and run the test at grc.com -- $|=1;while(1){print pack("h*",'75861647f302d4560275f6272797f3');sleep(1); for(1..16){for(8,32,8,7){print chr($_);}select(undef,undef,undef,.05);}}

Piet Roorda

6 Mar 6 Mar

03:50

New subject: [SLE] firewall test... reason for worries?

zentara wrote:

...

On Tue, 05 Mar 2002 22:55:05 +0100 Piet Roorda wrote:

...
I have installed suse firewall 1&2 (suse 7.3) with masquerading other computer was shut off, and did a firewall test at www.grc.com my user name (they think), computername & workgroupname traceble the port testing result: port 113 ident: closed port 5000 Upnp: closed

You are closed up, so no problems. It's just that those ports are having their packets "returned" instead of "dropped" into oblivion. The only way the scanner can tell you are "closed on a port" is if the firewall returns the packet. If the firewall drops the packet, the scanner dosn't know if you are online or not, it just waits forever for a response.

If you read the /sbin/SuSEFirewall2 script, it explains that port 113 is used as identification for some email servers and instead of "dropping" the packets, it's preferrable to "return" them, so they at least know your ip address is online. You can comment those lines out if you wish, and your port 113 will be "stealth"....not responding. Most dialup users can do this.

For port 5000, edit the /etc/rc.config.d/firewall2.rc.config file. Set the following: FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data" FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain time ntp"

Then go back and run the test at grc.com

thanks for the explanation, can you expand a bit on how the're being able to retreive workgroup and computername? should I considder this a woe or a blessing? piet

Anders Johansson

04:15

New subject: [SLE] firewall test... reason for worries?

On Wednesday 06 March 2002 04.50, Piet Roorda wrote:

...

thanks for the explanation, can you expand a bit on how the're being able to retreive workgroup and computername? should I considder this a woe or a blessing?

How did you surf into their site? Could they be getting that info from the browser perhaps? //Anders

Piet Roorda

04:20

New subject: [SLE] firewall test... reason for worries?

Anders Johansson wrote:

...

On Wednesday 06 March 2002 04.50, Piet Roorda wrote:

...
thanks for the explanation, can you expand a bit on how the're being able to retreive workgroup and computername? should I considder this a woe or a blessing?

How did you surf into their site? Could they be getting that info from the browser perhaps?

//Anders

My browser is mozilla 0.94 piet

Anders Johansson

04:30

New subject: [SLE] firewall test... reason for worries?

On Wednesday 06 March 2002 05.20, Piet Roorda wrote:

...

Anders Johansson wrote:

...
On Wednesday 06 March 2002 04.50, Piet Roorda wrote:

...
thanks for the explanation, can you expand a bit on how the're being able to retreive workgroup and computername? should I considder this a woe or a blessing?

How did you surf into their site? Could they be getting that info from the browser perhaps?

//Anders

My browser is mozilla 0.94

piet

OK, I assume you're running either windows or samba, since otherwise "workgroup" means nothing. And if ports 137, 138 and 139 are blocked in the firewall, the browser is the only thing that could possibly give them that information. I strongly doubt it gives any samba related info on a linux box, but I don't know what it does on windows. //Anders

Piet Roorda

04:48

New subject: [SLE] firewall test... reason for worries?

Anders Johansson wrote:

...

On Wednesday 06 March 2002 05.20, Piet Roorda wrote:

...
Anders Johansson wrote:

...
On Wednesday 06 March 2002 04.50, Piet Roorda wrote:

...
thanks for the explanation, can you expand a bit on how the're being able to retreive workgroup and computername? should I considder this a woe or a blessing?

How did you surf into their site? Could they be getting that info from the browser perhaps?

//Anders

My browser is mozilla 0.94

piet

OK, I assume you're running either windows or samba, since otherwise "workgroup" means nothing. And if ports 137, 138 and 139 are blocked in the firewall, the browser is the only thing that could possibly give them that information. I strongly doubt it gives any samba related info on a linux box, but I don't know what it does on windows.

//Anders

yep Samba is running with Suse 7.3 (pro), I'll have to check whitther one of these ports are in use by Samba Maybe I should give it another try with Konquerer? piet

Anders Johansson

04:54

New subject: [SLE] firewall test... reason for worries?

On Wednesday 06 March 2002 05.48, Piet Roorda wrote:

...

yep Samba is running with Suse 7.3 (pro), I'll have to check whitther one of these ports are in use by Samba

More to the point, check that they are blocked in the firewall.

...

Maybe I should give it another try with Konquerer?

Sure, why not. Or perhaps lynx. That's guaranteed not to give any samba related info :) //Anders

Piet Roorda

05:05

New subject: [SLE] firewall test... reason for worries?

Anders Johansson wrote:

...

On Wednesday 06 March 2002 05.48, Piet Roorda wrote:

...
yep Samba is running with Suse 7.3 (pro), I'll have to check whitther one of these ports are in use by Samba

More to the point, check that they are blocked in the firewall.

...
Maybe I should give it another try with Konquerer?

Sure, why not. Or perhaps lynx. That's guaranteed not to give any samba related info :)

//Anders

... even with lynx

8093

Age (days ago)

8094

Last active (days ago)

List overview

Download

9 comments

4 participants

participants (4)

Anders Johansson
jaakko tamminen
Piet Roorda
zentara