Firewall (Something I would like to see)

It would be nice if firewalls logged whenever a packet is ignored instead of blocked.

Online scans that tests firewalls usually show three settings on any given scanned port.

Port is Open
Port is Closed
Port is Stealthed

The firewall accepted, blocked, or ignored the test packets sent. On my current firewall it shows everything as blocked or accepted. Is there any firewall which logs when a packet has been ignored? I think future releases of firewalls should show exactly what it did with the packet sent for inbound traffic instead of combining block to mean block and ignored.

If I set my Zone Alarm to Medium security and run Steve Gibson's port tester it shows all my ports are closed.
Zone Alarm records blocked for those packets.
If I set my Zone Alarm to High security and run this same test it shows all my ports are stealthed.
Again Zone Alarm records these packets blocked.
See where I'm going with this?

 

Check out Outpost version 2 and see what you think of the logging.
http://agnitum.com/download/

It is still being debugged for some people having some issues with it, but I believe it works well for most. It uses the MMC snap in for logging and is quite extensive.

 

Hello,

Blocked = stealth = neglected, dropped = NO explicit respons from the firewall
Closed = deny = explicit respons from the firewall

Rgds,

 

Actually response from the System not a response from the Firewall unless you in reference to old Software like NukeNabber and perhaps PortWatchers…

 

I disagree Jacks,

Open = port open and response from it

Closed = port closed (no app listening on it) and response from it

Blocked = port closed or open, but firewall drop the SYN packet. But the port could be visible by sending it a TCP packet with special flags (such as ACK) the port respond whit a packet (RST flag), so the port is blocked but visible by other ways.

Stealth = the port is open or closed, but the firewall drop all kind of traffic toward it, not only SYN (connection), so, the port never respond to any traffic.

"Blocked" not equal to "Stealth"

regards,

gkweb.

 

Yeah something like this...

June 26, 2003
xxx.xxx.xxx.xxx / TCP / Incoming / Connected
xxx.xxx.xxx.xxx / UPD / Incoming / Closed
xxx.xxx.xxx.xxx / UDP / Incoming / Blocked
xxx.xxx.xxx.xxx / UDP / Incoming / Dropped (Stealth)

 

Specifically in Reference to web-scans STEALTH & BLOCK concepts are one of the same. And even though I don’t agree with a lot of these web-scans giving the STEALTH status when done half-open (TCP SYN) Scans, I won’t start get technical so less knowledgeable folks gets highly confused and frustrated…

 

no, it's different.

i can block ports on my linux firewall without make them stealth, but believe what you want.
In addition, you definition are wrong, "closed = port exists..." all ports exist, from 1 to 65535, some are assigned to program listening, other not.
A blocked port can be open but blocked by firewall, it's not "twist", it's detail, but nothing to add, i'm wrong of course...

 

a block port can respond, but i will not try to explain how and why, and i will not try to explain what you can do with iptables on linux, it's a powerfull tool which by far is better that only block and stealth, you want to believe website ? believe what you want, me i will return here next week.

I'm start to be ...... up.

 

Yeah, I agree with LWM that there is differing interpretations by various vendors on what their implementation of "stealth" but if you are looking at any non-vendor-specific definition it equates to no packet return for unallowed traffic. RFCs specify that if a host recieves an ACK without any prefatory SYN then the target host should send a FIN so any so-called stealth implementation should suppress the FIN in these instances. Likewise, a FIN without previous traffic is frequently reponded to by a FIN and thus should also be suppressed by a "stealth" implementation.

If you do a search for "stealth vs blocked" you will find many discussions of this. You may want to go through the nmap manpage for a good summary

http://www.insecure.org/nmap/data/nmap_manpage.html

Dan

 

phantom''

"Block" implementations are almost *never* the same as stealth implementations alng the lines outlined in my previous post, but, again it depends on the FW vendor

 

Hi Phant0m,

You are right of course No respons from the System due to the FW rules.

Due to my bad English : I meant allowed by the FW or through the FW.

Sorry

 

Hey Jack

Naa I know what you meant, I was just teasing

 

Hello gkweb,

A slight misunderstanding here : not so far ago, Windows FWs did not allowed to be in stealth mode just because they did not permit to drop packets but only forcefully deny.
LINUX FW allows it from the beginning.

You cannot on a LINUX box block a port (drop the inbound packets) and give a respons CLOSED when a probe on the port is done from the outside.
All ports exists from 0 to 65535 What Phanth0m meant is not that the port exists or not but that you know it exists as you get the answer CLOSED and you don't know it exists when it's BLOCKED as you get no answer proving the adress in existing
(enfin you may know it as a non respons is also a kind of respons ) if you know the IP is valid.

Yes, as you say, your are wrong

Rgds,

 

@ JAck

I'm sorry but you can...

## RULE 1 : STEALTH PORT 21 (FTP)##
iptables -A INPUT -i ppp0 -p tcp --syn --dport 21 -j DROP

http://perso.wanadoo.fr/jugesoftware/test1.jpg


## RULE 2 : CLOSED PORT 21 (FTP)##
iptables -A INPUT -i ppp0 -p tcp --syn --dport 21 -j REJECT --reject-with tcp-reset

http://perso.wanadoo.fr/jugesoftware/test2.jpg



This rules will DROP the packet and then send the closed answer.
Why iptables allow us to do this ? because there is cases where if we just DROP the packet, a system services (like NFS, share daemon on linux if i remember right) could crash on outgoing packet DROP.

So, linux allow us to do BLOCKED ports, or STEALTH port.

So i'm not wrong...

gkweb.

 

Hello gkweb,
I don't quite catch your point ?

What I see from your pics : it allows to appear blocked (= stealth) if you drop the packets or closed if you reject the packet .

As I told you : if you rule is drop you get an answer STEALTH (Blocked)
If you rule is reject you get an answer CLOSED
But you don't get an answer STEALTH when you rule is reject.

I often swich from BLOCKED to CLOSED purposely to give an answer when I inherit an IP from P2P user for instance to stop hammering on the dedicated P2P ports.

Rgds,

 

that you say don't make that i show wrong.

may be you missed a point :

from start i say that STEALTH different of BLOCKED
and for me (BLOCKED = CLOSED)!= STEALTH

may be anyone here use his own words, and obviously it couldn't lead to anything good.

so with
(BLOCKED = CLOSED) != STEALTH

+

my pics

i'm not wrong, the two state STEALTH and UNSTEALTH (but both blocked) are different states, that we can even use on linux machine.

gkweb.

 

I don’t know of many Software Firewalls for Windows which provides unstealthed packet capabilities, and I can’t much say I care as I surely don’t see any benefits in this. Making yourself visible rather then stealth just provides a vulnerability to malicious activity…

 

The fact that you want it or doesn't want it doesn't change that the two state are different, that is the only unique point that i wanted to say.

After, usefull or not, each have his point of view. Like said on symantec website, it's not a security hole to be visible, at worst, ports have to be closed, you are right on this point.

Me i prefer to be stealth, but it's just a security preference

regards,

gkweb.

 

@Phant0m

i don't talk to you about that websites think, but about real different state (that some confused!)

Open
Closed
Stealth

and that Closed != Stealth
and (to Jack) that a Closed port can be done on Linux.

After that, sites can say what they want. Notice that use the word "Block" is confusing, because in both CLOSED and STEALTH packets are blocked, or if you prefer the connection is blocked.
This is why i don't use "Block" as a state to avoid misunderstanding.

After you said that _for this websites scan_ this is sometimes the same, it's true. But me FROM START i put all my effort to said that STEALTH and UNSTEALTH (but blocked) are two different state, different than OPEN of course.

I think that considering BLOCKED ports while testing is a mistake, because as i said, in STEALTH and CLOSED conenctions are blocked.

regards,

gkweb.

 

there is too much between JACK, ME, and YOU talking about :

OPEN
BLOCKED
CLOSED
STEALTH
DROP
REJECT

the only difference is that me i explain why i use words and not other.
and about you, where i said you were wrong
I essentialy replied to JAck posts (as you can see about linux).

regards,

gkweb.

EDIT : if you are annoying because i said to you that STEALTH != BLOCKED, see below my definition (BLOCKED = CLOSED != STEALTH).
Now you understand why i prefer to speak symantec talking : CLosed and Stealth, or at worst my own : stealth or unstealth (but blocked).

 

Hi Phant0m``

I am not aware of any Windows software firewalls either that provide the level functionality as demonstrated by gkweb's example using iptables. However, having that functionality and control over the firewall would be beneficial. To get this type of control now for Windows users means using a hardware firewall. This level of control may not be something everyone would want, but it is something I would like to see.

Stealth may be your preference, but having the ability to configure a software firewall for stealth or closed would provide better functionality and the choice. Stealth or closed = secure/no access.

Regards,

CrazyM

 

@ gkweb,

Of course the connections are technically blocked in both states

It just a bit confusing terminology from different scanners.

In the beginning of online scans, the only respons you got was Blocked (when stealth or closed) and open. (There are still some using this).

St. Gibson introduced "stealth"and closed. Most online scanners now use this terms, some like Sygates I think use the word Blocked instead of stealth. (rhetorically incorrect but not my fault ) You have other interesting possibilities on LINUX, redirect some incoming packets somewhere else for instance.

@ Phant0m,

As to know whether stealth or closed is more secure, it's an old discussion : they are partisans for both.
ASFM, réponse de Normand, sometime better, sometime worse to be stealth : depends on circumstances

Being stealth you will escape ports scan on a IP range by scriptkiddies for instance but you will give valuable information to a hacker which already knows your IP.

Rgds,

 

For those who knows an Machine exists on IP and Machines stealthed, the information that should be going through an Hacker or Hax0r’s mind is this person is Firewalled, they going to possibly need to spend quite a bit of time and efforts. If this Machine runs servers or the Software Firewall that’s not properly configured then you can expect it to possibly be a disadvantage. No difference as your being specifically targeted and your Firewall generates unstealthed packets, the Hacker or Hax0r who wants to revenge or get thrills are going to thorough Scan you anyways.

And they finally come to the conclusion you’re not penetrable then you going to have to expect Flood Attacks, and if your Software Firewall is spending time generating unstealthed packets, responding back wasting valuable System Resources not to mention the valuable bandwidth in the process then that’s totally not what I consider beneficial…