help me block FTP port and 12345 port as well!

Discussion in 'LnS English Forum' started by manuangi, Jan 29, 2003.

Thread Status:
Not open for further replies.
  1. manuangi

    manuangi Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    148
    Location:
    Italy
    I run the pcflank test.
    Ok, I've read all the discussions begun by darksky, I know sometimes those tests are buggy.
    Yet, it's that I set a rule to make LnS download my AV (eTrust EZ Antivirus) signatures; without that, LnS wouldn't allow it.
    Here I'm attaching what comes out on PCFlank site.
     


  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Hi manuangi,

    Welcome to Wilders. :)

    Forgive me if this is a stupid question, but I cannot find this info in your question.
    Did you scan your computer for trojans to check if that is not actually causing it?

    Regards,

    Pieter
     
  3. manuangi

    manuangi Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    148
    Location:
    Italy
    other infos

    As for trojans, none on my machine, Tauscan says...

    Attached here is the rule I created.

    I run the test on GRC as well, and it says that port 21 (FTP) is closed but not stealth.

    As you can see, it's activated only when "AutoDownload" starts.
    The fact is, it clearly opens the FTP port to get the updates.
    Then...well, it stays closed, ok, but I'd like it to get back to a "stealth" state.
    How can I achieve this? It's not possible to say, through LnS, to deactivate the rule once "AutoDownload" is not running any longer?

    (by the way, I guess this should be one of the next feature of LnS, what do you say? The possibility to deactivate a rule once the app for which it was activated, finished its job, so our machine doesn't need that rule running as long as we don't call the same app again...)

    And what about port 12345?
    I guess no app should use that port, right?

    How can I block that port, by a rule?
    I'm no expert at all creating them!

    The one you see, well, a friend of mine did it!

    Thanx, mates!
     


  4. Klaude

    Klaude Registered Member

    Joined:
    Jan 16, 2003
    Posts:
    17
    I use eTrust EZ Antivirus too. To download the updates, I just uncheck "Internet filtering enabled". Don't forget to check the white square again after, hmmm ? I don't need a rule as you see.

    Port 12345 visible ?
    MAYBE you're infected by a Trojan horse.
    With Look 'n' Stop, in "Application Filtering", nothing suspicious listed there ? Which programs want to access the Internet ?

    If you want to block the port 12345... >
     


  5. manuangi

    manuangi Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    148
    Location:
    Italy
    is it normal that...

    ...when I click on "equal my @", I don't have 0.0.0.0 below, but - automatically - 192.168.0.2 (which is the starting IP address of the DHCP server - I have a router used as a Gateway)?
    or should I make it to be 0.0.0.0?

    and what about port 21 (FTP)? why do you think it's visible, though closed? it still is if I run the test with eTrustEZ rule deactivated...

    I'm not infected by any trojan horse, and on the ApplicationFiltering I have nothing strange...

    what do you think?
     


  6. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Re:is it normal that...

    Just to confirm, are you behind a router/gateway?

    If so, it will be the router/gateway being tested at the scan sites, not your system and LnS.

    Regards,
    CrazyM
     
  7. Klaude

    Klaude Registered Member

    Joined:
    Jan 16, 2003
    Posts:
    17
    Leave it as it is, I hide my IP, that's why you see 0.0.0.0 ;)

    I don't know about port 21. Like someone told me, you cannot use the "FTP passive mode" with EZ antivirus. So we need to create a rule to allow the connection, but I prefer not. Why is it closed instead of stealth ? Someone else will tell you.
    If you're not infected by any Trojan, well, try the Advanced port scanner at PC Flank, and just scan one port ---> 12345
    And try here too if you wish:
    http://www.blackcode.com/scan/

    http://scan.sygatetech.com/

    Same result ? :)
     
  8. manuangi

    manuangi Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    148
    Location:
    Italy
    Re:is it normal that...

    Yes, I'm behind a Netgear DG814 router - internet gateway.
    You say it's the router/gateway being tested, not my system nor LnS...
    WHAT DOES IT MEAN?
    It's good, bad, none of those...Can you please explain to me?

    Now, I did the tests WITHOUT LnS and...
    THE RESULTS ARE THE SAME...all ports STEALTHED!!!

    Does it mean that I could as well deactivate LnS because my router does the job?!

    Another thing: when I run GRC's IP Agent, it sends me (after asking LnS to go), to this page:
    http://grc.com/x/ne.dll?rh1bi2l2=r4zgi3p4

    I don't understand much of what my router does, actually...can you (or anyone reading here) explain it to me, please?

    Thanx a lot!!
     
  9. manuangi

    manuangi Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    148
    Location:
    Italy
    You can, mate, you can indeed!! ;)
    Use an app like FlashFXP, and connect to:
    f*p://213.35.101.4 (I wrote "*" instead of "t" of course not to make it become an active link...btw, how to avoid this when writing here?)
    USE PASSIVE MODE!
    then browse to:
    pub/myetrust/sigs/

    All you need is there! Really!
    So no rule's needed, you're right...just I'm too lazy to call FlashFXP every time I want to search for updates...
    But well, when the autodownload feature fails, FlashFXP will do the job! :D

    Well, as for sygate and dslreports (done before you advised me about the first of these), the results are attached: I'm SAFE!

    But...am I really?
    And what do you think about the router stuff? (read my first post above)
     


  10. manuangi

    manuangi Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    148
    Location:
    Italy
    http://www.blackcode.com/scan/

    everything OK, it would seem...
     


  11. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Re:is it normal that...

    The router/gateway will have the public (WAN) IP address assigned by your ISP that the Internet will see and use. The router/gateway will use NAT (Network Address Translation) to process valid traffic from the LAN (Local Area Network - systems connected to it) and the Internet allowing you to share one broadband connection/public (WAN) IP address.

    When it comes to running scans, these will be seen by the router/gateway first which will recognize them as not being part of a valid connection/unsolicited and drop them. This traffic will not be passed to LAN systems behind the router/gateway.

    Because the router/gateway is what is actually seeing and blocking this unsolicited inbound traffic first, you will have to check its configuration options to determine what settings may need changing to obtain stealth if that is what you are after.

    Having a router/gateway is a good thing. It allows you to share your connection as well as providing a level of protection in that by the nature of how it works, it will drop/block all unsolicited inbound traffic and the LAN systems behind the router/gateway will never see it.

    As expected and explained above. The router/gateway is blocking this unsolicited traffic before it gets to the LAN - your system.

    You would still want to consider running a software firewall on systems behind a router/gateway if you wanted control over applications wanting to access the Internet.

    Regards,
    CrazyM
     
  12. manuangi

    manuangi Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    148
    Location:
    Italy
    CrazyM, thanx A LOT for the answer!

    You took off the veil I had before my eyes...You've been so clear, thanx again! :)

    Now, I'm going to keep LnS, because, as you say, it allows me to decide what apps to let out on the web, where the config settings on the router don't permit to be so specific.

    Now, you think that no rules will be good, through LnS, to get FTP and 12345 ports completely stealthed? That I should do that by the router settings?

    Another question: one rule, of LnS, that often works (I see that on the log screen), is
    ICMP : All ICMP types (nukes, ...)
    When I see under "Address/Application", I see those attempts are coming almost always from my ISP.
    That's normal, isn't it?
    Should I let LnS block them, right?

    Thanx again, my friend! :-*
     
  13. manuangi

    manuangi Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    148
    Location:
    Italy
    half the problem solved...

    just to let you know that the problem with port 21 (FTP) was due to my router, a Netgear DG814!
    I just upgraded it, installing the new v4.6 firmware...
    Now FTP port's well STEALTHED! :D

    So, I'm sure this is what happens to all owners of DG814. Upgrade the firmware, folks!

    BUT... :doubt:

    the problem with 12345 port visible, though closed, is always there...that pcflank's test knows of...

    I created a rule on LnS...but it's never called on the log...well, that's good as it means no apps want to get out through 12345 port...

    so why that appears to be not stealthed? o_O
    can anyone give me any hint on that?

    thx!
     
  14. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    One suggestion is that someone else between your PC and PCFlank is responding to the 12345 packets.
    It could be your provider, your router,...

    Frederic.
     
  15. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Another PFW user with another firewall encounters the same kind of issue:
    http://www.wilderssecurity.com/showthread.php?t=7386

    and it is the provider that is responsible.

    Frederic
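
Added example (not part of the thread and not any poster's code): a small Python model of what CrazyM and Frederic describe above, where a NAT gateway forwards only replies to connections started from the LAN, and the first device on the path that answers a probe decides whether a scan site reports "closed" or "stealth". The class and function names, the drop/reject policy labels and every address except 192.168.0.2 are constructed for illustration.

```python
# Illustrative model only: names, policies and addresses are constructed.
class NatGateway:
    """Router/gateway that owns the public (WAN) address and does NAT."""

    def __init__(self, unsolicited="drop", overrides=None):
        self.unsolicited = unsolicited      # "drop" = silent, "reject" = send RST
        self.overrides = overrides or {}    # per-port exceptions, e.g. {21: "reject"}
        self.table = {}                     # (wan_port, remote_ip, remote_port) -> LAN endpoint
        self.next_port = 40000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN system opens a connection: record the mapping for its replies."""
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(wan_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return wan_port

    def inbound(self, remote_ip, remote_port, wan_port):
        """Forward replies to known connections; everything else stops here."""
        lan = self.table.get((wan_port, remote_ip, remote_port))
        if lan:
            return ("forward", lan)
        return (self.overrides.get(wan_port, self.unsolicited), None)


def scan_verdict(gateway, scanner_ip, port, upstream=None):
    """What a scan site reports for one port, and which device decided it."""
    action = (upstream or {}).get(port)     # upstream = provider-side filter, if any
    who = "upstream"
    if action is None:
        action, lan = gateway.inbound(scanner_ip, 50000, port)
        who = "gateway"
        if action == "forward":
            return ("forwarded", lan)
    return ("closed" if action == "reject" else "stealth", who)


if __name__ == "__main__":
    scanner = "198.51.100.7"                       # constructed scan-site address
    gw = NatGateway(overrides={21: "reject"})      # gateway that answers on port 21
    print(scan_verdict(gw, scanner, 21))           # gateway decides, LAN never sees it
    print(scan_verdict(gw, scanner, 12345, upstream={12345: "reject"}))
    gw.overrides.clear()                           # gateway reconfigured to stay silent
    print(scan_verdict(gw, scanner, 21))
    wan = gw.outbound("192.168.0.2", 1025, "192.0.2.50", 21)  # LAN-initiated FTP
    print(gw.inbound("192.0.2.50", 21, wan))       # reply matches the table
    print(gw.inbound(scanner, 50000, wan))         # same port, wrong peer: unsolicited
```

In this model the PC's software firewall is never consulted for unsolicited probes, so a rule added there cannot change a "closed" verdict produced by the gateway or by a device upstream of it.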
     
  16. manuangi

    manuangi Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    148
    Location:
    Italy
    Thanx a lot, mate!

    Actually, I had come to such a conclusion as well, searching on PCFlank's Forum...

    Many people had this trouble with 12345 port, but nowhere had I found a good solution.

    My ISP! :eek:
    Well, at least now I'm sure my system's well stealthed!

    Ciao! ;) :-*
     