my ISP's NAT firewall dosent work, fails port scans!! what do i do?

Hi All,

heres my problem. i have Zap pro 5.5 and 3 days ago i changed my ISP, so instead of a cable modem {copper wire} with a speed of 128 kbps, i now have an optical fibre connection with speed of 128 to 512 kbps.

now the wierd thing is that when i go to www.grc.com and do the "shields up" test, it tells me of 7-8 ports that are open, the rest are closed{blue} and like 8 are stealth{green}

i didnt understand this , because i had put all the tabs at the highest alert, and for ex. the ad blocking, activex blocking, program control, etc. all were working, except the firewall!! or so i thought.

then i wondered maybe this isint a ZAP issue, because i have XP-SP2, and even when i turn off zap and turn on xp firewall, the same result comes up!

in fact, neither firewall seemed to do any difference, wether it was on or off, the results i was getting were the same. even when both firewalls are off, i was still getting the same 8 ports in stealth mode!

also, i realised i was getting like nill incomming connections, incomming pings in my pc, i checked in the logs and like there were only outgoing ones from my pc to the parent network of my isp, and of course they were blocked by ZAP.

also i realised the ip address that all the other ip tracing sites showed me, and my ip as shown in the system tray, in the local area connection is different, but i am not using any proxy.

so i was thinking , do i have a dummy ip address is that why these problems are happening? and which is the true one, the one told by grc.com and others of the one i am seeing in my LAC connection icon?
even my hijackthis log dosent show my correct ip address.

its only then that i figured out that my isp must be using NAT router{static or dynamic}, and that

"Implementing dynamic NAT automatically creates a firewall between your internal network and outside networks, or between your internal network and the Internet. NAT only allows connections that originate inside the stub domain. Essentially, this means that a computer on an external network cannot connect to your computer unless your computer has initiated the contact. You can browse the Internet and connect to a site, and even download a file; but somebody else cannot latch onto your IP address and use it to connect to a port on your computer.
The best way to protect yourself on the consumer level is with a NAT router. Generally you buy one to share a cable or dsl connection between computers, but purely as a biproduct of how they work, they provide a NEARLY impenetrable firewall. NAT stands for Network Address Translation. Every computer on the internet needs an address - IP address. But if you have cable or dsl, it is often more expensive to get multiple IP addresses for multiple computers. So what a NAT router does is it gives the individual computers IP addresses that are only valid inside their network, but invalid for use on the internet. Then it figures out which computer to send individual packets of data to as it recieves them from the internet. The end result is that all a hacker sees is the router. Since the computers behind the router don't have real IP addresses, they are difficult to access directly through the internet."

so thats why i was getting those results , because the external modems ip address was being tested, not of my individual computer.

anyway, here are the results of a scan.

Service

Ports

Status

Additional Information
FTP DATA

20

CLOSED

This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
FTP

21

OPEN

File Transfer Protocol is used to transfer files between computers. A misconfigured FTP server can allow an attacker to transfer files, Trojan horses, and virus programs at will.
SSH

22

OPEN

Secure Shell, a encrypted type of Telnet. If misconfigured it can allow for brute-force attacks on your administration account.
TELNET

23

OPEN

Telnet is used to remotely create a shell (dos prompt), this can allow an attacker to control your system as if he was sitting in front of it.
SMTP

25

CLOSED

This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
DNS

53

OPEN

Domain Name Services are used to resolve host names to IP addresses.
DCC

59

CLOSED

This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
FINGER

79

CLOSED

This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
WEB

80

OPEN

HTTP web services publish web pages. A misconfigured web server can not only offer an attacker needed information about his target, but it can allow for various security breaches.
POP3

110

CLOSED

This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
IDENT

113

CLOSED

This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
Location Service

135

BLOCKED

This port has not responded to any of our probes. It appears to be completely stealthed.
NetBIOS

139

BLOCKED

This port has not responded to any of our probes. It appears to be completely stealthed.
HTTPS

443

OPEN

Secure Web Servers are often used by banks and online vendors.
Server Message Block

445

BLOCKED

This port has not responded to any of our probes. It appears to be completely stealthed.
SOCKS PROXY

1080

CLOSED

This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
UPnP

5000

CLOSED

This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
WEB PROXY

8080

OPEN

HTTP Web Proxy allows other people to bounce their web browser off of your computer to fake their real IP address to web servers.
--------------------------------------------------------------------------

i mean, this is only the quick scan from sygate!!!!!!!!

now heres my question, i have a software firewall, ZAP 5.5, and i think its an industrial strength firewall, i have KAV personal, and i browse with Firefox and my OS os is windows XP-SP2

so even if someone gets thru the nat router firewall, i order to hack into my pc , he still has to crack my password protected firewall, right?

please help me with my doubts!!!!

 

Birkhauer,

If your ISP is using NAT then any online scans will be of its router and not your PC or firewall. If you wish to test your PC, the easiest method would be to use a dialup connection to connect to the Internet for the duration of the test (this should avoid NAT).

For more information, I would suggest checking the Outpost forum FAQ Online Scans - What to do with Open and Closed Ports - this provides background information that applies regardless of what firewall you use.

 

hi paranoid2000,
actually i have had a lot of time to properly configure and test my firewall , since my previous ISP connection was one with a modem{though it wasnt dialup} and i would pass all the firewall tests perfectly , all ports were stealth , and thats the way i like it.

i dont doubt that my firewall is working, because periodically i will get incomming pings , but they are all from my isp's local network, it has the same ip address as mine except the last 2 digits, and i think that is a routine check or something that they do.

so you are right those scan results are of the router not my individual addy.

so i mean if these ports are open then there may be intrusions already!
i am thinking of sending them a mail with a copy of the scan results.

that should act as a good wake up call IMO.

 

ISPs have to leave ports open since they need to accept incoming connections. If you run a web server, you must have ports 80 and 443 open, if you offer email you must open ports 25 and 110 (and possibly others). So these results are of no relevance to your ISP - online scans should only be used as a check for personal computers that are not running as servers.

 

oh i see paranoid2000, thanks for that clarification!
of course, it had to be so, they cant be so careless about these things.

guess I am the paranoid one !

 

Hi Birkhauer

Is your new modem/router configurable?

Regards,

CrazyM

 

Hi CrazyM,
sorry for the delay!
actually there is just a optical fibre connection directly from my ISP centre which is like 800 meters away{so pretty close}, and i dont have any modem/router at my end.
its just the blue cable that is plugged in directly in my cpu.

i dont know what modem/router they use, should i ask them if they use Linkysys or some other?

 

Yes, I agree with you. But let us assume as is in my case that a dialup connection is not with in physical distance of the PC. Would a good second option be using the logs in your software firewall (and Blocked Intrutions panel on Overview Status like on my ZAP) as another option or does this leave to many unanswered questions about potential holes?

 

With NAT in effect, the scan would not even reach your PC so there would be no entries in the firewall logs. If you are using a router which does NAT, then you can try disabling this to give your PC a direct connection to the Internet (e.g. it should get a public IP address rather than a private one like 192.168.*.*) - on some routers this is referred to as creating a DMZ (DeMilitarised Zone).

If the NAT is done by your ISP then there is no way around it, short of them changing your network setup or you changing ISP.

 

Thanks for the info. Paranoid. Looks like the last of your post is my situation. But thats o.k. I think I got a really long line that will make it to a phone jack about 25 feet. I forgot about it. Thanks.