Firewall (Something I would like to see)

Discussion in 'other firewalls' started by MakoFusion, Jun 25, 2003.

Thread Status:
Not open for further replies.
  1. MakoFusion

    MakoFusion Registered Member

    Joined:
    Jun 25, 2003
    Posts:
    130
    It would be nice if firewalls logged whenever a packet is ignored instead of blocked.

    Online scans that test firewalls usually show three settings on any given scanned port.

    Port is Open
    Port is Closed
    Port is Stealthed

    The firewall accepted, blocked, or ignored the test packets sent. On my current firewall it shows everything as blocked or accepted. Is there any firewall which logs when a packet has been ignored? I think future releases of firewalls should show exactly what it did with the packet sent for inbound traffic instead of combining block to mean block and ignored.

    If I set my Zone Alarm to Medium security and run Steve Gibson's port tester it shows all my ports are closed.
    Zone Alarm records blocked for those packets.
    If I set my Zone Alarm to High security and run this same test it shows all my ports are stealthed.
    Again Zone Alarm records these packets blocked.
    See where I'm going with this?
     
  2. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Check out Outpost version 2 and see what you think of the logging.
    http://agnitum.com/download/

    It is still being debugged for some people having some issues with it, but I believe it works well for most. It uses the MMC snap in for logging and is quite extensive.
     
  3. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,

    Blocked = stealth = neglected, dropped = NO explicit response from the firewall
    Closed = deny = explicit response from the firewall

    Rgds,
     
  4. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Actually a response from the System, not a response from the Firewall, unless you're referring to old Software like NukeNabber and perhaps PortWatchers… ;)
     
  5. gkweb

    gkweb Guest

    I disagree Jacks,

    Open = port open and response from it

    Closed = port closed (no app listening on it) and response from it

    Blocked = port closed or open, but the firewall drops the SYN packet. But the port could be visible by sending it a TCP packet with special flags (such as ACK): the port responds with a packet (RST flag), so the port is blocked but visible by other ways.

    Stealth = the port is open or closed, but the firewall drops all kinds of traffic toward it, not only SYN (connection), so the port never responds to any traffic.

    "Blocked" not equal to "Stealth"

    regards,

    gkweb.
     
  6. MakoFusion

    MakoFusion Registered Member

    Joined:
    Jun 25, 2003
    Posts:
    130
    Yeah something like this...

    June 26, 2003
    xxx.xxx.xxx.xxx / TCP / Incoming / Connected
    xxx.xxx.xxx.xxx / UDP / Incoming / Closed
    xxx.xxx.xxx.xxx / UDP / Incoming / Blocked
    xxx.xxx.xxx.xxx / UDP / Incoming / Dropped (Stealth)
     
  7. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Specifically in Reference to web-scans, the STEALTH & BLOCK concepts are one and the same. And even though I don’t agree with a lot of these web-scans giving the STEALTH status when doing half-open (TCP SYN) Scans, I won’t start getting technical so that less knowledgeable folks don't get highly confused and frustrated… ;)
     
  8. gkweb

    gkweb Guest

    no, it's different.

    I can block ports on my linux firewall without making them stealth, but believe what you want.
    In addition, your definitions are wrong: "closed = port exists..." all ports exist, from 1 to 65535, some are assigned to programs listening, others not.
    A blocked port can be open but blocked by the firewall, it's not "twist", it's detail, but nothing to add, I'm wrong of course...
     
  9. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    One of the problems trying to precisely clarify these points is that different firewalls use slightly different terminology for these things. I've seen terms like: block, drop, reject and deny, and they don't always do the exact same thing in these different firewalls. What's important is knowing the specific syntax and terminology required on a particular firewall to get it to do exactly what you want from a results perspective.
     
  10. gkweb

    gkweb Guest

    a blocked port can respond, but I will not try to explain how and why, and I will not try to explain what you can do with iptables on linux, it's a powerful tool which by far is better than only block and stealth, you want to believe websites? believe what you want, me I will return here next week.

    I'm starting to be ...... up.
     
  11. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Yeah, I agree with LWM that there are differing interpretations by various vendors on what their implementation of "stealth" is, but if you are looking at any non-vendor-specific definition it equates to no packet return for unallowed traffic. RFCs specify that if a host receives an ACK without any prefatory SYN then the target host should send a FIN, so any so-called stealth implementation should suppress the FIN in these instances. Likewise, a FIN without previous traffic is frequently responded to by a FIN and thus should also be suppressed by a "stealth" implementation.

    If you do a search for "stealth vs blocked" you will find many discussions of this. You may want to go through the nmap manpage for a good summary

    http://www.insecure.org/nmap/data/nmap_manpage.html

    Dan
     
  12. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Phant0m,

    "Block" implementations are almost *never* the same as stealth implementations along the lines outlined in my previous post, but, again, it depends on the FW vendor
     
  13. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hi Phant0m,

    You are right of course ;) No response from the System due to the FW rules.

    Due to my bad English: I meant allowed by the FW or through the FW.

    Sorry
     
  14. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey Jack

    Naa I know what you meant, I was just teasing :)
     
  15. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello gkweb,

    A slight misunderstanding here: not so long ago, Windows FWs did not allow stealth mode just because they did not permit dropping packets but only forcefully denying them.
    LINUX FW has allowed it from the beginning.

    You cannot on a LINUX box block a port (drop the inbound packets) and give a response CLOSED when a probe on the port is done from the outside.
    All ports exist from 0 to 65535. What Phant0m meant is not that the port exists or not, but that you know it exists as you get the answer CLOSED, and you don't know it exists when it's BLOCKED as you get no answer proving the address exists
    (well, you may know it, as a non-response is also a kind of response ;)) if you know the IP is valid.

    Yes, as you say, you are wrong ;)

    Rgds,
     
  16. gkweb

    gkweb Guest

    @ JAck

    I'm sorry but you can...

    ## RULE 1 : STEALTH PORT 21 (FTP)##
    iptables -A INPUT -i ppp0 -p tcp --syn --dport 21 -j DROP

    http://perso.wanadoo.fr/jugesoftware/test1.jpg


    ## RULE 2 : CLOSED PORT 21 (FTP)##
    iptables -A INPUT -i ppp0 -p tcp --syn --dport 21 -j REJECT --reject-with tcp-reset

    http://perso.wanadoo.fr/jugesoftware/test2.jpg



    This rule will DROP the packet and then send the closed answer.
    Why does iptables allow us to do this? Because there are cases where, if we just DROP the packet, a system service (like NFS, the share daemon on linux if I remember right) could crash on outgoing packet DROP.

    So, linux allows us to do BLOCKED ports, or STEALTH ports.

    So I'm not wrong...

    gkweb.
     
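    The distinction gkweb draws in post #5 (closed vs blocked vs stealth, with an ACK probe still drawing a RST from a port whose SYNs are dropped) and the DROP vs REJECT --reject-with tcp-reset rules in the post above can be modelled in a few lines. This is an added example, not code from the thread or from iptables: the rule names, the `listening` flag and the probe/response strings are assumptions chosen to mirror the posts, and "blocked" is returned per post #5's definition when only the SYN is dropped.

```python
# Added example, not from the thread: what a prober sees for each
# combination of listener state and firewall action, using the three
# iptables targets quoted in the posts (ACCEPT, DROP, REJECT tcp-reset)
# and the open/closed/blocked/stealth taxonomy from gkweb's post #5.
from typing import Optional

ACCEPT = "ACCEPT"
DROP = "DROP"
REJECT_RST = "REJECT --reject-with tcp-reset"


def host_reply(flags: str, listening: bool) -> str:
    """Reply of a plain TCP stack (no firewall in the path) to one probe."""
    if flags == "SYN":
        return "SYN/ACK" if listening else "RST"
    # RFC 793: a segment that matches no connection is answered with RST.
    return "RST"


def observed_reply(flags: str, listening: bool,
                   syn_rule: str, other_rule: str) -> Optional[str]:
    """Reply the prober receives after the firewall rule is applied.
    syn_rule mirrors an iptables rule with --syn; other_rule covers every
    other segment (ACK, FIN, ...). None means nothing came back at all."""
    rule = syn_rule if flags == "SYN" else other_rule
    if rule == DROP:
        return None            # silently discarded, no packet leaves the box
    if rule == REJECT_RST:
        return "RST"           # the firewall forges the reset itself
    return host_reply(flags, listening)


def classify(listening: bool, syn_rule: str, other_rule: str) -> str:
    """Port state as gkweb defines it, from one SYN probe and one ACK probe."""
    syn = observed_reply("SYN", listening, syn_rule, other_rule)
    ack = observed_reply("ACK", listening, syn_rule, other_rule)
    if syn == "SYN/ACK":
        return "open"
    if syn is None and ack is None:
        return "stealth"       # no traffic of any kind gets an answer
    if syn is None:
        return "blocked"       # SYN dropped, but the ACK probe still draws a RST
    return "closed"            # explicit RST to the SYN


def log_verdict(rule: str) -> str:
    """Log label in the form the thread's opening post asks for."""
    return "Dropped (Stealth)" if rule == DROP else "Blocked"
```

    Note that a rule with --syn alone yields "blocked" under post #5's definition, while a scanner that only sends SYNs would report it as stealth.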
  17. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello gkweb,
    I don't quite catch your point ?

    What I see from your pics: it allows you to appear blocked (= stealth) if you drop the packets, or closed if you reject the packet.

    As I told you: if your rule is drop you get an answer STEALTH (Blocked)
    If your rule is reject you get an answer CLOSED
    But you don't get an answer STEALTH when your rule is reject.

    I often switch from BLOCKED to CLOSED purposely to give an answer when I inherit an IP from a P2P user, for instance, to stop hammering on the dedicated P2P ports.

    Rgds,
     
  18. gkweb

    gkweb Guest

    What you say doesn't make what I showed wrong.

    maybe you missed a point:

    from the start I said that STEALTH is different from BLOCKED
    and for me (BLOCKED = CLOSED) != STEALTH

    maybe everyone here uses his own words, and obviously it couldn't lead to anything good.

    so with
    (BLOCKED = CLOSED) != STEALTH

    +

    my pics

    I'm not wrong, the two states STEALTH and UNSTEALTH (but both blocked) are different states, that we can even use on a linux machine.

    gkweb.
     
  19. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    I don’t know of many Software Firewalls for Windows which provide unstealthed packet capabilities, and I can’t much say I care as I surely don’t see any benefits in this. Making yourself visible rather than stealth just provides a vulnerability to malicious activity…
     
  20. gkweb

    gkweb Guest

    The fact that you want it or don't want it doesn't change that the two states are different, that is the only point that I wanted to make.

    After that, useful or not, each has his point of view. Like it's said on the symantec website, it's not a security hole to be visible, at worst, ports have to be closed, you are right on this point.

    Me, I prefer to be stealth, but it's just a security preference ;)

    regards,

    gkweb.
     
  21. gkweb

    gkweb Guest

    @Phant0m

    I don't talk to you about what websites think, but about real different states (that some confuse!)

    Open
    Closed
    Stealth

    and that Closed != Stealth
    and (to Jack) that a Closed port can be done on Linux.

    After that, sites can say what they want. Notice that using the word "Block" is confusing, because in both CLOSED and STEALTH packets are blocked, or if you prefer the connection is blocked.
    This is why I don't use "Block" as a state, to avoid misunderstanding.

    After you said that _for these website scans_ this is sometimes the same, it's true. But me, FROM THE START I put all my effort into saying that STEALTH and UNSTEALTH (but blocked) are two different states, different from OPEN of course.

    I think that considering BLOCKED ports while testing is a mistake, because as I said, in both STEALTH and CLOSED connections are blocked.

    regards,

    gkweb.
     
  22. gkweb

    gkweb Guest

    there is too much between JACK, ME, and YOU talking about:

    OPEN
    BLOCKED
    CLOSED
    STEALTH
    DROP
    REJECT

    the only difference is that I explain why I use some words and not others.
    and about you, where did I say you were wrong o_O
    I essentially replied to JacK's posts (as you can see about linux).

    regards,

    gkweb.

    EDIT: if you are annoyed because I said to you that STEALTH != BLOCKED, see above my definition (BLOCKED = CLOSED != STEALTH).
    Now you understand why I prefer to speak symantec's language: Closed and Stealth, or at worst my own: stealth or unstealth (but blocked).
     
  23. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Phant0m,

    I am not aware of any Windows software firewalls either that provide the level of functionality demonstrated by gkweb's example using iptables. However, having that functionality and control over the firewall would be beneficial. To get this type of control now for Windows users means using a hardware firewall. This level of control may not be something everyone would want, but it is something I would like to see.

    Stealth may be your preference, but having the ability to configure a software firewall for stealth or closed would provide better functionality and the choice. Stealth or closed = secure/no access.

    Regards,

    CrazyM
     
  24. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    @ gkweb,

    Of course the connections are technically blocked in both states ;)

    It's just a bit of confusing terminology from different scanners.

    In the beginning of online scans, the only response you got was Blocked (when stealth or closed) and Open. (There are still some using this.)

    St. Gibson introduced "stealth" and closed. Most online scanners now use these terms; some, like Sygate's I think, use the word Blocked instead of stealth. (rhetorically incorrect but not my fault ;)) You have other interesting possibilities on LINUX, redirecting some incoming packets somewhere else for instance.

    @ Phant0m,

    As to whether stealth or closed is more secure, it's an old discussion: there are partisans for both.
    ASFM, a Norman's answer: sometimes better, sometimes worse to be stealth, it depends on the circumstances.

    Being stealth you will escape port scans on an IP range by scriptkiddies, for instance, but you will give valuable information to a hacker who already knows your IP.

    Rgds,
     
  25. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    For those who know a Machine exists on an IP and the Machine is stealthed, the information that should be going through a Hacker or Hax0r’s mind is that this person is Firewalled, and they are going to possibly need to spend quite a bit of time and effort. If this Machine runs servers or the Software Firewall is not properly configured then you can expect it to possibly be a disadvantage. No difference if you're being specifically targeted and your Firewall generates unstealthed packets, the Hacker or Hax0r who wants revenge or thrills is going to thoroughly Scan you anyways.

    And when they finally come to the conclusion you’re not penetrable then you're going to have to expect Flood Attacks, and if your Software Firewall is spending time generating unstealthed packets, responding back wasting valuable System Resources not to mention the valuable bandwidth in the process, then that’s totally not what I consider beneficial…
     