Firewall (Something I would like to see)

Discussion in 'other firewalls' started by MakoFusion, Jun 25, 2003.

Thread Status:
Not open for further replies.
  1. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi MakoFusion

    As you can see from some of the discussion the context in which these terms are used can mean different things to different people. Also noted is that terms will vary between software firewall vendors and testing sites.

    Some firewall logs will make no reference to action taken and at the other end of the spectrum you have something like the current version of NIS/NPF where you will see the terms Blocked, Dropped and Stealth in the different logs. Knowing how your firewall is configured and how it responds to unsolicited traffic is how most will interpret whatever caption is used in the log.

    There are not many traditional software firewalls left, and as they evolve to include things like IDS, you are seeing multiple logs and the possibility of more terminology being introduced. The likelihood of uniformity between vendors is probably not that great.

    If you are sticking with ZA and it is something you would like to see, you could always fire off a note to them with your suggestion.

    Regards,

    CrazyM
     
  2. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hi Phant0m,

    When it can be beneficial answering CLOSED is when you inherit an IP on which a server, PCAnywhere, a P2P, etc. formerly ran: as long as you are stealth, there is no way for other machines to know the service is no longer available at this IP, and they go on sending packets to you. Once they know the service is over, they stop sending to you.

    Rgds,
     
  3. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    I don't agree ;)
     
  4. gkweb

    gkweb Guest

    You are right Jack, it's sometimes needed to say closed instead of stealth (P2P yea ;) )

    But I know at least one case where being stealth is very annoying for the hacker, even if he knows your IP and that you have a firewall: the Nmap scanner.
    It will take more than one hour, sometimes 2 hours, when it wouldn't otherwise take more than 10/15 min :D
    Because of the timeout, Nmap waits for responses.

    So having the possibility to use these features on a personal firewall could be useful I think, just with a small checkbox 'stealth' checked or not (let's use only one word! :D )
    Of course it's up to firewall vendors to do what has to be done, because a closed port returns its associated closed answer, which is not always TCP RST, but for the end user this should be user friendly with just the checkbox

    regards,

    gkweb.
     
  5. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    When you inherit an IP that was formerly running Services, and you are STEALTH, the other Machines will know the service is no longer available when they cannot connect to it, period!

    Do you sit there constantly re-loading a 400Page?


    Sorry I disagree that it's useful in any manner... :p
     
  6. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Rgds,
     
  7. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hi gkweb,

    Unfortunately I don't know any Windows FW with this checkbox on a port basis. It's all or nothing and you need to go in advanced settings or modify the rule each time or have different config files saved and switch according to your needs, not just one click ;(

    Rgds,
     
  8. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Key word "Time Out"
     
  9. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    IRC for an Example; you connect to the IRC server and your ISP disconnects you, do you think you stay known permanently? No, the server Times you Out the same way as “Direct Connect” times you out from the hubs & that’s including the hubs server List and likewise for any p2p servers.

    Yes I do agree that Clients will make Connection attempts simultaneously for about a few tries if the Client doesn’t receive a response of some sort and then “Times Out”. When this occurs, the first thing that arises in average heads is that the server no longer exists, so constantly attempting to re-connect would be effortless and time consuming for the most part…

    So I still don’t see the benefits with Software Firewall vendors implementing unstealthed capabilities… I only see major disadvantages on;

    #1. System
    #2. Bandwidth

    Usages…

    You want to know why most prefer seeking “Closed” Ports on Firewalled users? Because it's the next best thing to "Open" ports when in Reference to Flood Attacks, because the unstealthed responses will lead to the user’s destruction much earlier in the process than one who is properly Firewalled… I’ve been around many Hackers many Hax0rs and just plain numb headed folks for many years who all I considered friends. I know what they think, I know what they do, and I know their capabilities. ;)
     
  10. gkweb

    gkweb Guest

    @Phant0m
    you're not alone!

    and as I said, stealth is the worst for hackers, but there exist a very few cases where stealth instead of just closed makes the system crash!
    I don't know any example on Windows, but at least on Linux I know two (if it's not crashes, at least it's system instability) with NFS sharing and X Window; both are about outbound attempts that you have to close and not drop.

    So closing a port could be, in very few cases, absolutely needed.

    Now, about inbound attacks, and all other legitimate traffic, it's true that we can stealth everything without system errors, and with the max security for a home user (I don't talk about firms...)

    I think that both Jack and Phant0m are true ;)

    regards,

    gkweb.
     
  11. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Finally! We agree that packet Firewalls implementing unstealthed capabilities for Inbounds are unbeneficial!
    However I see benefits in this technology upon Outbound Connection Attempts, as long as we are in understanding…
     
  12. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hi Phant0m,

    I have been in stealth mode with the same IP for about 30 hours and don't run Edonkey/Emule. In my firewall log: 7 Inbound connections on :4662 from the same IP in the last half hour. Other probes on the same port from different IPs earlier and even from the same one with an interval of some hours.

    That tends to prove they go on sending packets to my IP because they don't know I don't run Edonkey. If I answer CLOSED for some minutes, no more probes on this P2P port.

    Same with Kazaa when I inherit a former Kazaa user IP.

    Of course most of the time I am in stealth mode, just Closed for a short time to stop hammering from P2P and back to stealth.

    As for pagers, I don't experience anything for I always run them through proxysocks which I often change ;)

    Rgds,
     
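The pattern JacK reads out of his firewall log above (repeated inbound connections on :4662 from one IP within half an hour) can be pulled out of a log automatically. This is an added example, not part of the thread; the log line format, the addresses and the function names are constructed for illustration and do not match any particular firewall's log.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "date time action proto src:port -> dst:port"
SAMPLE_LOG = """\
# constructed sample, documentation addresses only
2003-06-27 09:12:00 BLOCKED TCP 203.0.113.7:2210 -> 192.0.2.10:4662
2003-06-27 12:40:00 BLOCKED TCP 203.0.113.7:2931 -> 192.0.2.10:4662
2003-06-27 14:01:10 BLOCKED TCP 198.51.100.23:3105 -> 192.0.2.10:4662
2003-06-27 14:05:40 BLOCKED TCP 198.51.100.23:3106 -> 192.0.2.10:4662
2003-06-27 14:09:55 BLOCKED TCP 198.51.100.23:3110 -> 192.0.2.10:4662
2003-06-27 14:14:20 BLOCKED TCP 198.51.100.23:3114 -> 192.0.2.10:4662
2003-06-27 14:18:45 BLOCKED TCP 198.51.100.23:3119 -> 192.0.2.10:4662
2003-06-27 14:23:05 BLOCKED TCP 198.51.100.23:3123 -> 192.0.2.10:4662
2003-06-27 14:28:40 BLOCKED TCP 198.51.100.23:3127 -> 192.0.2.10:4662
"""

def parse_line(line):
    """Return (timestamp, src_ip, dst_port), or None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 7 or parts[5] != "->":
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        src_ip = parts[4].rsplit(":", 1)[0]
        dst_port = int(parts[6].rsplit(":", 1)[1])
    except (ValueError, IndexError):
        return None
    return ts, src_ip, dst_port

def persistent_sources(log_text, threshold=7, window=timedelta(minutes=30)):
    """Map (src_ip, dst_port) to its peak hit count inside any sliding window,
    keeping only pairs whose peak reaches the threshold. Expects lines in time order."""
    recent = defaultdict(deque)   # timestamps still inside the window, per pair
    peak = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src_ip, dst_port = rec
        hits = recent[(src_ip, dst_port)]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()
        peak[(src_ip, dst_port)] = max(peak[(src_ip, dst_port)], len(hits))
    return {pair: n for pair, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    print(persistent_sources(SAMPLE_LOG))
```

The two hits from the second source, hours apart, stay below the threshold and are not reported.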
  13. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Hmmm well that’s one crappy p2p service then, can someone confirm that this Edonkey/Emule server doesn’t Time-Out its users after the users experienced some type of Disconnection anomaly?

    As for Kazaa I definitely know its servers Time-Out users who experience some type of Disconnection anomaly.

    Again! I see no benefits in having Software Firewalls generate unstealth capabilities for Inbound Connection attempts; I only see major disadvantages…
     
  14. gkweb

    gkweb Guest

    From what I read on the eMule forum, other P2P clients stop hammering you between 20-30 min.
    No more details.
    I supposed that it is in the case where the port is closed.

    (pls use closed instead of drop, because drop in itself is stealth, closed isn't stealth, pls :doubt:)

    So, if the port is stealth instead of closed, it will take longer for them to stop asking you for sources; how much longer I don't know.
    This is about the P2P discussion.

    Now about the "CLOSED feature" on a personal firewall:
    there is a way to have this CLOSED port capability :)
    If the port is really unused, P2P client down for instance, you can simply temporarily accept traffic toward the port, which will itself say that it is closed ;)
    This way is less secure, of course!

    regards,

    gkweb.
     
  15. gkweb

    gkweb Guest

    o_O

    I studied networking at school, I do it as a hobby too, I do only this, so when you say what you say, it's a little bit exaggerated!
    However I can make mistakes of course, but say which in this case.

    In addition, what you are saying to me is senseless.
    If a packet that reaches a closed port (without any firewall) were dropped, this would mean that without a firewall, by default all closed ports are stealth!! I want to know which OS you have!

    Of course maybe you are playing with words or reading documentation without thinking, where they said the packet is dropped... the packet is dropped, if you want, AND a closed answer is sent; it's not me that doesn't know what he is saying, it's you.

    If you do the Symantec test without a firewall, all ports tested without any services up and running on your side will have the state CLOSED, because the port sends a closed answer; they won't be STEALTH.

    gkweb.
     
  16. gkweb

    gkweb Guest

    I agree, that doesn't prevent the TCP/IP stack from doing its job:

    Nmap documentation :
    and the most important :

    That's what i said about closed ports, nothing more.

    gkweb.
     
  17. gkweb

    gkweb Guest

    other example :

    about classical connection attempt.

    gkweb.
     
  18. gkweb

    gkweb Guest

    Glad to know your award, you don't know mine! And I prefer not to write it because I'm not here to hurt you, but to have a constructive answer.

    And where in what you are saying do you prove me wrong?
    All that I said is that a non-firewalled closed port returns a closed answer; I didn't say anything else.

    After that you said that the packet is dropped, again confusing because for some people including me a dropped packet is a firewall feature, but of course in network reality, the OS drops the packet (that I said in my last post!) AND returns a closed answer; it's not me that said this to you, it's a network functionality!
    (used in some Nmap scans).
    So just saying that the packet is Dropped means that the port is stealth, even without a firewall, which is wrong.

    gkweb.
     
  19. MakoFusion

    MakoFusion Registered Member

    Joined:
    Jun 25, 2003
    Posts:
    130
    You 2 are being so silly.
     
  20. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    I apologize MakoFusion.
     
  21. gkweb

    gkweb Guest

    ok.

    Phant0m doesn't want to see network basics, and in addition makes me say things that I never said (that can indeed be considered as silly).
    What I say is true, what firewall vendors say is true, but saying one thing _partially_ makes it wrong; if you are only talking about dropping (wo! like firewall vendors said!!) but don't say what follows (nothing follows if firewalled and stealth, but a closed response if the port is closed and unfirewalled) that's wrong, and you play on words to laugh at me.

    So I end here with all that I said, it's a sum-up, a silly sum-up if I believe MakoFusion:


    1 - STEALTH and UNSTEALTH (CLOSED) are two different states
    2 - a non-firewalled closed port answers with a closed response


    I said this, nothing less, nothing more.

    Now, you want to play on words, to make me say amazing things, to make me appear like a kid that has zero knowledge; it has nothing to do with networking, it's silly behaviour like MakoFusion said.

    So, I am finally fed up, and I repeat what I said:


    1 - STEALTH and UNSTEALTH (CLOSED) are two different states
    2 - a non-firewalled closed port answers with a closed response


    Now i go away from this board, thanks to all constructive posts, and not thanks to people who can't be wrong.
     
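The two states gkweb lists above can be told apart from the client side by what a plain connect() attempt gets back: an immediate refusal when the stack answers, a wait until the timeout when nothing answers. This is an added example, not part of the thread; the function names and the "stealth"/"closed" labels in the code are chosen here, and the demo only touches the local loopback interface.

```python
import socket
import time

def probe(host, port, timeout=2.0):
    """Classify one TCP port by the outcome of a connect() attempt.
    Returns (state, seconds_waited)."""
    start = time.monotonic()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        state = "open"            # handshake completed
    except ConnectionRefusedError:
        state = "closed"          # the stack answered with a refusal (TCP RST)
    except socket.timeout:
        state = "stealth"         # no answer at all before the timeout
    except OSError:
        state = "unreachable"     # some other error, e.g. no route to host
    finally:
        s.close()
    return state, time.monotonic() - start

def loopback_demo(timeout=2.0):
    """Probe a listening port and a port with no listener on 127.0.0.1.
    Loopback is normally unfiltered, so the second probe shows the
    unfirewalled behaviour: a refusal, not silence."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    # Bound but never listening: reserves a port number that has no service on it.
    idle = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    idle.bind(("127.0.0.1", 0))
    try:
        return {
            "listening": probe("127.0.0.1", listener.getsockname()[1], timeout),
            "no_listener": probe("127.0.0.1", idle.getsockname()[1], timeout),
        }
    finally:
        listener.close()
        idle.close()

if __name__ == "__main__":
    for name, (state, secs) in loopback_demo().items():
        print(f"{name}: {state} after {secs:.3f}s")
```

Run against a port on your own machine that the firewall drops, the same probe returns "stealth" only after the full timeout, which is the per-port delay behind the scan times gkweb mentions.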
  22. "Do you know any of today’s Software Firewall which provides this Feature now?"
    _

    VisNetic.
     
  23. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Ohhh yea, LOL obviously I know that one does...

    ;)
     
  24. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Gents,

    The both of you started off in a friendly way. There's no need at all to agree; actually agreeing to disagree, or coming up with arguments seems a nice and solid way to have a fine discussion. This can be done the way you both started off - in a friendly way, with mutual respect :)

    regards.

    paul
     
  25. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    There is no need to agree to disagree; I totally agree with gkweb that using the term Dropped packets isn’t the most appropriate to use under such circumstances. ;)
     