How to pass the trick from GRC shield Test

Under the 1056 ports scan, GRC test site provided a trick, by klick a death link of the page, than you retry the test, and the firewall should fail this time.

Does anyone knows how to pass this trick?

 

No idea what you mean.


Please clarify and link.

 

Sorry for my bad english.

here is the link:
https://www.grc.com/x/ne.dll?bh0bkyd2

go to proceed,

http://www.grc.com/x/ne.dll?rh1dkyd2

than go to all service ports,

https://www.grc.com/x/ne.dll?rh1dkyd2

after the test has finished, scrolldown the page, if you have a good firewall, you will receive a trustealth passed, but than more down in the page, under Service Ports Scan Application Guide, there are four steps describt, to fool your firewall.

i tried it with many firewalls, comodo, online armor, ...all failed. how can i make the firewall pass this one?

 

The procedures described under Service Ports Scan Application Guide are merely tools to determine efficacy of your ISP and/or router (if applicable) with respect to blocking/stealthing ports vs. your software firewall alone.
If you set your software firewall to allow ShieldsUp's probe IP [4.79.142.206], any ports closed/stealthed are due to blocking by your ISP or router.
Merely remove ShieldsUp's probe IP [4.79.142.206] as trusted, and your firewall should stealth all ports.

 

Adaptive ident handling. I'm behind a router so I can't test it.

 

My router failed, oh well

 

If you have the firewall function on your router, read the manual or box, where it shows you the features, when you find it, type your ip in your browser, and configure your router.

 

I've just done a test by disabling my router firewall and uninstalling a software firewall I was testing (Online Armor). All 1,056 ports are still showing as stealthed so it would appear the ISP is blocking them. I wouldn't have thought they blocked all of them though. It's very good if that's the case.

 

With ref to port 113:

This on routers is left as closed for a reason.

http://www.grc.com/port_113.htm

 

I would think that you had windows firewall active. This can stealth all ports (if no application as been allowed inbound)
I have not known an ISP then will stealth all ports, as this will block numerous application (P2P/ chat etc) from taking unsolicited inbound.
It also as security issues for user of applications (AV etc) that have an option for alerts (where the vendor sends alerts to the application)

 

Ok, this all is too advanced to me, can someone explain if this is some kind of risk, is it a flaw in the firewall that could be used in attacks?

 

With ref to port 113,

I have always had personal problems with adaptive firewall rules, but, saying that, such problems/compromise on port 113 I have not seen or found.
If in any doubt just close that port, end of any concern. (I actually see no need for this now (port 113/ident), but of course this is only on my checks,.. please do advise if this is needed anywhere, by anyone)

Basically, if you have reports from an external scan to show ports closed, then all ok,(as I have mentioned before). Only if ports show as open should concern be made.

 

If your router has a DMZ, then you may have to put your machine's ip address on it, then try the scan, because even though you disable your router's firewall, the router's connection is still probably being scanned and not your machine.

 

Thank you wat0114, I had actually missed that point, I was thinking the router had been removed.

 

You're welcome

 

So what would you suggest where a firewall will open inbound ports due to outbound> as with such as mentioned?

With respect from me of course, I am looking for personal view/comment on such

Comments/ feedback from all,.. please.

 

Hi Stem,

I'm not sure about your question Do you mean with the router's firewall disabled? I only mentioned the possibility of having to place the machine's ip on the router's DMZ because disabling the firewall on it, depending on the model, may not necessarily have the desired effect of allowing inbound scans a free-for-all access t ohis machine. This is because on my old DI-624 I actually have to create an allow all inbound rules (as seen in ss) to disable the firewall from blocking all ports, as its block all rule is hard-coded into the device.

Sorry, I'm not nearly on the same technical level as you are when it comes to networking and network security, but I do try to learn on a continual basis

 

Stem, maybe I have the answer, but please correct me if i'm wrong I placed my machine's ip on the router's DMZ and activated the router's "Allow all" rule just for good measure to make sure my software firewall (Jetico 2 in this case) would get the scan. It passed the "trick" easily because of a key "Block all not processed protocol packets" block rule, as seen in the screenshot. Yes, I followed the steps accurately and J2 still passes (all stealthed) on the re-scans. This "Block" rule in J2 needs to be placed a bit further down in the table list, as opposed to my other block rules, otherwise all network access will be blocked.

I believe J2 passes because even though a solicited connection was made to that ip address immediately before the re-scan, the connection is not maintained so it does not meet the requirements of the SPI rules above that "Block all not processed protocol packets" block rule, so the connection attempt is passed further down the list until it reaches that block rule and, of course, it fails, so all the ports are stealthed.

Does this make sense?

 

I'll try that and report back at a later stage. By IP address, do you mean the WAN IP?

Windows firewall wasn't enabled so this seems more likely to be the situation.

 

No, you will want to choose the ip address that your computer uses, on the LAN side of the router. This will probably something like: 192.168.1.xx or 192.168.0.xx...or along those lines.

If you use Win XP you can find it in: Control Panel-> Network Connections-> Local Area connections-> Support-> IP address.

 

Hello,
I have noticed that most Windows firewalls stealth port 113; On NIX systems, the port is usually left "only" closed, probably an ancient legacy. But I have not noticed any problems with or without stealthing the port ...
Mrk

 

True enough, it does not really matter if the port is closed instead of stealthed. In both cases it's secure. Also, some of the early posts in this thread puzzle me, with remarks such as: "my firewall fails" or: "my router fails", having lead me to believe that it was more than only port 113 that was closed instead or stealthed. If it was only 113 that reverted to closed, then this is clearly a trivial matter.

 

Rather than mess with DMZ settings, I re-tried the scan with no router connection whatsoever, no software firewall installed and no Win XP firewall running.

The result is all ports are closed except two: ports 135 & 139 are open. Port 0 is stealthed, but this doesn't seem to serve any legitimate purpose.

Screenshot attached.

 

@TonyW: This is the scan result you get with OA Free installed?

 

That scan result is with NO firewall installed, including OA.