Stealthing Port 4444 With NPF 2003

Hi. I installed the trial version of NPF 2003. I'm running Ad-Subtract Pro, Win98SE.

I ran a Port 4444 scan for Ad-Subtract Pro at PC Flank. Port 4444 showed open instead of stealth. When I run the full port scan all ports on the list are stealth.

I am running NPF 2003 in default mode. The default rule for Ad-Subtract Pro is...........

ADSUB.EXE

Permit, Direction: In/Out, Computer: Any, Communications: Any, Protocol: TCP and UDP.

How do I get port 4444 to show stealth at PC Flank?

 

See this thread on the Trojan Hunter forum:

http://www.misec.net/cgi-bin/yabb/YaBB.cgi?board=TrojanHunter&action=display&num=1029175095

 

The reason it is showing as open is because you have permitted traffic Inbound in your rule. Anytime you permit Inbound that specified service/port will show as open to the Internet. Not something you really want to do unless you are actually running a server (Web, Email, FTP, etc.)

I am not familiar with AdSubtract, but it should only need Outbound in you NIS rules. The rule you have for it should be similar to a rule for browsers.

Permit
Direction: Outbound
Protocol: TCP
Computer: Any
Remote Service/Port: 80, 8080

As it is acting as a local proxy it will need inbound on your system/localhost, but the loopback rules should allow this. Try this change and let us know.

You might want to take a look at the recent posts on customizing firewall rules for ideas as well.

CrazyM

 

This just came up a few days ago, and I've been trying to chase down what the bottom line is, but it would seem with add/subtract pro, you need to allow loopback but not for port 4444. That is what leaves it open.
As CrazyM says, I do not think you want to allow traffic in.
If I have it figured out correctly, A/S uses local port 4444 out on tcp to port 80 or 8080 remote. You need to allow loopback for all ports except 4444, as that seems to open up your firewall for an exploit. I have not been able to find substanciation of this ever happening, but it seems to be accepted by many as being true. I have heard it has been demonstrated.
In any event, better safe than sorry, so please set up your loopback rules to exclude port 4444. I f you do that and A/S doesn't work, let me know.

 

Thanks CrazyM. I will give that a try and post back here with the results.

If I remember right from reading about rules creating, allowing incoming is basically allowing the app to act as a server. I wish I would have remembered that before I started this thread. I have been using ZA for a long time and had no need to think about things like that. I was just bored and thought I would try a different firewall. I like NAV so I thought I would give NPF a try.

Regards,
Hobnob

 

Hobnob.

Create a block inbound TCP/UDP rule for ASP in NPF's rules and place that rule, under the allow ASP outbound TCP rule. That should block incoming connections. I have used that type of rule when i was using NPF a few years back. The block inbound rule, will stop ASP having server rights. Which ASP really does not really reqiure.

I hope this helps.

 

Just change ADSUBTRACT'S port to 4446.......easy!

 

Not quite so easy. All that would do is change the port ASP is listening on, it would now just be listening on port 4446. You would still need to block inbound traffic from the Internet to ASP in order for the selected port to show as closed/stealth to the outside.

Regards
CrazyM

 

Please excuse my butting in.......the advice offered by CrasyM should have resolved the problem.......but I don't see any comment as to it having done so....an noticed that Hobnob appears to be new at rule based firewalls..........so......if that is the case......Hobnob please advise ..........an the folks here can hopefully offer help.


snowman

 

Hello.

First I want to say thank you to everyone who tried to help me out with this. Unfortunately, things didn't work out. The 15 day trial period end yesterday. I could never get rules set up properly. The outbound rule didn't work, and the inbound block rule made me lose connection to the internet. I didn't spend as much time on it as I should have and couldn't get back here to the forum because I was gone for a few days. I'm sure I was doing something wrong. Snowy is right, I am new to rules based firewalls. I probably should give it up.

I'm not too sure I would have purchased NPF anyway. I wasn't very comfortable with it. I am back to using ZA and thinking I might give Outpost a try. Maybe it will be a little easier for me to handle.

Thanks again for all the help. Sorry that I wasted your time.

Regards,
Hobnob

 

HOBNOB

Greetings......wishing you well........an no my new friend you have not wasted anyone's time......this forum is all about sharing..caring....and helping.....no time limitations.

Please reconsider......once members realize that you need instruction on rule based firewalls you may find more than useful help that will make the job as easy as eating apple pie.............

once you begin to learn about rules..suddenly a light will shine....an you will find it easier than you may now think

snowman

 

Thanks for the words of encouragement snowy. I appreciate that Maybe I should have tried something easier to start with. I've heard that NPF can be difficult to set up if you don't know what you are doing. Not sure what I am going to do yet. Like I said I might give Outpost a try.

 

HOBNOB

GREAT!!! You can do this ! an if you care to try a freeware rule based firewall...there are several....Outpost is not a bad choice.........I never suggest any particular firewall because its such a personal decision......but may comment on one on occassion.........Outpost does have a forum where you will find much help.....Root can offer you more information perhaps............

just remember.........any rule based firewall that is not set-up correctly wont offer full protection.......so go slow......most of these firewalls come with a fairly good out-of-the-box rule set.........an can be tweaked as the user learns.

snowman

 

HOBNOB

the offered link is intended ONLY to give you an idea about rules.......I am not suggesting a particular firewall.....just giving you an impression of rules


http://bellsouthpwp.net/i/k/ikpe/index.html

 

HOBNOB

see also:


http://itsec.commontology.de/firewalls/lns/lns-rules.html

 

Hobnob, since you are interested, why not try Outpost? We offer excellent support at the Outpost Forum, and technical support from Agnitum if needed.
It's not hard to set up.
RISC OS developed a website for new user information on Outpost and it is a wealth of information. You might want to look there before installing, as it will answer most questions you may initially have.RISC OS site.

 

Thanks snowy. I will check out those sites and give it some thought.

 

Root. Thanks for the information also. Your post wasn't there yet when I replied to snowy. I will do some studying and try to decide what to do.

 

HOBNOB

You are always most welcome. on a more personal note.......ROOT is one of the very rare person's who's advice I would follow.......if he uses OUTPOST...an he does...its for a very good reason.........he knows the business of firewalls.........an RISC OS is another person who's knowledge I have respected for years........HOBNOB you will be getting the very best of help.

HOBNOB you really CAN do this !!!!!

 

Thanks again snowy. You are a great person to have around in this forum.

Regards,
Hobnob