Stealthing Port 4444 With NPF 2003

Discussion in 'other firewalls' started by Graystoke, Oct 28, 2002.

Thread Status:
Not open for further replies.
  1. Graystoke

    Graystoke Guest

    Hi. I installed the trial version of NPF 2003. I'm running Ad-Subtract Pro, Win98SE.

    I ran a Port 4444 scan for Ad-Subtract Pro at PC Flank. Port 4444 showed open instead of stealth. When I run the full port scan all ports on the list are stealth.

    I am running NPF 2003 in default mode. The default rule for Ad-Subtract Pro is...........

    ADSUB.EXE

    Permit, Direction: In/Out, Computer: Any, Communications: Any, Protocol: TCP and UDP.

    How do I get port 4444 to show stealth at PC Flank?
     
  2. marti

    marti Registered Member

    Joined:
    Mar 25, 2002
    Posts:
    646
    Location:
    Houston, Texas, USA
    See this thread on the Trojan Hunter forum:

    http://www.misec.net/cgi-bin/yabb/YaBB.cgi?board=TrojanHunter&action=display&num=1029175095
     
  3. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    The reason it is showing as open is because you have permitted traffic Inbound in your rule. Anytime you permit Inbound that specified service/port will show as open to the Internet. Not something you really want to do unless you are actually running a server (Web, Email, FTP, etc.)

    I am not familiar with AdSubtract, but it should only need Outbound in your NIS rules. The rule you have for it should be similar to a rule for browsers.

    Permit
    Direction: Outbound
    Protocol: TCP
    Computer: Any
    Remote Service/Port: 80, 8080

    As it is acting as a local proxy it will need inbound on your system/localhost, but the loopback rules should allow this. Try this change and let us know.

    You might want to take a look at the recent posts on customizing firewall rules for ideas as well.

    CrazyM
     
  4. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    This just came up a few days ago, and I've been trying to chase down what the bottom line is, but it would seem with add/subtract pro, you need to allow loopback but not for port 4444. That is what leaves it open.
    As CrazyM says, I do not think you want to allow traffic in.
    If I have it figured out correctly, A/S uses local port 4444 out on tcp to port 80 or 8080 remote. You need to allow loopback for all ports except 4444, as that seems to open up your firewall for an exploit. I have not been able to find substantiation of this ever happening, but it seems to be accepted by many as being true. I have heard it has been demonstrated.
    In any event, better safe than sorry, so please set up your loopback rules to exclude port 4444. If you do that and A/S doesn't work, let me know.
     
  5. Graystoke

    Graystoke Guest

    Thanks CrazyM. I will give that a try and post back here with the results.

    If I remember right from reading about rules creating, allowing incoming is basically allowing the app to act as a server. I wish I would have remembered that before I started this thread. I have been using ZA for a long time and had no need to think about things like that. I was just bored and thought I would try a different firewall. I like NAV so I thought I would give NPF a try.

    Regards,
    Hobnob
     
  6. Judgedredd

    Judgedredd Guest

    Hobnob.

    Create a block inbound TCP/UDP rule for ASP in NPF's rules and place that rule, under the allow ASP outbound TCP rule. That should block incoming connections. I have used that type of rule when I was using NPF a few years back. The block inbound rule, will stop ASP having server rights. Which ASP really does not really require.

    I hope this helps.
     
  7. ZZZ7

    ZZZ7 Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    72
    Just change ADSUBTRACT'S port to 4446.......easy!
     
  8. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Not quite so easy. All that would do is change the port ASP is listening on, it would now just be listening on port 4446. You would still need to block inbound traffic from the Internet to ASP in order for the selected port to show as closed/stealth to the outside.

    Regards
    CrazyM
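
The point made in CrazyM's two replies above, as an added example that is not part of the original thread and is not NPF's own rule engine: a simplified first-match rule model showing that the In/Out permit answers an Internet probe on whichever port AdSubtract listens on, while an outbound-only rule does not. The loopback permit rule, the default drop, and all addresses and ports in the sample packets are assumptions constructed for the illustration.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address

Packet = namedtuple("Packet", "direction protocol app remote_ip local_port remote_port")

@dataclass(frozen=True)
class Rule:
    action: str                            # "permit" or "block"
    direction: str                         # "in", "out" or "both"
    protocols: frozenset                   # e.g. {"tcp", "udp"}
    app: str = "*"                         # program the rule is bound to
    remote_ports: frozenset = frozenset()  # empty = any remote port
    loopback_only: bool = False            # match only 127.0.0.0/8 peers

def matches(rule, pkt):
    return (rule.direction in (pkt.direction, "both")
            and pkt.protocol in rule.protocols
            and rule.app in ("*", pkt.app)
            and (not rule.remote_ports or pkt.remote_port in rule.remote_ports)
            and (not rule.loopback_only or ip_address(pkt.remote_ip).is_loopback))

def verdict(rules, pkt):
    """Assumed model: first matching rule wins, unmatched traffic is dropped."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"

ANY, TCP = frozenset({"tcp", "udp"}), frozenset({"tcp"})
LOOPBACK = Rule("permit", "both", ANY, loopback_only=True)  # assumed loopback rule
# Rule quoted in the first post, then the outbound-only rule suggested in reply.
default_rules = [LOOPBACK, Rule("permit", "both", ANY, app="ADSUB.EXE")]
outbound_rules = [LOOPBACK, Rule("permit", "out", TCP, app="ADSUB.EXE",
                                 remote_ports=frozenset({80, 8080}))]

def exposure(rules, listen_port=4444):
    """Verdicts for three constructed packets (documentation-range addresses)."""
    packets = {
        "probe": Packet("in", "tcp", "ADSUB.EXE", "203.0.113.7", listen_port, 40000),
        "browser": Packet("in", "tcp", "ADSUB.EXE", "127.0.0.1", listen_port, 1050),
        "fetch": Packet("out", "tcp", "ADSUB.EXE", "198.51.100.20", 1051, 80),
    }
    return {name: verdict(rules, pkt) for name, pkt in packets.items()}

if __name__ == "__main__":
    for port in (4444, 4446):
        print(port, "default:", exposure(default_rules, port),
              "outbound-only:", exposure(outbound_rules, port))
```

In this model the probe is permitted under the default rule on both 4444 and 4446, and dropped under the outbound-only rule, while the browser-to-proxy and proxy-to-web packets are permitted in every case.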
     
  9. snowy

    snowy Guest

    Please excuse my butting in.......the advice offered by CrazyM should have resolved the problem.......but I don't see any comment as to it having done so....an noticed that Hobnob appears to be new at rule based firewalls..........so......if that is the case......Hobnob please advise ..........an the folks here can hopefully offer help.


    snowman
     
  10. Graystoke

    Graystoke Guest

    Hello.

    First I want to say thank you to everyone who tried to help me out with this. Unfortunately, things didn't work out. The 15 day trial period ended yesterday. I could never get rules set up properly. The outbound rule didn't work, and the inbound block rule made me lose connection to the internet. I didn't spend as much time on it as I should have and couldn't get back here to the forum because I was gone for a few days. I'm sure I was doing something wrong. Snowy is right, I am new to rules based firewalls. I probably should give it up.

    I'm not too sure I would have purchased NPF anyway. I wasn't very comfortable with it. I am back to using ZA and thinking I might give Outpost a try. Maybe it will be a little easier for me to handle.

    Thanks again for all the help. Sorry that I wasted your time.

    Regards,
    Hobnob
     
  11. snowy

    snowy Guest

    HOBNOB

    Greetings......wishing you well........an no my new friend you have not wasted anyone's time......this forum is all about sharing..caring....and helping.....no time limitations.

    Please reconsider......once members realize that you need instruction on rule based firewalls you may find more than useful help that will make the job as easy as eating apple pie.............

    once you begin to learn about rules..suddenly a light will shine....an you will find it easier than you may now think

    snowman
     
  12. Graystoke

    Graystoke Guest

    Thanks for the words of encouragement snowy. I appreciate that :) Maybe I should have tried something easier to start with. I've heard that NPF can be difficult to set up if you don't know what you are doing. Not sure what I am going to do yet. Like I said I might give Outpost a try.
     
  13. snowy

    snowy Guest

    HOBNOB

    GREAT!!! You can do this ! an if you care to try a freeware rule based firewall...there are several....Outpost is not a bad choice.........I never suggest any particular firewall because its such a personal decision......but may comment on one on occasion.........Outpost does have a forum where you will find much help.....Root can offer you more information perhaps............

    just remember.........any rule based firewall that is not set-up correctly wont offer full protection.......so go slow......most of these firewalls come with a fairly good out-of-the-box rule set.........an can be tweaked as the user learns.

    snowman
     
  14. snowy

    snowy Guest

    HOBNOB

    the offered link is intended ONLY to give you an idea about rules.......I am not suggesting a particular firewall.....just giving you an impression of rules


    http://bellsouthpwp.net/i/k/ikpe/index.html
     
  15. snowy

    snowy Guest

    HOBNOB

    see also:


    http://itsec.commontology.de/firewalls/lns/lns-rules.html
     
  16. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Hobnob, since you are interested, why not try Outpost? We offer excellent support at the Outpost Forum, and technical support from Agnitum if needed.
    It's not hard to set up.
    RISC OS developed a website for new user information on Outpost and it is a wealth of information. You might want to look there before installing, as it will answer most questions you may initially have. RISC OS site.
     
  17. Graystoke

    Graystoke Guest

    Thanks snowy. I will check out those sites and give it some thought. :)
     
  18. Graystoke

    Graystoke Guest

    Root. Thanks for the information also. Your post wasn't there yet when I replied to snowy. :) I will do some studying and try to decide what to do.
     
  19. snowy

    snowy Guest

    HOBNOB

    You are always most welcome. on a more personal note.......ROOT is one of the very rare persons whose advice I would follow.......if he uses OUTPOST...an he does...its for a very good reason.........he knows the business of firewalls.........an RISC OS is another person whose knowledge I have respected for years........HOBNOB you will be getting the very best of help.

    HOBNOB you really CAN do this !!!!!
     
  20. Graystoke

    Graystoke Guest

    Thanks again snowy. You are a great person to have around in this forum. :)

    Regards,
    Hobnob
     