ZA Pro and closed ports

Discussion in 'other firewalls' started by sir_carew, Feb 4, 2004.

Thread Status:
Not open for further replies.
  1. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hello,
    Today I ran a test at Sygate and GRC; both showed all of my ports as stealth except the ports HTTP, POP3, SMTP. I connect via cable modem; I have no routers, proxies, or any servers, etc. on these ports.
    Is it possible that my ISP is now doing something on those ports?
    Thanks.
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Just to clarify, you have ZAP set to High security for the Internet Zone, and have no servers running or allowed in it. Also, you haven't set any expert rules or made custom settings in ZAP regarding TCP ports 80, 110, and 25 - right? And in spite of all this, you are showing "closed" ports at the online tests, not "stealth"...

    Well, ZAP can and does easily stealth all these ports provided you haven't changed any settings, so it has to be something else. Certainly your ISP could be interfering with the packets coming in because they probably have rules saying you can't run any servers (in this case webservers and email servers). You need to find out if these packets are even reaching your system during the tests.

    There are lots of ways of doing this. Running a port listener on your system and giving it server rights in ZAP is one way. Then re-run the tests and see if you get "open" responses, which should also log activity in the port listener software when it sees the probes come in. (TDS has built-in port listen I believe, but there are freebies available, too. Port Explorer if you have that could watch the ports, too. Sniffer software would be very useful here.)

    Edit: Oh, also make sure your cable modem is just a modem and doesn't have any filtering capability itself, whereby it is closing these ports on you. Unlikely, but you never know these days. Some ISP-provided connection devices combine extra functionality sometimes.
     
  3. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hi,
    I'm testing with Port Explorer from Diamond, and when I do the test, it shows port 1188 as an established connection and later it disappears. It appears in the TCP log.
    Thanks.
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Well, that could be anything. Where does it establish its connection to and what program is opening the port? That's not likely to be related to the above issue.

    You'll really have to see if you can force the port scanners to see an open port, by listening on one of those ports while testing. It's the only way to determine if the port scanner is actually hitting your system or is being blocked somewhere before it (such as at your ISP).
     
  5. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hi,
    How can I do that using Port Explorer?
    Thanks.
     
  6. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi sir_carew

    Does Port Explorer or a simple Netstat show anything listening on those ports/services?

    Regards,

    CrazyM
     
  7. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hi, only MSN Messenger uses 80 as listening; however, if I quit MSN the problem persists.
     
  8. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Well normally it should not be listening on port 80.
    Can you clarify if that entry in Port Explorer is local port 80 or remote port 80? (makes a big difference)

    Regards,

    CrazyM
     
  9. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hi,
    Remote port.
     
  10. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    That would indicate an outbound connection, which is OK.

    From your checking Port Explorer, you do not seem to have anything listening on those ports/services not showing as stealth.

    You could try contacting your ISP to determine if they do any filtering on inbound traffic which could explain your test results.

    Or, as LWM mentioned, you could test to see if those specific inbound scans ever reach your system.

    - You could run Ethereal (free) while running the online scan to see what packets are in fact reaching your system.

    - You could run PortPeeker (free) and configure it to listen on one of those local service/ports. Allow it server rights in ZA and then do the test scan and see if anything shows up in PortPeeker for the configured service.

    If nothing shows up, and your results are still closed, it is likely something is being done upstream of your system.

    Regards,

    CrazyM
     
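The listener test that LowWaterMark and CrazyM describe, as an added example that is not part of the original thread: a minimal Python port listener that records every inbound TCP connection on the ports under test while the online scan runs. The function names, the 120-second window and the verdict strings are assumptions made for this sketch; the ports 80, 110 and 25 are the ones named in the thread, and the listener still needs server rights in the firewall.

```python
import selectors
import socket
import time

def open_listeners(ports, host="0.0.0.0"):
    """Bind a listening TCP socket per port; returns {bound_port: socket}.
    A bind error means something on this machine already owns the port."""
    listeners = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind((host, port))
        s.listen(16)
        s.setblocking(False)
        listeners[s.getsockname()[1]] = s
    return listeners

def collect_probes(listeners, seconds):
    """Accept connections for `seconds`; returns [(local_port, remote_ip, remote_port)]."""
    sel = selectors.DefaultSelector()
    for port, s in listeners.items():
        sel.register(s, selectors.EVENT_READ, port)
    seen = []
    deadline = time.monotonic() + seconds
    while True:
        left = deadline - time.monotonic()
        if left <= 0:
            break
        for key, _ in sel.select(timeout=left):
            try:
                conn, peer = key.fileobj.accept()
            except OSError:
                continue  # probe was reset before it could be accepted
            conn.close()
            seen.append((key.data, peer[0], peer[1]))
    sel.close()
    return seen

def verdict(scan_result, probes):
    """Combine what the online scanner reported with what the listener saw."""
    if probes:
        return "probes reach this host"
    if scan_result == "closed":
        return "no probe arrived: likely answered or filtered upstream"
    return "inconclusive"

if __name__ == "__main__":
    # Ports from the thread; binding below 1024 needs root on Unix-like systems.
    socks = open_listeners([80, 110, 25])
    print("Listening; run the online scan now...")
    probes = collect_probes(socks, 120)
    for p in probes:
        print("probe on local port %d from %s:%d" % p)
    print(verdict("closed", probes))
```

If the scanner now reports the port as open and its address shows up in the output, the probes are reaching the machine; an empty list alongside a "closed" result matches the upstream-filtering case CrazyM describes.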