On Monday 29 Jun 2015 10:01:50 Hans wrote:
> On 29/06/15 03:40, Mick wrote:
> > On Sunday 28 Jun 2015 16:07:30 Hans wrote:
> >> Bought last year a $300.-- FritzBox 7490. Returned the first one because
> >> it did not sync with my ISP. Returned the replacement because GRC
> >> ShieldsUp (https://www.grc.com/x/ne.dll?bh0bkyd2) test showed 100's of
> >> open ports. FritzBox Australia claimed this is "normal" and is not a
> >> security risk. The supplier refunded the purchase price. Using now a
> >> $78.-- TP-Link TD-VG3631 with VoIP. Not as fancy. Just works and has no
> >> open ports that can't be closed.
> >>
> >> Hans
> >
> > Are you sure it was actually showing "open" ports? It would show
> > "closed" ports, rather than "stealth", if your firewall uses '-j REJECT'
> > instead of '-j DROP' packets.
>
> The FritzBox firewall has no provisions to set REJECT or DROP.

Yes, but essentially that's what the firewall does, regardless of whether or not it exposes this setting directly to the user:

- DROP makes GRC probes return "stealth"
- REJECT makes GRC probes return "closed"
- ACCEPT makes GRC probes return "open".

The FritzBox should NOT return "open" for any ports that the user has not purposefully configured to forward incoming connections to a listening application on the LAN (e.g. a web server).

Some routers have a "stealth" port setting, to implement DROP for incoming packets at the firewall; otherwise the firewall will return 'ICMP - Destination Unreachable' (RFC-792) and so REJECT the packet. GRC ShieldsUp will return "closed" in this case and warn you that this is not secure, which is a bit of FUD to be honest. There's nothing wrong with a firewall returning an ICMP packet to state that the intended destination was unreachable; quite the opposite really, this is the correct TCP/IP behaviour for non-listening ports. Now, if the firewall just DROPs the packet, the remote application will wait a number of seconds and then resend it until the threshold for retransmission is reached. A waste of everyone's time and bandwidth, because dedicated port scanners are unlikely to be using this method to deduce if a port is listening or not.

Something worth noting is that if connection attempts exceed a certain number over a period of time, a clever firewall will start ignoring them and GRC will suddenly show "stealth" instead of "closed". This could give the impression of inconsistent firewall settings, but it is quite safe and is as it should be.

--
Regards,
Mick
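The mapping Mick describes (DROP = "stealth", REJECT = "closed", ACCEPT/forwarded = "open") and the rate-limit behaviour that flips "closed" to "stealth" after repeated probes, modelled as a small simulation. This is an added example, not code from the thread or from any router vendor; the `Firewall` class, its `threshold`/`window` parameters and the probe source addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Wire-level outcome of a SYN probe, and the label GRC ShieldsUp attaches to it.
SYN_ACK, ICMP_UNREACHABLE, NO_RESPONSE = "syn-ack", "icmp-dest-unreachable", None
VERDICT = {SYN_ACK: "open", ICMP_UNREACHABLE: "closed", NO_RESPONSE: "stealth"}


class Firewall:
    """Hypothetical model of a home router's handling of unsolicited inbound SYNs.

    policy:    'ACCEPT', 'REJECT' or 'DROP' for SYNs matching no forwarding rule.
    forwarded: ports deliberately forwarded to a LAN service (these answer SYN-ACK).
    threshold/window: the "clever firewall" behaviour from the thread; once one
               source sends more than `threshold` probes within `window` seconds,
               its further probes are silently ignored whatever the policy says.
    """

    def __init__(self, policy, forwarded=(), threshold=None, window=60.0):
        if policy not in ("ACCEPT", "REJECT", "DROP"):
            raise ValueError(policy)
        self.policy, self.forwarded = policy, frozenset(forwarded)
        self.threshold, self.window = threshold, window
        self._seen = defaultdict(deque)  # src -> timestamps of recent probes

    def _rate_exceeded(self, src, now):
        if self.threshold is None:
            return False
        q = self._seen[src]
        q.append(now)
        while q and now - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        return len(q) > self.threshold

    def probe(self, src, dport, now=0.0):
        """Return the wire-level response a SYN from `src` to `dport` receives."""
        if dport in self.forwarded:
            return SYN_ACK           # a LAN application is listening: genuinely open
        if self._rate_exceeded(src, now):
            return NO_RESPONSE       # source flagged as a scanner: ignore it
        if self.policy == "ACCEPT":
            return SYN_ACK
        if self.policy == "REJECT":
            return ICMP_UNREACHABLE  # RFC 792 Destination Unreachable, as the thread describes
        return NO_RESPONSE           # DROP: the prober times out and retransmits


def scan(firewall, src, ports, start=0.0, interval=0.1):
    """Probe `ports` in order from one source; return {port: ShieldsUp verdict}."""
    return {p: VERDICT[firewall.probe(src, p, start + i * interval)]
            for i, p in enumerate(ports)}
```

Running `scan(Firewall("REJECT", threshold=3), "203.0.113.5", [21, 22, 23, 25, 110])` shows the first three ports as "closed" and the remaining two as "stealth", which is the "inconsistent-looking" result the thread says is expected.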