Linux Firewall


Port Security for Newbies

Part I
"Click here to see if your computer is secure..."

Information returned by websites that portscan your computer can be very misleading. Below, I review various snippets of information from such websites and give unbiased explanations of what they really mean. Our first site is: http://scan.sygate.com/

This port has responded to our probes. This means that you are not running any application on this port, but it is still possible for someone to crash your computer through known TCP/IP stack vulnerabilities.
This information looks like it was copied from grc.com. As per Internet standards, the firewall does respond to connection attempts with a special ICMP packet indicating that the service to which a host is connecting is not available. This certainly does not imply that the system is vulnerable to attack. More on this further down. Here is more misinformation:
You are not fully protected:
We have detected that some of our probes connected with your computer.
I find this very irritating. They are trying to scare you, the Dumb Microsoft Windows user, into buying their firewall product by providing misleading information to make you believe that your computer is insecure.
_________________________

Here is another example from: http://www.firewallcheck.com/securitycheck.html

Your system has 20 closed ports. A closed port is one that is visible but not open to attack. When closed ports are probed the computer acknowledges the query with a message stating that the port exists but is closed. This is generally safe, however a hidden port is more desirable.
This statement is phrased to make it sound like your system is going out of its way to do something insecure. In reality it is doing exactly what it should be doing, rejecting connections to ports that do not have services available.
Your system has 0 hidden ports. This is the safest response -- no response at all. There's no indication that the port even exists, which means that you are virtually invisible to hackers scanning the Internet for potential targets. A hidden port generally indicates that a firewall is protecting your computer.
This page was written for the fresh-out-of-the-box newbie. All computers have ports. Whether the software decides to respond to connections or not is a whole different question. Additionally, this particular website has a very clear agenda. They want you to click on their "top choice" firewalls, "top choice" being the site that pays the highest click-through value. Did you even notice the owner of the website? WebInfoSearch, LLC, famed "Internet mall" purveyor.
_________________________

The last on our list is the grc.com ShieldsUP firewall test. Unlike the others, this is actually a highly reputable site, but the firewall information clearly targets the average Windows user (From the website: "NanoProbe Technology Internet Security Testing for Windows Users"). Here is what they have to say about "Closed" ports.

"Closed" is the best you can hope for without a stealth firewall in place.
Hot damn, did we ever fake you out. We are running a firewall and you didn't even know it. Of course, we are running Linux now, aren't we....
Anyone scanning past your IP address will immediately detect your PC, but "closed" ports will quickly refuse connection attempts. Your computer might still be crashed or compromised through a number of known TCP/IP stack vulnerabilities. Also, since it's much faster for a scanner to re-scan a machine that's known to exist, the presence of your machine might be logged for further scrutiny at a later time, for example, when a new TCP/IP stack vulnerability is discovered.
It is true that broad scans will see that a host exists at your address, but it is going to look like one pretty boring system. And when was the last TCP/IP stack vulnerability discovered... for Linux? I cannot find any evidence that there has ever been a remotely exploitable TCP/IP stack vulnerability in Linux. (There was a TCP/IP stack vulnerability in Linux 2.0.38 back in 1999 (here), but it required local access and a setuid-root 'ping' program to exploit.) Not that it matters either way. Read on....
You should stay current with updates from your operating system vendor since new "exploits" are being continually discovered and they are first applied upon known-to-exist machines . . . like this one!
Again the assumptions are that:
1.) We are running Windows.
2.) We are not running a firewall.
3.) The very act of not responding to connecting hosts can somehow make a system more secure.

Part II
Ports Security Demystified

By default our firewall configures your machine to behave "correctly" on the information superhighway by responding to ICMP-ECHO-REQUEST packets (pings) as well as sending ICMP-PORT-UNREACH packets when a host tries to connect to a service that either does not exist or is blocked by the firewall (without differentiating between the two). It is very important to note that it is the firewall that is generating these fake ICMP-PORT-UNREACH packets, not the underlying operating system. (Well, this isn't completely true, since netfilter is part of the Linux kernel, but it is not the same part of the kernel that normally generates ICMP-PORT-UNREACH packets.) As shown above, this behavior can even convince others that you are not running a firewall at all, and simply have a machine that is extremely boring.

Remember that if you are using a software firewall, then inbound packets are still accepted by your network card and travel through your PCI bus, RAM, CPU, etc. to have their fate decided by the computer SOFTWARE. Whether or not a system responds to the packet has no bearing on what has happened to the inbound packet up to this point. Provided that the connecting host knows you really are there (and if you are signed onto IRC, then obviously you really are there!), the only thing that refusing to send responses does is show that you are running a firewall, which is more information than they would otherwise have learned.

If you are on a managed network, then not responding to pings and such is likely to annoy your network administrator. If you are behind a corporate firewall and still have your desktop firewall configured to not respond to pings then you are really pushing your luck with the powers that be.

_________________________

In the end, the choice of how your computer behaves on the Internet is left up to you. If you disable the RFC_1122_COMPLIANT option in the advanced configuration section of rc.firewall, then your machine will reply neither to pings nor to connection attempts to a port through which a service is not available to the connecting host. The name of this option comes from Request for Comments (RFC) number 1122, which states the following:

Every host MUST implement an ICMP Echo server function that receives Echo Requests and sends corresponding Echo Replies.

A host should generate Destination Unreachable messages with code "Port Unreachable" when the designated transport protocol (e.g. UDP) is unable to demultiplex the datagram but has no protocol mechanism to inform the sender.
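As an added example (not the project's own rc.firewall), here is a script that prints the netfilter rules for the two behaviours discussed in Part II: the RFC 1122 compliant one that answers pings and rejects blocked ports with ICMP port-unreachable, and the silent one that drops everything. The function name, mode names and rule set are assumptions; it assumes iptables.

```shell
#!/bin/sh
# Added example, not the project's rc.firewall. Prints (does not apply) the
# iptables rules for the two behaviours, so they can be reviewed first;
# pipe the output to 'sh' as root to apply them.
#   compliant : answer pings, reject blocked ports with ICMP port-unreachable
#               (scanners report such ports as "closed")
#   stealth   : silently DROP unsolicited traffic (scanners report such
#               ports as "hidden" or "stealth")
firewall_rules() {
    mode="$1"
    # Common part: default-deny inbound, but keep loopback and the replies
    # to connections this host itself initiated.
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    case "$mode" in
        compliant)
            echo "iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
            # REJECT is what generates the ICMP unreachable (the firewall,
            # not the IP stack, as the text notes); icmp-port-unreachable is
            # also REJECT's default reason.
            echo "iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable"
            echo "iptables -A INPUT -p tcp -j REJECT --reject-with icmp-port-unreachable"
            ;;
        stealth)
            # No echo-request rule and no REJECT: everything unsolicited is
            # dropped without any reply at all.
            echo "iptables -A INPUT -j DROP"
            ;;
        *)
            echo "usage: firewall_rules compliant|stealth" >&2
            return 1
            ;;
    esac
}

# Number of rules in a mode that send something back to the probing host
# (0 means the host is silent, i.e. "stealth" to a scanner).
reply_rule_count() {
    firewall_rules "$1" | grep -c -e 'echo-request' -e 'REJECT' || true
}
```

Some scanners classify an ICMP unreachable in answer to a TCP SYN as "filtered" rather than "closed"; using `--reject-with tcp-reset` on the TCP rule sends the RST a genuinely closed TCP port would send.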
