[ale] How to test your public internet connection for open ports

Pat Regan thehead at patshead.com
Fri Feb 11 04:42:42 EST 2011


On Fri, 11 Feb 2011 02:56:00 -0500
Ron Frazier <atllinuxenthinfo at c3energy.com> wrote:

> Now, you guys are telling me, that if the bot randomly scans my
> public IP address, 76.97.???.???, and if my ports are stealthed and I
> don't send ANY response, and if I don't respond to ICMP pings and
> such, that the bot is still going to know I'm there?  Come on!  I'm
> not buying that for 5 seconds unless someone explains exactly how
> that will occur.

I don't know precisely what everyone else is saying.

I would tell you that blocking echo requests and making sure your ports
are "stealthed" is about as worthwhile as disabling SSID broadcast on
your wireless network.  If you have no open ports then there is nothing
to attack from the outside.

> I believed last week, and I still believe this week, that my home 
> network is safer by operating with a stealth firewall at the edge,
> even if the benefit is not tremendous over that of a non stealth
> firewall.

You can do whatever you want with your network.  Everyone here is
pointing out that Steve Gibson is recommending settings that don't
increase your security and have the potential to cause problems.  

> As a home user, I've been blocking outside pings for years, as long
> as I've had broadband.  It's all part of being invisible.  I can't
> speak to whether the router is blocking other ICMP.  I've never had
> any ill effects that I know of.  There is absolutely no reason anyone
> outside my house needs to ping me, and I have serious doubts as to
> whether I need to receive any other ICMP traffic.  Blocking ping, and
> ICMP, may break certain things enterprise networks expect.  I don't
> have a problem with that.  I don't have an enterprise network.  I
> have a home network that I want to be as safe as possible and one
> that does what I need it to do by giving me access to the internet.

It has nothing to do with whether or not you have an "enterprise
network."  If you are currently ignoring all ICMP traffic then you are
breaking path MTU discovery.  You may have run into this in the past
and you might not have known it.  You still might run into it.

> I really don't care if that violates RFC 1122.  Also, the internet
> was "designed to work" in the 60's when the types of security issues
> we face today, with millions of automated viruses roaming around,
> hadn't even been dreamed of.  So, maybe the way it was designed to
> work, isn't the safest way to have it work, in the modern era.

Most malware isn't arriving through bots scanning for insecure
firewalls.  The vast majority of malware is delivered through bugs in
your web browsers and email clients.  You can put as many locks on the
door as you want, it is still easier to put a brick through the window.

> Maybe the average smart consumer.  They have to know enough to know
> they need to seek out advice on security and listen to the podcast.
> Also, many of his listeners, such as myself, are more advanced.  This
> is a slightly more advanced technique.  Perhaps he should mention
> that they need to set the DHCP server not to distribute LAN addresses
> in this range.  That's what I've done.  My DHCP server distributes
> xxx.xxx.xxx.2 - 200 on the LAN.  If I want to forward something to a black hole, I 
> send it to 250 or something.  That address will NEVER be allocated.  
> Steve likes to give lots of technical detail.  Some listeners will be 
> able to absorb it, and some won't.  This might be another thing that 
> could be suggested on the feedback page.

Why would you ever need to forward a port to an unused address on your
local subnet?  Why wouldn't you just leave the port closed?

> The consumer is going to go look at the store shelf and see "NAT
> Router" on the box.  Steve has to use terminology that they'll
> understand.  The consumer NAT router has NAT, firewall, and routing
> functionality, so it is a security device, whether NAT is providing
> the security or not.  I think one of the Michael's said that part of
> doing NAT involves stateful packet inspection, so it seems to me that
> all this is pretty intertwined anyway.  The consumer thinks, "If I
> have a NAT router, I have some security." - which is true.

I doubt many consumers have ever seen the term NAT.  

> By the way, as long as we're discussing NAT, since the cable / dsl
> modem ONLY provides 1 IP on its Ethernet LAN port, as far as I know,
> then, without NAT, the customer could only put 1 PC on the LAN and
> connect to the internet.  That would be unfeasible for most of us.

I've seen this repeated so many times during these discussions the last
few days.  It is very simple.  If you want to secure your network you
use a firewall.  If you have more clients that need to access the
internet than you have IP addresses then you use NAT.  The only
relation between the two is that at home they nearly always live on the
same device.

No one has said not to use NAT.  Most of us are impatiently waiting for
the day we don't need NAT anymore.

> If you had listened to the last 5 years of his weekly podcast, as I 
> have, you'd find that he's all about education.  Everything you 
> mentioned has been covered numerous times, usually in great 
> detail.  There is far more content there than on his website.  I just 
> chose to point out ShieldsUp because of the discussion about
> routers. Why else would he devote 4 hours a week (3 hours prep, 1
> hour talk) to making a podcast for over 250 weeks, all for free?
> He's the most dedicated person I know of in terms of protecting the
> consumer.  He also pays his staff to transcribe each podcast so we
> can have better access to it and search it.

Isn't there advertising on his podcasts like all the other TWiT
podcasts?

> Here's a challenge.  I've heard over 250+ of his podcasts.  I've
> found them useful, enlightening, and interesting.  I have implemented
> many of his suggestions in my own home network.  So, perhaps some of
> you chiding me could listen to 10% of that, say 25 podcasts, then
> report back.  At least you'll have a better basis for discussion.

The only major piece of work from Steve Gibson that I know anything
about is Spinrite.  His idea of "exercising" the drive seems like a
sound idea.  Unfortunately there is absolutely no proof anywhere that
this actually makes any real world difference.  There is no study to
back this up.  "Exercising" the drive is the only feature of Spinrite
that isn't implemented in open source software.

The Spinrite website makes this claim:

"Since NO OTHER UTILITY analyzes the surface of a drive WHILE IT
CONTAINS DATA, NO OTHER UTILITY can warn its user of imminent drive
failure."

I can't believe they'd make such a horribly false statement.

The other thing I know about him is that he apparently encourages
people to break PMTU :)

I'm not planning on listening to his podcasts.  It has nothing to do
with my opinion of the gentleman.  I listen to FLOSS Weekly whenever
the project being discussed is interesting (and sometimes when it is
less interesting).  I also listen to This Week in Tech if I'm bored and
I notice they have someone like Jerry Pournelle on.

> My only motive in making these posts is to help other people.  It 
> doesn't do me any good in any other way, to sit in this chair with a 
> sore back, to spend dozens of hours typing this.  So, hopefully, it
> will be helpful.  I do appreciate the dialog, by the way.

I'm happy to respond with whatever knowledge I may have in my head.  I
am curious about something, though.

A few messages back you stated that you had a reason to require three
layers of NAT on your home network but I didn't see why in the
message.  I was hoping you could explain.

At a company I used to work for I had to run a VPN over two layers of
consumer grade NAT for about 2 months...

One of our clients was renting extra warehouse space for the Christmas
shopping season.  We needed to install one of our networked hand
scanning time clocks in the warehouse.  The permanent occupants of the
warehouse had a DSL line with a plain old home router.  

Our client plugged their own home router into the other company's
router.  I ended up plugging one of our little WRT54GL routers into
our client's network.  Our router was configured to connect back to us
using OpenVPN.  Thank god for OpenVPN.  It'll run over damn near
anything.

Pat
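The path MTU discovery point Pat raises above is easy to state but hard to see without a model, so here is an added example that is not part of the thread: a toy Python simulation of a sender behind a firewall, a router with a smaller MTU in the middle, and the ICMP "fragmentation needed" message the router returns. The hosts, MTUs, packet sizes and the `Firewall`/`Path` classes are all constructed for the illustration; the ICMP type and code numbers are the real IPv4 values.

```python
"""
Added example (not from the ALE thread): a toy simulation of why a firewall
that drops *all* inbound ICMP breaks path MTU discovery (PMTUD).

A sender emits packets with the DF (don't fragment) bit set. A router on the
path with a smaller MTU cannot forward them and instead returns an ICMP
"Fragmentation Needed" message (IPv4 type 3, code 4) carrying the next-hop
MTU (IPv6 uses ICMPv6 type 2, "Packet Too Big", for the same job). If the
sender's firewall discards that message, the sender never learns the smaller
MTU and keeps retransmitting packets that are silently dropped.
All hosts, MTUs and packet sizes below are constructed for the illustration.
"""
from dataclasses import dataclass, field

ICMP_UNREACHABLE = 3          # IPv4 ICMP type "Destination Unreachable"
CODE_FRAG_NEEDED = 4          # code 4: fragmentation needed and DF was set
ICMP_ECHO_REQUEST = 8         # "ping"; not needed for PMTUD

# The one inbound IPv4 ICMP message a firewall must keep passing for PMTUD.
PMTUD_REQUIRED = {(ICMP_UNREACHABLE, CODE_FRAG_NEEDED)}


@dataclass
class IcmpMessage:
    icmp_type: int
    code: int
    next_hop_mtu: int = 0     # only meaningful for type 3 / code 4


@dataclass
class Firewall:
    """Sender-side inbound ICMP policy (constructed): a set of
    (type, code) pairs that are allowed in; everything else is dropped."""
    allowed: set = field(default_factory=set)

    def accepts(self, msg: IcmpMessage) -> bool:
        return (msg.icmp_type, msg.code) in self.allowed


@dataclass
class Path:
    """Sender -> bottleneck router -> receiver (constructed). The router's
    link MTU is smaller than the sender's, so it is the bottleneck."""
    path_mtu: int

    def forward(self, size: int, df: bool):
        """Return (status, icmp): 'delivered', 'fragmented', or 'dropped'
        together with the ICMP message the router sends back on a drop."""
        if size <= self.path_mtu:
            return "delivered", None
        if df:
            # The router may not fragment a DF packet, so it reports the
            # largest size it can carry instead.
            return "dropped", IcmpMessage(ICMP_UNREACHABLE, CODE_FRAG_NEEDED,
                                          self.path_mtu)
        return "fragmented", None


def send_with_pmtud(path: Path, firewall: Firewall, size: int,
                    initial_mtu: int = 1500, max_tries: int = 5):
    """Deliver `size` bytes as DF packets the way a PMTUD-capable host does.

    Returns (delivered, final_mtu_estimate, attempts). A host only shrinks
    its MTU estimate when the router's ICMP actually reaches it.
    """
    mtu = initial_mtu
    for attempt in range(1, max_tries + 1):
        # Never put more than the current MTU estimate on the wire.
        chunk = min(size, mtu)
        status, icmp = path.forward(chunk, df=True)
        if status == "delivered":
            return True, mtu, attempt
        if icmp is not None and firewall.accepts(icmp):
            mtu = icmp.next_hop_mtu   # learned the bottleneck; retry smaller
        # else: black hole; the sender retransmits the same size and waits
    return False, mtu, max_tries


if __name__ == "__main__":
    bottleneck = Path(path_mtu=1400)
    drop_all_icmp = Firewall(allowed=set())
    allow_pmtud = Firewall(allowed=PMTUD_REQUIRED)
    print("drop all ICMP :", send_with_pmtud(bottleneck, drop_all_icmp, 1500))
    print("allow frag-needed:", send_with_pmtud(bottleneck, allow_pmtud, 1500))
    print("small packet, drop all ICMP:",
          send_with_pmtud(bottleneck, drop_all_icmp, 1200))
```

Running it shows the two behaviours side by side: with the fragmentation-needed message allowed in, the sender drops to 1400 bytes on the second attempt and the data goes through; with every ICMP message dropped, the 1500-byte packet is retransmitted until the sender gives up. The third case is why the breakage goes unnoticed for a long time: anything small enough to fit under the bottleneck MTU (short web pages, e-mail headers, most of a mailing-list thread) is delivered fine, and only large transfers stall. Note that `Firewall(allowed=PMTUD_REQUIRED)` still rejects an echo request (type 8), so a rule set can refuse pings and still keep PMTUD working; it is dropping type 3 / code 4 (and, for IPv6, Packet Too Big) that does the damage.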