Cannot put box into stealth mode


griptypethyne

I am running MDK10.1, iptables 1.2.9 and guarddog 2.4.0.

 

I can confirm that guarddog is running by clearing the DNS check box and attempting to load a web page, which of course fails. When I tick the box I can connect.

 

In the "local serves internet" zone I leave all boxes cleared. This means that all incoming requests for connections should be dropped rather than rejected. However, Steve Gibson's ShieldsUp test detects all ports and says that they are closed, rather than saying that they do not exist. Thinking I may have become a little bit confused I put an X in a box and re-ran the test. No change.

 

I am not too concerned about this as ipchains is refusing connections, but it would be better if I could make my box invisible. I am probably overlooking something obvious - can anyone suggest a reason why I cannot put my box into stealth mode?

Link to comment
Share on other sites

I carried out some more tests but am even more confused (-;

 

I have a DSL-303G modem on eth0.

 

I ran dmesg and looked at the last few messages (unfortunately not time-stamped). I then ran the ShieldsUp test and confirmed that additional messages had been added to the log. Most messages were of the form

 

DROPPED IN= OUT=eth0 SRC=10.1.1.3 DST=10.255.255.255 L..................

 

with a few

 

ABORTED IN=eth0 OUT= MAC=00:40:f.............................

 

All DROPPED messages were for OUT packets rather than IN. There were no REJECT packets, although ShieldsUp can detect the ports.

 

I am beginning to wonder if my modem is the culprit. However, AFAIK the DSL-302G is a basic modem with NAT but no built-in firewall functionality.

Link to comment
Share on other sites
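The check described in the post above (which direction the logged packets were travelling) can be automated. This is an added example, not part of the original post: it tallies firewall log entries by prefix and direction and counts inbound entries from a given scanner address. The sample lines are constructed in the netfilter LOG layout; only the `DROPPED`/`ABORTED` prefixes and the 10.x addresses come from the post, and `parse_line`, `summarise` and the 192.0.2.10 scanner address are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (not the poster's log); fields after DST= are made up.
SAMPLE_LOG = """\
DROPPED IN= OUT=eth0 SRC=10.1.1.3 DST=10.255.255.255 LEN=78 TTL=64 PROTO=UDP SPT=137 DPT=137
DROPPED IN= OUT=eth0 SRC=10.1.1.3 DST=10.255.255.255 LEN=229 TTL=64 PROTO=UDP SPT=138 DPT=138
ABORTED IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=192.0.2.10 DST=10.1.1.3 LEN=40 TTL=52 PROTO=TCP SPT=80 DPT=40112
kernel: eth0: link up
"""

FIELD = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return (prefix, fields) for a firewall log line, or None for other lines."""
    m = re.search(r"(\w+)\s+(IN=\S*\s+OUT=.*)", line)
    if not m:
        return None
    return m.group(1), dict(FIELD.findall(m.group(2)))

def summarise(log_text, scanner_ip=None):
    """Count entries by (prefix, direction); count inbound entries from scanner_ip."""
    counts, from_scanner = Counter(), 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        prefix, fields = parsed
        # A non-empty IN= means the packet arrived on that interface.
        direction = "in" if fields.get("IN") else "out"
        counts[(prefix, direction)] += 1
        if direction == "in" and scanner_ip and fields.get("SRC") == scanner_ip:
            from_scanner += 1
    return counts, from_scanner

if __name__ == "__main__":
    counts, hits = summarise(SAMPLE_LOG, scanner_ip="192.0.2.10")
    for key, n in sorted(counts.items()):
        print(key, n)
    print("inbound entries from scanner:", hits)
```

If dropped packets are being logged and a scan produces no inbound entries from the scanner's address, the probes are not reaching iptables on this host.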

Problem probably solved :D

 

I booted XP [1] and ran ShieldsUp. The test failed.

 

I then set up a dial-up connection and repeated the test. My box was completely invisible!

 

The remaining question is this - is my DSL modem returning the connection closed packet or is it a problem with local/internet zones in guarddog? With a dial-up connection iptables deals with the real internet address and so can (presumably) distinguish between local and internet. With the DSL modem I have a simple local network with addresses 10.1.1.3 (PC) and 10.1.1.32 (modem) - maybe iptables sees both of these as local?

 

[1] Easier than installing the win modem driver and running the test under Linux.

Link to comment
Share on other sites

Sorry to keep replying to my own question but it helps me think. Also, now that I have raised this issue it is important (IMHO) that I give the solution when I find it.

 

I extended the tests described above. Here is a summary of the results:

 

Booted XP (so I could use dial-up).

 

Zone Alarm on.

Ran ShieldsUp test.

DSL – ports 0 & 135 (RPC) are stealth; rest are closed.

Dial-up – all ports are stealth.

 

Turned off Zone Alarm.

Ran ShieldsUp test.

Using DSL – ports 0 & 135 (RPC) are stealth; rest are closed. (1)

Dial up – The two stealth ports (in 1 above) change to open; other ports remain closed.

 

This suggests that the modem is doing more than just passing packets through. The DSL-302G has NAT so I searched on "NAT router" and found the following two paragraphs:

 

"Security: Basic NAT is not a real firewall?

Basic NAT devices are not real firewalls, but they are usually considered ‘good enough’ for most home networks. By not forwarding requests or probes that originate from the internet to your LAN, a NAT device blocks most mischief. A simple NAT device can not keep hackers from running DOS (Denial Of Service) attacks on you, but individuals rarely get attacked like that. It will keep out people looking for file shares, rogue mail servers and web servers, and most port based exploits. Most also protect against SMURF and WinNuke attacks. With a NAT device and a good anti-virus program, you should be safe from the most common kinds of internet attacks."

 

"What If I want to host a server?

Most NAT devices allow you to create maps between the internet and your computer network - this is called port forwarding. Example: A request on port 80 from the Internet (looking for a web server on your IP address) would normally be turned away by a NAT device. A special mapping can be set up to send that request from the internet to a specific computer on your network."

 

This explains the behaviour I have observed. It follows that under Linux if I connect to the internet only via the DSL-302G I do not need iptables. If I use dial-up then I must install iptables. Under XP ZoneAlarm is desirable at all times because it can drop outgoing packets based on program.

 

There is one matter still to be resolved but I am not in a hurry to solve it - unless someone can post the answer. From the tests I carried out it seems that some ports are closed by the OS. How?

Link to comment
Share on other sites
