"Sean E. Covel" wrote:
> I've been conversing with the "Expert Team" at PC Flank
> (http://www.pcflank.com./) about their scanner. So far they have asked
> for additional information about my firewall, but have not defended the
> results.
>
> So.... How can I verify that a certain port is/is not open? The report
> I got noted port 3128 (which Firewall Forensics says is "squid") was
> "open". Later in the report it said all the trojan ports were open
> (27374, 12345, 1243, 31337, 12348) (I doubt it!) How can I be sure?
>
> As far as the "spoofing" and why they would want to do it... Anyone
> running portsentry? Ever gone up against "Shields Up" or "DSL Reports"
> tests? What happens? After a few scans from the same IP, they end up
> in hosts.deny and a firewall rule is added, both automatically. Once
> that is done, further scanning is moot. My first run against PcFlank
> noted more ports open than what I listed above, so I checked out my
> network.conf. The variables EXTERN_UDP_PORTS and EXTERN_TCP_PORT had
> some ports listed (_domain _ntp _bootpc)(_smtp). I cleaned those up
> (had to leave _bootpc(?) for dnsclient) and the next scan listed fewer
> ports. Neither "Shields Up" nor "DSL Reports" got far enough along in
> their scans before portsentry kicked in to see those other ports!
>
> So, once again, how do I tell for sure if the above listed ports are
> open/visible/stealth?
Eiger has ports > 1024 open to the outside. This allows some things to work
without changing the firewall rules. It is reasonably secure because there
is NOTHING running on the router that is listening to these ports and they
are NOT being forwarded to some internal machine unless you make such a
rule. Some services on internal boxes that run masq modules like ICQ, IRC,
RealAudio and Quake can use inbound connections higher than 1024. The
connections are likely initiated from your masq network - not from an unknown
outsider.
It sounds to me like this outfit is expecting to test personal firewalls on
a Windows box, where the firewall and applications are on the same machine.
Psentry is useful to lock out scanners on a protected port - it makes an
ipchains rule that DENYs them immediately. The rule stays in place until
you do "svi network ipfilter reload" to get rid of the accumulated rules.
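One way to answer the "is it open, closed or stealth?" question yourself, added here as an example (not code from the thread or from the LEAF project): a TCP connect probe that reports each port the way Shields Up and PC Flank do. It assumes Python 3 and that you run it from a second host outside the masq network against the router's external address; the listener helper only exists so the classifier can be self-tested on loopback.

```python
import socket

# Classify one TCP port from the result of a plain connect():
#   connect succeeds            -> "open"     (something accepted the SYN)
#   connection refused (RST)    -> "closed"   (host reachable, nothing listening,
#                                              or the firewall REJECTs)
#   timeout / ICMP unreachable  -> "filtered" (packets dropped; "stealth" in
#                                              Shields Up terms, i.e. a DENY rule)
def probe_port(host, port, timeout=3.0):
    """Return 'open', 'closed' or 'filtered' for host:port over TCP."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:      # must precede OSError (its parent)
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:                     # e.g. EHOSTUNREACH from an ICMP reply
        return "filtered"
    finally:
        sock.close()


def probe_ports(host, ports, timeout=3.0):
    """Probe several ports; returns {port: state}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def start_listener(host="127.0.0.1"):
    """Self-test helper: listen on an ephemeral loopback port.
    Returns (socket, port); closing the socket makes the port 'closed' again."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # The ports the PC Flank report flagged, as quoted in the thread.
    # Replace 127.0.0.1 with the router's external address when probing from outside.
    REPORTED = [3128, 27374, 12345, 1243, 31337, 12348]
    for port, state in probe_ports("127.0.0.1", REPORTED, timeout=1.0).items():
        print(f"{port:6d}  {state}")
```

Remember that a burst of probes from one address is exactly what portsentry reacts to, so the probing host will land in hosts.deny and an ipchains DENY rule until you run "svi network ipfilter reload" on the router; a "filtered" result that appears only after the first few ports is portsentry, not an open port.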
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user