Kitz ADSL Broadband Information
Topic: Shields Up reports ports 135-139 as closed rather than stealth on VMG8324-B10A

spudgun

  • Reg Member
  • ***
  • Posts: 143

Just got my new VMG8324-B10A set up and thought I'd test it using Shields Up (https://www.grc.com/).

I was a bit surprised to see that it listed ports 135-139 (inclusive) as being closed rather than stealthed and wondered what steps I could take to remedy this?

I only have port forwarding setup for 1 port to one device and it isn't anywhere near this range.

Any ideas as to what I can do to stealth these ports?

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7405
  • VM Gig1 - AAISP CF

Closed is still just as secure; the stealth thing is an aid to pretend the IP is dead. The main difference is that if someone tries to access the port and gets a closed response then it's immediate with no delay, whilst with stealth it would be waiting for a timeout.

Although I agree it's preferable on a home router to get a stealth response.
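As an added illustration (not code from this thread), the closed-versus-stealth difference described above comes down to whether a TCP connect attempt gets an immediate RST or nothing at all until it times out; the constructed script below runs that probe and labels the result the way Shields Up does. The probe cannot tell which hop sent the RST, so an answer from an upstream gateway and one from the router itself look identical. The loopback demo only produces open and closed, because stealth needs something that silently drops packets.

```python
import socket
import time
from typing import Optional, Tuple
# Shields Up style verdicts for a TCP probe:
#   open    - SYN answered with SYN/ACK (something is listening)
#   closed  - an immediate RST came back (connection refused), no delay
#   stealth - nothing came back; the probe only ends on timeout
OPEN, CLOSED, STEALTH = "open", "closed", "stealth"


def classify(exc: Optional[BaseException]) -> str:
    """Map the outcome of a connect() attempt to a Shields Up style verdict."""
    if exc is None:
        return OPEN
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return STEALTH  # silence until timeout: packets were dropped
    if isinstance(exc, ConnectionRefusedError):
        return CLOSED  # RST: reachable but nothing listening
    if isinstance(exc, OSError):
        # Other immediate errors (e.g. ICMP unreachable) are still an
        # answer, so this example counts them as closed, not stealth.
        return CLOSED
    raise exc


def probe(host: str, port: int, timeout: float = 2.0) -> Tuple[str, float]:
    """TCP connect probe; returns (verdict, seconds taken). The verdict says
    nothing about who answered: an RST from an ISP gateway rejecting ports
    135-139 looks exactly like one sent by the router itself."""
    start = time.monotonic()
    exc: Optional[BaseException] = None
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError as e:  # socket.timeout is an OSError subclass
            exc = e
    return classify(exc), time.monotonic() - start


def demo_loopback() -> dict:
    """Constructed demo: probe a listening loopback port, then the same port
    once nothing is bound to it. Stealth cannot be produced on loopback
    without a packet-dropping firewall rule, so it is not shown."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port chosen by the OS
    srv.listen(1)
    port = srv.getsockname()[1]
    results = {"listening": probe("127.0.0.1", port)[0]}
    srv.close()
    results["unbound"] = probe("127.0.0.1", port)[0]
    return results
```

Against a real WAN address the elapsed time returned by probe() is the tell: a closed verdict arrives within a round trip, a stealth one only after the full timeout.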

PhilipD

  • Reg Member
  • ***
  • Posts: 591

Hi

Those ports are related to Windows RPC and NetBIOS and they shouldn't be visible to the outside world at all.  The big difference between 'stealth' and closed is that closed means they could be opened, and that is the concern I would have.

Are you using NAT, or do you have static IP addresses? If using NAT then this implies some software on a computer on your network has used UPnP to open those ports; it is unlikely the software has done that with good intentions. Have you a computer set in the DMZ under Network Settings - NAT? That would cause it.

You could add a Firewall rule to block it; often, as good practice, a rule is added for these common ports.

Just to add, on my VMG8924 those ports are 'stealth'.

To block this traffic, try adding a Firewall Rule:

From the Web UI, go to Security -> Firewall, then the Access Control tab, and click Add New ACL Rule.

Filter name: NetBIOS (can be anything really)
Order is: 1
Select source device: No selection, leave at Specific IP; you could select each entry in turn to find out the PC/computer that is leaking this information.
Source IP Address: Leave blank so it means all
Destination: Leave blank
IP Type: IPv4
Select Service: Specific Service
Protocol: TCP/UDP
Custom source port: Leave empty
Custom Destination port: 135:139
Check boxes, leave all unchecked
Policy: DROP
Direction: WAN to LAN
Enable Rate Limit: unchecked
No schedule selection

Click Apply then test again.

Regards

Phil
« Last Edit: March 19, 2015, 07:27:05 AM by PhilipD »

spudgun

  • Reg Member
  • ***
  • Posts: 143

Thanks for the replies and help guys, I really appreciate it.

I'm using the V100AAKL7C0.bin firmware if that is of any additional help.

I have 6 devices (1 PC, 2 Android Devices, 1 Media Streamer, 1 Xbox360 and 1 Printer) that are allocated static IP addresses in the 192.168.1.* range and the rest are done via DHCP.

There are no entries in the DMZ

There is nothing in the UPnP list in the router config pages - so I don't think it is something that has been opened by a device on the network.

Will try the firewall settings suggested when I get home from work, but must say that I am a little concerned by this. I was using an 8800NL for a few weeks prior to this, and an HG612 + router for several months prior to that, and both showed all ports as being stealthed, so I suspect that this is something on the router or this version of the firmware.

broadstairs

  • Kitizen
  • ****
  • Posts: 3700

On my 8924, using the same firmware, I do not see any service ports marked other than stealth. I have not added any firewall rules so it is running as standard. So my guess is that something you are using has changed the port settings. I remember doing the same check when using my 8324 (actually an F1000) with the exact same results. I would try turning off UPnP and re-testing. I do have that turned off.

Stuart
ISP:Vodafone Router:Vodafone Wi-Fi hub FTTP

PhilipD

  • Reg Member
  • ***
  • Posts: 591

Hi

As per Stuart all ports are stealthed here except for ones I've now opened.

It is possible it is the media streamer if you have asked it to stream over the public Internet.

Regards

Phil

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33884
  • Trinity: Most guys do.
    • http://www.kitz.co.uk

Another confirmation here that on my VMG8324 all my ports are stealthed - bar one that I opened.
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

spudgun

  • Reg Member
  • ***
  • Posts: 143

Thanks again guys,

The media streamer is my WDTV-Live and that is set to share information with a specific PC on my network and not the wider world and no other device on my network can stream to it and all of the options for it to stream outside of my LAN are turned off.

Think I might reset this to factory defaults later and then add devices one by one to see if I can identify the culprit, but I've added nothing new to the network in the last week and the setup is identical to the 8800NL and HG612/router setup, so I am a little perplexed.

tma20

  • Just arrived
  • *
  • Posts: 2

Spudgun,

Before you rip apart your home network and send yourself loopy, I'd suggest that this is the ISP blocking these ports externally to your connection, on their border gateways, for the protection of their general user base (worms, trojans, data thieves etc).

I know Zen do this on my connection (I was similarly concerned when I first fired it up) and I imagine other ISPs do too.

Alex

spudgun

  • Reg Member
  • ***
  • Posts: 143

Quote from: tma20

Spudgun,

Before you rip apart your home network and send yourself loopy, I'd suggest that this is the ISP blocking these ports externally to your connection, on their border gateways, for the protection of their general user base (worms, trojans, data thieves etc).

I know Zen do this on my connection (I was similarly concerned when I first fired it up) and I imagine other ISPs do too.

Alex

Ahhhh!!! I didn't see the above before disconnecting everything and resetting the router firmware to factory defaults!

You are, of course, absolutely spot on and it is my ISP (Zen) who are dropping these requests, hence they are shown as closed rather than stealth. See this thread for more info: https://forum.zen.co.uk/forums/4/44441/ShowThread.aspx

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33884
  • Trinity: Most guys do.
    • http://www.kitz.co.uk

Glad you found out what it was :)
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7405
  • VM Gig1 - AAISP CF

Regarding the comment saying closed can be changed to open, that is true, but it's no different from stealth in that regard; stealth/closed are just two different ways to block traffic.

broadstairs

  • Kitizen
  • ****
  • Posts: 3700

Playing Devil's advocate for a minute here ....
One thing that concerns me is: suppose someone wants to actually use that port (or any port which is being blocked), how would they go about it? If ports are being blocked by ISPs, how would one go about finding out what is being blocked? Fine if they close it, one could see it on GRC, but if they do it stealthily you would not know. Do ISPs who do this publicise this information, or do you have to hunt for it?

Stuart
ISP:Vodafone Router:Vodafone Wi-Fi hub FTTP

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7405
  • VM Gig1 - AAISP CF

I think the majority of ISPs publish that they are blocking ports for security, usually in a technical document somewhere.

NetBIOS ports: it's pretty standard nowadays for consumer ISPs to block them.

Some may also block port 25 to prevent email servers.

spudgun

  • Reg Member
  • ***
  • Posts: 143

Quote from: Chrysalis

I think the majority of ISPs publish that they are blocking ports for security, usually in a technical document somewhere.

NetBIOS ports: it's pretty standard nowadays for consumer ISPs to block them.

Some may also block port 25 to prevent email servers.

Here is what Zen have to say about this, taken from https://support.zen.co.uk/kb/Knowledgebase/Do-Zen-block-any-ports:

Do Zen block any ports?
Zen only block the ports between 135-139 on UDP and TCP, at the outside of our ADSL gateways. This means traffic on these ports between our ADSL gateways, other Zen servers and the global Internet, would be blocked.

This block is in place because Microsoft software uses these ports to broadcast packets of information. If they were not blocked they could potentially add a large number of unnecessary packets to our network, which are intended for use on a private network.

The ports also present a potential security risk to customers - from viruses which might seek access to a system through these ports (for example, Blaster and Welchia) to a malicious Internet user who could use the information made public by these ports in an attempt to gain access or control of other computers. The block operated by Zen should NOT be considered an alternative to running your own firewall software or hardware.

If you require these ports for an application - e.g. a Microsoft service running between two sites - you are advised to configure VPN access between the sites. This will allow traffic on ports 135-139 to be carried over the VPN tunnel.