[ale] How to test your public internet connection for open ports

Michael H. Warfield mhw at WittsEnd.com
Fri Feb 11 11:03:32 EST 2011


On Fri, 2011-02-11 at 10:51 -0500, Michael H. Warfield wrote: 
> On Fri, 2011-02-11 at 03:21 -0500, Ron Frazier wrote: 
> > Hi Michael T,
> > 
> > See my reply to David, which covers most of this.  Other replies in 
> > line.  I've snipped out the parts I want.
> > 
> > On 02/11/2011 02:13 AM, Michael B. Trausch wrote:
> > 
> > 
> > >
> > > The average consumer doesn't configure _anything_ manually.  At least,
> > > not in my own personal experience.  Hell, they don't even set passwords,
> > > or if they do, they're taped to the keyboard or the monitor.  Hardly
> > > shining beacons of security, humans.
> > >
> > >    
> > 
> > You're right.  But the context of our discussion was those average or 
> > above average consumers who listen to Mr. Gibson's podcast, so they're 
> > already in tune to the need for security.
> > 
> > >
> > > The default configuration of any NAT appliance is going to be absolutely
> > > all that the average consumer requires.  By default, all consumer
> > > devices that I am aware of do not forward incoming connections on any
> > > port to any system on the LAN side of the device, thereby raising the
> > > bar sufficiently high enough that your typical script kiddie isn't going
> > > to bother with it.  IOW, unsolicited connections aren't allowed.
> > >
> > >    
> 
> > That's partly incorrect.  The default settings generally do silently 
> > drop, or stealth, unsolicited packets, which is exactly what Steve is 
> > recommending.  However, there are usually other defaults which must be 
> > checked and sometimes changed.
> 
> Excuse me?  I have experience with a variety of wireless routers and DSL
> modems and all.  Can you quote some specific models.  I've worked with
> Linksys, Netgear, Motorola, D-Link, and a number of others.  Their
> default is NOT to drop packets.  Their default is to return ICMP errors.
> If you try to connect to a port on one of those routers, it's going to
> return an ICMP UNREACH and then some subcode that tells you more.  I
> haven't run into a single router that, out of the box, drops packets by
> default.  There may be some.  But you will have to be specific.

> Simple test.  Forget SG and his toys for the moment.  You know the
> public address of your router.  From outside that router telnet to it on
> some bogus port like this:

> telnet {router ip} 12345

> See what happens.  If it hangs for 30-60 seconds, then you are right,
> the router dropped the packet.  If it immediately comes back to you and
> reports "connection refused" then you are wrong.  It sent back an ICMP
> error message saying nothing was there.  Try it.

Tell you what.  Here's another test to try.  Telnet to one of my
machines from behind your NAT device like this:

telnet www.wittsend.com 12345

If it hangs for 30-60 seconds, then you are right and you are dropping
all ICMP (a bad thing).  If it comes back immediately and says
"connection refused" then you may think you are dropping all ICMP but
you are not.  Which probably explains why you don't seem more problems
than you do. 

> > The best we can hope for from the afore mentioned consumers is to have a 
> > passing knowledge of security, and they probably won't have the money to 
> > pay us for it.
> 
> 
> > Sincerely,
> 
> > Ron
> 
> > -- 
> > 
> > (PS - If you email me and don't get a quick response, you might want to
> > call on the phone.  I get about 300 emails per day from alternate energy
> > mailing lists and such.  I don't always see new messages very quickly.)
> > 
> > Ron Frazier
> > 
> > 770-205-9422 (O)   Leave a message.
> > linuxdude AT c3energy.com
> 
> Regards,
> Mike

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
Url : http://mail.ale.org/pipermail/ale/attachments/20110211/76e4c10b/attachment.bin 


More information about the Ale mailing list