[ale] How to test your public internet connection for open ports

Michael B. Trausch mike at trausch.us
Fri Feb 11 11:55:11 EST 2011


I lied.  *this* is my last post on this thread.

On Fri, 2011-02-11 at 03:21 -0500, Ron Frazier wrote:
> That's partly incorrect.  The default settings generally do silently 
> drop, or stealth, unsolicited packets, which is exactly what Steve is 
> recommending.  However, there are usually other defaults which must be 
> checked and sometimes changed.
> 
> * They usually have no active wireless encryption.  That definitely 
> needs to be on.

This is setup with configuration wizards on all devices that I've
purchased and installed for people in the last year.

> * They usually have a stupid well published default password.  That 
> definitely needs to be changed.

Only accessible on the LAN, unless explicitly enabled by the user on the
WAN side.  If the workstations on the network are secure, this makes
absolutely zero difference whatsoever.

> * They frequently have UPNP on.  That should be turned off.

UPnP is used by consumer hardware in order to facilitate better user
experiences by automating NAT traversal.  It probably shouldn't be
enabled on workstation computers.  Gaming systems and media streaming
applications, as well as BitTorrent, can take advantage of UPnP,
however, for the purposes of good.

> * They sometimes have remote internet side administration on.  That 
> should be turned off.

I've never, ever encountered this in a COTS consumer-grade appliance.
Ever.

> * The NAT and firewall settings should be on.  I've seen at least one 
> example where they weren't.

And that would be?  Because I've never seen such a thing in COTS
consumer-grade appliances.

> * It may be appropriate to change the SSID and DHCP settings.

The SSID is configured as part of the setup wizard.

There is no reason to change the DHCP settings unless the user is an
advanced user such as myself, utilizing multiple subnetworks in
different ranges.  For example, I have three routed networks that are
tied together using a virtual network built over top of the Internet,
all in RFC 1918 space.  I'm phasing that out, however.  It's getting
replaced with public IPv6 addresses and the use of IPsec to secure
communications between those networks.  Two of those networks do that
right now.  The third will happen in the next month.

	--- Mike