Port 113 Stealthing and Belkin 4-port DSL router

Archived from groups: comp.security.firewalls

Hi,

I just bought a Belkin 4-port DSL router for our network to share DSL to
several computers. I noticed that after installing it, connecting to
one of my web site's FTP servers (hosted remotely) causes a delay of 10
seconds, then connects and runs fine.

I figured out eventually that the FTP server is sending back an IDENT
packet on port 113, which is stealthed by the router (yeah), but the FTP
server waits (i.e. "times out") until it receives a response of some
sort, thus the delay (boo).

I tried the "workaround" posted in several newsgroups where you use the
router config screen to set up port 113 forwarding and forward it to a
non-existent IP on the internal network (like 192.168.1.254 or something
like that), but it doesn't work. The FTP delay still occurs. BUT, if I
set up port 113 to forward to MY pc's IP address, the FTP connection is
instantaneous. If I set it up this way, the grc.com port scan shows 113
as visible, but "closed".

So, does anyone know of any way I can configure this router to truly
"stealth" port 113 so it won't appear to the outside world at all, but
still respond to the FTP server so it won't wait for a timeout? I'm
guessing this is something Belkin would have to add support for in their
firmware.

Thanks,
-- Vinnie
  1.

    On Sat, 08 May 2004 16:41:17 GMT, Vinnie Murdico spoketh


    >
    >I tried the "workaround" posted in several newsgroups where you use the
    >router config screen to set up port 113 forwarding and forward it to a
    >non-existent IP on the internal network (like 192.168.1.254 or something
    >like that), but it doesn't work. The FTP delay still occurs. BUT, if I
    >set up port 113 to forward to MY pc's IP address, the FTP connection is
    >instantaneous. If I set it up this way, the grc.com port scan shows 113
    >as visible, but "closed".
    >
    >So, does anyone know of any way I can configure this router to truly
    >"stealth" port 113 so it won't appear to the outside world at all, but
    >still respond to the FTP server so it won't wait for a timeout? I'm
    >guessing this is something Belkin would have to add support for in their
    >firmware.
    >

    No, you cannot eat your cake and have it too. If you want "stealth",
    then you'll have to live with the oddities that come with it. "Closed"
    is just as secure as "stealth", so there's no security issue here...


    Lars M. Hansen
    http://www.hansenonline.net
    (replace 'badnews' with 'news' in e-mail address)
  2.

    This worked for my BEFSR41 ver 3, firmware 1.05.00:

    go to the Linksys setup screen, for me http://192.168.1.1

    applications & gaming

    fill in the top line as follows;
    application > leave blank
    start > 113
    end > 113
    protocol > both
    ip address blank > 99
    enable > check the block

    save the settings and close

    when I went to www.grc.com, all ports were shown as stealth



    On Sat, 08 May 2004 16:41:17 GMT, "Vinnie Murdico"
    <invalid@invalid.com> wrote:

    >Hi,
    >
    >I just bought a Belkin 4-port DSL router for our network to share DSL to
    >several computers. I noticed that after installing it, connecting to
    >one of my web site's FTP servers (hosted remotely) causes a delay of 10
    >seconds, then connects and runs fine.
    >
    >I figured out eventually that the FTP server is sending back an IDENT
    >packet on port 113, which is stealthed by the router (yeah), but the FTP
    >server waits (i.e. "times out") until it receives a response of some
    >sort, thus the delay (boo).
    >
    >I tried the "workaround" posted in several newsgroups where you use the
    >router config screen to set up port 113 forwarding and forward it to a
    >non-existent IP on the internal network (like 192.168.1.254 or something
    >like that), but it doesn't work. The FTP delay still occurs. BUT, if I
    >set up port 113 to forward to MY pc's IP address, the FTP connection is
    >instantaneous. If I set it up this way, the grc.com port scan shows 113
    >as visible, but "closed".
    >
    >So, does anyone know of any way I can configure this router to truly
    >"stealth" port 113 so it won't appear to the outside world at all, but
    >still respond to the FTP server so it won't wait for a timeout? I'm
    >guessing this is something Belkin would have to add support for in their
    >firmware.
    >
    >Thanks,
    >-- Vinnie
    >
  3.

    Sorry, I can't read. I was debating between a Belkin and Linksys
    router, and forgot I bought a Linksys.


    On Sat, 08 May 2004 16:41:17 GMT, "Vinnie Murdico"
    <invalid@invalid.com> wrote:

    >Hi,
    >
    >I just bought a Belkin 4-port DSL router for our network to share DSL to
    >several computers. I noticed that after installing it, connecting to
    >one of my web site's FTP servers (hosted remotely) causes a delay of 10
    >seconds, then connects and runs fine.
    >
    >I figured out eventually that the FTP server is sending back an IDENT
    >packet on port 113, which is stealthed by the router (yeah), but the FTP
    >server waits (i.e. "times out") until it receives a response of some
    >sort, thus the delay (boo).
    >
    >I tried the "workaround" posted in several newsgroups where you use the
    >router config screen to set up port 113 forwarding and forward it to a
    >non-existent IP on the internal network (like 192.168.1.254 or something
    >like that), but it doesn't work. The FTP delay still occurs. BUT, if I
    >set up port 113 to forward to MY pc's IP address, the FTP connection is
    >instantaneous. If I set it up this way, the grc.com port scan shows 113
    >as visible, but "closed".
    >
    >So, does anyone know of any way I can configure this router to truly
    >"stealth" port 113 so it won't appear to the outside world at all, but
    >still respond to the FTP server so it won't wait for a timeout? I'm
    >guessing this is something Belkin would have to add support for in their
    >firmware.
    >
    >Thanks,
    >-- Vinnie
    >
  4.

    Hi Vinnie -

    On Sat, 08 May 2004 16:41:17 GMT, "Vinnie Murdico"
    <invalid@invalid.com> wrote:

    >So, does anyone know of any way I can configure this router to truly
    >"stealth" port 113 so it won't appear to the outside world at all, but
    >still respond to the FTP server so it won't wait for a timeout? I'm
    >guessing this is something Belkin would have to add support for in their
    >firmware.

    I'm not familiar with Belkin routers, but can you configure rules such
    that you could forward port 113 just for the IP addresses of the FTP
    servers and not for other IP addresses?

    If not, just forward it all, it's not that big of a deal.

    --
    Ken
    http://www.ke9nr.net/
  5.

    "Vinnie Murdico" <invalid@invalid.com> writes:

    >So, does anyone know of any way I can configure this router to truly
    >"stealth" port 113 so it won't appear to the outside world at all, but
    >still respond to the FTP server so it won't wait for a timeout? I'm
    >guessing this is something Belkin would have to add support for in their
    >firmware.

    Those two requirements are mutually contradictory.

    I guess, in principle, one could have the router send a RST for a
    port 113 packet when there is an existing connection to the source IP
    of that packet, and otherwise drop it. But I don't know of any
    system that implements such a strategy.

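
The strategy suggested in the reply above (answer a port-113 SYN with a RST only when the LAN already has a connection to the sender, otherwise drop it), modelled as an added Python example that is not part of the original thread or any router's firmware. The class name `IdentGate`, the 60-second flow lifetime and the sample addresses are assumptions made for illustration.

```python
IDENT_PORT = 113


class IdentGate:
    """Hypothetical model of the 'RST only for known peers' policy."""

    def __init__(self, flow_ttl=60.0):
        self.flow_ttl = flow_ttl   # assumed lifetime of a tracked outbound flow
        self.flows = {}            # remote IP -> time of last outbound packet

    def outbound(self, remote_ip, now):
        """A LAN host sent traffic to remote_ip (e.g. opened an FTP session)."""
        self.flows[remote_ip] = now

    def inbound_syn(self, src_ip, dst_port, now):
        """Decide what the WAN side does with an unsolicited TCP SYN."""
        # Forget flows that have been idle longer than the TTL.
        self.flows = {ip: t for ip, t in self.flows.items()
                      if now - t <= self.flow_ttl}
        if dst_port == IDENT_PORT and src_ip in self.flows:
            return "RST"   # "closed": the server's IDENT query fails at once
        return "DROP"      # "stealth": the sender hears nothing and times out


def replay(events, ttl=60.0):
    """Run a trace through the gate and return the verdict for each inbound SYN."""
    gate = IdentGate(flow_ttl=ttl)
    verdicts = []
    for t, direction, ip, port in events:
        if direction == "out":
            gate.outbound(ip, t)
        else:
            verdicts.append((ip, port, gate.inbound_syn(ip, port, t)))
    return verdicts


# Constructed sample trace: (seconds, direction, remote IP, destination port).
SAMPLE = [
    (0.0, "in", "198.51.100.7", 113),     # port scanner, no prior flow
    (1.0, "out", "203.0.113.10", 21),     # LAN host opens FTP to the server
    (1.2, "in", "203.0.113.10", 113),     # server's IDENT query
    (1.5, "in", "198.51.100.7", 113),     # scanner again, still unknown
    (2.0, "in", "203.0.113.10", 23),      # known peer, but not port 113
    (120.0, "in", "203.0.113.10", 113),   # same peer after the flow expired
]

if __name__ == "__main__":
    for verdict in replay(SAMPLE):
        print(verdict)
```

Only the IDENT query that arrives while the FTP flow is live gets a RST; every other probe in the trace, including the scanner's port-113 probes, is dropped.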
  6.

    "Vinnie Murdico" <invalid@invalid.com> wrote in
    news:N48nc.97079$G_.24372@nwrddc02.gnilink.net:

    > Hi,
    >
    > I just bought a Belkin 4-port DSL router for our network to share DSL to
    > several computers. I noticed that after installing it, connecting to
    > one of my web site's FTP servers (hosted remotely) causes a delay of 10
    > seconds, then connects and runs fine.
    >
    > I figured out eventually that the FTP server is sending back an IDENT
    > packet on port 113, which is stealthed by the router (yeah), but the FTP
    > server waits (i.e. "times out") until it receives a response of some
    > sort, thus the delay (boo).
    >
    > I tried the "workaround" posted in several newsgroups where you use the
    > router config screen to set up port 113 forwarding and forward it to a
    > non-existent IP on the internal network (like 192.168.1.254 or something
    > like that), but it doesn't work. The FTP delay still occurs. BUT, if I
    > set up port 113 to forward to MY pc's IP address, the FTP connection is
    > instantaneous. If I set it up this way, the grc.com port scan shows 113
    > as visible, but "closed".
    >
    > So, does anyone know of any way I can configure this router to truly
    > "stealth" port 113 so it won't appear to the outside world at all, but
    > still respond to the FTP server so it won't wait for a timeout? I'm
    > guessing this is something Belkin would have to add support for in their
    > firmware.
    >
    > Thanks,
    > -- Vinnie
    >

    The port is *closed*; be happy with it.

    Duane :)
  7.

    Bob wrote:
    > This worked for my BEFSR41 ver 3, firmware 1.05.00:
    >
    > go to the Linksys setup screen, for me http://192.168.1.1
    >
    > applications & gaming
    >
    > fill in the top line as follows;
    > application > leave blank
    > start > 113
    > end > 113
    > protocol > both
    > ip address blank > 99
    > enable > check the block
    >
    > save the settings and close
    >
    > when I went to www.grc.com, all ports were shown as stealth

    This is essentially the solution discussed on grc.com that I was
    referring to in my original post -- that is, forwarding incoming traffic
    on port 113 to a non-existent IP address within your LAN. The problem I
    had with this solution wasn't about port 113 being stealthed, the
    problem I was asking about was that this solution doesn't resolve the
    FTP connection timeout while the FTP server waits for an IDENT response,
    which the non-existent PC can't give.

    So, my original post was really asking: Can I configure my router to
    have the port truly stealthed to outside scans, and yet still have the
    FTP server get its response so it can continue quickly. The answer, in
    short, is that you can't have both. If the port doesn't appear to the
    outside world, the FTP server can't very well get a response from it.
    If you make the port visible (but closed), it makes my IP visible to any
    port scans (although not necessarily at high risk because the port *is*
    closed).

    I actually gave up my Linksys router for a new Belkin because the
    Linksys was experiencing a repetitive lockup problem that, as it turns
    out, has recently been experienced by many Linksys router users as per a
    discussion on the dslreports.com forum.
  8.

    >
    > So, my original post was really asking: Can I configure my router to
    > have the port truly stealthed to outside scans, and yet still have the
    > FTP server get its response so it can continue quickly. The answer, in
    > short, is that you can't have both. If the port doesn't appear to the
    > outside world, the FTP server can't very well get a response from it.
    > If you make the port visible (but closed), it makes my IP visible to any
    > port scans (although not necessarily at high risk because the port *is*
    > closed).

    What IP are you talking about here? It's the modem that gets the public IP
    issued by the ISP. The router doesn't get the IP nor does any machine
    behind the router get the public IP.

    So how can the public IP that is issued by the ISP and is assigned to the
    modem that must be known for any Internet traffic to even reach your
    network not be known? How can it not be scanned by anything that is doing
    port scans?

    If Port 113 is not being port forwarded to a valid private side IP/machine
    behind the router which opens port 113 to the public Internet, then how is
    port 113 an issue?

    If the FTP server is expecting traffic on port 113, then it will instruct
    the router to open port 113 to the solicited inbound traffic and
    close/block port 113 to all unsolicited inbound traffic.

    The router is sitting there blocking all unsolicited inbound traffic to the
    router and the network on the ports for all ports that are not being port
    forwarded.

    So what's the problem here?

    I suggest you try some other scans.

    Duane :)