A Broadband and ADSL forum. BroadbanterBanter


uk.telecom.broadband (UK broadband) (uk.telecom.broadband) Discussion of broadband services, technology and equipment as provided in the UK. Discussions of specific services based on ADSL, cable modems or other broadband technology are also on-topic. Advertising is not allowed.

DG814 and Ports 54321 and 12345



 
 
  #1  
Old August 13th 03, 09:07 AM posted to uk.telecom.broadband
Les Desser

I have found what seems to be a problem with the DG814 and wonder if
other users could check it out to see if it is a general problem - I
found one reference on Google about a year ago.

If you go to http://scan.sygatetech.com/ check if these two 'common
Trojan' ports ( 54321 and 12345) are shown as Closed rather than
Blocked.

On all our PCs connected to the DG814 they show as Closed implying that
they are being passed through. Even forwarding them to a non-existent
address still shows them as Closed.

(Further checking shows threads in comp.security.firewalls in July and
August 2002 showing same problem with Netgear RP614)

--
Les Desser
  #2  
Old August 13th 03, 02:25 PM posted to uk.telecom.broadband
Stephen Smith

Les Desser said:

> I have found what seems to be a problem with the DG814 and wonder if
> other users could check it out to see if it is a general problem - I
> found one reference on Google about a year ago.
>
> If you go to http://scan.sygatetech.com/ check if these two 'common
> Trojan' ports ( 54321 and 12345) are shown as Closed rather than
> Blocked.
>
> On all our PCs connected to the DG814 they show as Closed implying that
> they are being passed through. Even forwarding them to a non-existent
> address still shows them as Closed.


Don't worry, nothing is sneaking through the router to your PCs. The router
reported 'closed' - that's as far as their probing got. )

Only ports marked as "Open" are forwarded to your connected PCs and that
should only be when you configure the router to "port forward" the required
ports.

As an experiment, try the following:

a) unplug all your PCs from the router except _one_
b) install a software firewall such as ZoneAlarm on that PC.
c) revisit the sygatetech site with only the one firewalled PC attached to
router.

Does ZoneAlarm (or whatever firewall application you use) report any
incoming traffic on those ports? (54321 and 12345)

My guess: No.

Stephen.


  #3  
Old August 13th 03, 11:40 PM posted to uk.telecom.broadband
Les Desser

In article , Stephen Smith
writes
> Les Desser said:
>
>> I have found what seems to be a problem with the DG814 and wonder if
>> other users could check it out to see if it is a general problem - I
>> found one reference on Google about a year ago.
>>
>> If you go to http://scan.sygatetech.com/ check if these two 'common
>> Trojan' ports ( 54321 and 12345) are shown as Closed rather than
>> Blocked.
>>
>> On all our PCs connected to the DG814 they show as Closed implying that
>> they are being passed through. Even forwarding them to a non-existent
>> address still shows them as Closed.
>
> Don't worry, nothing is sneaking through the router to your PCs. The router
> reported 'closed' - that's as far as their probing got. )

My understanding is that indeed the router let those two ports through
to the PC and Windows responded with a no-one-here.

> Only ports marked as "Open" are forwarded to your connected PCs and that
> should only be when you configure the router to "port forward" the required
> ports.

Again, as I understand it, Open means that there is a program monitoring
that port - which in this case would be a nasty Trojan!

> As an experiment, try the following:
>
> a) unplug all your PCs from the router except _one_
> b) install a software firewall such as ZoneAlarm on that PC.
> c) revisit the sygatetech site with only the one firewalled PC attached to
> router.
>
> Does ZoneAlarm (or whatever firewall application you use) report any
> incoming traffic on those ports? (54321 and 12345)
>
> My guess: No.

If I do not specifically bar those ports then I do not get any messages
and the ports are reported as Closed. Nothing shows in ZAP logs - as I
would expect as I have not asked it to block these ports.

If I then explicitly block those ports in ZAP and re-run the test then I
still get only a Closed status - and ZAP still does not report anything
in its logs - maybe I am setting up ZAP wrong. I also tried blocking
these ports using Outpost on a second PC and get the same results.

To muddy the waters further, after making some changes and re-running
the test I have seen that both ports were Blocked only to find on
re-testing that they reverted to Closed.

My conclusion is that the NAT router is failing to block these two ports
despite the fact that there is no port forwarding set up - and in fact
it totally ignores port forwarding, even if it is set up to a
non-existent address.

I am however confused as to why my firewalls are not picking up these
ports - which implies they are not getting to the PC - in which case the
router is itself sending back some sort of acknowledgement - is that
possible?

I am happy that I do not have a Trojan; I am not concerned if the router
is mismanaging these ports, but I would like to understand the
mechanisms involved.
--
Les Desser
  #4  
Old August 14th 03, 01:23 PM posted to uk.telecom.broadband
Stephen Smith

Les Desser wrote:

> In article , Stephen Smith
> writes
>> Les Desser said:
>>
>>> I have found what seems to be a problem with the DG814 and wonder if
>>> other users could check it out to see if it is a general problem - I
>>> found one reference on Google about a year ago.
>>>
>>> If you go to http://scan.sygatetech.com/ check if these two 'common
>>> Trojan' ports ( 54321 and 12345) are shown as Closed rather than
>>> Blocked.
>>>
>>> On all our PCs connected to the DG814 they show as Closed implying that
>>> they are being passed through. Even forwarding them to a non-existent
>>> address still shows them as Closed.
>>
>> Don't worry, nothing is sneaking through the router to your PCs. The
>> router reported 'closed' - that's as far as their probing got. )
>
> My understanding is that indeed the router let those two ports through
> to the PC and Windows responded with a no-one-here.

Hmm, well if that is the case, *why* didn't ZoneAlarm log anything on my PC?

Answer: because the router was configured to NOT forward those ports - it
(i.e. the router, NOT the PC) simply reported back they were "closed". The
probing doesn't get as far as your PC, Windows or even ZoneAlarm; router
stops it dead in its tracks.

>> Only ports marked as "Open" are forwarded to your connected PCs and that
>> should only be when you configure the router to "port forward" the
>> required ports.
>
> Again, as I understand it, Open means that there is a program monitoring
> that port - which in this case would be a nasty Trojan!

Yes, but only if you're _forwarding_ the said port on the DG814. It doesn't
matter if Mr evil trojan is listening for traffic on port X on your PC; if
the router isn't _forwarding_ port X (and to *that* specific PC the trojan
is on, I might add) then the trojan will receive no traffic. (nor will the
PC/Windows - the router will report to the outside world that port X is
closed)

>> As an experiment, try the following:
>>
>> a) unplug all your PCs from the router except _one_
>> b) install a software firewall such as ZoneAlarm on that PC.
>> c) revisit the sygatetech site with only the one firewalled PC attached
>> to router.
>>
>> Does ZoneAlarm (or whatever firewall application you use) report any
>> incoming traffic on those ports? (54321 and 12345)
>>
>> My guess: No.
>
> If I do not specifically bar those ports then I do not get any messages
> and the ports are reported as Closed. Nothing shows in ZAP logs - as I
> would expect as I have not asked it to block these ports.
>
> If I then explicitly block those ports in ZAP and re-run the test then I
> still get only a Closed status - and ZAP still does not report anything
> in its logs - maybe I am setting up ZAP wrong. I also tried blocking
> these ports using Outpost on a second PC and get the same results.

No, nothing wrong so far... keep on reading.... I think you're getting the
hang of it.

> To muddy the waters further, after making some changes and re-running
> the test I have seen that both ports were Blocked only to find on
> re-testing that they reverted to Closed.
>
> My conclusion is that the NAT router is failing to block these two ports
> despite the fact that there is no port forwarding set up - and in fact
> it totally ignores port forwarding, even if it is set up to a
> non-existent address.
>
> I am however confused as to why my firewalls are not picking up these
> ports - which implies they are not getting to the PC - in which case the
> router is itself sending back some sort of acknowledgement - is that
> possible?

Ah ha..! :-) That last paragraph. If I understand you correctly you're
thinking along the same lines as me. The firewalls on the PC are not picking
anything up because it is the router who is reporting them as "closed".

You will find that *most* ports are "stealthed" - this means that the router
doesn't even report them as closed. It just ignores the intruding party
completely! This is a good thing.

However, there are these other ports (like 12345 and 54321) where for some
unknown reason it reports as "closed" which basically translates to the
intruding party "ey up, yep I'm here but I'm not talking to you so
nerrrrrrrrrr - sod off!" :-)

> I am happy that I do not have a Trojan; I am not concerned if the router
> is mismanaging these ports, but I would like to understand the
> mechanisms involved.

I hope you now have a better understanding.

In a nutshell, only worry about ports that you DO FORWARD. If you're not
forwarding anything, don't worry! :-)

If there *is* a problem with the DG814 then I think the main issue is that
it should STEALTH *all* non-forwarded ports. Unfortunately, it doesn't -
some erroneously (?) report back as closed.

Either way, it's secure, and in the month I've had my 814+ADSL connection
I've not had a SINGLE event logged in ZoneAlarm.... previously on 56k
dial-up I would receive - quite literally - 100's per DAY. The router is
*definitely* doing its job in my opinion. The ZoneAlarm logs speak for
themselves.

So, try not to lose any sleep over it! ;-)

Best regards,

Stephen.


  #5  
Old August 15th 03, 12:07 PM posted to uk.telecom.broadband
Stephen Smith

Les Desser wrote:

> In article , Stephen Smith
> writes
>>> I am however confused as to why my firewalls are not picking up these
>>> ports - which implies they are not getting to the PC - in which case
>>> the router is itself sending back some sort of acknowledgement - is
>>> that possible?
>>
> []
>
>> You will find that *most* ports are "stealthed" - this means that the
>> router doesn't even report them as closed. It just ignores the
>> intruding party completely! This is a good thing.
>>
>> However, there are these other ports (like 12345 and 54321) where for
>> some unknown reason it reports as "closed" which basically translates
>> to the intruding party "ey up, yep I'm here but I'm not talking to you
>> so nerrrrrrrrrr - sod off!" :-)
>
> If you say so I believe you

heh heh. :-)

> What threw me was the inconsistent behaviour of the router and the
> assumption that the 'sod off' was coming from the PC.

I think the inconsistent behaviour is probably a bug in the DG814's
firmware, something that maybe Netgear has overlooked?

> I did not understand, and still do not, what business the router has to
> return a reply.

I'm currently no guru when it comes to the low-level-inner-workings of
TCP/IP networking, but the simple reason why the router returns a reply
(i.e. 'closed') is to do with how the communication protocols [are expected
to] work.

Rather than just leave a device in limbo, it is polite to acknowledge it
with either a success (i.e. open) or failure (i.e. closed) result.

Admittedly, being stealthy (hence, not being polite and reporting back as
"closed") is even better for us, as it is as if we're not even there - and
how can something that isn't there report back "closed"?

> I would have assumed that such functionality was totally redundant - a
> NAT router should (I thought) either pass the packet through or drop
> it.

Yes, in an ideal world, it should - I agree completely. But the 814
doesn't - *most* ports are stealthed, *some* ports cheekily [but politely!]
report back as closed. C'est la vie! )

> (I tried scanning 64 ports either side of 12345 and 54321 and found all
> the others Stealthed except for a block 54321-54336 which are Closed.
> Strange!)

So did I, and I also got similar results.

Do you know what version of the DG814's firmware you're using?

(to find out, log onto your router with web browser and click on the
"Gateway Status" link. Your firmware version should be shown at the top of
the page that appears)

I use firmware 4.4, dated Oct. 28, 2002.. (!)

>> Either way, it's secure, and in the month I've had my 814+ADSL
>> connection I've not had a SINGLE event logged in ZoneAlarm....
>> previously on 56k dial-up I would receive - quite literally - 100's per
>> DAY. The router is *definitely* doing its job in my opinion. The
>> ZoneAlarm logs speak for themselves.
>
> I totally agree with that - my experience the same.
>
>> So, try not to lose any sleep over it! ;-)
>
> Thank you for all the assurance. Much appreciated.


No problem, sir, glad I was an enlightenment.

Stephen.
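
Added example, not part of the original thread: a Python sketch of how a scan report arrives at the three states discussed above. A completed TCP handshake is Open, a reset (connection refused) is Closed, and no answer before the timeout is Stealthed/Blocked. The function names and the `SAMPLE` data (built to mirror the 54321-54336 block reported above) are assumptions made for illustration; the demo probes only loopback sockets it creates itself.

```python
import socket

OPEN, CLOSED, STEALTH = "open", "closed", "stealth"

def classify(exc):
    """Map the outcome of a TCP connect() to the scan-report vocabulary."""
    if exc is None:
        return OPEN      # SYN/ACK came back: a listener accepted the connection
    if isinstance(exc, ConnectionRefusedError):
        return CLOSED    # RST came back: some device answered "nothing here"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return STEALTH   # silence: the probe was dropped without a reply
    return "error"       # anything else, e.g. no route to host

def probe(host, port, timeout=1.0):
    """Attempt one TCP connection and classify what came back."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except OSError as exc:
        return classify(exc)
    else:
        return classify(None)
    finally:
        s.close()

def summarise(states):
    """Collapse {port: state} into (first, last, state) runs of adjacent ports."""
    runs = []
    for port in sorted(states):
        if runs and runs[-1][2] == states[port] and runs[-1][1] == port - 1:
            runs[-1] = (runs[-1][0], port, states[port])
        else:
            runs.append((port, port, states[port]))
    return runs

# Constructed data: 64 ports either side of 54321, with 54321-54336 Closed.
SAMPLE = {p: CLOSED if 54321 <= p <= 54336 else STEALTH
          for p in range(54257, 54386)}

def loopback_demo():
    """Probe one listening and one bound-but-not-listening loopback port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        holder.bind(("127.0.0.1", 0))   # reserved port, nobody listening
        return (probe("127.0.0.1", listener.getsockname()[1]),
                probe("127.0.0.1", holder.getsockname()[1]))
    finally:
        listener.close()
        holder.close()

if __name__ == "__main__":
    print(loopback_demo())
    print(summarise(SAMPLE))
```

A Closed result only says that something returned a reset; seen from outside a NAT router it does not show whether the router or a PC behind it sent the reply, which is what the ZoneAlarm-log experiment in the thread settles.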


  #6  
Old August 15th 03, 04:34 PM posted to uk.telecom.broadband
Les Desser

In article , Stephen Smith
writes
> Do you know what version of the DG814's firmware you're using?
>
> (to find out, log onto your router with web browser and click on the
> "Gateway Status" link. Your firmware version should be shown at the top
> of the page that appears)
>
> I use firmware 4.4, dated Oct. 28, 2002.. (!)

V4.7 Jun. 10, 2003

A lot of bugs were fixed since 4.4 - but if you have no problems then
stay put. Upgrade if you have problems with maintaining connection.

>> Thank you for all the assurance. Much appreciated.
>
> No problem, sir, glad I was an enlightenment.


Keep up the good work.
--
Les Desser
  #7  
Old August 15th 03, 07:26 PM posted to uk.telecom.broadband
Stephen Smith

Les Desser wrote:

> In article , Stephen Smith
> writes
>> Do you know what version of the DG814's firmware you're using?
>>
>> (to find out, log onto your router with web browser and click on the
>> "Gateway Status" link. Your firmware version should be shown at the top
>> of the page that appears)
>>
>> I use firmware 4.4, dated Oct. 28, 2002.. (!)
>
> V4.7 Jun. 10, 2003

Bit more modern than mine then! Saying that, however, I've not had a single
problem with my 814.

> A lot of bugs were fixed since 4.4 - but if you have no problems then
> stay put. Upgrade if you have problems with maintaining connection.

Absolutely, no problems encountered here so I'm definitely staying put.

Regards,

Stephen.


  #8  
Old August 16th 03, 07:07 PM posted to uk.telecom.broadband
ste-bar
DG814 and its firewall

Going slightly off topic, but nevertheless concerning the Netgear DG814's
firewall.

I am toying between purchasing a DG814 plus a standalone WAP or a DG824
which has an integrated WAP.

I would rather go down the DG814 path, but unlike the DG824, its firewall
doesn't have SPI and DoS protection.

Is having a firewall with SPI and DoS a 'must have' ? and hence I purchase
the DG824, or is the firewall in the DG814 more than adequate ?

thanks

Steve B.



---
Steve Barlow's outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.509 / Virus Database: 306 - Release Date: 12/08/2003


  #9  
Old August 16th 03, 08:16 PM posted to uk.telecom.broadband
Colin


"ste-bar" wrote in message
...
> Going slightly off topic, but nevertheless concerning the Netgear DG814's
> firewall.
>
> I am toying between purchasing a DG814 plus a standalone WAP or a DG824
> which has an integrated WAP.
>
> I would rather go down the DG814 path, but unlike the DG824, its firewall
> doesn't have SPI and DoS protection.
>
> Is having a firewall with SPI and DoS a 'must have' ? and hence I purchase
> the DG824, or is the firewall in the DG814 more than adequate ?
>
> thanks
>
> Steve B.


I don't know much about the DG824; but the DG814 doesn't have a firewall.
However, as a NAT router it discards unsolicited incoming traffic. It
doesn't, however, do anything about outgoing traffic.

Some people think this - combined with a good AV program - is sufficient.
Others like to run a software firewall on the PCs behind the router.

Colin


  #10  
Old August 17th 03, 03:09 PM posted to uk.telecom.broadband
Stephen Smith

ste-bar wrote:

> Going slightly off topic, but nevertheless concerning the Netgear
> DG814's firewall.


OK, I'll stop you there... ;-)

It's as how Colin has said; the DG814 doesn't have a firewall in it, per se.

It simply either forwards ranges of port numbers to LAN IP addresses (all of
which can be freely configured) specified by the user, or ignores
unsolicited (i.e. ports that _aren't_ forwarded) incoming traffic.

I take it that you've read the other posts written by myself and Les Desser?
If not, go and have a little read. :-)

Regards,

Stephen.


 



