Hi this is a bit of an odd one. I am a BT Infinity 2 customer with a Home Hub 5A and have recently set up DMZ to allow external pings to reach a device on my network. The device has its own firewall to block any other unwanted traffic.
It seemed to work well until I tried connecting to an external port scan (eg grc.com or pentest-tools.com). If I tried an extensive scan (eg "All Service Ports" at grc.com) instead of getting the expected solid block of "Stealthed" ports (ie no reply to the scan) I got alternating lines of Stealthed and Open ports. If I repeated the scan, I got similar results although with slightly different patterns of which ports were open and which were stealthed. Occasionally a few Closed ports showed up too.
My first thought was that the connected device's firewall was either misconfigured or faulty. If I turned off the DMZ or pointed it towards another device not currently connected, the port scan gave a solid block of "Stealthed" which would appear to support this. However, with the DMZ pointing to the original device, if I disconnected it from the router (unplugged it from the network and powered it down) and reran the port scan, I still got the alternating blocks of Stealthed and Open ports.
After some experimenting I found that any device that has been initially connected to the DMZ but then disconnected would give the same results (alternating blocks) even after disconnection. This only leaves the Home Hub 5 as the possible cause - is this a previously known issue (I couldn't find any similar stories on the forum) - is it a bug or am I perhaps missing something in my setup? Has anyone come across this before or are willing to try it out on their equipment?
Hi bentham and welcome.
Did you get this sorted yet? If not can you post a screen shot of the results you’re seeing?
Hi DavidM and thanks for the reply.
I have continued investigating this and have some information which is possibly more useful. First some screenshots as requested to show what I'm seeing. They are from the grc.com's "shields up" utility with green representing stealthed, red open and blue closed ports.
The first 3 shots are of consecutive runs with the device attached (192.168.1.150):
Here is a sample of the home hub Event Log output corresponding to picture 3 (port 127=red 128=green, X.X.X.X is my public IP address and 4.79.... is the grc IP address):
14:21:32, 31 Oct. IN: ACCEPT  Connection opened (Port Forwarding: TCP 192.168.1.150:128 <-->X.X.X.X:128 [188.8.131.52:52696] CLOSED/SYN_SENT ppp1 NAPT)
14:21:32, 31 Oct. IN: ACCEPT  Connection closed (Port Forwarding: TCP 192.168.1.150:127 <-->X.X.X.X:127 [184.108.40.206:52696] CLOSED/CLOSED ppp1 Route)
The next screenshot was run with the device unplugged:
The final screenshot was run with DMZ turned off (but I get same result if DMZ is pointed to a device that hasn't yet been connected):
I found some interesting entries in Event Log during one of the first 3 runs:
"BLOCKED 14 more packets (because of Syncookie protection)"
"BLOCKED 3 more packets (because of Packet invalid in connection)"
So it looks like it is a mechanism by the hub for blocking synfloods and invalid packets, but why is the default response to report the port as open rather than not reporting/stealthed (the latter appearing to be the default for all other blocked traffic)?
Also why is it still doing it when the device isn't there but not doing it when DMZ is either turned off or pointed to a disconnected device? Finally is it possible to change this behaviour so that these blocked packets are dropped?
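As an added example (not the poster's code, and not anything from BT or the Home Hub firmware), here is a small Python parser for event-log lines in the format quoted above. The field layout is inferred from the two quoted "Connection opened/closed" entries; the sample lines are constructed, with a TEST-NET address standing in for the scanner, and giving the BLOCKED summary lines the same timestamp prefix as the other entries is an assumption. It tabulates, per external port, which event/state/NAT-mode combinations the hub logged and totals the hub's own BLOCKED counters, so the colours from a scan run can be set against what the hub actually recorded for each port.

```python
"""Parse Home Hub 5 style firewall event-log lines and summarise, per
forwarded port, what the hub recorded for each probe.

Added example: the line format is inferred from the two entries quoted in
the thread, and SAMPLE_LOG below is constructed test data, not real hub output.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# One "Connection opened/closed" record. Layout follows the quoted lines:
#   time, date. DIR: ACTION  Connection EVENT (KIND: PROTO lan:port <-->wan:port
#   [remote:port] STATE_A/STATE_B iface NAT_MODE)
CONN_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}), (?P<date>\d{1,2} \w+)\. "
    r"(?P<direction>IN|OUT): (?P<action>[A-Z]+)\s+"
    r"Connection (?P<event>opened|closed) \("
    r"(?P<kind>[^:]+): (?P<proto>TCP|UDP) "
    r"(?P<lan_ip>[\d.]+):(?P<lan_port>\d+) <-->"
    r"(?P<wan_ip>[^:\s]+):(?P<wan_port>\d+) "      # WAN IP may be redacted as X.X.X.X
    r"\[(?P<remote_ip>[^:\]]+):(?P<remote_port>\d+)\] "
    r"(?P<state>[A-Z_]+/[A-Z_]+) (?P<iface>\w+) (?P<nat>\w+)\)$"
)

# Summary lines emitted when the hub's own protections drop packets.
BLOCKED_RE = re.compile(r"BLOCKED (?P<count>\d+) more packets \(because of (?P<reason>[^)]+)\)")

# Constructed sample (203.0.113.7 is a documentation address standing in for the scanner).
SAMPLE_LOG = """\
14:21:32, 31 Oct. IN: ACCEPT  Connection opened (Port Forwarding: TCP 192.168.1.150:128 <-->X.X.X.X:128 [203.0.113.7:52696] CLOSED/SYN_SENT ppp1 NAPT)
14:21:32, 31 Oct. IN: ACCEPT  Connection closed (Port Forwarding: TCP 192.168.1.150:127 <-->X.X.X.X:127 [203.0.113.7:52696] CLOSED/CLOSED ppp1 Route)
14:21:33, 31 Oct. BLOCKED 14 more packets (because of Syncookie protection)
14:21:33, 31 Oct. BLOCKED 3 more packets (because of Packet invalid in connection)
14:21:34, 31 Oct. IN: ACCEPT  Connection opened (Port Forwarding: TCP 192.168.1.150:443 <-->X.X.X.X:443 [203.0.113.7:52700] CLOSED/SYN_SENT ppp1 NAPT)
"""


@dataclass(frozen=True)
class ConnRecord:
    time: str
    date: str
    direction: str
    action: str
    event: str        # "opened" or "closed"
    proto: str
    lan_ip: str
    lan_port: int
    wan_port: int
    remote_ip: str
    remote_port: int
    state: str        # e.g. "CLOSED/SYN_SENT", as the hub prints it
    iface: str
    nat: str          # "NAPT" or "Route" in the quoted lines


def parse_conn_line(line):
    """Return a ConnRecord for a connection line, or None if it is not one."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return ConnRecord(g["time"], g["date"], g["direction"], g["action"], g["event"],
                      g["proto"], g["lan_ip"], int(g["lan_port"]), int(g["wan_port"]),
                      g["remote_ip"], int(g["remote_port"]), g["state"], g["iface"], g["nat"])


def parse_log(text):
    """Split a log dump into connection records, BLOCKED totals by reason, and leftovers."""
    records, unparsed = [], []
    blocked = defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_conn_line(line)
        if rec:
            records.append(rec)
            continue
        m = BLOCKED_RE.search(line)
        if m:
            blocked[m.group("reason")] += int(m.group("count"))
            continue
        unparsed.append(line)      # keep anything unrecognised for manual review
    return records, dict(blocked), unparsed


def summarise_ports(records):
    """Map each external (WAN) port to the (event, state, nat) tuples logged for it."""
    by_port = defaultdict(list)
    for r in records:
        by_port[r.wan_port].append((r.event, r.state, r.nat))
    return dict(by_port)


def ports_with_state(records, fragment):
    """Sorted external ports whose state field contains `fragment`, e.g. "SYN_SENT"."""
    return sorted({r.wan_port for r in records if fragment in r.state})


if __name__ == "__main__":
    recs, blocked, leftovers = parse_log(SAMPLE_LOG)
    for port, entries in sorted(summarise_ports(recs).items()):
        print(f"port {port}: {entries}")
    print("ports with SYN_SENT:", ports_with_state(recs, "SYN_SENT"))
    print("hub BLOCKED totals:", blocked)
    print("unparsed lines:", leftovers)
```

Paste the hub's Event Log export into `SAMPLE_LOG` (or read it from a file) and compare the per-port output with the scan colours from the same run; the `ports_with_state` helper picks out the ports where the hub's tracking reached a particular state, and anything the regex does not recognise is returned in `unparsed` rather than silently dropped.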
That's because the device you are pointing to is actually responding to the requests.
When you port-forward to a device that is not connected it will report as stealthed.
When you port-forward to a device that is connected and on, you will get a response based on your security settings for the device in question.
Stealthed - means no response made to the request
Closed - means you responded to the request but you are not accepting connections
Open - means you responded to the request and are available to accept connections
Ideally you should always be stealthed, but you may have ports opened if you are hosting a web or ftp server, gaming server or playing online gaming and hosting.
If you set a device on the DMZ then all traffic for the IP Address in question will be forwarded to that device and it is that, that will respond, so ensure you have the firewall fully configured on that device.
Hi, many thanks for the reply.
The device connected is running a firewall blocking all unsolicited packets except for ICMP echo-requests from the internet using "DROP" instead of "REJECT" so that it should be appearing as stealthed.
If this wasn't working correctly and so was responsible for responding to the requests then it would be expected that there would be a consistent pattern of open ports (ie the first 3 images of my previous post would be identical). More importantly, there would be no open ports visible when I physically disconnected the device (which is not what is happening, as can be seen in the 4th image).
The Event Log entries also do seem to indicate that this is the Home Hub responding to the request.