Before I go any further I must admit that I’m pretty rubbish at setting these up, so please be gentle!
Now my problem; I have a normal desktop pc (I don’t want to set it up as a server) but when I check the hardness of my set up with Gibson Research Centre, it fails. It can see ports 22,23,80,443 as closed but still visible…? I have never had this happen to me before and, struggling my way through the yast firewall tool, I can find no easy way of sorting this out… Please help
I am behind a Virgin “superhub” so I guess that is through a router. It’s funny in the YAST firewall2 there doesn’t seem to be anywhere to disable ports, whereas in Guarddog this is a very useful feature.
Thanks nrickert, yes the superhub is a router and I have a private IP. I guess that means I should actually tune the settings on the router. I hadn’t actually considered that GRC may only be looking at that!
As you see, during my sleep someone else already gave you a hint you are following now. But answering your question above:
I did not ask you to do
sudo netstat -tulp
Running anything as root when not needed is thus to your own risk.
Next time when copying/pasting a piece of computer conversation here, please do so between CODE tags to make it readable (Posting in Code Tags - A Guide).
It gives you insight into the network servers you are running and the ports they are listening to. The firewall may block those ports and thus make them unusable.
In your case, your test tells you about e.g. port 80. But the output from the netstat tells you that there is no program on your system listening on port 80 (http). Thus be assured nobody can enter your system using that port, firewall or no firewall.
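To make the point above concrete, here is an added example (not from this thread or from openSUSE) that reads `netstat -tulpn` output and answers, per port, whether anything on the machine is listening at all, and if so whether it is bound only to loopback. The netstat output below is a constructed sample in the format Linux netstat prints with `-n` (numeric ports); the function names `listeners` and `port_status` are my own.

```shell
# Added example: check what is actually listening before worrying about
# what an external scanner reports. Assumes `netstat -tulpn` style output
# (numeric ports, last column "PID/Program name").

# Constructed sample output; not captured from any real machine.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      955/cupsd
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           701/avahi-daemon'

# Print "proto port bind-address program", one line per listener.
# The port is everything after the last colon, so both IPv4 (0.0.0.0:22)
# and IPv6 (:::22) local addresses are handled. The two header lines are
# skipped, and the PID prefix is stripped from the program name.
listeners() {
    printf '%s\n' "$1" | awk 'NR > 2 {
        n = split($4, a, ":"); port = a[n];
        bind = substr($4, 1, length($4) - length(port) - 1);
        prog = $NF; sub(/^[0-9]+\//, "", prog);
        print $1, port, bind, prog
    }'
}

# Verdict for one port number:
#   listening-network  - a program listens on a non-loopback address
#   listening-loopback - a program listens, but only on 127.0.0.1 / ::1
#   no-listener        - nothing listens; a scan can only say "closed" or
#                        "stealth" depending on whether the router/firewall
#                        answers with a reject or silently drops the probe
port_status() {
    netstat_out=$1; port=$2
    listeners "$netstat_out" | awk -v p="$port" '
        $2 == p {
            if ($3 == "127.0.0.1" || $3 == "::1") { loop = 1 } else { net = 1 }
        }
        END {
            if (net) print "listening-network"
            else if (loop) print "listening-loopback"
            else print "no-listener"
        }'
}

# Usage on the constructed sample; on a real box use "$(netstat -tulpn)"
# (or "$(ss -tulpn)", whose columns differ slightly) in place of the sample.
for p in 22 23 80 443 631; do
    printf 'port %s: %s\n' "$p" "$(port_status "$SAMPLE_NETSTAT" "$p")"
done
```

With the sample above, 22 comes back as listening-network (sshd), 631 as listening-loopback (cupsd bound to 127.0.0.1 only), and 23, 80 and 443 as no-listener, which is exactly the situation the post describes for port 80: no program to reach, firewall or no firewall. Note that netstat only fills in the program column for processes you own unless run as root; the port and bind address columns are visible either way.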
I do not believe this is necessarily correct. I believe the GRC probes are sophisticated enough, if the router has open ports, to “see” the target machine. I would research the info on GRC - he probably covers that aspect of things somewhere. Steve is a pretty thorough guy.
If he is behind a NAT router, then the router simply will not forward those packets to the machine unless he has set up port forwarding for the specific ports. I’ll admit that I didn’t mention the possibility of port forwarding, but that’s because the wording of the original post made it look very unlikely that the mentioned ports were being forwarded.
I am not a fan of the Yast firewall tool. It reminds me of the bad old Windows days, when tools were added to Windows but only after they were crippled or stripped down to near uselessness. Firestarter and Guarddog have a much better interface, imho. But, enough kvetching, and on to something constructive and useful.
If I recall - and I searched for a link or a reference, which I did not find, so I am sure one of the other folks who inhabit these forums will add their $.02 - the default setting in the firewall, when it is on, is “deny”. Which means if you don’t open it on purpose, it is closed. This is for the “external” zone. The “internal” zone, again, if I recall, is by default open, or “accept” in iptables lingo. Put your eth0 on the external zone. And, I am pretty sure that, unlike windows, a program will not open a port without you being pretty aware that it is trying to do so. I apologize that the answer is a little mushy - “if I recall” and all that - but I did some quick research and didn’t find what I was looking for to back this up, but I figured I would at least add this to the conversation and others might fill in on the solid references - or your own research might be guided in a helpful direction.
The thing is I’ve done the same scan via Windows and got the exact same result…
Also my eth0 is in the external zone.
What is annoying is that I can’t see an obvious gui YAST firewall way of changing the access permissions to ports. YAST is so brilliant imho (that’s why I love openSuse) in every other way but why can’t I sort this easily like I could using Guarddog?
No, if the router doesn’t forward the ports to the target machine (check if there is a default forward on that router by the way), then you are seeing the router’s response, not the target machine’s. Just notch it down to a router that decided to do a REJECT on the packets on those ports instead of a DROP.
Incidentally it may feel nice to have your IP address completely stealthed, but in practice having DROP instead of REJECT adds insignificant security. And given the exhaustion of IPv4 address pools, most addresses are in use. Script kiddies just fire packets away without worrying about whether something is really there, and most victims fall prey to social engineering and identity theft anyway.