What's new

Possible translation to something more simple?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

TheLyppardMan

Very Senior Member
I was curious to know why the FRITZ!Box 7530 AX router supplied by my ISP (which I'm keeping as a backup) failed the GRC ShieldsUP! port-scan test, while my RT-AX88U Pro passes the test.

I did receive a reply today from my ISP (Zen Internet), but it's in technical language, which I don't fully understand, so I was wondering if someone could offer me a simple summary of what it means?

This is the message I received and the attachement I am uploading shows the result of the port-scan test.

"Thank you very much for the enquiry you sent to our AVM support team.

Some servers on the Internet send a reply request to the IP address of the client that has contacted them to verify that the client actually exists under this IP address.

The servers send TCP-SYN packets (TCP packets that initiate a connection) to the IP address of the client on port 113 and/or 1080. When the ports are completely blocked by the firewall of the client ("Stealthed" or "Secure"), theses TCP-SYN packets are blocked without the server receiving a reply. In this case, the server drops the connection.

Thus, the FRITZ!Box blocks TCP ports 113 and 1080 for TCP-SYN packets from the Internet, yet reply requests for these ports with an RST packet (TCP-Reset = rejected reply). In this case, no attack on the LAN via these TCP ports is possible, but the existence can be verified by a server on the Internet via a rejected reply.

The existence of the closed ports 113 and/or 1080 does not pose a security threat. Computers on the LAN cannot be accessed from the Internet via these ports.

If the FRITZ!Box should reject unsolicited requests from the internet instead of replying with ICMP control messages, enable the option "Firewall in stealth mode" under "Internet > Filters > Lists > Global Filter Settings" in the FRITZ!Box user interface."

I did follow the suggested procedure to set the firewall to stealth mode when I first got the FRITZ!Box, but even so, port 113 still remained as closed, rather than stealthed. Also, I'd forgotten that I had followed that procedure and when I reverted back from the latest beta firmware (which they call "Lab") once Wireguard became available on the latest official firmware. Doing so required the router to be reset to factory defaults, which I now know is why I lost the firewall stealth settings that I had previously enabled (my memory is quite flaky at times nowadays nd probably age-related).
 

Attachments

  • GRC ShieldsUp Port Scan Result.png
    GRC ShieldsUp Port Scan Result.png
    171.1 KB · Views: 22
What does this have to do with Asus-Merlin?
 
What does this have to do with Asus-Merlin?
I knew someone was going to ask me that! It's just a comparison, so I can have some idea whether I would be putting my network at risk if I had to swap out my ASUS product (in case of a fault) for my backup router. I like to be prepared in advance. All I'm asking for is a quick and simple explanation of the reply I have received.
 
Some ISPs will actively reject connections to some ports before you. That's often the reason why some specific port connections are rejected rather than dropped.
 
I was curious to know why the FRITZ!Box 7530 AX router supplied by my ISP (which I'm keeping as a backup) failed the GRC ShieldsUP! port-scan test, while my RT-AX88U Pro passes the test.

I did receive a reply today from my ISP (Zen Internet), but it's in technical language, which I don't fully understand, so I was wondering if someone could offer me a simple summary of what it means?

This is the message I received and the attachement I am uploading shows the result of the port-scan test.

"Thank you very much for the enquiry you sent to our AVM support team.

Some servers on the Internet send a reply request to the IP address of the client that has contacted them to verify that the client actually exists under this IP address.

The servers send TCP-SYN packets (TCP packets that initiate a connection) to the IP address of the client on port 113 and/or 1080. When the ports are completely blocked by the firewall of the client ("Stealthed" or "Secure"), theses TCP-SYN packets are blocked without the server receiving a reply. In this case, the server drops the connection.

Thus, the FRITZ!Box blocks TCP ports 113 and 1080 for TCP-SYN packets from the Internet, yet reply requests for these ports with an RST packet (TCP-Reset = rejected reply). In this case, no attack on the LAN via these TCP ports is possible, but the existence can be verified by a server on the Internet via a rejected reply.

The existence of the closed ports 113 and/or 1080 does not pose a security threat. Computers on the LAN cannot be accessed from the Internet via these ports.

If the FRITZ!Box should reject unsolicited requests from the internet instead of replying with ICMP control messages, enable the option "Firewall in stealth mode" under "Internet > Filters > Lists > Global Filter Settings" in the FRITZ!Box user interface."

I did follow the suggested procedure to set the firewall to stealth mode when I first got the FRITZ!Box, but even so, port 113 still remained as closed, rather than stealthed. Also, I'd forgotten that I had followed that procedure and when I reverted back from the latest beta firmware (which they call "Lab") once Wireguard became available on the latest official firmware. Doing so required the router to be reset to factory defaults, which I now know is why I lost the firewall stealth settings that I had previously enabled (my memory is quite flaky at times nowadays nd probably age-related).

It simply means FritzBox leave some ports closed, not stealthed , while ASUS stealth the ports.

There is no problem the ports are blue/closed which is all that matters.

GRC.com and its owner have this notion that having ports stealthed makes you more secure or invisible to hackers , they are wrong.

Don't worry about it.
 
Some ISPs will actively reject connections to some ports before you. That's often the reason why some specific port connections are rejected rather than dropped.
Thanks Merlin. But wouldn't I therefore expect to see the same results with my ASUS router if that were the case? (excuse my ignorance here)
 
It simply means FritzBox leave some ports closed, not stealthed , while ASUS stealth the ports.

There is no problem the ports are blue/closed which is all that matters.

GRC.com and its owner have this notion that having ports stealthed makes you more secure or invisible to hackers , they are wrong.

Don't worry about it.
I'll bear that in mind if I do need to use the AVM router. I may just apply the stealthed setting sooner rather than later though, in case I forget what I've just been told. Thank you for the explanation - much appreciated.
 
Thanks Merlin. But wouldn't I therefore expect to see the same results with my ASUS router if that were the case? (excuse my ignorance here)
That's correct. In that case it might just be some different behaviour on the Fritzbox, which sound odd to me.

Ultimately it does not matter. Whether it's dropped (ignored) or rejected (with a RST packet sent back), the end result is the same.
 
I'll bear that in mind if I do need to use the AVM router. I may just apply the stealthed setting sooner rather than later though, in case I forget what I've just been told. Thank you for the explanation - much appreciated.

In reality I've yet to see a site that requires you to respond in that fashion as a security measure. All my ports are stealthed and never any problems. Your ISP may have implemented it for one particular site or service, maybe many years ago, and has just kept it in there.

From a security perspective, it does not open you up to anything, but generally stealth is better than reject (reset) since if someone is scanning for active IPs, yours may reply (depending what ports they're scanning). Even though it is a reject/reset, it tells them the IP is active and maybe a potential target.

I'd compare this to the feature in most routers to "allow ping on WAN IP". Most disable that so they won't get picked up by ping scans and become a potential target. It does not make you more secure per se, just helps keep you off the radar. Also reduces the attack surface for a DOS/DDOS attack but pretty rare for a home user to be subject to that, unless you piss off a group of people in IRC etc, in which case you just need to force a new WAN IP.

If their box gives you the option to disable that "feature" I'd do it if you ever need to use it, but if not, I wouldn't worry about it.
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top