
Closed vs Stealthed Ports

Postby notgod » Thu Aug 19, 2010 6:54 am

I've tested with everything but the browser being fully blocked, and yet the system is not completely hidden, which I need — most of the ports are closed, but not stealthed. The test is the usual ShieldsUp (All service ports), the W7FC is v.3.5.1 Plus on W7x64.

Is the stealth mode possible / planned?
Last edited by notgod on Thu Aug 19, 2010 9:15 pm, edited 1 time in total.
notgod
 
Posts: 4
Joined: Thu Aug 19, 2010 6:29 am

 

Re: Closed vs Stealthed Ports

Postby VistaFirewallControl » Thu Aug 19, 2010 9:11 am

The Stealth mode is rather a (marketing, artificial) trick. Technically, if a port is not reachable on the incoming side, the host sends an ICMP “port unreachable” message to the calling peer. So by suppressing outgoing ICMP messages you can effectively turn the stealth mode on even in the current version. We would add a predefined rule for that in the next beta if you would like.

However, we are not sure the stealth mode really improves security. If you could suggest a practical scenario, it would be very much appreciated. The question is why suppressing outgoing ICMP packets (a part of TCP specifications) is more secure; the port is unreachable anyway.

Regarding the test you have mentioned.
Please realize that by testing W7FC on Windows7 you practically tested Windows Filtering Platform (the native network security core of Windows7 and Vista), which W7FC is based on.
On the other hand, almost any online security test is involved in a third party security solution promotion. So if a test reports that a FeatureA test fails, most probably a recommended FeatureA-aware product is announced nearby. Moreover, often there is no information on the FeatureA details provided.
VistaFirewallControl
Site Admin
 
Posts: 624
Joined: Fri Mar 27, 2009 11:25 am

Re: Closed vs Stealthed Ports

Postby notgod » Thu Aug 19, 2010 10:52 am

I very strongly disagree that it is a marketing trick. This is simply due to the logic of the port scanning attacks — in most cases they just drop you after a short number of no-replies to save time, if you reply — they look deeper.

While this is not an immediate threat for a well-configured machine, it at least consumes resources. No reply → presumably no target, a target with closed ports → broader scan, spoofed packets, etc.

So stealth has both obvious resource and security benefits.

The question is how to suppress the icmp unreachable replies in W7FC? I've tried blocking and failed. Can you tip on how it could be set properly?
notgod
 
Posts: 4
Joined: Thu Aug 19, 2010 6:29 am

Re: Closed vs Stealthed Ports

Postby Oleg » Thu Aug 19, 2010 12:03 pm

Agreed with notgod
Yet another test - pcflank
Oleg
 
Posts: 18
Joined: Thu Jul 08, 2010 11:34 am

Re: Closed vs Stealthed Ports

Postby peters » Thu Aug 19, 2010 12:51 pm

I'm running W7 x64 with Windows 7 FirewallControl v 3.6.0 beta; both Oleg's test and ShieldsUp show me to be fully Stealthed.
peters
 
Posts: 49
Joined: Thu Feb 18, 2010 1:06 pm

Re: Closed vs Stealthed Ports

Postby Gunner » Thu Aug 19, 2010 9:08 pm

"Stealth" has NO added security benefit. The Yet another test above has an ad for outpost firewall.... show me a test site that does not sell some sort of security service/software! They tell you so and so port is not stealth, buy this product to help... If a port is closed that is it... doesn't matter how much scanning one does, they cannot gain access to a closed port, and how is stealth a resource benefit? If the firewall is written properly it should just drop the packet and not bog down your machine, if it does, you need to turn off all the bells and whistles or get a better firewall.... or router.

Just disable all services you do not need and you are fine....
Gunner
 
Posts: 4
Joined: Sun Aug 08, 2010 11:39 pm
Location: NY USA

Re: Closed vs Stealthed Ports

Postby notgod » Thu Aug 19, 2010 11:01 pm

Replying on a closed port is very much like saying «no» to «are you there». It does show that you are. It also shows that you are rather dim and might have other weak spots to discover.

From my logs:
Stealth mode = one or two port probes from an ip, then it stops.
Closed mode = full ass massive port scans, forged packets, all sorts of weird requests.

I have a few ports with daemons running on them, and I cannot be sure that a hole in them will absolutely never be discovered. So I prefer not to reply whenever I can to avoid attention.

Both tests mentioned here — ShieldsUp & Flank — just show your ports state (opened|closed|stealth) from an outside perspective. Some might have banners related to firewalls (there's some logic in that), but these are honest and reputable services which do not forge results to make you buy anything. They've been online since sixties.

My problem with W7FC is that I couldn't find a way to specify a particular icmp message, it's either icmp on or off. Also, it seems to be replying even with everything blocked.

I've just quickly tested, so maybe I just missed it.
notgod
 
Posts: 4
Joined: Thu Aug 19, 2010 6:29 am

Re: Closed vs Stealthed Ports

Postby Gunner » Fri Aug 20, 2010 12:06 am

>They've been online since sixties.

Really?!?! The sixties?!?! So they have been around since ARPANET? WOW!..... you're kidding, right? The Internet has been a consumer product in a sense since the mid 80's... I know about Steve and all, I have been a part of his Newsgroups for probably 10 years, maybe longer.....

>Replying on a closed port is very much like saying «no» to «are you there»
Yes, so what? You can't do anything with a closed port, you can knock on the door all you want. If your daemons are up to date, have no security flaws, then you have nothing to worry about....

I don't expect the average consumer to read the RFCs related to TCP and all that, but that is not the correct way to do it....

>It also shows that you are rather dim and might have other weak spots to discover
Nah, I look at a person that has closed a port he/she does not use as being smart... People that get a computer and put a firewall on it as a quick fix, that is a different story...
Gunner
 
Posts: 4
Joined: Sun Aug 08, 2010 11:39 pm
Location: NY USA

Re: Closed vs Stealthed Ports

Postby notgod » Fri Aug 20, 2010 3:56 am

Gunner, I seem to fail to get across a very simple idea: while a closed port is safe itself, it marks you as a candidate for deeper scans, while a stealth port probe usually drops you.

This applies to current broad range 'hunt' scan routines, when they initially test just a few ports to save time, make a list of replied targets and rescan them deeper.

If your daemons are guaranteed to «have no security flaws» now and forever, I envy you, mine absolutely aren't. They do find flaws in mine.

Yes, the stealth mode is against the tcp standards. Yet it's not against common sense, like many other non-RFC security measures. That's why it's hard to find a good firewall without a stealth option.

If you do know Gibson — it was he who coined the term and promoted the idea to fw vendors. And I guess you won't call him a net noob or idiot. Maybe he had reasons?

My remark on people with closed ports being dim meant «closed as opposed to stealth», not «opened», so I don't understand your comment on that at all. Your reaction to the «since sixties» is very odd.

Anyway, the original question of this thread was how to enable stealth mode, not why.
notgod
 
Posts: 4
Joined: Thu Aug 19, 2010 6:29 am

Re: Closed vs Stealthed Ports

Postby VistaFirewallControl » Fri Aug 20, 2010 11:05 am

First of all, gentlemen, please realize, we have been discussing a technical aspect.
Everybody may have and protect his own point of view, but let's not personalize, please.

>the original question of this thread was how to enable stealth mode, not why.

As explained initially – by blocking outgoing ICMP of (probably) System (meta) application.
Nobody knows still what the stealth mode means _exactly_ technically. We all have only a reasonable assumption for that – suppressing the outgoing ICMP destination unreachable message.
However, the scenario can be different. An online firewall test involved (more or less) in a firewall promotion expects (for instance) something firewall-related in the traffic. I.e. only the firewall able to pass the test sends something special to the testing side. The test will never show “passed” till the special pattern is received. Evidently only the selected firewall (if so) is able to send the proprietary pattern. So the "passed" state of the firewall may be manufacturer (not TCP/ICMP) dependent. Please try to ask the test owners what the stealth mode means technically: is it ICMP destination unreachable dependent only? Otherwise we can "play" with the mode endlessly.

Trying to summarize the above.
The stealth mode is a kind of protection from port scanning.
The port scanning result depends on the port scanner's patience. A patient (or smart) port scanner can continue scanning and find a listening port at last regardless of the stealth mode presence.
So listening applications must be protected regardless of the stealth mode presence, by strict firewall configuration and (definitely) by application-level authentication and authorization.

Please take into consideration the following
Windows Filtering Platform (the security core of Windows7 and Vista), which W7FC is based on, has some rules for port scanning prevention; the rules are predefined/uncontrolled, generated/set by the core itself.
The rules are beyond W7FC.

However, we will try to implement ICMP rule per-type settings to block type 3 (Destination Unreachable). We are just afraid random ICMP blocking made by unaware users would cause instability of the entire system network; propagation of some ICMP messages can be vitally important.
VistaFirewallControl
Site Admin
 
Posts: 624
Joined: Fri Mar 27, 2009 11:25 am
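
The three port states the thread argues about, as an outside tester of your own machine would tell them apart, in an added example that is not part of the original posts or of W7FC: a completed handshake is "open", an explicit refusal is "closed", and no reply before the timeout is what the tests call "stealth". The function names, the timeout value and the loopback self-check are assumptions made for illustration.

```python
import socket

def port_state(host, port, timeout=2.0):
    """Classify one TCP port of a host you administer, as seen from the caller."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"         # handshake completed: something is listening
    except ConnectionRefusedError:
        return "closed"       # the host answered with an explicit refusal
    except socket.timeout:
        return "stealth"      # nothing came back before the timeout
    except OSError:
        return "unreachable"  # another error, e.g. host or network unreachable
    finally:
        s.close()

def loopback_demo():
    """Self-check on constructed loopback sockets: one listening, one not."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    # Bound but never listening: the port is reserved, yet connects are refused.
    idle = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    idle.bind(("127.0.0.1", 0))
    try:
        return (port_state("127.0.0.1", listener.getsockname()[1]),
                port_state("127.0.0.1", idle.getsockname()[1]))
    finally:
        listener.close()
        idle.close()

if __name__ == "__main__":
    print(loopback_demo())
```

A "stealth" result needs a filter that silently drops the probe, so it only shows up when the check is run from a second machine against the firewalled host; the loopback self-check exercises the other two states.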

