DG814 and Ports 54321 and 12345

I have found what seems to be a problem with the DG814 and wonder if
other users could check it out to see if it is a general problem - I
found one reference on Google about a year ago.

If you go to http://scan.sygatetech.com/ check if these two 'common
Trojan' ports ( 54321 and 12345) are shown as Closed rather than
Blocked.

On all our PCs connected to the DG814 they show as Closed implying that
they are being passed through. Even forwarding then to a non-existent
address still shows them as Closed.

(Further checking shows threads in comp.security.firewalls in July and
August 2002 showing same problem with Netgear RP614)

--
Les Desser

Les Desser said:

> I have found what seems to be a problem with the DG814 and wonder if
> other users could check it out to see if it is a general problem - I
> found one reference on Google about a year ago.
>
> If you go to http://scan.sygatetech.com/ check if these two 'common
> Trojan' ports ( 54321 and 12345) are shown as Closed rather than
> Blocked.
>
> On all our PCs connected to the DG814 they show as Closed implying that
> they are being passed through. Even forwarding then to a non-existent
> address still shows them as Closed.

Don't worry, nothing is sneaking through the router to your PCs. The router
reported 'closed' - that's as far as their probing got. )

Only ports marked as "Open" are forwarded to your connected PCs and that
should only be when you configure the router to "port forward" the required
ports.

As an experiment, try the following:

a) unplug all your PCs from the router except _one_
b) install a software firewall such as ZoneAlarm on that PC.
c) revisit the sygatetech site with only the one firewalled PC attached to
router.

Does ZoneAlarm (or whatever firewall application you use) report any
incoming traffic on those ports? (54321 and 12345)

My guess: No.

Stephen.

In article <Q2r_a.3045$(E-Mail Removed)>, Stephen Smith
<(E-Mail Removed)> writes
>Les Desser said:
>
>> I have found what seems to be a problem with the DG814 and wonder if
>> other users could check it out to see if it is a general problem - I
>> found one reference on Google about a year ago.
>>
>> If you go to http://scan.sygatetech.com/ check if these two 'common
>> Trojan' ports ( 54321 and 12345) are shown as Closed rather than
>> Blocked.
>>
>> On all our PCs connected to the DG814 they show as Closed implying that
>> they are being passed through. Even forwarding then to a non-existent
>> address still shows them as Closed.
>
>Don't worry, nothing is sneaking through the router to your PCs. The router
>reported 'closed' - that's as far as their probing got. )
>
My understanding is that indeed the router let those two ports through
to the PC and Windows responded with a no-one-here.

>Only ports marked as "Open" are forwarded to your connected PCs and that
>should only be when you configure the router to "port forward" the required
>ports.
>
Again, as I understand it, Open means that there is a program monitoring
that port - which in this case would be a nasty Trojan!

>As an experiment, try the following:
>
>a) unplug all your PCs from the router except _one_
>b) install a software firewall such as ZoneAlarm on that PC.
>c) revisit the sygatetech site with only the one firewalled PC attached to
>router.
>
>Does ZoneAlarm (or whatever firewall application you use) report any
>incoming traffic on those ports? (54321 and 12345)
>
>My guess: No.

If I do not specifically bar those ports then I do not get any messages
and the ports are reported as Closed. Nothing shows in ZAP logs - as I
would expect as I have not asked it to block these ports.

If I then explicitly block those ports in ZAP and re-run the test then I
still get only a Closed status - and ZAP still does not report anything
in its logs - maybe I am setting up ZAP wrong. I also tried blocking
these ports using Outpost on a second PC and get the same results.

To muddy the waters further, after making some changes and re-running
the test I have seen that both ports were Blocked only to find on
re-testing that they reverted to Closed.

My conclusion is that the NAT router is failing to block these two ports
despite the fact that there is no port forwarding set up - and in fact
it totally ignores port forwarding, even if it is set up to a
non-existent address.

I am however confused as to why my firewalls are not picking up these
ports - which implies they are not getting to the PC - in which case the
router is itself sending back some sort of acknowledgement - is that
possible?

I am happy that I do not have a Trojan; I am not concerned if the router
is miss-managing these ports, but I would like to understand the
mechanisms involved.
--
Les Desser

Les Desser wrote:

> In article <Q2r_a.3045$(E-Mail Removed)>, Stephen Smith
> <(E-Mail Removed)> writes
> >Les Desser said:
> >
> >> I have found what seems to be a problem with the DG814 and wonder if
> >> other users could check it out to see if it is a general problem - I
> >> found one reference on Google about a year ago.
> >>
> >> If you go to http://scan.sygatetech.com/ check if these two 'common
> >> Trojan' ports ( 54321 and 12345) are shown as Closed rather than
> >> Blocked.
> >>
> >> On all our PCs connected to the DG814 they show as Closed implying that
> >> they are being passed through. Even forwarding then to a non-existent
> >> address still shows them as Closed.
> >
> >Don't worry, nothing is sneaking through the router to your PCs. The
> >router reported 'closed' - that's as far as their probing got. )
> >
> My understanding is that indeed the router let those two ports through
> to the PC and Windows responded with a no-one-here.

Hmm, well if that is the case, *why* didn't ZoneAlarm log anything on my PC?

Answer: because the router was configured to NOT forward those ports - it
(i.e the router, NOT the PC) simply reported back they were "closed". The
probing doesn't get as far as your PC, Windows or even ZoneAlarm; router
stops it dead in its tracks.

> >Only ports marked as "Open" are forwarded to your connected PCs and that
> >should only be when you configure the router to "port forward" the
> >required ports.
> >
> Again, as I understand it, Open means that there is a program monitoring
> that port - which in this case would be a nasty Trojan!

Yes, but only if you're _forwarding_ the said port on the DG814. It doesn't
matter if Mr evil trojan is listening for traffic on port X on your PC; if
the router isn't _forwarding_ port X (and to *that* specific PC the trojan
is on, I might add) then the trojan will receive no traffic. (nor will the
PC/Windows - the router will report to the outside world that port X is
closed)

> >As an experiment, try the following:
> >
> >a) unplug all your PCs from the router except _one_
> >b) install a software firewall such as ZoneAlarm on that PC.
> >c) revisit the sygatetech site with only the one firewalled PC attached
> > to router.
> >
> >Does ZoneAlarm (or whatever firewall application you use) report any
> >incoming traffic on those ports? (54321 and 12345)
> >
> >My guess: No.
>
> If I do not specifically bar those ports then I do not get any messages
> and the ports are reported as Closed. Nothing shows in ZAP logs - as I
> would expect as I have not asked it to block these ports.
>
> If I then explicitly block those ports in ZAP and re-run the test then I
> still get only a Closed status - and ZAP still does not report anything
> in its logs - maybe I am setting up ZAP wrong. I also tried blocking
> these ports using Outpost on a second PC and get the same results.

No, nothing wrong so far... keep on reading.... I think you're getting the
hang of it.

> To muddy the waters further, after making some changes and re-running
> the test I have seen that both ports were Blocked only to find on
> re-testing that they reverted to Closed.
>
> My conclusion is that the NAT router is failing to block these two ports
> despite the fact that there is no port forwarding set up - and in fact
> it totally ignores port forwarding, even if it is set up to a
> non-existent address.
>
> I am however confused as to why my firewalls are not picking up these
> ports - which implies they are not getting to the PC - in which case the
> router is itself sending back some sort of acknowledgement - is that
> possible?

Ah ha..! :-) That last paragraph. If I understand you correctly you're
thinking along the same lines as me. The firewalls on the PC are not picking
anything up because it is the router who is reporting them as "closed".

You will find that *most* ports are "stealthed" - this means that the router
doesn't even report them as closed. It just ignores the intruding party
completely! This is a good thing.

However, there are these other ports (like 12345 and 54321) where for some
unknown reason it reports as "closed" which basically translates to the
intruding party "ey up, yep I'm here but I'm not talking to you so
nerrrrrrrrrr - sod off!" :-)

> I am happy that I do not have a Trojan; I am not concerned if the router
> is miss-managing these ports, but I would like to understand the
> mechanisms involved.

I hope you now have a better understanding.

In a nutshell, only worry about ports that you DO FORWARD. If you're not
forwarding anything, don't worry! :-)

If there *is* a problem with the DG814 then I think the main issue is that
it should STEALTH *all* non-forwarded ports. Unfortunately, it doesn't -
some errornously (?) report back as closed.

Either way, it's secure, and in the month I've had my 814+ADSL connection
I've not had a SINGLE event logged in ZoneAlarm.... previously on 56k
dial-up I would receive - quite literally - 100's per DAY. The router is
*definately* doing it's job in my opinion. The ZoneAlarm logs speak for
themselves.

So, try not to lose any sleep over it! ;-)

Best regards,

Stephen.

Les Desser wrote:

> In article <yeL_a.3448$(E-Mail Removed)>, Stephen Smith
> <(E-Mail Removed)> writes
> >> I am however confused as to why my firewalls are not picking up these
> >> ports - which implies they are not getting to the PC - in which case
> >> the router is itself sending back some sort of acknowledgement - is
> >> that possible?
> >
> []
> >
> >You will find that *most* ports are "stealthed" - this means that the
> >router doesn't even report them as closed. It just ignores the
> >intruding party completely! This is a good thing.
> >
> >However, there are these other ports (like 12345 and 54321) where for
> >some unknown reason it reports as "closed" which basically translates
> >to the intruding party "ey up, yep I'm here but I'm not talking to you
> >so nerrrrrrrrrr - sod off!" :-)
> >
> If you say so I believe you

heh heh. :-)

> What threw me was the inconsistent behaviour of the router and the
> assumption that the 'sod off' was coming from the PC.

I think the inconsistent behaviour is probably a bug in the DG814's
firmware, something that maybe Netgear has overlooked?

> I did not understand, and still do not, what business the router has to
> return a reply.

I'm currently no guru when it comes to the low-level-inner-workings of
TCP/IP networking, but the simple reason why the router returns a reply
(i.e. 'closed') is to do with how the communication protocols [are expected
to] work.

Rather than just leave a device in limbo, it is polite to acknowledge it
with either a success (i.e open) or failure (i.e. closed) result.

Admittedly, being stealthy (hence, not being polite and reporting back as
"closed") is even better for us, as it is as if we're not even there - and
how can something that isn't there report back "closed"?

> I would have assumed that such functionality was totally redundant - a
> NAT router should (I thought) either pass the packet through or drop
> it.

Yes, in an ideal world, it should - I agree completely. But the 814
doesn't - *most* ports are stealthed, *some* ports cheekily [but politely!]
report back as closed. C'est la vie! )

> (I tried scanning 64 ports either side of 12345 and 54321 and found all
> the others Stealthed except for a block 54321-54336 which are Closed.
> Strange!)

So did I, and I also got similar results.

Do you know what version of the DG814's firmware you're using?

(to find out, log onto your router with web browser and click on the
"Gateway Status" link Your firmware version should be shown at the top of
the page that appears)

I use firmware 4.4, dated Oct. 28, 2002.. (!)

> >Either way, it's secure, and in the month I've had my 814+ADSL
> >connection I've not had a SINGLE event logged in ZoneAlarm....
> >previously on 56k dial-up I would receive - quite literally - 100's per
> >DAY. The router is *definately* doing it's job in my opinion. The
> >ZoneAlarm logs speak for themselves.
> >
> I totally agree with that - my experience the same.
>
> >So, try not to lose any sleep over it! ;-)
>
> Thank your for all the assurance. Much appreciated.

No problem, sir, glad I was an enlightenment.

Stephen.

In article <Ad3%a.3800$(E-Mail Removed)>, Stephen Smith
<(E-Mail Removed)> writes
>Do you know what version of the DG814's firmware you're using?
>
>(to find out, log onto your router with web browser and click on the
>"Gateway Status" link Your firmware version should be shown at the top
>of the page that appears)
>
>I use firmware 4.4, dated Oct. 28, 2002.. (!)
>
V4.7 Jun. 10, 2003

A lot of bugs were fixed since 4.4 - but if you have no problems then
stay put. Upgrade if you have problems with maintaining connection.

>>
>> Thank your for all the assurance. Much appreciated.
>
>No problem, sir, glad I was an enlightenment.

Keep up the good work.
--
Les Desser

Les Desser wrote:

> In article <Ad3%a.3800$(E-Mail Removed)>, Stephen Smith
> <(E-Mail Removed)> writes
> >Do you know what version of the DG814's firmware you're using?
> >
> >(to find out, log onto your router with web browser and click on the
> >"Gateway Status" link Your firmware version should be shown at the top
> >of the page that appears)
> >
> >I use firmware 4.4, dated Oct. 28, 2002.. (!)
> >
> V4.7 Jun. 10, 2003

Bit more modern than mine then! Saying that, however, I've not had a single
problem with my 814.

> A lot of bugs were fixed since 4.4 - but if you have no problems then
> stay put. Upgrade if you have problems with maintaining connection.

Absolutely, no problems encountered here so I'm definately staying put.

Regards,

Stephen.

Going slightly off topic, but never the less concerning the Netgear DG814's
firewall.

I am toying between purchasing a DG814 plus a standalone WAP or a DG824
which has an integrated WAP.

I would rather go down the DG814 path, but unlike the DG824, its firewall
doesn't have SPI and DoS protection.

Is having a firewall with SPI and DoS a 'must have' ? and hence I purchase
the DG824, or is the firewall in the DG814 more than adequate ?

thanks

Steve B.



---
Steve Barlow's outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.509 / Virus Database: 306 - Release Date: 12/08/2003

"ste-bar" <(E-Mail Removed)> wrote in message
news:bhlrt1$p1f$(E-Mail Removed)...
> Going slightly off topic, but never the less concerning the Netgear
DG814's
> firewall.
>
> I am toying between purchasing a DG814 plus a standalone WAP or a DG824
> which has an integrated WAP.
>
> I would rather go down the DG814 path, but unlike the DG824, its firewall
> doesn't have SPI and DoS protection.
>
> Is having a firewall with SPI and DoS a 'must have' ? and hence I
purchase
> the DG824, or is the firewall in the DG814 more than adequate ?
>
> thanks
>
> Steve B.

I don't know much about the DG824; but the DG814 doesn't have a firewall.
However, as a NAT router it discards unsolicited incoming traffic. It
doesn't, however, do anything about outgoing traffic.

Some people think this - combined with a good AV program - is sufficient.
Others like to run a software firewall on the PCs behind the router.

Colin

ste-bar wrote:

> Going slightly off topic, but never the less concerning the Netgear
> DG814's firewall.

OK, I'll stop you there... ;-)

It's as how Colin has said; the DG814 doesn't have a firewall in it, per se.

It simply either forwards ranges of port numbers to LAN IP addresses (all of
which can be freely configured) specified by the user, or ignores
unsolicited (i.e. ports that _aren't_ forwarded) incoming traffic.

I take it that you've read the other posts written by myself and Les Desser?
If not, go and have a little read. :-)

Regards,

Stephen.