Making UPnP port invisible on Alcatel Speedtouch 510 router...

Anybody know if it's possible to make this 'invisible'? Ie.
Described as 'stealth' instead of 'closed' by Shields Up? It's
the only port that indicates any presence to passing port
scanners yet it's also quite useless. I'd rather it were
invisible.

I changed the following config line:

config upnp=on

...to...

config upnp=off

....but it made no difference after a reboot.
--
Lee J.

Lee J. bashed at the keyboard and said:

> Anybody know if it's possible to make this 'invisible'? Ie.
> Described as 'stealth' instead of 'closed' by Shields Up? It's
> the only port that indicates any presence to passing port
> scanners yet it's also quite useless. I'd rather it were
> invisible.
>
> I changed the following config line:
>
> config upnp=on
>
> ..to...
>
> config upnp=off
>
> ...but it made no difference after a reboot.

Download and install UPNP from http://grc.com/unpnp/unpnp.htm

Lee J. bashed at the keyboard and said:

> Meanwhile in the Korova Milkbar, Mcploppy's rassoodock was made
> up and bolshy yarblockos were golossed:

<snip>

> I'm after a hardware (router configuration) solution, not a
> software solution. Particularly not windows software solutions
> because all machines plugged into my LAN are Gentoo Linux or Mac
> OSX powered.
>
> Besides, it's the router (not any computer behind it) indicating
> that the UPnP port exists but is closed. So it wouldn't work
> even if I was running Winders.

Sorry only trying to help !!!!

"Lee J." <(E-Mail Removed)> wrote:

> Anybody know if it's possible to make this 'invisible'? Ie.
> Described as 'stealth' instead of 'closed' by Shields Up? It's
> the only port that indicates any presence to passing port
> scanners yet it's also quite useless. I'd rather it were
> invisible.
>
> I changed the following config line:
>
> config upnp=on
>
> ..to...
>
> config upnp=off
>
> ...but it made no difference after a reboot.

Hi,
telnet into your router, and login using the same login name / password
as you use for the web interface. You will need to create a new firewall
rule to drop all incoming connections to TCP port 5000. So firstly, you
need to see how your firewall is setup. so follow these steps :-

=>firewall
[firewall]=>rule list chain=sink

If this returns details of existing rules in this chain, then you can just
add an additional rule at the start of the sink chain (for packets coming
into the router from the WAN). Use the following rule to stealth port 5000
:-

rule create chain=sink index=0 srcintfgrp=wan prot=tcp dstport=5000
action=drop

If the sink chain does not exist, then you will need to use these commands
instead to create the chain :-

[firewall]=>rule create chain=sink index=0 srcintfgrp=wan prot=tcp
dstport=5000 action=drop

[firewall]=>assign hook=sink chain=sink

Note that these will work only if you are at the firewall level, so make
sure you type 'firewall' on a line by itself before any of these commands.
For your info, the firewall has 3 hooks called sink, source and forward.
Each hook can have a single chain attached, and you can create a large
number of rules on each chain. Using an index of 0 will insert a rule at
the start of the chain. sink is the hook for data coming into the router
itself, source is for data from the router and forward is for traffic
passing through the router to the LAN. See
http://www.sdharris.com/speedtouch510/basic.htm for more info on using the
speedtouch firewall.

--

Martin

Meanwhile in the Korova Milkbar, Martin's rassoodock was made up
and bolshy yarblockos were golossed:
[..]
>
> rule create chain=sink index=0 srcintfgrp=wan prot=tcp
> dstport=5000 action=drop

I appreciate your help, but it doesn't work. The firewall is
on, there is a sink chain, I can add that and it does store
itself as the first (0) index. I saved the settings and
rebooted. That data hadn't erased but the UPnP port is still
visible to the outside, albeit closed.

You can see the CLI output below:

[firewall]=>rule list chain=sink
:firewall rule create chain=sink index=0 srcintfgrp=wan prot=tcp dstport=5000 action=drop
:firewall rule create chain=sink index=1 srcintf=eth0 srcbridgeport=1 action=accept
:firewall rule create chain=sink index=2 srcintfgrp=!wan action=accept
:firewall rule create chain=sink index=3 prot=udp dstport=dns action=accept
:firewall rule create chain=sink index=4 prot=udp dstport=68 action=accept
:firewall rule create chain=sink index=5 action=drop

I'm wondering if this a hardware issue. Because UPnP is a
feature of the router, perhaps - for whatever bizarre reason -
it always bypasses the firewall; even when the port is closed.

But then maybe my speculation is unfounded guff. ;-)

(Also: apologies to the other poster. I didn't mean to offend,
but to explain why an .exe was a bad solution. I'll enroll in
diplomatic school in September. <grin>)
--
Lee J. Moore

"Lee J." <(E-Mail Removed)> wrote:

> Meanwhile in the Korova Milkbar, Martin's rassoodock was made up
> and bolshy yarblockos were golossed:
> [..]
> >
> > rule create chain=sink index=0 srcintfgrp=wan prot=tcp
> > dstport=5000 action=drop
>
> I appreciate your help, but it doesn't work. The firewall is
> on, there is a sink chain, I can add that and it does store
> itself as the first (0) index. I saved the settings and
> rebooted. That data hadn't erased but the UPnP port is still
> visible to the outside, albeit closed.
>
> You can see the CLI output below:
>
> [firewall]=>rule list chain=sink
> :firewall rule create chain=sink index=0 srcintfgrp=wan prot=tcp
dstport=5000 action=drop
> :firewall rule create chain=sink index=1 srcintf=eth0 srcbridgeport=1
action=accept
> :firewall rule create chain=sink index=2 srcintfgrp=!wan action=accept
> :firewall rule create chain=sink index=3 prot=udp dstport=dns
action=accept
> :firewall rule create chain=sink index=4 prot=udp dstport=68 action=accept
> :firewall rule create chain=sink index=5 action=drop
>
> I'm wondering if this a hardware issue. Because UPnP is a
> feature of the router, perhaps - for whatever bizarre reason -
> it always bypasses the firewall; even when the port is closed.
>
> But then maybe my speculation is unfounded guff. ;-)
>
> (Also: apologies to the other poster. I didn't mean to offend,
> but to explain why an .exe was a bad solution. I'll enroll in
> diplomatic school in September. <grin>)

Thats odd, as the rule works fine on my speedtouch. However, I also have
the rule :-

rule create chain=forward index=0 srcintfgrp=wan prot=tcp dstport=5000
action=drop

in the forward chain. Might be worth adding that, but I would only expect
that to have any effect if you had real IP's behind the router. Are you
using routed static IP's by any chance ?

--

Martin