Gargoyle - Failed Stealth test @ grc.com
Posted: Tue May 26, 2009 12:08 am
by DoesItMatter
OK...
I'm definitely liking this Gargoyle, am using the bleeding edge atheros release for my Fon 2201+
I'm wondering... why it would fail the Stealth test rating @
www.grc.com ?
It shows ports closed or stealth, but not all of them.
I put my main test computer, Windows Vista Ultimate - SP2 (it's out!) with standard firewall into the DMZ
I run the grc.com test just using the Vista firewall - pure Stealth rating.
Is there a way to stealth those ports by default? Or what rules could I add to stealth them?
Re: Gargoyle - Failed Stealth test @ grc.com
Posted: Wed May 27, 2009 7:49 am
by Eric
First realize that there are not open ports unless you've enabled port forwarding or remote web/ssh. Your router is secure (unless you've done something monumentally stupid like enabling remote web access without a password).
Your concern is the "stealth" mode this site talks about, which is a question of DROPing packets (just ignoring them) or REJECTing them (sending a message back to the sender that the port is closed).
However, it's mostly a myth that using DROP instead of REJECT makes you safer. See
here.
However, if you really want to change this edit /etc/config/firewall so that the config section for the wan (the one with "option name wan") has the input and forward options set to DROP instead of REJECT.
Re: Gargoyle - Failed Stealth test @ grc.com
Posted: Thu May 28, 2009 3:17 am
by DoesItMatter
Ahh... good info.
I guess I'm safe then... don't do P2P or Torrents.
Am definitely digging this Gargoyle bleeding edge atheros on my Fon 2201+
Re: Gargoyle - Failed Stealth test @ grc.com
Posted: Mon Nov 07, 2011 12:46 pm
by Tank_Killer
Perhaps it's not a question of security, but a question of the extra traffic a reply incurs? I thought the whole point of making your ports stealth is to prevent ICMP ping/DOS attacks as your router simply drops the packet and doesn't reply. I have noticed my WAN and modem light blinking A LOT faster now that I am on Gargoyle, the internet is PLAGUED with constant unwarranted activity.
I will cruise the internet to see if I can figure out how to config iptables (it's been a long time since I used it), in the meantime anyone have a particular tutorial that might be useful for me?
BTW I LOVE these builds, I donated to this project. thanks in advance.
TK
Re: Gargoyle - Failed Stealth test @ grc.com
Posted: Mon Nov 07, 2011 12:52 pm
by DoesItMatter
Tank_Killer wrote:
I will cruise the internet to see if I can figure out how to config iptables (it's been a long time since I used it), in the meantime anyone have a particular tutorial that might be useful for me?
BTW I LOVE these builds, I donated to this project. thanks in advance.
TK
I haven't even bothered with this on the newer builds but I will
do what Eric recommended on my D-Link and then post my changes.
I'll make it simple to understand.
Do understand that you will be making these changes via command line.
Are you familiar with linux? Do you know how to use the vi editor?
Read up on vi if not because that's how you will be making
most of your changes via a telnet session into your router.
Re: Gargoyle - Failed Stealth test @ grc.com
Posted: Mon Nov 07, 2011 1:05 pm
by Tank_Killer
I am familiar with linux, and I have used vi and pico editors and I know how to SSH into a server.
Re: Gargoyle - Failed Stealth test @ grc.com
Posted: Tue Nov 08, 2011 2:07 am
by DoesItMatter
Not a whole lot to edit in that section.
This is what I did:
Telnet into router and cd to /etc/config
Make a copy of firewall -> firewall.bak
Then I did a vi firewall
There are 3 places marked DROP in the code below.
They used to say REJECT - just change it to DROP.
Apply/save the edits and then reboot the router.
Then try running the GRC.com Shields Up test.
root@Gargoyle:/etc/config# cp firewall firewall.bak
root@Gargoyle:/etc/config# ls
ddns_gargoyle    firewall.bak     ntpclient        upnpd
dhcp             gargoyle         qos_gargoyle     webmon_gargoyle
dropbear         httpd_gargoyle   system           wireless
firewall         network          timeserver       wol
root@Gargoyle:/etc/config# vi firewall
        option forward REJECT

config zone
        option name wan
        option network 'wan'
        option input DROP
        option output ACCEPT
        option forward DROP
        option masq 1
        option mtu_fix 1

config forwarding
        option src lan
        option dest wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option src wan
        option proto udp
        option dest_port 68
        option target ACCEPT
        option family ipv4

# Allow IPv4 ping
config rule
        option src wan
        option proto icmp
        option icmp_type echo-request
        option family ipv4
        option target DROP
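Eric's advice and DoesItMatter's vi walkthrough above come down to one edit: in the zone section whose name is wan, change input and forward from REJECT to DROP. The script below is an added example for this thread, not Gargoyle's or OpenWrt's own tooling. It makes the same edit with awk but scopes it to the wan zone only, so the lan zone keeps its REJECT (which is what gives LAN clients an immediate "connection refused" instead of a hang) and no "config rule" section, including the ping rule, is touched. The function names, the firewall.bak path and the sample config are assumptions made for the demo; the sample is constructed from the default OpenWrt layout, not copied from a router.

```shell
#!/bin/sh
# Added example for this thread (not Gargoyle's or OpenWrt's own code):
# switch the wan zone in an OpenWrt/Gargoyle /etc/config/firewall from
# REJECT to DROP without touching the lan zone or any "config rule".
# Function names, paths and the sample config below are assumptions.

# Rewrite one UCI firewall file; prints the result on stdout.
# Each "config ..." section is buffered and only a zone whose
# "option name" is wan (bare or quoted) gets input/forward rewritten,
# so the order of options inside the zone does not matter.
stealth_wan() {
    awk '
    function flush(   i, line) {
        for (i = 1; i <= n; i++) {
            line = buf[i]
            if (is_wan && line ~ /^[[:space:]]*option[[:space:]]+(input|forward)[[:space:]]/)
                sub(/REJECT/, "DROP", line)
            print line
        }
        n = 0; is_wan = 0; in_zone = 0
    }
    /^[[:space:]]*config[[:space:]]/ { flush(); in_zone = ($2 == "zone") }
    in_zone && /^[[:space:]]*option[[:space:]]+name[[:space:]]/ {
        v = $3; gsub("[\047\"]", "", v)      # strip single/double quotes
        if (v == "wan") is_wan = 1
    }
    { buf[++n] = $0 }
    END { flush() }
    ' "$1"
}

# Constructed sample (assumed, trimmed from the OpenWrt default layout):
# a lan zone that must stay REJECT, the wan zone to rewrite, and an
# ICMP rule that must be left exactly as it is.
sample_firewall() {
    cat <<'EOF'
config zone
	option name lan
	option network 'lan'
	option input REJECT
	option output ACCEPT
	option forward REJECT

config zone
	option name 'wan'
	option network 'wan'
	option input REJECT
	option output ACCEPT
	option forward REJECT
	option masq 1

config rule
	option name 'Allow-Ping'
	option src wan
	option proto icmp
	option icmp_type echo-request
	option target ACCEPT
EOF
}

# On the router (assumed paths): keep a backup like the post does, rewrite
# in place, then reload the firewall. A plain reboot works as well.
apply_on_router() {
    cfg=${1:-/etc/config/firewall}
    cp "$cfg" "$cfg.bak" || return 1
    stealth_wan "$cfg.bak" > "$cfg"
    /etc/init.d/firewall restart
}

# Demo on the constructed sample only; nothing on a router is touched.
demo_tmp=$(mktemp)
sample_firewall > "$demo_tmp"
stealth_wan "$demo_tmp"
rm -f "$demo_tmp"
```

Run it as-is to see the rewritten sample; on the router, `apply_on_router` does the backup, rewrite and reload. If you would rather not edit the file at all, the same change can be made with the uci tool that OpenWrt ships: `uci show firewall` lists the zones as `firewall.@zone[N]`, and once you have found the N whose name is wan, `uci set firewall.@zone[N].input=DROP`, `uci set firewall.@zone[N].forward=DROP` and `uci commit firewall` write it back. Either way, the only thing that changes is whether the router answers an unsolicited packet with a reset/unreachable or stays silent; nothing is opened or closed.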
Re: Gargoyle - Failed Stealth test @ grc.com
Posted: Tue Nov 08, 2011 10:13 am
by Tank_Killer
Thank you very much for the help, when I get a spare moment I will make these config changes.
Perhaps this should be default in the next builds?
Re: Gargoyle - Failed Stealth test @ grc.com
Posted: Fri Nov 11, 2011 12:24 am
by Tank_Killer
POW! those changes work great! Will be making those changes to all future builds if not already included.
Thanks again for the great support.
TK
Re: Gargoyle - Failed Stealth test @ grc.com
Posted: Mon Feb 25, 2013 12:11 am
by wrtmonkey
Is it possible to make these changes via the Web UI? I would like to get my ports Stealthed. I tried using Telnet, but I get the message
Connecting To 192.168.1.1...Could not open connection to the host, on port 23: Connect failed
EDIT:
I installed Putty and ssh.
QUESTION: Why are these settings not on by default?
The lines posted by DoesItMatter don't match completely. The 1st and 2nd "REJECT" matched his lines but the last one was set to "A
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
I changed "ACCEPT" to "REJECT".
Is this correct?