Gargoyle - Failed Stealth test @ grc.com
Moderator: Moderators
- DoesItMatter
- Moderator
- Posts: 1373
- Joined: Thu May 21, 2009 3:56 pm
Gargoyle - Failed Stealth test @ grc.com
OK...
I'm definitely liking this Gargoyle, am using the bleeding edge atheros release for my Fon 2201+
I'm wondering... why it would fail the Stealth test rating @ www.grc.com ?
It shows ports closed or stealth, but not all of them.
I put my main test computer, Windows Vista Ultimate - SP2 (it's out!) with standard firewall into the DMZ
I run the grc.com test just using the Vista firewall - pure Stealth rating.
Is there a way to stealth those ports by default? Or what rules could I add to stealth them?


2x Asus RT-N16 = Asus 3.0.0.4.374.43 Merlin
2x Buffalo WZR-HP-G300NH V1 A0D0 = Gargoyle 1.9.x / LEDE 17.01.x
2x Engenius - ESR900 Stock 1.4.0 / OpenWRT Trunk 49400
Re: Gargoyle - Failed Stealth test @ grc.com
First realize that there are no open ports unless you've enabled port forwarding or remote web/ssh. Your router is secure (unless you've done something monumentally stupid like enabling remote web access without a password).
Your concern is the "stealth" mode this site talks about, which is a question of DROPing packets (just ignoring them) or REJECTing them (sending a message back to the sender that the port is closed).
However, it's mostly a myth that using DROP instead of REJECT makes you safer. See here.
However, if you really want to change this edit /etc/config/firewall so that the config section for the wan (the one with "option name wan") has the input and forward options set to DROP instead of REJECT.
- DoesItMatter
- Moderator
- Posts: 1373
- Joined: Thu May 21, 2009 3:56 pm
Re: Gargoyle - Failed Stealth test @ grc.com
Ahh... good info.
I guess I'm safe then... don't do P2P or Torrents.
Am definitely digging this Gargoyle bleeding edge atheros on my Fon 2201+


2x Asus RT-N16 = Asus 3.0.0.4.374.43 Merlin
2x Buffalo WZR-HP-G300NH V1 A0D0 = Gargoyle 1.9.x / LEDE 17.01.x
2x Engenius - ESR900 Stock 1.4.0 / OpenWRT Trunk 49400
-
- Posts: 34
- Joined: Wed Oct 26, 2011 11:25 pm
- Location: Canada
Re: Gargoyle - Failed Stealth test @ grc.com
Perhaps it's not a question of security, but a question of the extra traffic a reply incurs? I thought the whole point of making your ports stealth is to prevent ICMP ping/DoS attacks, as your router simply drops the packet and doesn't reply. I have noticed my WAN and modem light blinking a lot faster now that I am on Gargoyle; the internet is PLAGUED with constant unwarranted activity.
I will cruise the internet to see if I can figure out how to config iptables (it's been a long time since I used it); in the meantime, does anyone have a particular tutorial that might be useful for me?
BTW I LOVE these builds, I donated to this project. thanks in advance.
TK
- DoesItMatter
- Moderator
- Posts: 1373
- Joined: Thu May 21, 2009 3:56 pm
Re: Gargoyle - Failed Stealth test @ grc.com
Tank_Killer wrote: I will cruise the internet to see if I can figure out how to config iptables (it's been a long time since I used it); in the meantime, does anyone have a particular tutorial that might be useful for me?
BTW I LOVE these builds, I donated to this project. thanks in advance.
TK
I haven't even bothered with this on the newer builds but I will do what Eric recommended on my D-Link and then post my changes.
I'll make it simple to understand.
Do understand that you will be making these changes via command line.
Are you familiar with linux? Do you know how to use the vi editor?
Read up on vi if not, because that's how you will be making most of your changes via a telnet session into your router.


2x Asus RT-N16 = Asus 3.0.0.4.374.43 Merlin
2x Buffalo WZR-HP-G300NH V1 A0D0 = Gargoyle 1.9.x / LEDE 17.01.x
2x Engenius - ESR900 Stock 1.4.0 / OpenWRT Trunk 49400
-
- Posts: 34
- Joined: Wed Oct 26, 2011 11:25 pm
- Location: Canada
Re: Gargoyle - Failed Stealth test @ grc.com
I am familiar with linux, and I have used vi and pico editors and I know how to SSH into a server.
- DoesItMatter
- Moderator
- Posts: 1373
- Joined: Thu May 21, 2009 3:56 pm
Re: Gargoyle - Failed Stealth test @ grc.com
Not a whole lot of sections to edit.
This is what I did:
Telnet into router and cd to /etc/config
Make a copy of firewall -> firewall.bak
Then I did a vi firewall
There are 3 places marked DROP in the code below.
They used to say REJECT - just change it to DROP.
Apply/save the edits and then reboot the router.
Then try running the GRC.com Shields Up test.
Code:
root@Gargoyle:/etc/config# cp firewall firewall.bak
root@Gargoyle:/etc/config# ls
ddns_gargoyle firewall.bak ntpclient upnpd
dhcp gargoyle qos_gargoyle webmon_gargoyle
dropbear httpd_gargoyle system wireless
firewall network timeserver wol
root@Gargoyle:/etc/config# vi firewall
option forward REJECT
config zone
option name wan
option network 'wan'
option input DROP
option output ACCEPT
option forward DROP
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target DROP


2x Asus RT-N16 = Asus 3.0.0.4.374.43 Merlin
2x Buffalo WZR-HP-G300NH V1 A0D0 = Gargoyle 1.9.x / LEDE 17.01.x
2x Engenius - ESR900 Stock 1.4.0 / OpenWRT Trunk 49400
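Added example (my own, not Gargoyle or OpenWrt project code and not something anyone in this thread posted): a POSIX sh script that makes the same edit Eric describes and DoesItMatter did by hand in vi, so it can be re-applied after a reflash without retyping. It buffers each config section of an OpenWrt-style /etc/config/firewall and rewrites only the config zone whose option name is wan (input and forward REJECT to DROP) and any config rule for WAN echo-request (target to DROP), keeps a .bak copy, and reports rather than quietly "fixes" a wan zone that is set to ACCEPT, since that is a real exposure and not a stealth question. The --demo flag, the script file name, and the sample config the demo builds are assumptions for illustration; the sample mirrors the config shown in this thread. As Eric said, this buys no real security over REJECT; it only changes what GRC's probe sees.

```shell
#!/bin/sh
# Added example: not Gargoyle/OpenWrt project code and not code posted in this
# thread. Automates the edit Eric describes and DoesItMatter made by hand:
# in an OpenWrt-style /etc/config/firewall, switch the "wan" zone's input and
# forward from REJECT to DROP and make the WAN echo-request rule DROP too.
# Assumptions: the file path is passed as $1; the --demo flag and the sample
# config below are constructed for illustration only.

# Rewrite the UCI firewall file $1 in place, keeping $1.bak.
# Sections are buffered and only rewritten once the whole section has been
# seen, so the order of options inside a section does not matter.
stealth_wan_zone() {
    cfg="$1"
    cp "$cfg" "$cfg.bak" || return 1
    awk '
    function flush(   i, line) {
        for (i = 1; i <= n; i++) {
            line = buf[i]
            if (wan_zone && line ~ /^[[:space:]]*option[[:space:]]+(input|forward)[[:space:]]+/) {
                # Only REJECT becomes DROP. An ACCEPT on the wan zone is a
                # real exposure, so report it instead of hiding it.
                if (line ~ /REJECT/) sub(/REJECT/, "DROP", line)
                else if (line ~ /ACCEPT/) print "warning: wan zone ACCEPTs, not changed: " line > "/dev/stderr"
            }
            if (src_wan && echo_req && line ~ /^[[:space:]]*option[[:space:]]+target[[:space:]]+/)
                sub(/ACCEPT|REJECT/, "DROP", line)
            print line
        }
        n = 0; wan_zone = 0; src_wan = 0; echo_req = 0
    }
    /^[[:space:]]*config[[:space:]]+/ { flush(); sect = $2 }
    sect == "zone" && /^[[:space:]]*option[[:space:]]+name[[:space:]]+.?wan.?[[:space:]]*$/ { wan_zone = 1 }
    sect == "rule" && /^[[:space:]]*option[[:space:]]+src[[:space:]]+.?wan.?[[:space:]]*$/ { src_wan = 1 }
    sect == "rule" && /^[[:space:]]*option[[:space:]]+icmp_type[[:space:]]+.?echo-request.?[[:space:]]*$/ { echo_req = 1 }
    { buf[++n] = $0 }
    END { flush() }
    ' "$cfg.bak" > "$cfg"
}

# Count lines in file $1 of the form "option <$2> <$3>" (quotes optional).
count_option() {
    grep -Ec "^[[:space:]]*option[[:space:]]+$2[[:space:]]+'?$3'?[[:space:]]*\$" "$1" || true
}

# Constructed sample mirroring the config shown in the thread; not a real router's file.
write_sample_config() {
    cat > "$1" <<'EOF'
config zone
    option name lan
    option network 'lan'
    option input ACCEPT
    option output ACCEPT
    option forward REJECT

config zone
    option name wan
    option network 'wan'
    option input REJECT
    option output ACCEPT
    option forward REJECT
    option masq 1
    option mtu_fix 1

config rule
    option src wan
    option proto udp
    option dest_port 68
    option target ACCEPT
    option family ipv4

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'
EOF
}

demo() {
    tmp=$(mktemp)
    write_sample_config "$tmp"
    stealth_wan_zone "$tmp"
    diff -u "$tmp.bak" "$tmp" || true    # shows exactly the three lines that changed
    rm -f "$tmp" "$tmp.bak"
}

# Nothing runs unless --demo is given, so sourcing this file on a router is harmless.
# On the router (after checking the diff you like it):
#   . ./stealth_wan.sh && stealth_wan_zone /etc/config/firewall && /etc/init.d/firewall restart
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh stealth_wan.sh --demo` to see the diff against the constructed sample before touching a real router; the DHCP renewal rule (udp/68) and the lan zone are left alone, which is the check you want to make before reloading the firewall. DoesItMatter rebooted; on OpenWrt-based builds /etc/init.d/firewall restart reloads the rules without a reboot, and the GRC test is the confirmation that the WAN side now drops instead of rejecting.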
-
- Posts: 34
- Joined: Wed Oct 26, 2011 11:25 pm
- Location: Canada
Re: Gargoyle - Failed Stealth test @ grc.com
Thank you very much for the help, when I get a spare moment I will make these config changes.
Perhaps this should be default in the next builds?
-
- Posts: 34
- Joined: Wed Oct 26, 2011 11:25 pm
- Location: Canada
Re: Gargoyle - Failed Stealth test @ grc.com
POW! those changes work great! Will be making those changes to all future builds if not already included.
Thanks again for the great support.
TK
Re: Gargoyle - Failed Stealth test @ grc.com
Is it possible to make these changes via the Web UI? I would like to get my ports Stealthed. I tried using Telnet, but I get the message
Connecting To 192.168.1.1...Could not open connection to the host, on port 23: Connect failed
EDIT:
I installed Putty and ssh.
QUESTION: Why are these settings not on by default?
The lines posted by DoesItMatter don't match completely. The 1st and 2nd "REJECT" matched his lines but the last one was set to "A
Code:
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
I changed "ACCEPT" to "REJECT".
Is this correct?