Topic: shields up reports open ports; is monowall unsafe? (SOLVED!)  (Read 4377 times)
« on: August 16, 2007, 19:12:30 »
sourcefinder *
Posts: 11

I switched from ipcop to monowall because of the increased options to block and open ports. Apart from the difficult installation on a standard pc, it runs perfect now. I tested the monowall with shields up:

(http://www.grc.com/default.htm and click shields up).

Port 23 stays open. I played with the firewall rules (on the LAN and WAN connectors I've blocked port 23, in, out and both) but grc.com keeps telling me port 23 is open. I also put the 'block' rules in LAN above the basic rule to let anything pass. Of course I have renewed the webpages and tried it on several computers in the LAN. Has anyone got the same experiences? Should I bother about the open ports (21 and 23)? I would like to disable the rules only when I need ftp or telnet, so it can be secure for the rest of the time.

I'm using the 1.3b3-version

Thanks in advance for your reactions!

Kind regards,

A new (dutch) Monowall user.
« Last Edit: August 18, 2007, 01:59:32 by sourcefinder »
« Reply #1 on: August 16, 2007, 23:27:47 »
clarknova ***
Posts: 148

Quote
Port 23 stays open. I played with the firewall rules (on the LAN and WAN connectors I've blocked port 23, in, out and both) but grc.com keeps telling me port 23 is open.

The default rule on the WAN is 'deny'. Port 23 should not be open if you haven't added a rule to explicitly open it.

Quote
I would like to disable the rules only when I need ftp or telnet, so it can be secure for the rest of the time.

I'm not sure what you mean by this. Have you created NAT entries and firewall pass rules to allow external access to your ftp and telnet servers? If so, you can disable those rules while not in use by clicking to edit the rule and then checking the "Disable this rule" box.

If you haven't created any rules on your WAN and grc is still showing those ports open, then something else is going on. Perhaps your monowall's WAN lies in a NATed address space and the upstream provider is forwarding those ports to another machine, in which case those ports will report as open, even if not from your network. If you want to test this hypothesis then simply compare mono's WAN address to the address that grc.com is reporting to you during the scan.

db
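
The address comparison suggested in Reply #1, written out as an added example (it is not part of the thread and not m0n0wall code). The function names, verdict labels and sample addresses are assumptions constructed for illustration; `wan_pass_ports` stands for the ports the firewall's own WAN rules pass.

```python
import ipaddress

# Ranges never routed on the public Internet: RFC 1918 private space
# and the RFC 6598 carrier-grade NAT block.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def scan_target(firewall_wan, scanner_reported):
    """Decide which device an external port scan actually probed."""
    wan = ipaddress.ip_address(firewall_wan)
    seen = ipaddress.ip_address(scanner_reported)
    if wan == seen:
        return "firewall"        # the scanner reached the firewall's own WAN
    if any(wan in net for net in NON_PUBLIC):
        return "upstream-nat"    # a NAT device (e.g. the modem) sits in front
    return "unknown"             # addresses differ, but WAN is public


def attribute_open_ports(firewall_wan, scanner_reported, open_ports,
                         wan_pass_ports=()):
    """Label each port the scan reported open with the device to inspect."""
    target = scan_target(firewall_wan, scanner_reported)
    verdicts = {}
    for port in sorted(open_ports):
        passed = port in wan_pass_ports
        if target == "firewall":
            # Default deny on WAN: an open port needs a matching pass rule.
            verdicts[port] = "firewall-pass-rule" if passed else "firewall-unexpected"
        elif target == "upstream-nat":
            # Without a pass rule the firewall cannot be the one answering.
            verdicts[port] = "forwarded-through-firewall?" if passed else "upstream-device"
        else:
            verdicts[port] = "undetermined"
    return verdicts


if __name__ == "__main__":
    # Constructed sample: firewall WAN leased by the modem's DHCP server,
    # scanner reporting a documentation-range public address.
    print(attribute_open_ports("192.168.1.2", "203.0.113.45", [23, 21]))
```
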
« Reply #2 on: August 17, 2007, 00:07:46 »
sourcefinder *
Posts: 11

Best Clarknova,

Thanks for your reaction!

The rules on my WAN are (now) standard, and I haven't got any NAT rules configured. The WAN address from my modem (I can't see the WAN-IP address in M0n0wall!?) is the same as the one that shows in grc.com. My 'network' is really very simple: an orange modem (which I have fully opened), behind that the Monowall and after that a switch and the LAN-clients (just 4 computers).

In the meantime I discovered some more things:

a. In the firewall rules - LAN I closed all ports except 25, 80 and 110. The result was: shields up wouldn't even open anymore(!). So that seems to be a good security rule (I have mailed grc.com for the cause of this result; should I open some ports to get test results???). But anyway I have the feeling that the WAN-interface should intercept this kind of security issues, not the LAN-interface. I'm not very experienced with firewalls.

b. By visiting probe.hackerwatch.com (another test) I used the port scan, and this test still gave me the old results: Port 21, 23 and 80 are open.

I'm very curious for the results at grc.com and probe.hackerwatch.com on other monowall configurations. Maybe these test reports aren't ''configured'' for using firewalls such as monowall. A test result from other users should give me this information: Am I wrong, are the test sites giving wrong information or...?

With Greetz, Sourcefinder
« Reply #3 on: August 17, 2007, 02:04:55 »
clarknova ***
Posts: 148

In monowall the firewall rules are all parsed as incoming on any given interface. Other firewalls may work differently. Thus in monowall if you make a block rule on your LAN interface, then you are blocking connections coming from your local network.

I think grc.com uses some if not all secure elements, therefore their page will not load correctly or at all until you create a LAN rule allowing destination port 443.

To look at mono's WAN IP address click on Status->Interfaces in mono's control page.

If your modem is not in bridge mode then it is possible that the open ports you are talking about are open on your modem.

db
« Reply #4 on: August 17, 2007, 10:52:20 »
sourcefinder *
Posts: 11

Ok,

Opened port 443 and grc is running. The monowall WAN IP-address is an address provided by the DHCP server on the modem. So it's not my 'real' WAN-IP address (the one provided by my ISP).

My modem is not in bridge mode. My next step is to test grc.com when a pc is directly behind the modem. The modem should be fully opened; the firewall is disabled. So with testing all ports should be open. I will let you know as soon as I tested this one!
« Reply #5 on: August 18, 2007, 01:59:02 »
sourcefinder *
Posts: 11

Finally found out; I still have got a lot to learn. Connected a PC directly to my modem, reset the modem and tested it with grc.com. With the firewall on the modem disabled, port 21 and 23 were open. With the firewall enabled, all ports were closed according to the shields up test. So this test wasn't really testing the Monowall.

This means tests like shields up and hackerwatch.org (also tried) don't really test the monowall that's behind a modem. And that's leaving one question open; which of the online tests can test a firewall behind a modem with built-in firewall?

Clarknova, thanks for your help!
« Reply #6 on: August 18, 2007, 08:54:51 »
clarknova ***
Posts: 148

It appears then that your modem is a NAT device, and as such is a 'de facto' firewall. The only way to test your monowall's firewalling then is to put your modem in bridge mode if possible, or place a testing device between the modem's LAN port and mono's WAN.

db
« Reply #7 on: August 19, 2007, 18:38:43 »
sourcefinder *
Posts: 11

Yes, I can see that now. I'm glad that the Monowall wasn't the reason for the ''unsecureness reports" that grc.com and hackerwatch.org showed. But though it's strange that these tests don't look any further than the first device they 'see'. Also strange that there aren't any other users who asked themselves these questions and tested the Monowall on this.

As soon as I've got time again I will put the modem in bridge mode (if possible). I'll also report the results to the forum, because I believe it's very important to know whether or not the Monowall (and the personal configurations) are safe.

Clarknova, thanks very much for your help on this topic!!!
 