WRT350N Leaving Port 21 Wide Open with SPI Firewall Enabled

I just ran Shields Up and noticed port 21 (FTP) is wide open, while all the other ports are marked as stealthed.
The router is a Linksys WRT350N with the latest firmware 1.03.2.  SPI Firewall is enabled and it's blocking "Anonymous Internet Request."
Am I missing something here?  Why isn't port 21 being stealthed along with all the other ports?  I've run this test before with other Linksys routers and all the ports are stealthed so I'm concerned now.
https://www.grc.com/x/ne.dll?bh0bkyd2
Anyone else with the same router and configuration please run the Shields Up port scan at GRC to see if your port 21 is open and report back.  Thanks!

Linksys told me that that port had to "stay" open, it is part of the FTP service when you attach the USB storage device.  After a lengthy amount of time on the phone, I had to suggest maybe a flash update.  But they would not put anyone on the phone to convince me they had a grasp on this issue, SO I FIGURED IT OUT.  Access the router.  Select "Storage", then select "Administration".  There you find "Internet Access".  Unselect "Enable" and obviously select "Disable".  Port 21 now in Stealth.  Now who can take it further and figure out port forwarding/triggering for when one will start to use server?  Max

Similar Messages

  • Excessive no. of ports remaining open with HttpUrlConnection

    Hi,
    I am facing problem where excess no. of TCP ports getting opened or remaining open on client of my application (from where I send XML requests to application).
    The scenario happens when I simulate a load of 100 concurrent requests through JMeter (SOAP/XML-RPC requests)
    Client app is deployed on Tomcat 5.5 on a Linux box.
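    My code looks like the following:
    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStreamReader;
    import java.io.OutputStreamWriter;
    import java.net.HttpURLConnection;
    import java.net.URL;
    // Declared outside the try block so the finally block can reach it.
    HttpURLConnection httpURLConnection = null;
    try {
        URL url = new URL(<url string>);
        httpURLConnection = (HttpURLConnection) url.openConnection();
        httpURLConnection.setRequestMethod("POST");
        httpURLConnection.setConnectTimeout(10000);
        httpURLConnection.setDoOutput(true);
        OutputStreamWriter outputStreamWriter = new OutputStreamWriter(httpURLConnection.getOutputStream());
        outputStreamWriter.write(<write something>);
        outputStreamWriter.close();
        BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(httpURLConnection.getInputStream()));
        <read buffered reader here>
        bufferedReader.close();
    } catch (IOException e) {
        // exception handling was left out of the original post
    } finally {
        if (httpURLConnection != null) {
            httpURLConnection.disconnect();
        }
    }
    What's wrong here that is causing excessive TCP IP ports to remain open?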
    Also, I want to restrict the no. of Http connections that I can make from client to server. Is this possible?
    I searched about <Connector acceptCount=<> .... > in server.xml on Tomcat. But it is about incoming connections on Tomcat port and not the outgoing connections. I also explored -Dhttp.maxconnections but it doesn't serve my purpose. Only option I can think about is creating a custom object pool for HttpConnectionUrl (which I would like to avoid due to some reasons)
    Is there any built-in support/ready API/tool to restrict no. of connections while sending Http requests?
    regards,
    suraj

    > I am facing problem where excess no. of TCP ports getting opened or remaining open on client
    Compared to what?
    > The scenario happens when I simulate a load of 100 concurrent requests through JMeter (SOAP/XML-RPC requests)
    Aha.
    > What's wrong here that is causing excessive TCP IP ports to remain open?
    Nothing except your definition of 'excessive'. You are simulating hundreds of clients on one client host so you will get all the behaviour of those client hosts in your single client host. The problem is in the simulation, not the TCP ports.
    > Also, I want to restrict the no. of Http connections that I can make from client to server. Is this possible?
    Why?

  • After 3.6.4 update, FF will not open with imacros addon enabled.

    After 3.6.4 update I can no longer run FF with the imacros addon enabled. Imacros has not released an update yet. How can I revert back to 3.6.3 until they do update? Or are there any other suggestions?
    == This happened ==
    Every time Firefox opened
    == after 3.6.4 upgrade

    Mathias,
    Thank you for helping me (and so many others) back up and running :)
    PS - Allowed my desktop (old pentium 4 running winxp) to update to FF3.6.4 and it worked just fine without the updated iMacros. Not sure what is different between the 2 machines, but figured you might like to have the info.
    Tommy

  • Can you configure a static port to use with certsrv.msc?

    I am trying to use certsrv.msc to connect from my workstation to the CA for administration purposes.  Workstation is Win7, CA is 2008 R2 Enterprise running Enterprise Subordinate on a dedicated box.
    I configured a static DCOM port for certsvc by following this article, including bouncing the service and also rebooting the CA box:
    http://social.technet.microsoft.com/wiki/contents/articles/1559.how-to-configure-a-static-dcom-port-for-ad-cs.aspx
    The static port was opened in the firewall from my workstation to the CA.  We also found that TCP 445 was required, so that has been opened as well, port 135 & other ports normally needed for autoenrollment should be open.  Sniffing the firewall showed that a random high numbered port that is not the static dcom port is being attempted - this is the only port showing dropped packets & no traffic on the static port.
    I am wondering if there is a way to configure a static port for this high-level random port to use with certsrv.msc as I was able to do with the certsvc dcom port?  I am trying to avoid having tens of thousands of network ports wide open going to my CA...  Thanks in advance!

    Hi Steve,
    I am sorry that I wasn’t able to find references about restricting certificate services only use one port in the random port range.
    However, we can configure RPC dynamic ports allocation to restrict port range. In the meantime, we should keep at least 100 ports open to keep necessary system services running.
    More information for you:
    How to configure RPC dynamic port allocation to work with firewalls
    http://support.microsoft.com/kb/154596/en-us
    Service overview and network port requirements for Windows
    http://support.microsoft.com/kb/832017/en-au
    Firewall Rules for Active Directory Certificate Services
    http://blogs.technet.com/b/pki/archive/2010/06/25/firewall-roles-for-active-directory-certificate-services.aspx
    Best Regards,
    Amy Wang

  • What Protection Beyond NAT Does SPI Firewall in E4200 Provide?

    In the E4200 Cisco has dumbed-down the settings and Help to the point where it's impossible to derive any hard information from the documentation.
    My question is this:
    In a NAT environment (i.e., where I have a private LAN using 192.168.x.x addresses):
    Specifically what additional protection, if any, does enabling the E4200's "SPI Firewall" setting provide?
    Please do not answer with basic "It's good, set it" or "It enables the firewall" or what you guess it must do type answers.  I'm looking for information beyond that - what I want to know is just what the "SPI Firewall" ENABLED setting is adding in addition to the basic incoming request blocking that's inherent in a NAT setup.  Is the router doing additional IP header validation, blocking packets from specific addresses (and if so, who sets the table), etc.?
    I have only IPv4 capability through my ISP at the moment, so an answer oriented toward IPv4 will be fine.
    Thank you.
    -Noel

    NAT per definition does address translation. It does not provide security. It tries to deliver packets arriving on the public IP address. It tries to find the LAN IP address to which it can deliver an incoming packet. If it can't it will deliver the packet locally (i.e. to the router itself). NAT doesn't filter. NAT doesn't drop packets. It rewrites the destination IP address of packets arriving from the internet if it knows it has to.
    The SPI firewall filters traffic. That's the part which drops packets. When you initiate traffic from the LAN to the internet it will remember this session/state and then will allow matching incoming responses from the internet back through (after they went through NAT).
    Of course, this means that NAT and firewall go hand-in-hand when a new session is initiated from the LAN:
    1. NAT remembers a NAT session to rewrite responses to the correct LAN IP address.
    2. SPI remembers a firewall session to let incoming responses go through to the destination.
    But still these are two different tables for two different purposes. You may want to do a little reading on the Linux firewall iptables, on which the firewall in most cheap routers is built.
    Thus with NAT enabled the major effect of turning off the SPI firewall is to expose the router itself to the internet. All traffic which does not match NAT sessions is delivered locally. If the SPI firewall is off you expose the router to the internet. Of course, most ports are closed thus you won't notice the difference. But as we have only learned recently some routers listen for UPnP on the internet IP address (which they shouldn't of course) and a SPI firewall might have helped here to block exactly that traffic.
    In addition, you often find that NAT is configured with more "relaxed" settings internally than the firewall. As NAT is not a security measure but an enabling technology to deliver and not to drop you often find that NAT sessions time out (due to inactivity) later than firewall sessions. And NAT sessions usually only time out. They don't keep a session state. But of course this depends on the exact implementation and configuration of Linksys which I don't know.
    SPI, however, is also used to do "deep inspection", i.e. not only look at the source/destination IPs/ports but also into the contents of some protocols. For Linksys routers it's usually the URL filtering which checks the contents of HTTP requests. Possibly Cisco/Linksys has implemented more checks there.
    So to sum up: without SPI firewall you expose the router to the internet and access restrictions shouldn't work.
    And as you may think: with IPv6 the SPI firewall becomes very important as you don't need NAT anymore...
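
The two-table behaviour described in the answer above, as a simplified model added here (not code from the post or from any router firmware). The class name, the addresses and the router service on port 1900 are constructed for illustration, and the model keeps the WAN-side port equal to the LAN port.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Simplified model of a home router's inbound path: a NAT table and a separate SPI state table. */
public class NatVsSpi {
    private final Map<String, String> natSessions = new HashMap<>(); // reply key -> LAN "ip:port"
    private final Set<String> spiSessions = new HashSet<>();         // reply keys the filter lets in
    private final Set<Integer> routerListeners = new HashSet<>();    // ports the router itself listens on
    private final boolean spiEnabled;

    NatVsSpi(boolean spiEnabled, int... routerPorts) {
        this.spiEnabled = spiEnabled;
        for (int p : routerPorts) routerListeners.add(p);
    }

    private static String key(String remoteIp, int remotePort, int wanPort) {
        return remoteIp + ":" + remotePort + "->" + wanPort;
    }

    /** A LAN host opens a session: NAT and SPI each record it in their own table. */
    void outbound(String lanIp, int lanPort, String remoteIp, int remotePort) {
        String k = key(remoteIp, remotePort, lanPort); // assumption: WAN port == LAN port
        natSessions.put(k, lanIp + ":" + lanPort);
        spiSessions.add(k);
    }

    /** A packet arrives on the WAN side; returns what happens to it. */
    String inbound(String remoteIp, int remotePort, int wanPort) {
        String k = key(remoteIp, remotePort, wanPort);
        // NAT step: look up a rewrite target; without one the packet stays addressed to the router.
        String lanTarget = natSessions.get(k);
        // Filter step: only the SPI table drops packets, NAT never does.
        if (spiEnabled && !spiSessions.contains(k)) {
            return "dropped by SPI (no matching session)";
        }
        if (lanTarget != null) {
            return "forwarded to " + lanTarget;
        }
        return routerListeners.contains(wanPort)
                ? "delivered to router service on port " + wanPort
                : "reached router, port " + wanPort + " closed (answers, so not stealthed)";
    }

    public static void main(String[] args) {
        for (boolean spi : new boolean[] {true, false}) {
            NatVsSpi router = new NatVsSpi(spi, 1900); // constructed: router service on port 1900
            router.outbound("192.168.1.10", 50000, "203.0.113.5", 443);
            System.out.println("SPI " + (spi ? "enabled" : "disabled"));
            System.out.println("  reply to LAN session : " + router.inbound("203.0.113.5", 443, 50000));
            System.out.println("  unsolicited to 1900  : " + router.inbound("198.51.100.7", 40000, 1900));
            System.out.println("  unsolicited to 8080  : " + router.inbound("198.51.100.7", 40001, 8080));
        }
    }
}
```

With SPI disabled the reply is still forwarded, but the two unsolicited packets now reach the router itself, which is the exposure the answer describes.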

  • Which port need open for Import WS in to the TREE ??

    ZfD6.5SP2.
    WS----firewall-------NW_SERVER
    Which ports need open on the firewall for import Ws in to the TREE ??
    Serg

    Serg,
    >Which ports need open on the firewall for import Ws in to the TREE ??
    8039
    Jared Jennings
    Data Technique, Inc.
    Novell Support Forums Sysop
    http://wiki.novell.com

  • EA6500 - Problem with Ipv4 firewall disabled

    I'm encountering the same issue described on this thread: http://homecommunity.cisco.com/t5/Wireless-Routers/EA4500-Problem-when-SPI-IPv4-is-disabled/m-p/5520...
    But with my new EA6500.
    When I disable the IPv4 firewall, I'm not able to access a lot of websites (the homecommunity included).
    I think it's time to take some action about this problem. I want to access my router remotely, but if I disable the firewall I can't access it.
    This is very disappointing.

    I have some equipment that I need to access remotely, like my IP cameras purchased together with the new router. With the firewall enabled, I'm not able to connect to them.
    With my old router (it's old, sooo old), I don't have any of these issues, but I'll give it a try when I get home today. I'm at work now, but I have no expectation that it will work.
    This is a strange and nonsense bug, 'cause I'm accessing the sites, not the sites accessing my router. A disabled firewall could not be a problem, not to access a web site.
    I have problems with many disconnects too, like I saw in other threads, but this is another subject.
    I think all that I can do is wait for a FW update, 'cause I'll not be able to return the router, and my old router is **bleep**
    Thanks for the replies.
    EDIT: I forgot to mention, before posting here, I already tried to reset and re-configure so many times. I'm on the latest FW.

  • RV042 opens ports 80 and 443 when HTTPS enabled in firewall

    I recently installed an RV042 v1.1 vpn router (older hardware revision but using the latest available firmware 1.3.12.19-tm) and set up VPN access with the QuickVPN client.  QuickVPN requires that the HTTPS setting be enabled under the Firewall options, so I did.  I then scanned our static IP with grc.com's ShieldsUP! to check for open or non-stealthed ports and discovered that ports 80 and 443 show as wide open, while port 113 is closed but not stealthed.  If I disable the HTTPS setting under Firewall, then ports 80 and 443 become stealthed.  Is there any way to use QuickVPN and keep these ports stealthed?
    Thank you!
    Tim

    Solved this by forwarding ports 80, 113 and 443 to an unused internal IP address.  Tested QuickVPN after doing this and am still able to log on AND have a full stealth rating from ShieldsUP!

  • New WRT350N router has bug: Open port 21 NOT STEALTHY!!!

    I got my new WRT350N router all configured and on the Internet and went to Gibson Research to make sure that all ports were stealthed. My previous linksys router WRT54GS was always fully stealthy. I ran the all ports test and it failed! Port 21 is wide open. I was able to log straight on to ftp. Now the port scanners know they found a good IP and can launch all kinds of other nasty attacks against my IP. I reported this problem to Linksys support a few minutes ago and asked them to forward it up the chain. Hopefully they can quickly release a firmware upgrade to fix this hole.

    After closing port 21 via "Storage" and checking with grc.com I figured this router was then stealthy. Today I decided to test the stealthiness with a linux machine using 'nmap', a well known tool for testing. So I ran nmap with a full scan of all ports and the router is showing open and closed (not stealthed) ports:
    Starting Nmap 4.20 ( http://insecure.org ) at 2007-09-23 14:44 EDT
    Interesting ports on XXX.XXX.XXX.XXX:
    Not shown: 65519 filtered ports
    PORT STATE SERVICE
    25/tcp open smtp
    53/tcp open domain
    80/tcp open http
    110/tcp open pop3
    143/tcp open imap
    65000/tcp closed unknown
    65001/tcp closed unknown
    65002/tcp closed unknown
    65003/tcp closed unknown
    65004/tcp closed unknown
    65005/tcp closed unknown
    65006/tcp closed unknown
    65007/tcp closed unknown
    65008/tcp closed unknown
    65009/tcp closed unknown
    So once again this router does not appear to be stealthy.
    Message Edited by greno on 09-23-2007 02:24 PM

  • Ports and IPs to be open/permitted in firewall to download and work in creative cloud

    What is the complete list of ports and IP addresses to be open/permited in our enterprise firewall in order to let internal PCs download and work with creative cloud applications?

    Our firewall only supports IP configuration (not URL). Do you have IP list?

  • Does configuring an endpoint open a port in the guest VM firewall?

    Hi there. I found out that if I want to access a specific port in a VM (Java RMI in my case), I have to configure an endpoint for this port. However, I was surprised that configuring an endpoint was enough to access the port. I didn't change the firewall rules in the guest for this port and it was immediately accessible from outside Microsoft Azure.
    Does configuring an endpoint open a port in the guest VM firewall?

    Hi,
    According to the official article below, it indicates that "Firewall configuration is done automatically for ports associated with Remote Desktop and Secure Shell (SSH), and in most cases for Windows PowerShell Remoting. For ports specified for all other endpoints, no configuration is done automatically to the firewall in the guest operating system. When you create an endpoint, you'll need to configure the appropriate ports in the firewall to allow the traffic you intend to route through the endpoint."
    How to Set Up Endpoints to a Virtual Machine
    Best regards,
    Susie

  • MySQL port open in Leopard firewall (and in ipfw) but can't access

    Hi There,
    I'm trying to allow MySQL access to a Mac Mini dev server I've set up using MAMP Pro. I've installed OS 10.5 server because I couldn't open a port manually using the Terminal under a Snow Leopard client install.
    *MAMP Pro:*
    - "Allow local access only" is unticked under MySQL
    *Leopard Server Admin:*
    - MySQL port 3306 is open for "any"
    - I can also see it's open if I run this from the terminal "$ sudo ipfw list"
    *Querious Database App:*
    - If I try to connect to the database from a client machine using Querious via 3306 or tunnel via ssh I can't connect
    *Network Utility:*
    - If I do a port scan from my client machine no ports are open on the Mac Mini
    *Other info:*
    - Stealth mode is off
    - The Firewall is the only service which is running in Server Admin
    - I can connect via ssh/terminal from this same client machine
    - I'm just trying to connect on a local network (so not through a router etc)
    Obviously I thought this would be much simpler than it is! Are there other things that need to be configured - do I have to forward the port onto MAMP Pro somehow?
    Not sure how it all works sorry so any help would be much appreciated.
    Cheers
    Ben

    Hi Ben,
    I have done some brief digging on MAMP and it would appear that you're trying to override the inherent features in OS X Server by using MAMP instead. Apache, MySQL and PHP are all inherent parts of OS X Server, minus the unified interface of MAMP. (phpMyAdmin is open-source and can be installed independently.) This may have been necessary on a non-server (client) version of OS X, but not for Server. As Harry pointed out, removing those elements from OS X Server is not a simple task and you would be far better off using the built-in versions over trying to bypass them to run MAMP.
    3306 is the default port for MySQL, so your pings are reaching the mysql service. You may run into the same problem as I did when trying to establish external connections to mysql from anywhere other than on the host machine (whether that be across a LAN or via the Internet through PHP commands to the mysql service) since requests from anything other than the localhost will be rejected. Working around that with MAMP is not well documented. phpMyAdmin doesn't get under the hood to make the changes needed to allow requests from other hosts.
    The MAMP documentation is also lacking on how one can get under the hood of its mysql service, other than that you can access it through Terminal at:
    /Applications/MAMP/Library/bin/mysql
    in which case all normal mysql commands should work when working in that directory:
    /Applications/MAMP/Library/bin/mysql --host=localhost -uroot -proot
    All in all, though, I think it would be far easier to use the built-in versions. OS X Server is configured to work with what is already there and Apple's support documentation is built around that. Trying to get MAMP working means that you're pretty much on your own trying to figure out the whats, hows and whys when things aren't working. The Server Admin application gives you access to all those services (at least at a base level, excluding phpMyAdmin).
    For 10.5 Server, the built-in version of MySQL is 5.0.91; PHP version is 5.2.14; Apache version is 2.2.14, all of which are mostly-current, stable releases.
    I don't have any /mysql/msql directories inside the /var/ directory.
    That is really odd, as they should be there for an installation of Server.
    -Doug

  • Which ports to open for registering an iPod Touch OTA via proxy / firewall ?

    I need to set up  some iPod Touch over the air via a wifi network controlled with a firewall. I get a message "unable to connect registration server". I suppose I have to open ports, but which ones ??

    Try here:
    http://support.apple.com/kb/ts3297
    http://support.apple.com/kb/TS3125

  • I have an old external drive with a firewall connection-How do I use this on my Mac with its USB3 ports?

    I have an old external drive with a firewall connection-How do I use this on my Mac with its USB3 ports?

    Does your Mac have ThunderBolt ports?
    There are ThunderBolt to FireWire adapters.
    As far as I know there are no FireWire to USB 3 adapters.
    Allan

  • How to check whether a remote port is open or closed by a firewall

    Hi,
    Need to check whether a remote port is open or closed by a firewall. Can I use Java Socket class to do that?
    Is there any proper way?

    In general, there is no way to determine anything about the status of a firewall from the outside (unless you know one is running and you want to verify it's functioning correctly).
    When trying to connect to a socket, you might get a time-out, which means either the firewall is silently dropping packets or the server is down or too busy or that there is a network problem. Or your connection might be refused, which means either the firewall has denied your request or the server isn't listening on the port you specified.
    In most cases, you should only be interested in successful connections and not try to guess too much as to the cause of unsuccessful ones.
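
One way to observe the outcomes the answer above lists with the Java Socket class, as an added example that is not part of the original answer: a single connect attempt reports whether it was accepted, refused or timed out. The class name and the loopback demo in `main` are constructed so the code runs offline.

```java
import java.io.IOException;
import java.net.ConnectException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;

public class PortCheck {
    /** What the client observed; it is not a verdict on whether a firewall is involved. */
    enum Result { ACCEPTED, REFUSED, TIMED_OUT, OTHER_ERROR }

    /** Makes one TCP connect attempt to host:port and classifies the outcome. */
    static Result probe(String host, int port, int timeoutMs) {
        try (Socket socket = new Socket()) {
            socket.connect(new InetSocketAddress(host, port), timeoutMs);
            return Result.ACCEPTED;   // handshake completed: something is listening
        } catch (SocketTimeoutException e) {
            return Result.TIMED_OUT;  // no answer: packets dropped, host down or busy, or network fault
        } catch (ConnectException e) {
            // The OS can give up before our own timeout and report that as a ConnectException.
            String msg = String.valueOf(e.getMessage()).toLowerCase();
            return msg.contains("timed out") ? Result.TIMED_OUT
                                             : Result.REFUSED; // reset received: nothing listening, or a device rejected it
        } catch (IOException e) {
            return Result.OTHER_ERROR; // e.g. unknown host or no route to host
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length == 2) {
            // Check a host and port you administer: java PortCheck <host> <port>
            System.out.println(probe(args[0], Integer.parseInt(args[1]), 3000));
            return;
        }
        // Constructed loopback demo: a listening port, then the same port after the listener is closed.
        ServerSocket listener = new ServerSocket(0, 1, InetAddress.getLoopbackAddress());
        int port = listener.getLocalPort();
        System.out.println("listener up:     " + probe("127.0.0.1", port, 2000));
        listener.close();
        System.out.println("listener closed: " + probe("127.0.0.1", port, 2000));
    }
}
```

A TIMED_OUT result matches what ShieldsUP! calls "stealth" and nmap calls "filtered"; REFUSED matches "closed".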
