Cannot stealth ports with CFP3 or router.

[Guest]

[Comofo]

Passed all leak testing but Shields Up says it can see my ports even though I've stealthed them.

GRC Port Authority Report created on UTC: 2008-03-25 at 22:52:00

Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
                            119, 135, 139, 143, 389, 443, 445,
                            1002, 1024-1030, 1720, 5000

    0 Ports Open
   23 Ports Closed
    3 Ports Stealth
---------------------
   26 Ports Tested

NO PORTS were found to be OPEN.

Ports found to be STEALTH were: 21, 23, 80

Other than what is listed above, all ports are CLOSED.

TruStealth: FAILED - NOT all tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - NO Ping reply (ICMP Echo) was received.

In my Zyxel 660r-elnk settings I've tightened it up as best I could...
Is there something that I'm missing here?
Thanks

[sded]

Your "router" does not seem to have a stealth function.  A NAT (Network Address Translation) router blocks all traffic that is not a response to something you sent out, and usually has a firewall that does not respond to port probes.  I also had a cheap-ass Elnk crippled firmware router (PPPOE modem) several years ago, and it did not do NAT at all.   And my software firewall was inundated with "internet noise". The stealth ports show up in the report because:  your firmware can block telnet (port 23), ftp (port 21) and web/http (80) from responding.  Ping (ICMP) doesn't use ports; SNMP is not blocked from WAN to LAN, so shows up only as closed-apparently the SNMP ports do respond.  A "stealthed" port does not repond to inputs from the internet.  If your router has a port that is only closed, it responds with a "request denied".  If that is the case, there is obviously nothing CFP3 can do to stealth it afterward.  Assuming your "elnk router" can be set up in bridge mode, so it is only a modem passing WAN data to your computer, there are a couple of options.   One solution is to buy a stealthable NAT router and use your current "router" as a DSL bridge.  Linksys wrt54g or gl wireless router is probably still the most popular, can be had for $40 or so, but there are lots of other good stealthy NAT routers.   Another solution is to directly connect to your LAN port and set up the PPPOE connection on your computer, and let CFP3 do the stealthing. 

[Comofo]

Thanks S,
I appreciate the information.
I'm going to investigate this further and see what I can work up. It appears that there's a NAT function, but I need to study up on this a bit (or a lot) and am pleading ignorance...I have to do my homework in this department before proceeding.
The good news is that I have  a few routers laying around [SMC Barricade and a Lynksys or two] ...wondering if I can replace the elnk altogether.
I'll come back when I'm smarter.

Ps. And yes, in the title I meant modem - not router .

[sded]

Sorry for adding to the confusion; I made some  corrections to the previous message.     You do have the NAT function, of course, but not apparently the firewall/stealth capability that usually goes with it in a NAT router.  Elnk did actually send me a NATless PPPOE modem I remember less than fondly.  Without NAT, some of your ports would show as open.  You probably can't replace it entirely, because you need the modem part, but putting it into bridge mode should let you use both the NAT and firewall/stealth capabilities of the Linkysy or SMC router and allow stealthing of your ports.  It should also do the PPPOE.  Unless you can find a setting on your current router that turns off WAN responses. 

[Comofo]

Thanks again sded,
While I was away I did some homework and; Yes, you're right on the $$$ (as usual )
Looks like the Barricade is the bad boy of the two and there's even a "wizard" in my web configurator to help me along the way. Other like-minded forums are all indicating that this is a proverbial cakewalk...so I'll no doubt be stymied. Sometimes I feel like an ape with an abacus. 

Obliged 

[Vettetech]

Thats odd. I have a 2Wire Gateway DSL Modem with a hardware firewall and I have alot more options then just yours Comofo. I dont even need a software firewall to pass any on site port test all stealthed. Like sded said check your stealth settings and echo ping if there is an option.

[Comofo]

Thanks Vet,
I know...either I'm completely ignorant to the methods of doing this, or there are no such options available with the p660r-elnk. The only security measures I can find are what you see in my pic above - which I obviously have as tight as they can be (ping is there).
I'm currently checking with the folks over at dsl reports to confirm this, but I think I'll be employing the Barricade before too long. Here's what they've said:
The ZyXEL P660R is a Router. Its default setup mode is Router Mode and the ZyXEL P660R uses NAT/NAPT since the ZyXEL obtains a Public IP from EL and it hands our Private IPs to PCs connected to it on the LAN (multiple PCs can be added by purchasing a simple 10/100 Multi-Port Switch. As the first FAQ below states, The ZyXEL P660R once configured supports "up to" 32 PCs since it is preset to hand out that many Private IPs by default on its DHCP server settings page. It can actually be set to handle "up to" 253 PCs like any Router if you add enough ports....but this doesn't really help me...does it?

[sded]

Not really a help.  It is a single port router, which is good since you can just use a switch for distribution-I didn't see the DHCP function in your pictures, but apparently it has one-probably on the LAN tab.  Don't understand why it doesn't stealth the ports, but the technical spec for TCP/IP is to respond with a nack/ack, not remain silent-just almost no one does that anymore for internet routers because of security concerns.  Check again for an obscure setting that turns off the responses-you showed us it's not there on the security tab, so maybe the WAN tab?  I wonder if the non-elnk version has a "firewall tab"?  Often the "free" ISP routers have something like that disabled so you can't sell them on eBay in competition with the vendor version. 

[Comofo]

Before I read the 20,000 word manual I thought I'd post these for the heck of it - in case you see something I don't.
I really do appreciate the extra help here guys, I'm fully aware this is almost entirely out of Comodo territory.

Obliged,
mo

[sded]

Change NAT mode to "full feature" and see what happens under "edit details". 

[Comofo]

Got it. Rooks rike this...

[sded]

Does "full feature" stealth your ports?  If not, turning off "SIP ALG" looks like your last chance. 

[Comofo]

Ya know...I don't know.

What'da think of this (reading manual.pdf presently)

[Vettetech]

In all those tabs there isn't a thing about stealthing any where, odd. Really odd. Time to get e new modem. LOL. Here is a screen shot of my 2Wire DSL modem.

[Comofo]

Thanks Vet,
I know...it's starting to PMO too. The support forums keep telling me "it IS a NAT router" and I say " I know, but it doesn't seem to stealth - so should I bridge another w/ NAT stealthing capabilities?" to which they'll say "Don't you get it? It is a NAT router. What don't you understand?" and so on in that manner until there's a vain poking out of my forehead.

So it seems that I'm only able to block traffic - and hide nothing. I don't know...nobody does...if they do, they're not talking.

I don't think I can ditch the Zyxel altogether with Jerk-Link the way they are...wonder if they'd be willing to sell me a slightly better one for more than it's worth? That'd be great.

I appreciate you guys taking the time though...really.

[Tags:]