Recently I set up my FTP server so my friends and I could share files. My worry is that if I allow “any” to the application rule using port 28, it turns out that the port probe using GRC’s test shows port 28 is open. What would be the safest way to configure the FTP client and CFP to show that it is stealthed? By the way, I’m using serv_U as my FTP server.
Here’s the thing… CFP doesn’t hold ports open, as some firewalls do; it simply monitors & filters the traffic, based on the existing rules.
What that means is, that so long as your FTP server (the application end of it) is not actively running/listening on that port, the port will be ‘stealthed.’ The port will only be open, and traffic allowed, when the authorized application is running on that port. Thus you need to make sure that your server setup is secure, for when it’s running…
Not as far as I know. If an application is utilizing a port, that port is detectable from the outside; it doesn’t matter if the application is listening or active, as the port is in use either way.
The only thing would be to limit the Protocols used on that Port’s Inbound Rule. In other words, rather than Allow IP In, you could Allow TCP In, or Allow UDP In (or TCP/UDP, if both are needed). This would stop ICMP pings. However, I think some security sites use TCP (basically a port scan) rather than an ICMP ping, to check for “stealth” ratings. You may be able to create some of these details in the Application Monitor as well, for your FTP server app.
A further detail to add to the Inbound Rule would be to specify the Source IPs (provided that your friends are on static IPs, or a range of IPs if need be). This will limit the accessibility that way, just to increase the security a bit.
Is it possible to define, within your FTP server controls, what IPs can access it?
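An added example, not from the thread, that makes the "open / closed / stealth" distinction in the replies above concrete: a TCP probe of the kind a "stealth" test uses can see three outcomes, and only the first of them requires an application to actually be listening. The demo binds a throwaway listener on a loopback port chosen by the OS (an assumption for illustration, not the poster's port 28) and probes it before and after the listener goes away.

```python
import socket

# Added example (not code from the forum thread). A TCP connection attempt,
# which is what scan-style "stealth" tests send, can end three ways:
#   open     - a listening application completed the handshake
#   closed   - nothing listens, the OS answered with RST (connection refused)
#   filtered - no answer at all within the timeout; this is what "stealth" means
def classify_tcp_probe(host: str, port: int, timeout: float = 1.0) -> str:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        # timeout: packets dropped silently (stealth); other OSError such as
        # host/network unreachable also yields no RST, so treat as filtered
        return "filtered"
    finally:
        sock.close()


def demo_open_vs_closed() -> tuple:
    """Show that a port reads 'open' only while an application listens on it.

    Binds a listener on a loopback port picked by the OS (constructed for the
    demo), probes it, closes the listener, then probes the same port again.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS choose a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = classify_tcp_probe("127.0.0.1", port)
    listener.close()
    after_close = classify_tcp_probe("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print(demo_open_vs_closed())  # ('open', 'closed')
```

Against a remote host the same probe returns "closed" when the firewall lets the OS answer with a reset and "filtered" when the firewall drops the packet, which is why a rule that only allows traffic to a running application still shows the port as open while that application is listening.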
Then something must be holding port 28 open; I would look at Windows as the culprit on that. Specifically, I’d be looking at svchost.exe, although there may be other options. Unfortunately, you can’t just block svchost, as it’s needed for other aspects of connectivity. It can be blocked, but it’s not simple, and must be very specific/selective.
You may want to file a ticket with Support on this. If you’ve got the exact same rule for both port 21 & 28 and have the FTP server running when you test, but are getting different results, there must be something different about the way the FTP server is using the port. That gets a little further beyond the level of help I can offer, unfortunately.
http://support.comodo.com/ You’ll need to register there; the forum’s registration doesn’t cross over. Please let them know that it’s for the current public release of the FW, v2.4, that you have already been in the forums (giving a link back to this topic would be good), and that a Forum Moderator advised you to file the ticket with them for more detailed assistance.
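To find out which process is holding a port open, as the reply about port 28 suggests checking, the usual Windows check is `netstat -ano` (listening sockets with owning PID) followed by `tasklist /FI "PID eq <pid>"` or `tasklist /svc` to map the PID to an executable or, for svchost.exe, to the services it hosts. The following is an added example, not code from the thread or from Comodo: it parses a constructed `netstat -ano` listing (all PIDs and addresses are made up) and returns the PIDs that hold a given port open for inbound traffic.

```python
# Added example (not from the forum thread). Constructed sample of
# `netstat -ano` output on Windows; PIDs and addresses are invented.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:28             0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    127.0.0.1:21           0.0.0.0:0              LISTENING       1234
  TCP    192.168.1.5:49152      203.0.113.7:443        ESTABLISHED     2048
  UDP    0.0.0.0:500            *:*                                    888
"""


def parse_netstat_ano(text: str) -> list:
    """Return one dict per connection row. UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or something we do not understand
        proto, local = parts[0], parts[1]
        if proto == "TCP":
            if len(parts) < 5:
                continue
            state, pid = parts[3], parts[4]
        else:
            state, pid = "", parts[3]
        # rpartition keeps IPv6 literals such as [::]:28 intact
        host, _, port = local.rpartition(":")
        rows.append({"proto": proto, "host": host, "port": int(port),
                     "state": state, "pid": int(pid)})
    return rows


def listeners_on_port(text: str, port: int) -> list:
    """PIDs that accept inbound traffic on `port` (TCP LISTENING or any UDP)."""
    return sorted({r["pid"] for r in parse_netstat_ano(text)
                   if r["port"] == port
                   and (r["proto"] == "UDP" or r["state"] == "LISTENING")})


if __name__ == "__main__":
    for p in (28, 21, 500, 49152):
        print(p, listeners_on_port(SAMPLE_NETSTAT, p))
```

In the sample the same PID owns both port 21 and port 28, which is the situation to confirm before concluding that Windows rather than the FTP server is holding the port; an established connection on 49152 is not a listener and is correctly left out.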