Gibson shows lots of ports not stealth. How be all stealth?

Just ran the Shields Up ports test at grc.com, and it found many ports visible (but closed). I remember some time quite far back doing this and I was completely stealth.

So, why am I now not, and how do I be so?

Oh, just had to put in a new wireless router Linksys WRT120N.

Thanks.

That test is probing your router and not your software firewall. If you would like the test to probe your software firewall, you’ll need to set up a DMZ on your router. Refer to your router's documentation for specifics on how to accomplish this.

I don’t quite get this…if the router blocked the probe, the test would not fail. If it got through the router and Comodo blocked it, the test would fail.

Since the probes DID get through on many ports, neither router nor Comodo blocked them.

So, I still ask, what do I need to change to be all stealth?

Your router did block them. You said your ports were closed, correct? A closed port is a blocked port.

As I said, this test isn’t even seeing your computer.

You’ll need to refer to your router's documentation…

Not right. The probes DID get through both the router and Comodo.

There are three possible states:
a. stealth (cannot see anything)
b. port is acknowledged, but is closed. This is what mine is showing on many ports; others were stealth.
c. port is acknowledged and accepting input.

The problem with “b” is that an attacker knows he has found a live machine and can keep attacking. With “a”, he gets NOTHING back (stealth). It is as if your machine does not even exist, and this is the only acceptable state to have your machine to be seen…errrrr…not seen…in.

What makes you think the probes got through? This test does not even see your computer. If the ports on your router were closed, nothing got through.

Time for a strange real-world analogy that will hopefully drive the point home. GRC is looking at your clothes hamper to determine whether the clothes in your clothes washer are clean or dirty.

Actually, a port is only open or closed. Stealth is a term Steve Gibson made up for a firewall that doesn’t respond with the status of a port (open or closed). Stealth is actually non-standard TCP/IP behavior. As such, your router may not actually let you stealth all of your ports. As I said, you’ll need to check your router's documentation about this, as there is no setting in your software firewall that can influence your router…

There is a relatively easy way to determine which device (router or PC) was tested by Shields Up!

PHASE 1
Run the test again and write down the IP address Shields Up says it is testing.

PHASE 2
When finished, click the START button, type CMD and press ENTER (if you are using XP, click START - RUN and then type CMD and press ENTER). In the DOS box that opened, type IPCONFIG /ALL and press ENTER. This command will display the configuration of all currently connected network interfaces in your PC (not your router, only in your PC). Find the interface that you are using to connect to your router and check the IP address.

8 will get you 10 that the IP addresses identified in phases 1 and 2 are different.

If they are different, then Shields Up IS testing your router, not your PC.

The only way you would receive the same IP addresses is if you have configured your router to pass all ports through directly to your PC. If you have done this, please be aware your PC is directly exposed to the internet.

Cheers,
Ewen :slight_smile:

Hmm…I tried this test. Everything was stealthy and all that. The only way I could get CIS to give alerts was to DMZ both my DSL modem and my router. But even when I disabled my firewall…it still said I was stealth(ed?). Oh, I had Windows Firewall enabled. Blah, so is the Windows Firewall just as good as Comodo with inbound connections? ???

My a,b,and c above explained the possible three states of a port and there are three.

Second, the test does not choose whether it is testing the router or testing the firewall. It is sending packets to the computer. The router may block them or the SW FW may block them. But if there is ANY response, even “I’m closed” (that is not a ‘deduction’–it is an answer), the computer sent it. That means you are not a stealthy computer.

If the router does let the port hits through, the SW FW must block them (when they are not a response to a connection initiated by the computer).

OK, I found it. I had told Comodo to trust my local net. When I removed that rule, I now test out at GRC as completely in stealth mode.

My analysis is that, by trusting the whole local net addresses, I was also trusting the router LAN side address. Thus, anything sent to my computer from the router was trusted.

I think the fix will be to trust all local net addresses EXCEPT the router address. But somewhat wondering if that will mean the router cannot send me even legitimate stuff?

LOL. The same problem exists with “A”. Stealthing (or packet dropping and issuing no response) is non-standard and it is a dead giveaway that there is a live machine with a firewall at the other end of the connection. Using standard TCP/IP, an attempted probe will produce a range of responses, but a total lack of response (stealthing) is not one of them.

As I said, it’s a dead giveaway that there is a firewalled system at the other end of the connection.

Ewen :slight_smile:

As others in this thread have tried to explain, when you test your ports with a scanner like Shields-up and you have a router between the PC you are testing and the scanner, the test is actually against the ports of the router and not the PC.

This is from the Shields-up FAQ

Yes. Network Address Translation such as the Internet Connection Sharing (ICS) built into the second edition of Windows 98, allows multiple computers to share a single Internet connection. This is accomplished by assigning "private" IP addresses to the sharing machines. Since the external Internet sees only the single IP address of the NAT translating computer, there's absolutely no way for external Internet scanners to reach past the translating computer. This creates a high degree of security for the machines "behind" the main NAT computer.

In the paragraph above “NAT translating computer” = router

If, as you say, there are many ports showing as open, you should really check configuration of the router. Possibilities are:

  1. The router firewall is disabled
  2. The PC you’re testing is in the router's DMZ
  3. The router is broken, either through poor configuration or physically.

First, if an attacker hits an address that goes to nothing (is not assigned to anything in the universe) he gets nothing back.

If an attacker hits an address that IS assigned to you, and gets nothing back, you are saying he now knows you exist? Tell me what he saw coming back that was different than hitting a nonexistent address!!

If you get nothing back, you cannot conclude anything. You don’t know if you hit a non-existent machine or if it just didn’t respond. You are seeing the same thing in both cases. That is so obvious I can’t believe we are even discussing it.

As for NAT making you totally invisible, explain how, when I changed one rule in Comodo, I suddenly went from closed to stealth! If I were invisible to the test, a change on my end would have made no difference to the attacker because I was (supposedly) invisible! Clearly I was not totally invisible before deleting the rule.

Did you perform the test suggested above:

There is a relatively easy way to determine which device (router or PC) was tested by Shields Up!

PHASE 1
Run the test again and write down the IP address Shields Up says it is testing.

PHASE 2
When finished, click the START button, type CMD and press ENTER (if you are using XP, click START - RUN and then type CMD and press ENTER). In the DOS box that opened, type IPCONFIG /ALL and press ENTER. This command will display the configuration of all currently connected network interfaces in your PC (not your router, only in your PC). Find the interface that you are using to connect to your router and check the IP address.

8 will get you 10 that the IP addresses identified in phases 1 and 2 are different.

If they are different, then Shields Up IS testing your router, not your PC.

The only way you would receive the same IP addresses is if you have configured your router to pass all ports through directly to your PC. If you have done this, please be aware your PC is directly exposed to the internet.

Also see:

  1. The router firewall is disabled
  2. The PC you're testing is in the router's DMZ
  3. The router is broken, either through poor configuration or physically.

My guess, assuming you do actually have a router, is 1 or 2.

Of course the internet view of “me” is the router’s IP assigned by DHCP from the ISP. My computer IP on the LAN side of the router is in the local LAN's range. This is normal.

  1. The router firewall is disabled. NO
  2. The PC you’re testing is in the router's DMZ. THERE IS NO DMZ SET UP ON THE ROUTER.
  3. The router is broken, either through poor configuration or physically. NOPE.

The fact is that router is passing port probes on through to my computer. Comodo WAS allowing them through (and my computer was responding “here, but closed”), but when I deleted the rule previously referred to, Comodo began blocking the probes, and no response was sent back.

Because of this, I am perfectly happy with my setups now…I am stealth to the internet.

Wrong. The attacker would get one of several messages - TTL (time to live) expired in transit, Destination host unavailable, Request timed out or Unknown host.

If an attacker hits an address that IS assigned to you, and gets nothing back, you are saying he now knows you exist? Tell me what he saw coming back that was different than hitting a nonexistent address!!

Attacker hits a non-existent address = One of the above messages
Attacker hits a non-stealthed valid address = Valid response
Attacker hits a stealthed valid address = Absolute lack of any response

If you get nothing back, you cannot conclude anything. You don't know if you hit a non-existent machine or if it just didn't respond. You are seeing the same thing in both cases.

No, you’re not - see above.

That is so obvious I can't believe we are even discussing it.

That’s what I would have said, but here we are. 88)

From ZoneAlarm forums:
http://forums.zonealarm.com/showthread.php?t=74557
From the ShieldsUp site

Secondly, NAT very effectively HIDES all of your machines from the prying eyes of the Internet! Anyone scanning across your IP address will ONLY be able to "see" the NAT router! (Which is generally much more secure than the average PC.) So, they won't actually be touching any of your machines located BEHIND the router! Moreover, none of the software running inside your PC can "give out" your network's public IP address because it is completely unknown to your machines! Only the NAT router knows the public IP of your network, your machines only know their private "behind the router" IP's. So Internet client programs, like your web browser which send out the machine's IP address with every request, will be completely fooled and foiled when they're running behind a NAT router.

From the DSLReports site (my emphasis)

Depending on the Code Red variant, [u][b]it would pound a stealthed IP address/port anywhere from three to about ten times as much as it would a non-stealthed, but closed IP address[/b][/u]. (And let's not forget the unfortunate cable users who got hit with the ARP flood of Code Red II, in particular -- that was a pretty good, but apparently unintended denial of service attack against these individuals.) And apparently, if Steve Friedl is correct, KaZaA will just continue to pound away mindlessly forever!

There’s more out there - just google “stealthed ip address” or similar
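To make the three outcomes listed above (valid response, no response at all, and the error messages for a non-existent address) concrete, here is an added example that is not from any poster in this thread: a Python function, with the assumed names tcp_probe and demo_open_vs_closed, that makes a single TCP connect to one port on your own machine and classifies what came back. Open and closed are shown against loopback; the stealth case is the timeout branch, which you would only see against a dropping firewall.

```python
import socket


def tcp_probe(host, port, timeout=2.0):
    """Make one TCP connect attempt and classify the reply.

    open        : handshake completed (a SYN/ACK came back)
    closed      : the host answered with RST; it is alive but not listening
    stealth     : nothing came back before the timeout (packets were dropped)
    unreachable : the OS/network reported no route or host (ICMP-style errors)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:      # RST received: "here, but closed"
        return "closed"
    except socket.timeout:              # no reply at all: "stealth"
        return "stealth"
    except OSError:                     # e.g. network/host unreachable
        return "unreachable"
    finally:
        s.close()


def free_port():
    """Reserve and release an ephemeral port so we know one that is closed (constructed helper)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def demo_open_vs_closed():
    """Return (state of a listening port, state of a port with no listener) on loopback."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)                  # a listener in the backlog is enough to complete the handshake
    open_port = listener.getsockname()[1]
    closed_port = free_port()
    try:
        return tcp_probe("127.0.0.1", open_port), tcp_probe("127.0.0.1", closed_port)
    finally:
        listener.close()


if __name__ == "__main__":
    print("listening port -> %s, unused port -> %s" % demo_open_vs_closed())
```

Against a non-routable test address such as 192.0.2.1 the same function returns "stealth" after the timeout, or "unreachable" if your network answers with an ICMP error instead, which is exactly the distinction the list above draws.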

As for NAT making you totally invisible, explain how, when I changed one rule in Comodo, I suddenly went from closed to stealth! If I were invisible to the test, a change on my end would have made no difference to the attacker because I was (supposedly) invisible! Clearly I was not totally invisible before deleting the rule.

Before wading into this pool, can you please let us know IF you have run the 2 phase test I outlined above?

In your original post, you said

Since the probes DID get through on many ports, neither router nor Comodo blocked them.

Just because ShieldsUp reported the ports as closed doesn’t mean that the probing “got through”. It was blocked by the closed port on the router.

So, I still ask, what do I need to change to be all stealth?

Whatever you have to change, you’re going to have to change it on your newly acquired wireless router Linksys WRT120N.

Again, can you please let us know IF you have run the 2 phase test I outlined above?

Ewen :slight_smile:

I did not run the test because I have seen the results hundreds of times in my daily workings…but I provided you the answer… I said…

“Of course the internet view of “me” is the router’s IP assigned by DHCP from the ISP. My computer IP on the LAN side of the router is in the local LAN's range. This is normal.”

That answers the two “tests” you requested.

Besides, you win. One of your points I do agree with
Attacker hits a non-existent address = One of the above messages
Attacker hits a non-stealthed valid address = Valid response
Attacker hits a stealthed valid address = Absolute lack of any response

Therefore you win. Attacker would see a difference in stealthed destination vs. non-existent destination. You need to tell Gibson he is barking up the wrong tree.

He’s well aware of what his test does.

I just wish, as broadband is becoming more and more popular and the number of users behind routers is steadily increasing, that he would make it better known that if you are sitting behind a router, his test is basically irrelevant. Even if it were to report an open port, all that means is that your router has an open port. It does not mean the port is open on your computer.

That and the fact that your router reporting the status of its ports, or whether or not a ping succeeds, isn’t quite the security hole that he’d like you to believe it is. If somebody does manage to get past your router's firewall, they still need to deal with your software firewall. :wink:

Can I have my half hour back, please? 88)

Attached! ;D