Not stealthed

Sorry to post this a second time but I haven’t had any reply yet.

Original post read
“I have been using COMODO firewall for a month …no problems…
However, I checked with SHIELDS UP (Gibson) today and it showed that
Port 1 tcpmux - TCP Port Service Multiplier - was closed but not stealthed
Before, I got 100% stealth rating and I have changed nothing.
Any comments about this?
How can I stealth this port?”

Is there any reason why this port does not show up as stealthed?
I never had this result in the past.
Can anyone tell me how to stealth this port?
Does anyone else have this result?
I cannot understand why this firewall does not stealth this particular port.
I would appreciate any advice.
Thanks

Sorry no one has answered your first thread, TheBFG. (BTW, I removed that older one to avoid duplication).

I would’ve answered earlier, without a doubt, had I known the answer :-[. The fact that it’s closed rather than stealth means that CFP is at least protecting you because you’re still safe. The basic difference is that stealth means the internet won’t “know” whether your ports are there or not. Another thing to note is that there is some application/process/service running that is using this port, if I’m not mistaken.

I found some related info: http://en.wikipedia.org/wiki/TCPMUX

TheBFG, are you behind a router? Because if you are, this test scans your router, not your computer.

I don’t know about that, Bubu74. Why would it also be just port # 1?

I’m not sure I know why it’s just port 1, but there is a thread over at Wilders: http://www.wilderssecurity.com/showthread.php?t=148627 (granted it’s not about CFP) that has some details about port 1 and routers…

Toggie

I’m not sure, I think it depends on the firewall that is integrated into the router.

When I run the GRC test connected through a router, I also get many closed ports, depending on the router’s firewall settings. On the other hand, when connecting with dial-up, all ports are stealth :)

Thank yous. I don’t have a router so I didn’t know. Two members with the same answer must be right. :D

Some say that GRC doesn’t report correctly on some issues, so it may be worth trying some other tests, such as

http://hackerwatch.org/

Toggie

With the exact same setup, I get different responses on each test site. And yes, I’m behind a router, so that’s being tested. I can go from one to the other, with the same applications running, and have different results. Go figure.

Whether they’re inaccurate or not, they are different. This would lead me to question the accuracy, at any rate.

Generally it seems to be considered a better/more reliable test to use a resident scanner (such as SuperScan) and scan the localhost for open ports.

There is also debate over whether it is “better” to have “stealthed” ports or “closed” ports; all agree you do not want “open” ports! Basically, if a hacker gets either no reply (stealth) or a port unreachable reply (closed), they know the same thing: a computer is there, and it has a firewall.

LM
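An added example, not part of any post in this thread: a small local check in Python that sorts TCP ports into the states discussed above (open, closed, stealth) by how a connection attempt ends. The function names, the extra "unreachable" bucket and the 1-second timeout are choices made for this example; the port list is taken from ports that come up in this thread and is checked against 127.0.0.1 only.

```python
import socket
from collections import Counter

# Ports that come up in this thread; 127.0.0.1 means "this machine only".
THREAD_PORTS = [1, 113, 135, 445, 1025, 5000]
STATES = ("open", "closed", "stealth", "unreachable")


def classify_tcp_port(host, port, timeout=1.0):
    """Classify one TCP port using the thread's vocabulary.

    open        - the handshake completed, so something is listening
    closed      - the host actively refused the connection (TCP reset)
    stealth     - no reply at all before the timeout (silently dropped)
    unreachable - any other network error, e.g. no route to the host
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "stealth"
        except OSError:
            return "unreachable"


def scan_ports(host, ports, timeout=1.0):
    """Return {port: state} for every port in the list."""
    return {port: classify_tcp_port(host, port, timeout) for port in ports}


def summarise(results):
    """Count how many ports ended up in each state."""
    counts = Counter(results.values())
    return {state: counts.get(state, 0) for state in STATES}


if __name__ == "__main__":
    results = scan_ports("127.0.0.1", THREAD_PORTS)
    for port, state in sorted(results.items()):
        print(f"{port:>5}/tcp  {state}")
    print(summarise(results))
```

A port reported as "open" here only means a local process is listening; whether it is reachable from the internet still depends on the firewall and any router in front of the machine.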

And what about a listening port that’s opened up for a program like uTorrent to accept incoming connections? When testing at those scanning sites it shows Opened, but is it just for uTorrent or can the internet hack from there? (Common question, but our friends need to know (:WIN))

If a port is open and you don’t have CFP (or some form of firewall), you’re vulnerable.

However, with CFP an inbound connection will only be allowed if there is an allowed application actively running to receive it. So to take the p2p example, with utorrent. Let’s say you have rules in the NetMonitor to allow TCP, and UDP In, on port 46847 (just to pick a number). There are a couple things you need to know:

  1. The port is not OPEN. Not unless utorrent is running; then it’s a listening port (which is still not actually the same as being open). This is why it’s important to set the port in the p2p application, application & network rules, so that access is controlled, and you don’t have some other application authorized to use the same port…
  2. In order for a connection to be successful, utorrent must be running and accessing the torrent (now the port will be seen as open). However, there can only be a connection if the NM rule matches an AM rule, and the app in question is actively running.

Just to give an idea of testing your security, here’s some scan results:

The IP list contains 1 entries
Service TCP ports: 179
Service UDP ports: 88
Packet delay: 10
Discovery passes: 1
ICMP pinging for host discovery: Yes
Host discovery ICMP timeout: 2000
TCP banner grabbing timeout: 8000
UDP banner grabbing timeout: 8000
Service scan passes: 1
Hostname resolving passes: 1
Full connect TCP scanning for service scanning: No
Service scanning TCP timeout: 4000
Service scanning UDP timeout: 2000
TCP source port: 0
UDP source port: 0
Enable hostname lookup: Yes
Enable banner grabbing: Yes

Scan started: 03/13/07 11:25:33

-------- Scan of 1 hosts started --------
Scanning 1 machines with 1 remaining.
-------- Host discovery pass 1 of 1 --------
Host discovery ICMP (Echo) scan (1 hosts)…
1 new machines discovered with ICMP (Echo)
TCP service scan (SYN) pass 1 of 1 (1 hosts x 179 ports)…
UDP service scan pass 1 of 1 (1 hosts x 88 ports)…
Performing hostname resolution…
Performing banner grabs…
TCP banner grabbing (0 ports)
UDP banner grabbing (0 ports)
Reporting scan results…
-------- Scan done --------

Discovery scan finished: 03/13/07 11:25:46


This was done just now, while connected to the internet, with Firefox running. Note the attached screenshot from currports; firefox has established connections on localhost, but the scan still shows nothing is open…

LM

[attachment deleted by admin]

So in short, there’s nothing to worry if it’s set up in the application, the Application Monitor, and the Network Monitor to all match the same port #.

Thanks for the explanation.

In short, you are correct. :D

Little Mac, sorry for being off topic, but may I ask you what options did you use for this scan? Whatever I do, all I get is this:


http://img471.imageshack.us/img471/8396/ssui4.jpg

What am I doing wrong? ???

Bubu74,

I’ve attached two 'shots of SuperScan settings. If yours is the same, I’m not sure. The only thing I would think at that point is if you blocked it with CFP; I normally get two popups asking permission to connect, which I allowed (without remember).

LM

[attachment deleted by admin]

Thanx for the answer.
Unfortunately it didn’t help :(, it still cannot find localhost…
I don’t think that CFP blocks it, since I’ve tried scanning with CFP off (allow all).

I finally solved the problem with SuperScan not scanning the localhost: for some reason it doesn’t work with the wireless connection, but it works perfectly with the wired one.

But there is another problem: superscan found 5 opened ports:

TCP Ports (5)
113 Authentication Service
135 DCE endpoint resolution
445 Microsoft-DS
1025 network blackjack
5000 UPnP / filmaker.com / Socket de Troie (Windows Trojan)

Total hosts discovered 1
Total open TCP ports 5
Total open UDP ports 0

Is this something I should be worried about?

Thanks for the replies
My set up …I have cable connection in my home. Three computers are on the network.
One of them (mine) has COMODO firewall…the other two use XP2 firewall.
The cable modem output is split by a switching HUB.
Two weeks ago this setup was exactly the same and ALL computers recorded 100% stealth on the Shields Up test.
Now ALL computers show port 1 as closed rather than open.
So I realize now that maybe it’s not a COMODO issue.
But I still don’t see why the change occurred.
But at least I can see COMODO is doing its job in the light of the replies.
If anyone has any other suggestions I appreciate it (it’s always good to increase knowledge!)
Thanks

First question, did you have any applications (such as your browser) open when you ran Superscan?

Port 113 is normally used for IDENT on IRC channels.
Port 135 is for RPC (Remote Procedure Call) used by some applications in an MS world.
Port 445 is used for various things on a MS Active Directory network.
Port 1025 is a bit strange! Do you play on-line card games?
Port 5000 is for SSDP and UPnP; unless you have a router that needs this, you can kill the services.

I guess we need a little more information to make a decision…

Toggie

TheBFG,

A couple questions:

  1. What Make/Model of cable modem do you have?
  2. If you open CFP, on the Summary page on lower right, it shows your IP address. Is this address the same/different than the one showing in your posts on the lower right corner?

LM