[CLUE-Tech] How secure is a Linksys BEFSR41 with these ports open

David Anselmi anselmi at americanisp.net
Sun Aug 18 20:31:29 MDT 2002


bof wrote:
> Hello,
> 
> I was seeking a firewall/NAT router for my DSL connection and bought a 
> Linksys BEFSR41. This post is to see if anyone else could check or 
> comment on my experiences with it.
> 
> Following its instructions to set up blocking WAN requests (according to 
> their User's Guide, this would deny ping requests to hide the network 
> ports (their words)), I then checked how well it was hidden by running 
> nmap against its IP address.
> 
> Here's what I found (the IP address is not shown for privacy and no 
> longer belongs to me anyway, since it was a DHCP allocation):

[ports 80/tcp and 53, 67, 69, 161, 520, and 5050/udp open, all else 
snipped...]

I would say that things are not as they should (could?) be.  But you 
need to be specific about what you are seeing.

First, ping has nothing to do with ports.  Ping uses the ICMP protocol 
(which is a sibling of TCP and UDP).  Since TCP and UDP are where ports 
are defined there are no ports for ICMP and it is incorrect to say you 
are pinging a particular port.

Second, you should be scanning from outside your LAN (that is, from the 
Internet side of your firewall--as Grant said).  If those ports are 
open, what is listening on them?  Is it the router/firewall?  Is it a 
machine behind the firewall?

Your firewall should not be listening for any connections from outside 
because that allows it to be abused.  For example, the Cisco 67x DSL 
router has a web interface that the Internet can see (by default).  One 
attack is password guessing to get in and reconfigure it.  Even worse 
though are attacks that exploit bugs in the web server code.  Code Red 
happened to exploit one of those bugs (by accident, I think).  So when 
Code Red was wrecking IIS servers, it was also locking up Cisco DSL 
routers.  Don't let anyone outside talk to your border router/firewall 
if you can help it.

Your firewall should not be passing inbound packets to machines behind 
it unless they are related to traffic originated inside (part of an 
outbound TCP connection or a response to an outbound UDP packet).  The 
only exception is when you are running a server that is publicly accessible.

Dave
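As an added illustration of the policy Dave lays out above (this is example
code written for this archive page, not anything from the original post and
not Linksys firmware), here is a small Python model of a stateful NAT
firewall: outbound traffic is allowed and remembered, inbound traffic is
accepted only when it is the reply to a remembered flow or is aimed at a
service you deliberately published, and everything else, including anything
addressed to the router's own listeners and unsolicited pings, is dropped.
The addresses, ports and the packet trace are constructed for the example;
the TCP state machine is deliberately not modelled.

```python
"""Toy stateful NAT/firewall model (constructed example, not real router code)."""
from __future__ import annotations
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str                    # "lan" = arrived from inside, "wan" = from the Internet
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None   # ICMP has no ports, so these stay None for it
    dport: Optional[int] = None
    flags: str = ""               # TCP flags for readability only ("S", "SA"); not enforced


class StatefulNatFirewall:
    """Allow everything outbound and remember it; inbound, accept only replies to
    remembered flows or traffic to explicitly published services; drop the rest."""

    def __init__(self, wan_ip: str, published: Optional[dict] = None):
        self.wan_ip = wan_ip
        # (proto, wan_port) -> (inside_ip, inside_port): the only holes opened on purpose
        self.published = dict(published or {})
        # (proto, wan_port, outside_ip, outside_port) -> (inside_ip, inside_port)
        self.nat: dict = {}
        # inside 5-tuple -> wan_port, so later packets of one flow reuse the mapping
        self.out: dict = {}
        self.next_port = 40000

    def handle(self, pkt: Packet) -> tuple[str, Optional[Packet]]:
        if pkt.proto == "icmp" and (pkt.sport is not None or pkt.dport is not None):
            raise ValueError("ICMP carries no ports; 'pinging a port' is meaningless")
        return self._outbound(pkt) if pkt.iface == "lan" else self._inbound(pkt)

    def _outbound(self, pkt: Packet) -> tuple[str, Packet]:
        if pkt.proto == "icmp":
            # Remember the peer so the echo reply (which also has no ports) matches.
            self.nat[("icmp", None, pkt.dst, None)] = (pkt.src, None)
            return "ACCEPT", replace(pkt, iface="wan", src=self.wan_ip)
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        wan_port = self.out.get(flow)
        if wan_port is None:
            wan_port, self.next_port = self.next_port, self.next_port + 1
            self.out[flow] = wan_port
            self.nat[(pkt.proto, wan_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return "ACCEPT", replace(pkt, iface="wan", src=self.wan_ip, sport=wan_port)

    def _inbound(self, pkt: Packet) -> tuple[str, Optional[Packet]]:
        if pkt.dst != self.wan_ip:
            return "DROP", None
        # 1. Reply to a flow that originated inside: translate back and pass it on.
        key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)
        if key in self.nat:
            inside_ip, inside_port = self.nat[key]
            return "ACCEPT", replace(pkt, iface="lan", dst=inside_ip, dport=inside_port)
        # 2. A service you chose to publish: forward to the inside host.
        if pkt.proto != "icmp" and (pkt.proto, pkt.dport) in self.published:
            inside_ip, inside_port = self.published[(pkt.proto, pkt.dport)]
            return "ACCEPT", replace(pkt, iface="lan", dst=inside_ip, dport=inside_port)
        # 3. Unsolicited: port scans, pings, and attempts to reach the router's own
        #    web/SNMP/TFTP listeners all land here.
        return "DROP", None


def run_trace(publish_web: bool = True) -> list[str]:
    """Run a constructed packet trace and return the verdict for each packet."""
    published = {("tcp", 80): ("192.168.1.20", 80)} if publish_web else {}
    fw = StatefulNatFirewall("203.0.113.10", published)
    trace = [
        Packet("lan", "tcp", "192.168.1.5", "198.51.100.7", 51000, 443, "S"),   # outbound SYN
        Packet("wan", "tcp", "198.51.100.7", "203.0.113.10", 443, 40000, "SA"), # its SYN/ACK
        Packet("lan", "udp", "192.168.1.5", "198.51.100.53", 5353, 53),         # DNS query out
        Packet("wan", "udp", "198.51.100.53", "203.0.113.10", 53, 40001),       # DNS reply
        Packet("wan", "udp", "192.0.2.99", "203.0.113.10", 4444, 53),           # unsolicited udp/53
        Packet("wan", "tcp", "192.0.2.99", "203.0.113.10", 4445, 80, "S"),      # SYN to port 80
        Packet("wan", "tcp", "192.0.2.99", "203.0.113.10", 4446, 8080, "S"),    # SYN to port 8080
        Packet("lan", "icmp", "192.168.1.5", "198.51.100.7"),                   # ping out
        Packet("wan", "icmp", "198.51.100.7", "203.0.113.10"),                  # echo reply
        Packet("wan", "icmp", "192.0.2.99", "203.0.113.10"),                    # unsolicited ping
    ]
    return [fw.handle(p)[0] for p in trace]


if __name__ == "__main__":
    for publish in (True, False):
        print("web published" if publish else "nothing published", run_trace(publish))
```

Run it and the only inbound packets that get through are the SYN/ACK, the DNS
reply and the echo reply (all related to something sent from inside) plus the
SYN to port 80, and that last one only when a web server was explicitly
published; with nothing published, the same SYN is dropped, which is the
behaviour you want from the router's own port 80.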
