What to do in lieu of "Default Action: Block"?

johndball · 12-21-2011, 12:20 PM

Need some more help with 9.x. Trying to block everything from 1-1024 incoming. When I port scan the box there are many ports reporting as open.

Is this the BOX that is showing open? Any way to close these ports?

dmorris · 12-21-2011, 12:26 PM

Is Untangle running as a router? Do you have port forwards?

johndball · 12-21-2011, 12:30 PM

Yes and yes.

dmorris · 12-21-2011, 12:39 PM

Well, those ports aren't open on Untangle (well, 443 is, but the rest aren't). So my guess would be that you are forwarding the traffic to server with those ports open.

I'd try removing your port forwards.

johndball · 12-21-2011, 12:49 PM

This is the setup.

Mathiau · 12-21-2011, 12:55 PM

which ports is it claiming are open?

johndball · 12-21-2011, 01:07 PM

See the first attatched image in the start of this thread.

raditude · 12-21-2011, 01:24 PM

I know by default (without any port forwards and with the firewall default action pass), you can see port 22 and 443 (both can be altered to closed easily), but all other ports (on external interface) should be noted closed (this has been verified by several scans/companies). If you are not seeing this, then you or someone has opened them up with port forwards/bypass/packet filter changes.

sky-knight · 12-21-2011, 01:27 PM

Yup, commonly people go into the packet filter and untick the "block all local traffic" rule. That make UT show all sorts of stuff open.

By default a UT in router mode, on external a port scan should show TCP 443 as open, and TCP 22 as closed. All of the rest of the ports are "stealth".

johndball · 12-21-2011, 01:29 PM

This is a brand new install (actually the 4th brand new install).

I'm the only one with access. Would you like to access the box?

johndball@johndball.com
jball@nola.gov

985.290.9812
504.658.6703

12-21-2011, 12:26 PM	#2 (permalink)
dmorris Untangle Junkie Join Date: Nov 2006 Location: San Mateo, CA URLs submitted: 10 Posts: 10,611	Is Untangle running as a router? Do you have port forwards? __________________ Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself. If you need Untangle support please call or email support@untangle.com

12-21-2011, 12:39 PM	#4 (permalink)
dmorris Untangle Junkie Join Date: Nov 2006 Location: San Mateo, CA URLs submitted: 10 Posts: 10,611	Well, those ports aren't open on Untangle (well, 443 is, but the rest aren't). So my guess would be that you are forwarding the traffic to server with those ports open. I'd try removing your port forwards. __________________ Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself. If you need Untangle support please call or email support@untangle.com

12-21-2011, 12:55 PM	#6 (permalink)
Mathiau Join Date: Feb 2008 Location: Costa Frickn' Rica Posts: 1,467	which ports is it claiming are open? __________________ Def1:Started:UT 7.1 x64 -- Current :UT 9.1 x64\| Gigabyte GM-G31 mATX \| Intel Q8200 \| 8G DDR2 800 \| 80G WD \| 4x Intel Pro 1000 GT NIC's \| Corsair 550W PSU \| Norco RPC-250 2U Case \| 50mb/50mb \| 10 users

12-21-2011, 01:27 PM	#9 (permalink)
sky-knight Join Date: Apr 2008 Location: Phoenix, AZ URLs submitted: 8 Posts: 15,454	Yup, commonly people go into the packet filter and untick the "block all local traffic" rule. That make UT show all sorts of stuff open. By default a UT in router mode, on external a port scan should show TCP 443 as open, and TCP 22 as closed. All of the rest of the ports are "stealth". __________________ Rob Sandling, BS:SWE, MCP Intouch Technology Phone: 480-272-9889 rob@intouchtechllc.com UntangleAppliances.com Phone: 866-794-8879

12-21-2011, 01:29 PM	#10 (permalink)
johndball Master Untangler Join Date: Apr 2008 Location: New Orleans, La Posts: 103	This is a brand new install (actually the 4th brand new install). I'm the only one with access. Would you like to access the box? johndball@johndball.com jball@nola.gov 985.290.9812 504.658.6703 Last edited by johndball; 12-21-2011 at 01:47 PM..

Protect

Filter

Perform

Connect

Manage

Add-Ons

12-21-2011, 12:30 PM	#3 (permalink)
johndball Master Untangler Join Date: Apr 2008 Location: New Orleans, La Posts: 103	Yes and yes.

12-21-2011, 01:07 PM	#7 (permalink)
johndball Master Untangler Join Date: Apr 2008 Location: New Orleans, La Posts: 103	See the first attatched image in the start of this thread.

12-21-2011, 01:24 PM	#8 (permalink)
raditude Join Date: Jan 2009 Location: Eugene, OR Posts: 1,112	I know by default (without any port forwards and with the firewall default action pass), you can see port 22 and 443 (both can be altered to closed easily), but all other ports (on external interface) should be noted closed (this has been verified by several scans/companies). If you are not seeing this, then you or someone has opened them up with port forwards/bypass/packet filter changes.