


Difference Between A Filtered And A Closed Port?


Maven
Premium Member
join:2002-03-12
Canada


Closed vs. Filtered

Forgive me if this has been answered before, but I searched Yahoo and the security FAQ yet came out empty. What is the difference between closed and filtered ports? If a computer has all its ports closed, why would it not be fine?


Marilla9
I Am My Own Arbiter
Premium Member
join:2002-12-06
Belpre, OH

Someone may correct me on specifics... as nit-picky as I can be, I'm not always that great on exact wording... that said:

As far as I understand it, 'Closed' and 'Filtered' aren't really directly related...

Closed means that no daemon/service is configured to respond on the port in question on a specific host.

Filtered means that there is a firewall somewhere which is 'intercepting' and dropping communications for a port. Actually, you don't so much filter a PORT as you filter datagrams based on whatever the rules are... and it's entirely possible that the 'rules' can be "drop all packets for this port" or "drop all packets EXCEPT those for this port"

The reason I say they aren't necessarily directly related is this: It's entirely possible for a port to be Open, yet filtered. In fact, that's one of the greatest reasons to have a firewall in the first place: To enable a service (such as file sharing) to be available on your private network, but to have connections from outside to that service 'filtered' such that they do not get through.

Or.. umm.. something like that!

So, to answer your last question: If ALL of the ports are truly closed, then it would seem there isn't really a need for them to be filtered, too... but.. there's just a little more, because I mentioned a THIRD possibility above: Dropped.

When a port is 'closed', say port 80, and I try to connect to a computer on that port, the computer in question usually sends back an instant reply saying, "Hey, I don't have any service running on that port!" That's the normal behavior on a 'closed' port.

When communications to that port are "filtered" or "dropped", though... that "there's nothing here" response never gets sent. This is usually what some online tests mean when they say a port is 'stealthed', and it is a little better than only being 'closed', because it forces a port scan to wait for a timeout before it can declare the port responding or not.


Randy Bell
Premium Member
join:2002-02-24
Santa Clara, CA

The classic discussion at DSLR was done in this old thread:

»Closed vs Stealthed Ports

but it is quite long, I warn you .. yet very informative and interesting.


Maven
Premium Member
join:2002-03-12
Canada

Thanks for the replies.

Wow, that's quite the discussion, Randy Bell. I've only read the first two pages, but I've picked up the gist of it so far - Stealth is overrated. It reminds me of the recent thread called "Uh Oh... You're not going to like this!" (»Uh Oh... You're not going to like this!), where there is an interesting discussion on whether firewalls are useful or not.

In my case, since the command netstat -an reports nothing unless running an internet application, I assume that running a firewall would be redundant. I am on WinME with NetBios disabled and not running file sharing.
[text was edited by author 2003-08-07 03:27:57]


Randy Bell
Premium Member
join:2002-02-24
Santa Clara, CA

said by Maven:
In my case, since the command netstat -an reports nothing unless running an internet application, I assume that running a firewall would be redundant. I am on WinME with NetBios disabled and not running file sharing.

Perhaps somewhat "redundant" as far as inbound traffic control; but not as far as outbound control. Without a firewall, you have no outbound control over rogue programs or apps that might try to connect out to the Net. You also have no logging of traffic in/out of your box. This is why I usually recommend a software firewall, even for people who have a NAT router; since the router takes care of inbound traffic but has no effective outbound control. I too have a tight system with NetBEUI substituted for local networking, file sharing and NetBIOS uncoupled {unbound} from TCP/IP, etc. -- but I still use ZA on all boxes in my home network. HTH

to Maven
said by Maven:
Forgive me if this has been answered before, but I searched Yahoo and the security FAQ yet came out empty. What is the difference between closed and filtered ports? If a computer has all its ports closed, why would it not be fine?

Yes, that should be fine.
If I understand correctly, filtered and closed will give the same response to someone probing that port. Which is nothing. The packet will just silently be dropped and it will seem that there is no computer at the end.

OTOH, if the firewall is set up to "deny" it drops the packets and notifies the probing host that the packet was rejected.
Which lets the probing computer know there is a machine at the other end.


R2
R Not
MVM
join:2000-09-18
Long Beach, CA

said by catahoula:
If I understand correctly, filtered and closed will give the same response to someone probing that port. Which is nothing. The packet will just silently be dropped and it will seem that there is no computer at the end.

Not exactly... for TCP/IP ports:

Filtered = Stealth = no response at all is sent back to the requesting site.

Closed = a specific "port is closed" response is sent back to the requesting site.

said by R2:

Filtered = Stealth = no response at all is sent back to the requesting site.

Closed = a specific "port is closed" response is sent back to the requesting site.


I thought "Reject" sent a response and "DENY" just dropped the packet.

Where did "stealth" come from anyway? I thought there were only the "Drop" and "Reject" flags?


Marilla9
I Am My Own Arbiter
Premium Member
join:2002-12-06
Belpre, OH

"stealth" is mostly, from what I understand, a term used by online scanning utilities.. like the scanner here on this site. They report that the ports they check are in one of three states:

Open: Meaning a service is active and responding on that port.
Closed: Meaning communications are getting through to the host on the port in question, but that host has no daemons/services and is responding to that effect.
Stealth: Meaning the communication was simply dropped, and no response was sent at all.

"Reject" and "Deny" are terms that the firewall itself uses as to what it does. I MIGHT have these backwards (I always get them backwards! hehe)... but when a firewall "Rejects" a packet, that will result in a "Stealthed" result.. when a firewall "Denies", there may be a "Closed" response... As I said, I may have 'reject' and 'deny' backwards... but one just sends the communication to the great packet bucket in the sky, while the other one sends a specific reply saying, "nothing to see here".

So the confusion stems from two separate sets of terms, used in two different realms of discussion... from the point of view of the port scanner, or of the firewall.


Randy Bell
Premium Member
join:2002-02-24
Santa Clara, CA

In the context of the thread title: "closed vs filtered" -- I think R2 got it right:

said by R2:
for TCP/IP ports:

Filtered = Stealth = no response at all is sent back to the requesting site.

Closed = a specific "port is closed" response is sent back to the requesting site.


I think the other interpretation is not consistent with what the thread author means in his thread title. JMHO, HTH


MeDuZa
join:2003-06-13
Austria

to Maven

The oft used association of STEALTH with INVISIBLE is snake oil.
In case you wouldn't be there, the nearest router located at your provider would respond with
"ICMP-Host unreachable"
No answer means that you are there and the requests have been dropped by a packet filter (FW)

REJECT means an active rejection of a connection attempt with a special ICMP message.
DENY means to throw away the connection attempts. The inquiring computer gets a timeout in this case.

to Marilla9
said by Marilla9:
"stealth" is mostly, from what I understand, a term used by online scanning utilities.. like the scanner here on this site. They report that the ports they check are in one of three states:
[..]

"Reject" and "Deny" are terms that the firewall itself uses as to what it does. I MIGHT have these backwards (I always get them backwards! hehe)...
[..]
So the confusion stems from two separate sets of terms, used in two different realms of discussion... from the point of view of the port scanner, or of the firewall.


I get them backwards too sometimes! lol

So the "closed" state would be the most ideal then. Or so it sounds, because the probing computer would have no evidence of a service there to attack.

It sounds as if "stealth" lets the hacker know there is a firewall there because the packet was simply dropped.


gwion
wild colonial boy

join:2000-12-28
Pittsburgh, PA

to Maven

I think he may be using "filtered" as used as a term of art by nMap and nMap inspired port scanners, perhaps? An nMap scan might return something like:

Starting nmap V. 3.10ALPHA3 ( www.insecure.org/nmap )
Interesting ports on 195.98.xxx.xxx:
(The 1601 ports scanned but not shown below are in state: filtered)
Port State Service
21/tcp open ftp
22/tcp open ssh
113/tcp closed auth

From the nMap man page, »www.insecure.org/nmap/da ··· age.html :

The result of running nmap is usually a list of interesting ports on the machine(s) being scanned (if any). Nmap always gives the port's "well known" service name (if any), number, state, and protocol. The state is either "open", "filtered", or "unfiltered". Open means that the target machine will accept() connections on that port. Filtered means that a firewall, filter, or other network obstacle is covering the port and preventing nmap from determining whether the port is open. Unfiltered means that the port is known by nmap to be closed and no firewall/filter seems to be interfering with nmap's attempts to determine this. Unfiltered ports are the common case and are only shown when most of the scanned ports are in the filtered state.


Randy Bell
Premium Member
join:2002-02-24
Santa Clara, CA


said by gwion:
The state is either "open", "filtered", or "unfiltered". Open means that the target machine will accept connections on that port. Filtered means that a firewall, filter, or other network obstacle is covering the port and preventing nmap from determining whether the port is open. Unfiltered means that the port is known by nmap to be closed and no firewall/filter seems to be interfering with nmap's attempts to determine this. Unfiltered ports are the common case and are only shown when most of the scanned ports are in the filtered state.

Precisely what R2 stated, thanks gwion.

[text was edited by author 2003-08-07 19:57:30]


R2
R Not
MVM
join:2000-09-18
Long Beach, CA


to catahoula7

said by catahoula7:
So the "closed" state would be the most idea(l) then. Or so it sounds, because the probing computer would have no evidence of a service there to attack.

It sounds as if "stealth" lets the hacker know there is a firewall there because the packet was simply dropped.


It depends on how you look at it...

I believe the term "stealth" was coined or at least put into THIS general use by GRC. Previously, the term "stealth" referred to the Type of port scan being done. Regardless, at this point in time we have to accept that many people are going to use the term "stealth" to mean "filtered" -- which simply means the packet was "dropped". This means, the receiving computer sends NO acknowledgement back to the requesting computer.

If someone is probing your ports and every single probe is not returned, then your computer is relatively "invisible" -- meaning that the prober does not know for sure if your computer is on the Internet or not. You could just have your computer turned off or unplugged it -- the prober cannot easily tell. You cannot assume with 100% certainty that a "stealth" response (i.e., no response) means the user has a firewall.
______________________________

An "ICMP-Host Unreachable" packet is not generated when a firewall "drops" or "filters" a packet -- as stated above.

Still, when I tried to probe non-existent IP addresses (e.g., 123.123.123.123 or 111.111.111.111) with 4 TCP/IP SYN packets, I also got NO RESPONSE -- the requests "timed out". I did NOT get back any ICMP-Host Unreachable packets -- I don't know why. I just know that when I probed port 80 on those addresses with 4 TCP/IP SYN packets, I got no response at all.

If I probe port 80 at DSLR, I get an Open response (open = SYN/ACK) -- see above. If I probe port 81 at DSLR, I get a Closed response (ACK/RST). If I probe port 1234 at DSLR, I get back nothing -- a "filtered" or "stealth" response -- if you will. I get the same response (NONE) when I probe port 1234 here that I do when I probe any port at the non-existent sites.

That being said, I then tried a simple ping of those addresses, and I found this:

Pinging 123.123.123.123 with 32 bytes of data:

Request timed out.
Reply from 65.112.160.53: Destination host unreachable.
Request timed out.
Reply from 65.112.160.53: Destination host unreachable.

Ping statistics for 123.123.123.123:
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\WINDOWS\Desktop>ping 111.111.111.111

Pinging 111.111.111.111 with 32 bytes of data:

Request timed out.
Reply from 65.123.254.57: Destination host unreachable.
Request timed out.
Request timed out.

Ping statistics for 111.111.111.111:
Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms


Which -- I believe -- just so happens to prove MeDuZa's point! :) Even though I got no response to a TCP/IP probe, at least SOME of the ICMP probes clearly come back Destination Host Unreachable. But not all...

Therefore, perhaps with extensive probing one could figure out with some partial degree of certainty that the computer has a firewall. BUT... given the erratic response of the ICMP packets, this seems a little challenging and makes it difficult to be absolutely sure....
[text was edited by author 2003-08-08 10:39:29]
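Added example (mine, not code from any poster in this thread): a small Python probe that maps what comes back from a TCP connect() onto the states discussed above. A completed handshake (SYN/ACK) is "open", a connection refused (RST) is "closed", silence until the timeout is "filtered"/"stealth", and an ICMP unreachable from a router, MeDuZa's no-host case, is reported separately. It assumes a full connect() in place of R2's raw SYN probe and is meant for checking your own firewall policy from another host; the demo uses constructed loopback ports.

```python
import errno
import socket


def probe_tcp_port(host, port, timeout=2.0):
    """Classify a TCP port into the states this thread distinguishes.

    Assumption (not from the thread): a full connect() stands in for a SYN.
    open        -> SYN/ACK came back, handshake completed
    closed      -> host answered with RST (ECONNREFUSED): "nothing here"
    filtered    -> no answer before the timeout: dropped ("stealth")
    unreachable -> a router sent ICMP unreachable: no host there (MeDuZa)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        s.close()


def listen_on_loopback():
    """Constructed demo input: a listener on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def free_loopback_port():
    """Constructed demo input: a loopback port that nothing listens on."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Probe one open and one closed loopback port; return both verdicts."""
    srv = listen_on_loopback()
    try:
        return {"open": probe_tcp_port("127.0.0.1", srv.getsockname()[1]),
                "closed": probe_tcp_port("127.0.0.1", free_loopback_port())}
    finally:
        srv.close()
```

Run probe_tcp_port() from a second machine against a host whose firewall DROPs (not REJECTs) a port to see the "filtered" verdict arrive only after the timeout, which is exactly the delay Marilla9 describes.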

Reverend Ike
Premium Member
join:2001-08-24
Sacramento, CA

to Maven

I think the critical question is whether the person ("hacker") sending the packets actually cares whether a port is "closed" or "stealth". IMHO, I doubt it. If a port is stealthed, does the hacker put it on a "don't bother" list and never try that port again? Of course not. He has no way of knowing that a stealthed port won't be an open port an hour or a day or a week from now. Same thing with a closed port. For the moment, all he cares about is "open" or "other". If it's open, he tries to break in, if it's other, he moves on to the next port or next IP address.

Stealth is like a phone with Caller ID. A telemarketing autodialer calls, the resident doesn't answer, the phone rings and rings. Closed is like an answering machine with an auto-response "There is nobody at home" which doesn't accept incoming messages. In either case, the autodialer just moves on. But when the autodialer starts a new cycle, it will call the same number again, just in case someone might answer next time.

On paper, it seems slightly more desirable to have your ports stealthed rather than closed. But in the real world, with zombie machines and lightning-fast port scanners, I don't think it makes any difference. Nobody is going to sit around and keep hammering one port just because it is "closed" rather than "stealthed", when there are millions of open ports waiting on millions of other machines ...


R2
R Not
MVM
join:2000-09-18
Long Beach, CA

Well said.

to Reverend Ike
said by Reverend Ike:

Stealth is like a phone with Caller ID. A telemarketing autodialer calls, the resident doesn't answer, the phone rings and rings. Closed is like an answering machine with an auto-response "There is nobody at home" which doesn't accept incoming messages. In either case, the autodialer just moves on. But when the autodialer starts a new cycle, it will call the same number again, just in case someone might answer next time.

On paper, it seems slightly more desirable to have your ports stealthed rather than closed. But in the real world, with zombie machines and lightning-fast port scanners, I don't think it makes any difference. Nobody is going to sit around and keep hammering one port just because it is "closed" rather than "stealthed", when there are millions of open ports waiting on millions of other machines ...


Excellent! A very clear analogy.

Thank you.


reaver221
join:2003-05-08
Cincinnati, OH


to Maven

I could very well be wrong, but wouldn't 'stealth' help to defeat accurate OS detection?

For example, nmap supposedly needs to get responses from both closed and open ports to do a good job of detecting a target host's OS, because 'stealth' = less OS specific packets to fingerprint.

I didn't get a chance to read much of the thread that Randy linked to, so this could've already been talked about.
[text was edited by author 2003-08-08 19:30:44]

Source: http://www.dslreports.com/forum/r7610828-Closed-vs-Filtered
