Re: Q: How do stealth ports manage to accept a connection?
comp.security.firewalls archive

From: Mailman <mailman@anonymous.org>
Date: Thu Feb 02 2006 - 09:40:08 CET

On Tue, 31 Jan 2006 03:19:52 -0800, Entropy1024 wrote:

> An open port will respond to all clients attempting to connect. A
> closed port will respond with a 'port closed' response. A stealth port
> will not respond at all.
>
> I have an FTP running on my PC. The port is set to stealth but people
> can access it through my router. It all works a treat and I have no
> complaints.
>
> My question is how does an FTP server running on my local LAN manage
> to accept a connection to a client if the port is in stealth mode?
>
> As I see it there is a three way handshake to initiate a connection.
> Client sends a SYN packet. Server, if open, sends a SYN/ACK back.
> Client responds with an ACK. Normal communication then begins.
> If the port is closed the server would respond with a SYN/RST to say port
> is closed.
> In stealth the server does not respond at all to the SYN request so I
> can't see how any communication is initiated.
>
> Many thanks for any help.

That really depends very much on _which_ port is in so-called "stealth"
mode. Remember, "stealth" means that if a packet arrives at that port and
no process is listening there, the kernel does not reply at all (rather
than with RST). Normally, a firewall will do this even if a process is
listening on that port (the packet is never forwarded to the process), but
not always - some "helpful" firewalls may decide to behave otherwise.

FTP uses two ports: one for the control connection, and one for data. The
data connection is usually an ad-hoc port number (or it may be fixed), and
the direction of the opening (which side sends the first SYN) varies by
protocol. Try searching for active/passive FTP to see exactly what happens.

A typical scenario: a client connects to your FTP server control port,
which is happily listening on port 21. Your FTP server replies "I'll send
data to your port 61234", the client starts listening on that port, and
the server initiates a connection there. No problem anywhere.

I suggest you try sniffing the network traffic and see exactly what is
being sent.

-- 
Mailman
Received on Tue Feb 7 20:58:48 2006
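
Added example, not part of the original post: a small Python parser for the FTP control-channel messages that fix where the data connection goes and which side sends its first SYN, which is what a firewall or port forward in front of the server has to allow. It goes beyond the post by also handling the extended EPRT/EPSV forms; the function names and the sample transcript (documentation addresses) are constructed for illustration.

```python
import re

# Constructed control-channel lines ("C" = client, "S" = server); not a real capture.
SAMPLE = [
    ("C", "PORT 192,0,2,10,239,50"),
    ("S", "227 Entering Passive Mode (198,51,100,5,195,80)"),
    ("C", "EPRT |1|192.0.2.10|61234|"),
    ("S", "229 Entering Extended Passive Mode (|||50000|)"),
    ("C", "RETR file.txt"),
]

def _host_port(fields):
    """Decode 'h1,h2,h3,h4,p1,p2' into (ip, port); port = p1 * 256 + p2."""
    nums = [int(x) for x in fields.split(",")]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        raise ValueError("bad host-port field: %r" % fields)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_channel(sender, line):
    """Return (mode, syn_sender, listen_ip, listen_port), or None if the
    line does not negotiate a data connection."""
    line = line.strip()
    if sender == "C":
        m = re.fullmatch(r"PORT\s+([\d,]+)", line, re.I)
        if m:  # active mode: client listens, server connects out to it
            return ("active", "server") + _host_port(m.group(1))
        if line.upper().startswith("EPRT "):
            arg = line[5:].strip()
            _, _proto, ip, port, _ = arg.split(arg[0])  # first char is the delimiter
            return ("active", "server", ip, int(port))
    else:
        m = re.match(r"227 .*?(\d+(?:,\d+){5})", line)
        if m:  # passive mode: server listens, client connects in
            return ("passive", "client") + _host_port(m.group(1))
        m = re.match(r"229 .*\((.)\1\1(\d+)\1\)", line)
        if m:  # EPSV carries only a port; the address is the control peer's
            return ("passive", "client", None, int(m.group(2)))
    return None

def summarize(transcript):
    """Collect every data-channel negotiation found in a transcript."""
    found = (data_channel(s, l) for s, l in transcript)
    return [r for r in found if r is not None]

if __name__ == "__main__":
    for mode, syn, ip, port in summarize(SAMPLE):
        print(f"{mode:7s} first SYN from {syn}, to {ip or '<control peer>'}:{port}")
```

In passive mode the inbound SYN lands on a server port other than 21, so that port (or range) must be reachable through the router; in active mode the server's data connection is outbound.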