Skype through ZyXEL firewall.....why stealthed?

wingedwraith
New Member
Posts: 15
Joined: Wed Jun 29, 2005 3:24 am

Post by wingedwraith »

Hi,

I need to allow Skype to work through our firewall however there seems to be a problem with the rule I have set up.

The rule is from 'WAN to LAN', externally 'any IP' to internally a fixed IP on a high numbered port (TCP). Skype seems to be working but if I do a port scan with GRC.COM it comes back and shows the port as stealthed. Surely if that was open for incoming packets it would show it as 'open'?

Am I running this rule as a correct type or should it be 'WAN to WAN/Router'? That doesn't seem correct to me as I assume the packets would terminate at the router on this type of rule?

This is really confusing to me as I have a differing rule which is WAN to WAN/router for external router configuration and that shows as open on the SU scan.

Any guidance on this would be appreciated.

Neil
cyberskye
Senior Member
Posts: 4717
Joined: Wed Jan 10, 2001 12:00 am
Location: DC

Post by cyberskye »

wingedwraith wrote:...Skype seems to be working but if I do a port scan with GRC.COM it comes back and shows the port as stealthed. Surely if that was open for incoming packets it would show it as 'open'?...

Skype is a client not a server. When you launch Skype, it makes a connection to an external network, not the other way around. Similar to connecting to a corporate network via VPN.

You don't need to allow incoming connections at all for Skype to work - I have actually read posts at other forums predicting security issues because of this.

It is a good thing that you are stealthed. Skype works. What was the question?

;)

Skye
anything is possible - nothing is free

:wth:
Blisster wrote:It *would* be brokeback bay if I in fact went and hung out with Skye and co (did I mention he is teh hotness?)
:wth:
cyberskye
Senior Member
Posts: 4717
Joined: Wed Jan 10, 2001 12:00 am
Location: DC

Post by cyberskye »

BTW - a port is only 'open' if there is a server (like http, dns, mail, etc) listening on that port - the stealth bit just means that your router will not respond to requests - it may forward them to a server, but pings will not generate a response, for example.

Skype isn't a server so it doesn't matter.

Skye
wingedwraith
New Member
Posts: 15
Joined: Wed Jun 29, 2005 3:24 am

Post by wingedwraith »

cyberskye wrote:BTW - a port is only 'open' if there is a server (like http, dns, mail, etc) listening on that port - the stealth bit just means that your router will not respond to requests - it may forward them to a server, but pings will not generate a response, for example.

Skype isn't a server so it doesn't matter.

Skye

Skye,

Cheers for the info, so let me check if I have this correct. If a port is forwarded through a firewall to a service, let's use web on port 80 for argument's sake, as long as there is not an active server on that port sending 'I am here' style traffic then the port remains stealthed even though there is a rule forwarding packets?

The reason I ask this is I have another rule on the firewall that forwards traffic for remote management of the router. When scanned by SU it shows that port as 'open' however, with your theory above, that would show that the router's remote management element must act as server and be sending traffic as such through that port keeping it open? That rule is different as it's a WAN to WAN/Router rule so would terminate the packets at the router rather than allowing through the firewall to the LAN.

Thanks for the support and info, this is all a little new to me.

Neil
UK
cyberskye
Senior Member
Posts: 4717
Joined: Wed Jan 10, 2001 12:00 am
Location: DC

Post by cyberskye »

wingedwraith wrote:Skye,

Cheers for the info, so let me check if I have this correct. If a port is forwarded through a firewall to a service, let's use web on port 80 for argument's sake, as long as there is not an active server on that port sending 'I am here' style traffic then the port remains stealthed even though there is a rule forwarding packets?

The server doesn't send 'I am here', a request is sent to the server, then the server responds. If you forward the port to an incorrect address (or a host with no service bound to that port) then you would receive no response from a stealthed router. Point being that the ROUTER itself will not reply, simply forward on. If a port is closed (not stealthed) by the router, it will reply as such - closed. When stealthed it (the router itself) does not reply at all.

wingedwraith wrote: The reason I ask this is I have another rule on the firewall that forwards traffic for remote management of the router. When scanned by SU it shows that port as 'open' however, with your theory above, that would show that the router's remote management element must act as server and be sending traffic as such through that port keeping it open? That rule is different as it's a WAN to WAN/Router rule so would terminate the packets at the router rather than allowing through the firewall to the LAN.

In this scenario, the router is indeed the server (serves up those cute web pages so you can edit settings) and that is a HUGE hole to have in your router (remote management) - that means if I guess your user/password, I can change your rules...probably not the best idea unless you get very specific about which static IP addresses are allowed to access remote management. I suggest you turn it (RM) off altogether - how often do you need to reconfigure your router remotely?

Skye

PS - think of Skype as your web browser. Remote Management Interface as a server. You only need to forward ports if you are acting as a server. Elsewise, the SPI/NAT engine will keep association (SPI means it can tell if a 'reply' message is truly a reply or if it is spoofed)
wingedwraith
New Member
Posts: 15
Joined: Wed Jun 29, 2005 3:24 am

Post by wingedwraith »

Thanks for the info, that makes sense now.

I see what you mean about RM, it is useful but only in very specific situations when I'm travelling and to be honest it doesn't happen that often so I've turned that off and will do all my modifications from home.

Cheers

Neil
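
The three scan results discussed in this thread (open, closed, stealthed), as seen from the probing side when you check your own firewall. This is an added example, not code from either poster: `probe`, `demo` and the loopback listener are constructed for illustration, and the dropped-packet case is simulated by a stand-in connect function so the block runs offline.

```python
import socket


def probe(host, port, timeout=2.0, connect=socket.create_connection):
    """Classify one TCP port by what comes back to the prober.

    open    - a listening service accepted the connection
    closed  - something answered with a refusal (TCP reset)
    stealth - nothing answered before our own timer expired
    """
    try:
        conn = connect((host, port), timeout)
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "stealth"
    except OSError:
        # Other failures (e.g. ICMP unreachable, no route): an answer of
        # sorts came back, so this is not the silent "stealth" case.
        return "unreachable"
    conn.close()
    return "open"


def _silent_drop(address, timeout):
    # Constructed stand-in for a firewall that drops the request without
    # replying: the prober only ever sees its own timeout.
    raise socket.timeout("timed out")


def demo():
    # Constructed test bed on loopback: one real listener, then none.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    results = {"listening": probe("127.0.0.1", port)}
    listener.close()
    results["no listener"] = probe("127.0.0.1", port)
    results["dropped"] = probe("127.0.0.1", port, connect=_silent_drop)
    return results


if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case:12} -> {state}")
```
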