How to "stealth" a port with Symantec Desktop Firewall or Symantec Client Firewall
|Article:TECH98847|||||Created: 2000-01-27|||||Updated: 2002-01-31|||||Article URL http://www.symantec.com/docs/TECH98847|
You want to know how to "stealth" a port so that it is invisible from the outside.
When you "stealth" an IP port, you not only close that port, but the port also does not respond to any probes or scans from the outside. This makes that port essentially invisible. In Symantec Desktop Firewall (SDF) or Symantec Client Firewall (SCF), you cannot directly configure a port for "stealth", rather than "blocked." There is no button to click or setting that you can change.
By default, SDF and SCF silently block (stealth) unused IP ports. Ports that are being used (listened on) are either open or closed by a specific rule. Those that are closed cannot be stealthed without making adjustments. Those adjustments depend on the rule and the service listening on a port. In most cases, removing the rule suffices. In other situations, such as those involving protocols, stealthing the port is more involved. Two examples are ports 113 and 139.
Port 113 (auth) is the port used for identification and authorization. This service is frequently required by news, IRC (Internet relay chat), or mail servers. The rule in SDF/SCF is to allow inbound packets on this port. You can modify the rule to block inbound packets, but the only way to stealth the port is to remove the rule. In this way, port 113 becomes an unused port, silently blocked (stealthed) by SDF/SCF.
Port 139 is the NetBIOS Session service port. The rule for this service is set to block incoming packets on that port. However, deleting that rule will not make the port an unused port. The only way to stealth this port (or any of the NetBIOS ports) is to detach NetBIOS from the adapter. The Symantec Security Check has a tutorial at http://security.norton.com/default.asp?productid=nissupport&langid=1033&venid=sym&loc=netbios_faq
This FAQ details how to reconfigure NetBIOS so that you can stealth port 139.
Article URL http://www.symantec.com/docs/TECH98847