anlaoch Posted August 6, 2008

Hi.

I've got xp professional running, and the xp firewall enabled (as well as a NAT router). When I've nothing running, apart from avg in the background, ShieldsUp at grc.com shows some ports as closed, some as running in stealth mode, and ports 21 & 80 open. I've been looking high and low, and can't find any way to make them stealthy (without jettisoning the xp firewall and using a 3rd party one) and can't even find a way to shut port 21 altogether. I have port 6881 forwarded for bt.

Any suggestions?

All help appreciated. Thanks in advance.
Mr Snrub Posted August 6, 2008

> ...(as well as a NAT router)...

Any pen-testing tools on the Internet will be testing the ports on your public IP address, which in your case is your router, not your computer (so long as you have not put your computer into the "DMZ").

"Closed" is just as good as "Stealth", don't be concerned by the sensationalist garbage Mr Gibson spouts - but if it bothers you then the router config is what you should be looking at.

Replacing the XP firewall with another would be pointless and gain you nothing.
CoffeeFiend Posted August 6, 2008 (edited)

> ShieldsUp at grc.com shows some ports as closed, some as running in stealth mode

As Mr Snrub put it, no need to lose sleep over those.

> and ports 21 & 80 open.

That's for ftp and web servers. If you're not running any, I'd look at the router's config (port forwarding specifically, as well as UPnP), and see what IP they're forwarded to (you very well could be in the DMZ too as Mr Snrub said, it would explain why so much stuff is open/closed, and you definitely don't want to be in the DMZ).

If you have a properly configured router that does NAT, you don't even need a firewall on your PCs. Every port you didn't willingly open should be stealth then (the router wouldn't even know what to do with that traffic, so it just drops it).

Edited August 6, 2008 by crahak
Tripredacus Posted August 7, 2008

If you think about this realistically, you are going to a website to test your ports.... and Windows uses port 80 to get to the internet... so it's not surprising that Port 80 is open when browsing a website.
CoffeeFiend Posted August 7, 2008

> and Windows uses port 80 to get to the internet... so its not surprising that Port 80 is open when browsing a website.

No. Your web browser might connect to port 80 on the destination box (web server) to get a web page, but that changes nothing at all. Windows (nor your web browser) itself wouldn't "open" (accept connections) on port 80 regardless. And if you're going thru NAT, port 80 should not be open either. In either case, the reply won't be on port 80 but rather a port number higher than 1024.

In other words, when your computer sends a SYN, it does it to destination port 80, but with a different source port (let's say 21075 -- it's as good as any other number really), and then you reuse those: the server sends its SYN/ACK from port 80 to your port 21075, then your computer sends ACK (still src port 21075, dst 80). Now that the TCP handshake is done, your computer makes the HTTP GET or POST request itself (same ports yet again), and the answer from the web server (e.g. HTTP/1.0 200 OK) is just like its SYN/ACK packet (src 80, dst 21075). Your source port 80 isn't involved at any point in the process.

There's no reason to have ports 21 and 80 open, unless you run a ftp & web server.
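
The port usage described in the post above can be observed on one machine over loopback. This is an added example, not part of the original thread; the function names are hypothetical, and the listener binds to an OS-chosen port as a stand-in for the web server's port 80 (binding to 80 usually needs administrator rights).

```python
import socket
import threading

def accepts_connections(host, port, timeout=1.0):
    """True if a TCP connect to host:port succeeds, i.e. the port is 'open'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.settimeout(timeout)
        return probe.connect_ex((host, port)) == 0

def handshake_ports():
    """Do one request/response over loopback and report the ports involved."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))  # constructed stand-in for the server's port 80
    server.listen(1)
    server_port = server.getsockname()[1]
    seen = {}

    def serve():
        conn, peer = server.accept()
        with conn:
            seen["request"] = conn.recv(1024)
            seen["peer_port"] = peer[1]  # client's source port, as the server sees it
            conn.sendall(b"HTTP/1.0 200 OK\r\n\r\n")

    worker = threading.Thread(target=serve)
    worker.start()
    with socket.create_connection(("127.0.0.1", server_port)) as client:
        src_port = client.getsockname()[1]  # ephemeral port chosen by the OS
        dst_port = client.getpeername()[1]
        client.sendall(b"GET / HTTP/1.0\r\n\r\n")
        reply = client.recv(1024)
        # An outbound connection from src_port does not turn it into a listener.
        src_open = accepts_connections("127.0.0.1", src_port)
    worker.join()
    server.close()
    return {"server_port": server_port, "client_src": src_port,
            "client_dst": dst_port, "server_saw_peer": seen["peer_port"],
            "reply": reply, "client_src_open": src_open}

if __name__ == "__main__":
    for key, value in handshake_ports().items():
        print(f"{key}: {value}")
```

Calling `accepts_connections("127.0.0.1", 21)` or `accepts_connections("127.0.0.1", 80)` on the PC itself shows whether an ftp or web server is actually listening there, independent of what the router forwards.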