Port 113

Question

Sooo when scanning the system i've noticed 113 is the only port showing as closed / reject. Since the other ports are Drop I've created a rule to drop 113 from all connections but SFOS isn't honoring the rule. Why? Why would they decided to reject only 113?

Added TAGs
[edited by: Raphael Alganes at 3:32 AM (GMT -7) on 13 Mar 2024]

midnightSun · Accepted Answer

I fixed this by loading 19.5 and updating it to 20. IDENT port 113 is now stealth. Not sure why but what works works. Thanks everyone for the replies.

PhilippRusch · Answer

If you read further on that grc.com webpage:

Adaptive IDENT Stealthing Experimentation The IDENT protocol's port 113 is quite problematical and tricky to stealth. If the user's port 113 is completely stealthed, connections to some remote Internet servers such as eMail, Internet Relay Chat (IRC), and others, may be delayed or denied altogether. For this reason, many NAT routers and personal firewalls do not attempt to stealth port 113, they settle for leaving it closed. One of the first things that caught my eye about the ZoneAlarm personal firewall was that it was clever about handling port 113: It "adaptively stealthed" the port. 
 To understand the following discussion, you should familiarize yourself with the details of the IDENT protocol and port 113. Please read port 113's Port Authority database page before proceeding. 
 Even after many years, the (free) ZoneAlarm personal firewall from Zone Labs is the only personal firewall to "adaptively" stealth port 113. Unlike any other firewall or NAT router (any of which could also do the same) this allows port 113 to be stealthed to any passing Internet scanners or probes, but "unstealthed" for any valid IDENT connection attempts originating from remote servers with which the user's computer is attempting to connect. (Since this could easily be done by any personal firewall or even NAT routers, I am hopeful that this feature might yet appear in other products.) 
 "Adaptive Stealthing" means that when a TCP SYN packet arrives to request a connection to your machine's port 113, ZoneAlarm checks, on the fly, to see whether your machine currently has any sort of "relationship" with the remote machine (such as a pending outgoing connection attempt). If so, the remote machine is considered to be "friendly" and its IDENT request packet is allowed to pass through ZoneAlarm's firewall. But if the IDENT originating machine is not known to ZoneAlarm as a "friendly" machine, the connection requesting packet is dropped and discarded, rendering port 113 stealth to all unknown port scanners. It's very slick. 
 IDENT, ZoneAlarm, and ShieldsUP! Even though your computer's web browser already has a relationship with the web server at GRC, our tests originate from a different "foreign" IP address. ZoneAlarm therefore drops incoming packets to port 113 from this different probing IP address and ZoneAlarm users see that port 113 is stealthed to passing Internet scans. 
 To demonstrate how ZoneAlarm (and perhaps someday other firewalls or NAT routers) selectively "unstealth" port 113 &mdash; but only for known "friendly" machines &mdash; we simply initiate a connection from your web browser to the ShieldsUP! scanning IP. Even though the connection attempt will ultimately fail (since there's no web server at the probing address), ZoneAlarm will note the outgoing attempt and will unstealth port 113 for subsequent probes. 
 Step One: Verify that our scan currently show port 113 stealthed. (You may wish to use one of the other remote port tests which will be faster than an entire 1056-port grid scan.) 
 Step Two: Open a secondary web browser window to initiate a connection to the probing IP. (Users of Microsoft Internet Explorer can press Ctrl-N to "clone" their current browser window.) 
 Step Three: In the secondary web browser window, click this URL or enter this address: 
 https://4.79.142.206 
 This second connection attempt will ultimately fail, but ZoneAlarm will notice the effort, which is all that's necessary. 
 Step Four: Finally, refresh the port probe window or repeat the scan to check your system's current port status. You should find that port 113 is no longer "stealth" to the probing IP address because you are attempting to connect to it and it has been determined to be "friendly". 
 Step Five: If you're curious, stop and close the secondary web browser window and periodically refresh your port probe window to see how long the "friendly" status persists before Zone Alarm returns the probing IP to unknown status and port 113 to full stealth.

NOTE: Clicking the "http" link above may convince a clever firewall that the remote scanning IP is "friendly" and help to demonstrate its adaptive IDENT handling. But the packets sent to us with that link will also trigger our "Unsolicited Packet" detection since those packets were not received in direct response to our probes.

Port 113

Top Replies