Jim318 (join: 2012-01-12, Weatherford, TX) | VFG6005 not blocking port 53 | Had a VFG6005 installed for a couple of months now and finally did a port scan. Two disturbing things showed up:
1) It keeps port 53 open by default
2) Most ports show up as closed rather than stealthed
According to their tech support there is no way to fix either of these items. They said it is because the VFG6005 is a very basic firewall, not as full featured as the USG ones. Got to say, this is the first "firewall" I've ever owned that doesn't have a way to block/stealth everything by default. Kind of disturbing.
As a workaround I made a rule that routed port 53 to a non-existent server, and now it shows up as stealthed. No clue why they didn't suggest that to begin with.
Anyway, just posting this as a PSA. I liked these boxes because of the low cost, GigE, and high throughput capability, but not sure I would recommend them now. |
DrTCP (Yours truly, Premium, ExMod 1999-04, join: 1999-11-09, Round Rock, TX) | It seems to be a USA-only product. This is probably an outsourced product. I generally like ZyXEL Global products. This product is probably acting as a DNS proxy. So, when there is a packet that is sent to port 53, it is responding with an ICMP message saying there is no service there.
Having said that, stealth is a bit overblown. It really does not add much security. I personally would not do that, since each forwarded packet creates a NAT session on the device. If someone were to attack you on port 53 with many different source IP/port combinations, your NAT session table would get full quickly and your other traffic would be impaired. If this device has some sort of firewall rules, try using them to block port 53 instead of forwarding to a non-existent LAN IP. |
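DrTCP's objection to the forward-to-a-dead-host trick is about state: a drop rule creates nothing, but a forward rule allocates a NAT session per source IP/port pair, and the table is finite. The toy model below (added here for illustration; it is not ZyXEL code and does not model the VFG6005's real session table, whose size and eviction behaviour are not stated in the thread) contrasts the two policies on the same constructed traffic: a burst of unsolicited port-53 packets from random sources, followed by ordinary outbound HTTPS flows from a LAN host that also need session slots. The table size, packet counts and addresses are all assumed values.

```python
"""Toy NAT session-table model: 'forward to non-existent LAN host' vs 'drop'.

Constructed example for the discussion above, not a model of any real device.
"""
import random
from dataclasses import dataclass, field


@dataclass
class NatDevice:
    max_sessions: int          # assumed fixed table size
    port53_policy: str         # "forward" (workaround in the thread) or "drop"
    sessions: set = field(default_factory=set)

    def inbound(self, src_ip: str, src_port: int, dst_port: int) -> str:
        """Unsolicited WAN packet. A drop rule creates no state; a forward
        rule needs a session entry so the reply path can be translated."""
        if dst_port == 53 and self.port53_policy == "drop":
            return "dropped"
        return self._allocate((src_ip, src_port, "wan", dst_port))

    def outbound(self, lan_host: str, src_port: int, dst_ip: str, dst_port: int) -> str:
        """Legitimate LAN-originated flow; it also needs a session slot."""
        return self._allocate((lan_host, src_port, dst_ip, dst_port))

    def _allocate(self, key) -> str:
        if key in self.sessions:
            return "existing"
        if len(self.sessions) >= self.max_sessions:
            return "table_full"          # this is the impairment DrTCP describes
        self.sessions.add(key)
        return "new"


def simulate(policy: str, max_sessions: int = 1000, flood_packets: int = 5000,
             outbound_flows: int = 200, seed: int = 1) -> dict:
    """Run a port-53 burst from varied sources, then try normal outbound flows.
    Returns how many slots the flood consumed and how many legitimate flows
    were refused. Addresses are documentation ranges (RFC 5737)."""
    rng = random.Random(seed)            # deterministic for repeatability
    dev = NatDevice(max_sessions, policy)

    for _ in range(flood_packets):
        dev.inbound(f"198.51.100.{rng.randrange(1, 255)}",
                    rng.randrange(1024, 65536), 53)
    flood_sessions = len(dev.sessions)

    refused = 0
    for _ in range(outbound_flows):
        result = dev.outbound("192.168.1.10", rng.randrange(1024, 65536),
                              f"203.0.113.{rng.randrange(1, 255)}", 443)
        if result == "table_full":
            refused += 1

    return {"policy": policy,
            "flood_sessions": flood_sessions,
            "sessions_in_use": len(dev.sessions),
            "outbound_refused": refused}


if __name__ == "__main__":
    for p in ("forward", "drop"):
        print(simulate(p))
```

With the forward rule the burst alone fills all 1000 slots and every later outbound flow is refused; with the drop rule the burst leaves no state behind and the LAN host's flows all succeed. The scanner sees "stealth" in both cases, which is DrTCP's point: the visible scan result is the same, the cost on the device is not.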