Caveat
join:2012-03-01
USA

2 edits

Caveat

Member

Continuous Network Activity, Odd Firewall Behavior

NOTE: This post (and countless others, no doubt) obviously concerns both "connectivity" as well as "modem/router". Yet, I found myself unable to tick both categories and therefore reluctantly chose "none".

Hello again,

Ever since first setting it up last month, I've been experiencing some odd behavior with my Verizon DSL connection.

First, I see continuous, non-stop, low-level network activity (in both directions) that I cannot account for.

Below is the output from the netstat and ifconfig commands I ran right after booting into Ubuntu (GNU/Linux).

netstat output at boot:

caveat@ubuntu:~$ sudo netstat -anp | grep -e tcp -e udp
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1277/cupsd
tcp 1 0 192.168.1.36:53883 23.67.243.18:80 CLOSE_WAIT 1760/clock-applet
tcp6 0 0 ::1:631 :::* LISTEN 1277/cupsd
udp 0 0 0.0.0.0:68 0.0.0.0:* 1460/dhclient
caveat@ubuntu:~$

Output of ifconfig at boot:

eth1 Link encap:Ethernet HWaddr [I redacted what appeared here because I wasn't sure whether posting it could compromise my privacy or security in some way]
inet addr:192.168.1.[xx] Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: [redacted] Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:81 errors:0 dropped:0 overruns:0 frame:0
TX packets: 27 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes: 14460 (14.4 KB) TX bytes: 2957 (2.9 KB)
Interrupt:18

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::[redacted] Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:12 errors:0 dropped:0 overruns:0 frame:0
TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:720 (720.0 B) TX bytes:720 (720.0 B)

And now the ifconfig output after ten-fifteen minutes of being completely idle as far as I could tell (had only the terminal and gedit text-editor open). Notice the additional traffic in both directions: (lo remained the same each time, so I didn't bother copying the output)


eth1 Link encap:Ethernet HWaddr [redacted]
inet addr:192.168.1.[xx] Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: [redacted] Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets: 790 errors:0 dropped:0 overruns:0 frame:0
TX packets: 131 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes: 59842 (59.8 KB) TX bytes: 9619 (9.6 KB)
Interrupt:18



Just a few minutes later, a little more traffic still:

eth1 Link encap:Ethernet HWaddr [redacted]
inet addr:192.168.1.[x] Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: [redacted] Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets: 1126 errors:0 dropped:0 overruns:0 frame:0
TX packets: 180 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes: 81346 (81.3 KB) TX bytes: 12755 (12.7 KB)
Interrupt:18

The "Network Monitoring" app in PCLinuxOS* also showed continuous low-level network activity in both directions-- even when the same netstat command did not show any services listening on any ports.

(*PCLOS had been my primary distro up until today and the one I first set-up the new Verizon DSL connection with)

My router (provided by Verizon) is the Westell 7500 ( Model: A90-750015-07, Rev:Z, Made in China 06/2011) and I have not set up any wireless at all yet, so this is with just the standard ethernet connection.

The green E1 light on the router continuously blinks slowly-- maybe once, sometimes twice per second. The "Internet" light seems somewhat erratic; I monitored it fairly closely today while waiting to get the ifconfig output that I posted above (with nothing open other than a terminal and a text editor), and did not notice it blink at all during that short period. However, I'm pretty sure that there were many times in the past when despite being completely idle as far as I could see, I noticed the "Internet" light blinking.

Another thing that has me completely baffled:

I have run many port scans at the GRC "Shield's Up!" site-- some with my software firewall and my router firewall both enabled, some with both of them disabled, and others with various combinations of each... And I always get the same result regardless. This is true not only for the two GNU/Linux installations that I have now used this router/DSL account with (PCLinuxOS and now Ubuntu) but also for all of the several other distros that I have tried running live during this time.

In contrast, when I used dialup, my port scan results would vary quite distinctly depending upon the status and settings of my software firewall as well as the ISP I was using.

This is what I get from GRC (every time):
said by GRC Shield's Up! :

Results from scan of ports: 0-1055

0 Ports Open
3 Ports Closed
1053 Ports Stealth
---------------------
1056 Ports Tested

NO PORTS were found to be OPEN.

Ports found to be CLOSED were: 20, 21, 500

Other than what is listed above, all ports are STEALTH.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.

I'm not worried about the results themselves (Seems like most of those who really know security don't consider "stealth" necessary-- or even ideal in all circumstances). What concerns me is what I already described above: How could I possibly get the exact same results regardless of both my router firewall settings as well as my OS/software firewall/port settings?!

At the same time, I know that changing the setting of the Westell firewall through the GUI at »192.168.1.1 actually does make a difference in what traffic can get through...Only after doing just that was I finally able to connect to a key server to import a GPG signing key...

So, to summarize, my two basic questions are:

1.) Why do I have constant network activity even when completely idle?
and
2.) Why is there never any variation in the results of my port scans-- whether I have both my router and software firewalls at the max settings, or have neither of them enabled at all, the port scan results show no difference whatsoever.

I thank everyone who took the time to read this and for any help that anyone may be able to offer in solving this mystery to me.
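Added example (not part of the original post): differencing the eth1 counters from the three ifconfig snapshots above gives the packet and byte deltas per interval and the mean frame size, which helps tell small control frames from real data transfer. The counter lines are copied from the post; the function names are this example's own.

```python
import re

# eth1 counter lines from the three snapshots in the post:
# at boot, after 10-15 idle minutes, and a few minutes later.
SNAPSHOTS = [
    """RX packets:81 errors:0 dropped:0 overruns:0 frame:0
TX packets: 27 errors:0 dropped:0 overruns:0 carrier:0
RX bytes: 14460 (14.4 KB) TX bytes: 2957 (2.9 KB)""",
    """RX packets: 790 errors:0 dropped:0 overruns:0 frame:0
TX packets: 131 errors:0 dropped:0 overruns:0 carrier:0
RX bytes: 59842 (59.8 KB) TX bytes: 9619 (9.6 KB)""",
    """RX packets: 1126 errors:0 dropped:0 overruns:0 frame:0
TX packets: 180 errors:0 dropped:0 overruns:0 carrier:0
RX bytes: 81346 (81.3 KB) TX bytes: 12755 (12.7 KB)""",
]

COUNTER = re.compile(r"\b(RX|TX) (packets|bytes):\s*(\d+)")

def parse_counters(text):
    """Return e.g. {'RX packets': 81, 'TX packets': 27, 'RX bytes': ..., 'TX bytes': ...}."""
    return {f"{d} {kind}": int(v) for d, kind, v in COUNTER.findall(text)}

def interval_stats(before, after):
    """Packet/byte deltas and mean bytes per frame between two snapshots."""
    stats = {}
    for d in ("RX", "TX"):
        pkts = after[f"{d} packets"] - before[f"{d} packets"]
        size = after[f"{d} bytes"] - before[f"{d} bytes"]
        if pkts < 0 or size < 0:
            # Counters restart at zero after a reboot or interface reset.
            raise ValueError(f"{d} counters went backwards; snapshots not comparable")
        avg = round(size / pkts, 1) if pkts else 0.0
        stats[d] = {"packets": pkts, "bytes": size, "avg_bytes": avg}
    return stats

def analyse(snapshots):
    """One stats dict per consecutive pair of snapshots."""
    parsed = [parse_counters(s) for s in snapshots]
    return [interval_stats(a, b) for a, b in zip(parsed, parsed[1:])]

if __name__ == "__main__":
    for n, stats in enumerate(analyse(SNAPSHOTS), 1):
        for d, s in stats.items():
            print(f"interval {n} {d}: {s['packets']} frames, "
                  f"{s['bytes']} bytes, {s['avg_bytes']} bytes/frame")
```

Both intervals average about 64 bytes per frame in each direction, which is the Ethernet minimum frame size: the idle traffic is a steady stream of very small frames, not a data transfer.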

Smith6612
MVM
join:2008-02-01
North Tonawanda, NY
·Charter
Ubee EU2251
Ubiquiti UAP-IW-HD
Ubiquiti UniFi AP-AC-HD

1 recommendation

Smith6612

MVM

1: Try disabling network scanning in the Westell 7500's "My Network" link in the GUI. The ARP traffic you're seeing is from that.

2: This is due to NAT. If the Firewall on the modem and system is being disabled, NAT is still at play, and if your system has nothing listening in on a port, that is also at play.
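Added example (not part of the original reply): a simplified model of the NAT behaviour described in point 2, showing why an outside scan gives the same tally whether the host firewall is on or off. Everything here is constructed for illustration, including the assumption that the router itself answers the three "closed" ports from the GRC report and the DMZ-style forward-everything switch.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Host:
    listening: set = field(default_factory=set)  # ports with a service bound
    firewall_on: bool = True                     # simplified: on = drop all unsolicited

    def answer(self, port):
        if self.firewall_on:
            return "stealth"                     # silently dropped, no reply
        return "open" if port in self.listening else "closed"  # SYN/ACK vs RST

@dataclass
class NatRouter:
    host: Host
    router_closed: set = field(default_factory=set)  # ports the router rejects itself (assumed)
    dmz_host: bool = False                           # forward all unsolicited packets to host
    sessions: set = field(default_factory=set)       # (wan_port, remote) from outbound traffic

    def outbound(self, wan_port, remote):
        """A LAN client connecting out creates the only dynamic mapping."""
        self.sessions.add((wan_port, remote))

    def inbound(self, wan_port, remote):
        if (wan_port, remote) in self.sessions:
            return "reply-forwarded"                 # return traffic of an existing session
        if self.dmz_host:
            return self.host.answer(wan_port)
        # No mapping: the packet has no LAN destination, so the router answers for itself.
        return "closed" if wan_port in self.router_closed else "stealth"

def scan(router, ports=range(0, 1056), scanner="scanner.example"):
    """Tally what an outside scanner sees on each WAN port."""
    return Counter(router.inbound(p, scanner) for p in ports)

def compare_host_firewall(dmz_host):
    """Scan twice, host firewall on then off; return both tallies."""
    results = []
    for fw in (True, False):
        host = Host(listening={22}, firewall_on=fw)  # constructed sample host
        router = NatRouter(host, router_closed={20, 21, 500}, dmz_host=dmz_host)
        router.outbound(40000, "keyserver.example")  # an unrelated outbound session
        results.append(scan(router))
    return results

if __name__ == "__main__":
    print("behind NAT:", compare_host_firewall(dmz_host=False))
    print("DMZ-style :", compare_host_firewall(dmz_host=True))
```

Behind plain NAT both scans return the same tally because unsolicited packets never reach the host; only when every port is forwarded to the host does the host firewall setting change what the scanner sees.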
Caveat
join:2012-03-01
USA

1 edit

Caveat

Member

Thanks Smith6612 and sorry for not replying sooner. (Had tried but site was down)

See below.
said by Smith6612:

1: Try disabling network scanning in the Westell 7500's "My Network" link in the GUI. The ARP traffic you're seeing is from that.

That did it!

But is there any downside to having network scanning disabled?

2: This is due to NAT. If the Firewall on the modem and system is being disabled, NAT is still at play, and if your system has nothing listening in on a port, that is also at play.

Wait... I thought that NAT is the router firewall (hence the term "NAT router")?!
Caveat

Caveat

Member

Note to Mods: It now seems to me that this thread is not so much specific to Verizon as to DSL routers/modems in general, and the Westell 7500 in particular.

So perhaps it should be moved to a more appropriate forum?
.......

Another concern I have regarding my Westell 7500:

I sometimes notice the "Internet" LED flickering when the ethernet cable is unplugged from my computer (or any other device). (And wireless is disabled)

What could explain that?

Thanks again.

Alex G Bell
join:2002-07-02
Boston, MA

Alex G Bell to Caveat

Member

I don't know if this answers your question or not, but if ICMP ping is disabled (it is enabled by default in the Westell 7500 in router mode--but not bridge mode--I don't think there is an easy way to turn it off) the ATM switch in the ISP's WAN network can still ping your modem (OAM test); this is one way it knows the modem is connected to your line when in bridge mode--the flickering DSL light you see may be because of it, or it may be because of a failed malicious port inquiry. Oh, sorry, you meant the "internet" light, sorry.

aefstoggaflm
Open Source Fan
Premium Member
join:2002-03-04
Bethlehem, PA
Linksys E4200
ARRIS SB6141

aefstoggaflm

Premium Member

said by Alex G Bell:

I don't know if this answers your question or not, but if ICMP ping is disabled (it is enabled by default in the Westell 7500 in router mode--but not bridge mode--I don't think there is an easy way to turn it off)..

I point to »Verizon DSL FAQ »How do I stealth all ports on my Westell 7500 modem router

Alex G Bell
join:2002-07-02
Boston, MA

1 recommendation

Alex G Bell

Member

You are certainly right; my memory was confused between the ICMP ping issue and the FTP issue. As I now remember, I could not stealth the FTP ports without disabling FTP entirely on the Westell (6100G as I recall).
Caveat
join:2012-03-01
USA

1 edit

Caveat

Member

Now the "Internet" LED -- but none of the other LEDs-- is flickering like mad while I am connected, browser open, but idle as far as I can see.
...........
Thanks for trying to help, Alex G.Bell.
_________________________

From what I've seen, including in posts right here at DSLR, there seems to be a fairly broad consensus among security experts that achieving "stealth" is unnecessary and perhaps even undesirable.
Caveat

Caveat

Member

Since it has been close to two weeks now without any reply to my posts, I have decided to summarize the remaining, unresolved questions/concerns regarding my Westell 7500:

1.) Is there any downside to disabling the network scanning that had been causing the continuous activity that I had originally asked about?

2.) The "Internet" LED sometimes flickers continuously when the ethernet cable is unplugged from my computer (or any other device) (And wireless is disabled)

What could cause this?

3.) Regarding the Internet LED flickering while connected but idle as far as I can see, is there anything (other than some overlooked legitimate net traffic on my system) that could cause this?

4.) Is there a way to temporarily disable NAT in order to test a software firewall or to see which ports may be blocked by Verizon?

5.) Finally,
As I have noted previously, it would appear, from a number of posts I have seen here and elsewhere, that there seems to be a fairly broad consensus among security experts that achieving "stealth" is unnecessary and perhaps even undesirable.

Yet, in the FAQ entry linked above, there is no mention that the issue is even controversial and the implication is that stealthing all ports is something that one should do. Shouldn't this be corrected?

aefstoggaflm
Open Source Fan
Premium Member
join:2002-03-04
Bethlehem, PA
Linksys E4200
ARRIS SB6141

aefstoggaflm

Premium Member

said by Caveat:

1.) Is there any downside to disabling the network scanning that had been causing the continuous activity that I had originally asked about?

I do not know for sure, but I am taking an educated guess - if that helps.

If forwarding ports with network scanning enabled, you can select the device that you want to forward to.

If network scanning is disabled: To forward ports, you must enter in the IP Address of the device that you want to forward to.
said by Caveat:

2.) The "Internet" LED sometimes flickers continuously when the ethernet cable is unplugged from my computer (or any other device) (And wireless is disabled)

What could cause this?

As addressed by Alex G Bell

#1 The router is replying to ping?

OR

#2 it may be because of a failed malicious port inquiry?
said by Caveat:

3.) Regarding the Internet LED flickering while connected but idle as far as I can see, is there anything (other than some overlooked legitimate net traffic on my system) that could cause this?

See above.
said by Caveat:

4.) Is there a way to temporarily disable NAT in order to test a software firewall or to see which ports may be blocked by Verizon?

#1 One of the ways is to follow the info that is at »Verizon DSL FAQ »How do I use a router with the Westell 6100?

#2 Another way might be to use Firewall -> DMZ Host OR Firewall -> Static NAT.

See the sample screens shots of what the DMZ Host and Static NAT feature(s) look like in my modem combo in the thread »[modem/router] Putting Westell G90-6100 into bridge mode
said by Caveat:

5.) Finally,


As I have noted previously, it would appear, from a number of posts I have seen here and elsewhere, that there seems to be a fairly broad consensus among security experts that achieving "stealth" is unnecessary and perhaps even undesirable.

Yet, in the FAQ entry linked above, there is no mention that the issue is even controversial and the implication is that stealthing all ports is something that one should do. Shouldn't this be corrected?

If you think it should, use the Got Feedback Link..