Re: USG20 - Opening ports the right way

To address your second question, when you "open" the port, you are opening a door, and it will be open for everyone, so yes, it will show up in a port scan immediately.

When I had port forwarding set on the Airport Extreme (NAT only) the ports never showed open in scans, it was always a mix of closed and stealth. So I was hoping this box and its more intelligent techniques like SPI and ADP would do the same for me.

iCloud stopped syncing and I found out it needs ports 443 and 993 to be open in order to function properly. The NAT router never needed me to forward that port or anything, it just worked. I don't like the idea of opening that port (especially after finally getting it closed, if you remember my other post). So if I open that port up iCloud should be working, but anyone typing my IP will see the router login window again, which I don't want.

Still much to learn

..I think you may be over analyzing your security..

You are reading way too much into your port scan results.

As to the Airport Extreme not showing open ports, maybe it was smart enough to detect the scan and close off the open ports. That can have unintended consequences as well. Maybe you did something wrong (a la nmap and the a/v software), but trust me, in order to have unsolicited inbound traffic, the port has to be open, period. If it isn't, communication won't take place.

I don't know if you read the edit part of my post, but you need to read that and understand it. Yes, port scan results are a very important part of securing your network, but they are not the sole indicator of a secure network. Whoever led you to believe that led you astray.

As to iCloud, I am unfamiliar with it, but it looks like a service, not a device, so opening ports *shouldn't* be necessary. It is probably necessary to have ports 443 and 993 open for OUTBOUND, which the USG does by default.

Don't confuse open OUTBOUND ports with open INBOUND ports.
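The inbound/outbound distinction made above, as an added illustration that is not from this thread or from Zyxel's firmware: a toy stateful (SPI) firewall model in which a LAN host's outbound IMAP-over-TLS connection to port 993 is remembered so the server's replies get back in, while an unsolicited inbound probe to the same port is dropped unless that port has been explicitly forwarded. Addresses, ports and the rule semantics are constructed simplifications (NAT translation is omitted).

```python
# Added example: toy stateful packet inspection model, not USG firmware code.
# Packets and addresses below are constructed for illustration only.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = LAN -> WAN, "in" = WAN -> LAN
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool        # True when the packet opens a new connection


class StatefulFirewall:
    """Default policy: any new outbound flow is allowed and tracked;
    inbound traffic is allowed only as a reply to a tracked flow or
    via an explicit port-forward rule."""

    def __init__(self, forwarded_ports=()):
        self.forwarded = set(forwarded_ports)
        self.state = set()   # tracked flows: (lan_ip, lan_port, wan_ip, wan_port)

    def filter(self, p: Packet) -> str:
        if p.direction == "out":
            # Outbound is permitted, and the flow is remembered so the
            # server's answer can come back without any inbound rule.
            self.state.add((p.src, p.sport, p.dst, p.dport))
            return "ALLOW"
        # Inbound: is it the reverse of a flow we already saw go out?
        if (p.dst, p.dport, p.src, p.sport) in self.state:
            return "ALLOW"
        # Unsolicited inbound SYN: only reaches the LAN if explicitly forwarded,
        # which is exactly what makes the port show as open in a scan.
        if p.syn and p.dport in self.forwarded:
            return "FORWARD"
        return "DROP"


def demo(forwarded_ports=()):
    fw = StatefulFirewall(forwarded_ports)
    out = Packet("out", "192.168.1.10", 51000, "203.0.113.5", 993, syn=True)
    reply = Packet("in", "203.0.113.5", 993, "192.168.1.10", 51000, syn=False)
    probe = Packet("in", "198.51.100.7", 40000, "192.168.1.10", 993, syn=True)
    return {"client_out": fw.filter(out),
            "server_reply": fw.filter(reply),
            "unsolicited_probe": fw.filter(probe)}
```

With no forward rule the probe is dropped; adding 993 to the forwarded set turns the same probe into "FORWARD", which is the "open door" the earlier reply describes.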



but anyone typing my IP will see the router login window again which i don't want

You can have port 443 open but not showing the login screen; you just need to change the HTTPS port of the USG WWW interface to something else. Or maybe it's even possible to have the USG direct WAN to LAN / LAN to LAN connections differently? Don't know, haven't tried.