If you want to "stealth" ports (not advertising that they're "closed for business") on any TCP/IP host, configure it not to send ICMP Unreachable. In a Cisco router, use the "no ip unreachables" command at the interface level. In ISA, just disable the packet filter called "ICMP unreachable in" that's enabled by default. Please note that this preconfigured packet filter disables all type 3 codes, and to stealth ports only code 3 (port unreachable) is enough. ICMP Type=3 Destination Unreachable, Code=3 Port Unreachable (RFC 792).

-----Original Message-----
From: Shayne Lebrun [mailto:slebrun@xxxxxxxxxxx]
Sent: Friday, August 31, 2001 10:25
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Open Ports

http://www.ISAserver.org

According to the TCP/IP spec, every port should respond with one of two options:

1: "Here I am, what can I do for you?"
2: "Sorry, closed for business."

Paranoid Internet security types have added a third to the mix:

3: "..."

which Steve Gibson so charmingly refers to as 'stealthed' ports.

In other words, you should get a response on every port, but shouldn't be able to open a connection that you haven't allowed.

Now, also, bear in mind that what you're doing is NAT. In other words, if you were to throw your firewall wide open, people still wouldn't be able to access anything that wasn't explicitly running on your ISA box, but is running behind your ISA box, unless you set up specific publishing rules. With a forwarding firewall, you'd be thinking differently.
-----Original Message-----
From: Chris Bond [mailto:chris@xxxxxxxxxxxx]
Sent: Friday, August 31, 2001 7:27 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Open Ports

http://www.ISAserver.org

Hi,

Just ran a port scan on the external interface of ISA and get the following results:

25 smtp
53 domain
88 kerberos
110 pop3
135 epmap
139 netbios-ssn
143 imap
389 ldap
443 https
445 microsoft-ds
464 kpasswd
636 ldaps
1723 pptp

Plus a few others.

Luckily at the moment the Cisco router has an ACL on that only allows 25 through. What is the correct solution to stop it listening for these requests on the external interface (apart from port 25, of course)? Although it does seem to say "* BYE Connection refused" and drop the packets, I just find it weird that the ports are open in the first place.

Anybody got any ideas?

Kind Regards,
Chris Bond

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: slebrun@xxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
------------------------------------------------------
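The thread describes three things a scanner can see per port: an "open" reply, a "closed for business" reply, or nothing at all ("stealthed"), and Hugo's reply points at the specific "closed" message a host can be told not to send, ICMP Type 3 Code 3 (RFC 792). The following is an added example, not code from the thread or from ISA Server, that builds constructed sample replies and classifies them the way a scanner would. One caveat worth keeping in mind when reading the thread: for a TCP probe the "closed" answer is a TCP RST segment, while ICMP Port Unreachable is what a closed UDP port returns, so suppressing unreachables stealths UDP ports; the classifier below handles both. All addresses and ports are constructed (RFC 5737 documentation addresses); nothing is sent on the wire.

```python
import socket
import struct

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10

# Constructed scanner/target addresses (RFC 5737 documentation range), not from the thread.
SCANNER = "192.0.2.10"
TARGET = "192.0.2.20"


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (IPv4/ICMP). Over a valid message it folds to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header, no options, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_segment(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """20-byte TCP header; the transport checksum is left zero (not verified here)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)


def udp_datagram(sport: int, dport: int, payload: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def icmp_port_unreachable(original_ip_packet: bytes) -> bytes:
    """RFC 792 Destination Unreachable: type 3, code 3, 4 unused bytes, then the
    offending IP header plus the first 8 bytes of its datagram (which carry the ports)."""
    body = struct.pack("!BBHI", 3, 3, 0, 0) + original_ip_packet[:28]
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def classify_response(response, probe_port: int) -> str:
    """Map what came back for a probe of probe_port to open / closed / stealth."""
    if response is None:
        return "stealth"            # no reply at all: "..." in the thread's terms
    ihl = (response[0] & 0x0F) * 4
    proto = response[9]
    payload = response[ihl:]
    if proto == 6:                  # TCP reply from the probed port
        sport, _dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", payload[:14])
        if sport != probe_port:
            return "unrelated"
        if flags & TCP_SYN and flags & TCP_ACK:
            return "open"           # "Here I am, what can I do for you?"
        if flags & TCP_RST:
            return "closed"         # TCP's "Sorry, closed for business"
        return "unrelated"
    if proto == 1:                  # ICMP
        if checksum(payload) != 0:
            return "corrupt"
        itype, code = payload[0], payload[1]
        if itype != 3:
            return "unrelated"
        quoted = payload[8:]        # the original datagram this error refers to
        q_ihl = (quoted[0] & 0x0F) * 4
        _q_sport, q_dport = struct.unpack("!HH", quoted[q_ihl:q_ihl + 4])
        if q_dport != probe_port:
            return "unrelated"
        return "closed" if code == 3 else "filtered (icmp type 3 code %d)" % code
    return "unrelated"


def sample_responses():
    """Constructed replies a scanner might see; the None entries model a host
    with unreachables suppressed (e.g. Cisco 'no ip unreachables')."""
    syn_ack = ipv4_header(TARGET, SCANNER, 6, 20) + tcp_segment(25, 40000, TCP_SYN | TCP_ACK, ack=1)
    rst = ipv4_header(TARGET, SCANNER, 6, 20) + tcp_segment(139, 40001, TCP_RST | TCP_ACK, ack=1)
    udp_probe = ipv4_header(SCANNER, TARGET, 17, 8) + udp_datagram(40002, 53)
    icmp = icmp_port_unreachable(udp_probe)
    unreach = ipv4_header(TARGET, SCANNER, 1, len(icmp)) + icmp
    return {
        "tcp/25": (syn_ack, 25),
        "tcp/139": (rst, 139),
        "udp/53": (unreach, 53),
        "udp/161": (None, 161),     # closed UDP port on a host that sends no unreachables
        "tcp/445": (None, 445),     # dropped by a packet filter
    }


def scan_report() -> dict:
    return {name: classify_response(pkt, port) for name, (pkt, port) in sample_responses().items()}


if __name__ == "__main__":
    for name, verdict in scan_report().items():
        print("%-8s %s" % (name, verdict))
```

The ICMP branch verifies the message checksum and reads the destination port out of the quoted original header before accepting the error, which is how a scanner avoids attributing a stray unreachable to the wrong probe. Note that ports 53 and 161 are both closed on the target, but only the host that still sends Type 3 Code 3 shows up as "closed"; with unreachables suppressed the same port reads as "stealth".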