# Port 443 / Firewall issue



## chieftain

OS: Windows 7 Professional
AV: MS Security Essentials (manually updated twice daily)
Firewall: Windows Firewall (set to block ALL incoming connections)

Here's my problem. When I run a firewall status check for port vulnerability via the online service auditmypc.com, I am told there are no issues with open ports etc.

However, when I run GRC/ShieldsUP! and Symantec Security Scan (both online), they tell me 443 is open. I read here that Skype could be responsible so I unchecked the relevant box in Skype's advanced connection settings, after which I passed the tests/scans at GRC and Symantec. Remote assistance is unchecked and I have config'd it to "Don't allow connections on this computer" in the Remote Tab of system properties for Computer.

A few days later I run these tests and again 443 seems to be open. I refresh the browser after a while and this time both tests are passed!!

I'm confused why they report 443 to be open one time and then a short while later report it to be 'Stealth' or closed (safe).

Help?


----------



## johnwill

I'm guessing it has to do with UPnP on the router.


----------



## chieftain

johnwill said:


> I'm guessing it has to do with UPnP on the router.


There's no way (atm) for me to find out if the router's UPnP has anything to do with this because my ISP has the habit of stripping the firmware and substituting it with its own version and even rebranding the router. (It's a Conexant wifi router, I guess.) I look at EVERY section in the admin page and there's no mention of UPnP anywhere!!

I have been checking for open ports (non-stealth mode) a number of times and so far everything seems ok and stealthed. I guess Windows Firewall (by itself) is not too bad and the fact that I've blocked all incoming connections is a good thing, right?


----------



## johnwill

That's a good thing. :smile:


----------



## chieftain

This is really weird now. I ran these 2 tests as usual

1. GRC ShieldsUP!
2. Symantec Security Scan (http://security.symantec.com/sscv6/home.asp?langid=ie&venid=sym&plfid=21&pkj=MLBNPVTROSNVKLRCEOR)

Both reported (with alerts) that my system was at risk because 443 was open/visible.

I refreshed the page and ran the tests again and this time both reported that all ports were stealthed. Why the flip-flop?


----------



## johnwill

Some router firewalls have adaptive behavior and they'll initially show a port as open, but later report it stealthed.


----------



## chieftain

I guess you're right. I never had this problem with my earlier router (non-wifi). I observed this only recently after getting a wifi router from my ISP. I will check/confirm again with the old one in a couple of days. Thanks for the tip!


----------



## Super Troll

OK, simple answer for you: port 443 is used by secure HTTP, i.e. *https*://www.blahblahblah.tld. Forget the router; this is Windows opening the port to a secure site. MS Security Essentials itself opens port 443 to get its updates; this is to stop definition injection (happened to McAfee a while ago).


----------



## Super Troll

port 443 and 80 are always safe to be open


----------



## chieftain

Yes, I know, but what's disconcerting is the fact that GRC and Symantec flag it (with words like "Failed" and red alert icons) when the test results show that 443 is open. There should be a consensus, right? Either it's safe or it's not. I actually like https and the padlock is very reassuring, and from what I gather, users generally say (online forums etc.) that 443 is OK to be open. Then there are others who say you ONLY need it to be open if you're running a web server etc. And online port scanners that flag it one time then give the "all clear" the next moment is what really confuses me.

I cannot figure out the firmware modifications made in my router. It's altered by my ISP and the interface is totally confusing and vague.

I just want a way to figure out how I can stealth EVERY port ALL the time irrespective of what the router's firewall settings are (i.e. if there really is a functioning firewall left in that thing). I want to be able to do this using ONLY Windows Firewall.

I have Norton 360 v4 on my other computer but don't want to use it on this one since MS Security Essentials and Win Firewall are pretty lightweight. And I observe the 443 port alert "flip-flop" on that PC too anyway *groan*


----------



## Super Troll

Coming back to Security Essentials: it periodically sends info to MS servers (don't worry, nothing dodgy, just normal operation). Since this is sending data up and down the 443 port it leaves what is called "half open" packets. Some of the more "home user focused" security scanners like the ones mentioned will raise a flag when this happens, because to a basic scanner it looks like a very common type of hack (I will not disclose, so please don't ask). Security Essentials is not the only culprit for this; a few apps and services can cause this. I really would not worry; this hack I mention is never performed on port 443 for certain reasons I won't mention either, but a basic security scanner will not be programmed to look that closely at it. This is what is known as a false positive.


----------



## Super Troll

P.S. Norton 360 is an awful product and can actually create holes used for attacking a system. Trust me, I know ;-)


----------



## johnwill

Super Troll said:


> port 443 and 80 are always safe to be open


What makes you think ports 80 and 443 are any safer to open than other ports? If you have no reason to open them, and 99.99% of the user community doesn't, why would you open them?


----------



## Super Troll

@Johnwill, please do not forget that we are talking about opening ports, not forwarding ports; those are 2 different things. I totally agree that if you are not running a webserver you should not *FORWARD* these ports to your system, but leaving these ports open on your *COMPUTER* (not router, I stress this point) is OK, as many games and applications require some form of 2-way communication, esp. games (a mini temp webserver if you will, but with packet header info so it can route back through the NAT).

If you were to run a scan on most home routers from an external source you would see that 99.9% of the time port 443 is open. This has nothing to do with your computer and is more than likely to be the remote management interface on the router. (This can be disabled very easily.)

You cannot gain access to a PC on that network because this port is *OPEN* on the router, as you would have to traverse the NAT, packet manipulation (not worth the time or effort, extremely difficult).


----------



## Super Troll

@Johnwill, and just for the record, 99.9% of the community DOES have these ports open. Look in your advanced firewall conf. Try disabling it and watch what happens.


P.S. Sorry if I seem to come across rude, I have trouble getting my words out in writing, I'm a hands-on kinda guy. :1angel::1angel:


----------



## johnwill

Those ports are only open for outgoing traffic, a large difference.


----------



## Super Troll

@johnwill, sorry buddy, there must be some confusion here. I'll post an image of a fresh Windows OS install showing Windows Firewall *INBOUND* rules.

You can quite clearly see that https (443) is open and any IP is allowed access. Most users will not even know how to get to this to be able to change the settings.

If I am barking up the wrong tree please do let me know, but I am 99.999999999999999% sure I'm correct.


----------



## johnwill

I hear barking, just don't know which tree you're at. :wink:


----------



## chieftain

So, do I disable this rule in Windows Firewall Advanced Settings? Or do I go to the rule's properties and Block the Connection??

I just want 443 to be 100% stealthed. How do I do it using Windows Firewall only?


----------



## Super Troll

chieftain said:


> So, do I disable this rule in Windows Firewall Advanced Settings? Or do I go to the rule's properties and Block the Connection??
> 
> I just want 443 to be 100% stealthed. How do I do it using Windows Firewall only?


As I say, my guess is that the scans you are running are picking up port 443 from your router's remote management interface, not your PC.

What you will need to do is log into your router and disable "remote management" or similar, and also block port 443.

To be honest, you really should be doing all your port blocking/allowing from there and not Windows Firewall!

If you give the exact model of your router I will write you a step-by-step guide.


Just to make it clear for you, the ports on your computer are not visible from the outside world.
The outside world only sees the open ports on your router.

Hence why Windows Firewall will make no difference.

To access a port on your PC from the outside world you need to *forward* the port from your router to the PC.

I hope this clears things up for you.


----------



## chieftain

Hi Super Troll,

The firmware of my router has been modified by my ISP. The makers are Fujian Star-Net Communication, I guess.

Model Name AR800V v3.0
Firmware Version 10.4.3.12.12_SII
Hardware Version Solos 4615 RD / Solos 461x CSP v1.0

There is no "Firewall" section in the settings. The closest thing to that is IP Filtering which is disabled.

Screenshot:

Also, I don't have any ports forwarded and remote access looks like this:


----------



## ZippyTheGrunt

@SuperTroll - I don't think that's right what you said about 443 open by default.

Your highlighted rule (in your picture) is IPHTTPS, which is a transition technology for tunneling IPv6 packets inside HTTPS datagram inside an IPv4 packet.

Link: http://technet.microsoft.com/en-us/library/cc755158(WS.10).aspx

I would also say that it's not open by default because if you try to run a webserver, no other computer on the network can connect without another rule for HTTP/HTTPS. I have a webserver strictly for testing and my laptop next to it could not connect until I added an inbound rule for 80/443.

I'm fairly new to the networking game, so I could be wrong. I like to learn new things, so let me know either way


----------



## johnwill

I decided it wasn't useful to continue to argue the point. :wink:


----------



## Super Troll

ZippyTheGrunt said:


> @SuperTroll - I don't think that's right what you said about 443 open by default.
> 
> Your highlighted rule (in your picture) is IPHTTPS, which is a transition technology for tunneling IPv6 packets inside HTTPS datagram inside an IPv4 packet.
> 
> Link: http://technet.microsoft.com/en-us/library/cc755158(WS.10).aspx
> 
> I would also say that it's not open by default because if you try to run a webserver, no other computer on the network can connect without another rule for HTTP/HTTPS. I have a webserver strictly for testing and my laptop next to it could not connect until I added an inbound rule for 80/443.
> 
> I'm fairly new to the networking game, so I could be wrong. I like to learn new things, so let me know either way



@johnwill - good point, :grin:, no arguments :grin:

@zippythegrunt - I tip my hat to you, sir, over the IPHTTPS thing. Damn, really kicking myself here; I'm normally so on top of this stuff, how did I make such a schoolboy error?
Either way, I did a test with a fresh installation of Windows 7, installed Apache and can 100% confirm that port 443 and 80 are open by default (accessed over a standard IPv4 network, without the need to add additional rules), so we both had a wrong and a right point! :laugh::laugh:

@chieftain - OK, if you bear with me I'll write you up a config for your router. FYI, IP filtering is firewall, more or less.
For now, you could enable the packet filtering and "add" a new rule to block specific incoming ports (443 etc.); if you can't work it out, no sweat, wait until I write the guide :grin:


----------



## ZippyTheGrunt

@ SuperTroll - Ok after this I'm done hi-jacking the topic.

If the ports 80 and 443 are open by default, then what's the rule to disable both those ports?

I have not done a from scratch install recently, but I can tell you from numerous blogs and forums that most people say you have to open 80 and 443 on Windows 7.

Here are some examples from a simple google search:
http://www.ofzenandcomputing.com/zanswers/3240
http://superuser.com/questions/92488/apache-server-on-windows-7-opening-up-ports
http://msdn.microsoft.com/en-us/library/ms751530.aspx

I'm not trying to be a jerk, but I want to know (if you're right) how one would go about disabling. Because if something is switched on, it must also be able to be switched off.

Now Windows Vista has a firewall rule World Wide Web Services (HTTP) and another one for HTTPS, but I can't find the equivalent in Windows 7. I am not trying to be a pain, but I really want to get to the bottom of this.


----------



## chieftain

Super Troll said:


> @chieftain - OK, if you bear with me I'll write you up a config for your router. FYI, IP filtering is firewall, more or less.
> For now, you could enable the packet filtering and "add" a new rule to block specific incoming ports (443 etc.); if you can't work it out, no sweat, wait until I write the guide :grin:


Thanks Super Troll. That would be AWESOME! Take your time. I really do appreciate it!!


----------



## Super Troll

It is easy to block in Windows 7 + Vista:

*Click Start -> in the search box type "windows firewall with advanced security" -> open that up -> select Inbound Rules from the left column -> in the right column click "New Rule" -> now select Port + click Next -> select TCP and type the ports that you want to block, i.e. "80, 443", using a comma to separate ports + click Next -> select Block the connection + click Next -> click Next -> name the rule, i.e. "webserver block", + click Finish -> you're done, 80 and 443 inbound are now blocked.*

I will say it once and I'll say it again: 80 and 443 ARE open by default!!!!!!!!!!


----------
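The same inbound block rule, done from the command line instead of the wizard, with the two checks a defender wants alongside it: which enabled inbound allow rules actually exist for TCP (so the "443 is open by default" question in this thread can be answered on your own machine rather than from a screenshot), and whether anything on the PC is listening on 443 at all. This is an added example, not code from the thread or from Microsoft. It assumes Windows 7 and an elevated PowerShell prompt, uses the built-in `netsh advfirewall` tool (the `New-NetFirewallRule` cmdlets only exist from Windows 8 onward), parses netsh's English-language output, and the rule name "Block inbound web ports" is an arbitrary choice.

```powershell
# Added example (not from the thread). Assumes Windows 7, an elevated
# PowerShell prompt, and English netsh output. Rule name is arbitrary.

# --- 1. List every ENABLED inbound ALLOW rule for TCP with its local port.
#        netsh prints one "Rule Name:" block per rule; we parse the fields we
#        care about. Windows' own IPHTTPS rule shows its port by keyword
#        (LocalPort: IPHTTPS) rather than as the number 443, so read the
#        LocalPort column, not just a grep for "443".
function Get-InboundAllowRules {
    $rules = @()
    $current = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all dir=in)) {
        if ($line -match '^Rule Name:\s*(.+)$') {
            if ($current) { $rules += $current }
            $current = @{ Name = $matches[1].Trim(); Enabled = ''; Action = ''; Protocol = ''; LocalPort = '' }
        } elseif ($current -and $line -match '^(Enabled|Action|Protocol|LocalPort):\s*(.+)$') {
            $current[$matches[1]] = $matches[2].Trim()
        }
    }
    if ($current) { $rules += $current }
    # Hashtable keys are reachable as properties, so Where-Object can filter on them.
    $rules | Where-Object { $_.Enabled -eq 'Yes' -and $_.Action -eq 'Allow' -and $_.Protocol -eq 'TCP' }
}

"Enabled inbound TCP allow rules:"
Get-InboundAllowRules | ForEach-Object { "{0,-55} LocalPort: {1}" -f $_.Name, $_.LocalPort }

# --- 2. The block rule described in the post, without the GUI. In Windows
#        Firewall an explicit block rule takes precedence over allow rules for
#        the same traffic, so this closes inbound 80/443 on the PC regardless of
#        any allow rule found in step 1.
netsh advfirewall firewall add rule name="Block inbound web ports" dir=in action=block protocol=TCP localport=80,443

# --- 3. Is anything on THIS PC listening on 443? If this prints nothing, an
#        external scanner that still reports 443 as open is answering to a
#        device in front of the PC (e.g. the router), not to Windows.
"Local listeners on TCP 443:"
netstat -ano -p tcp | Select-String -Pattern ':443\s+\S+\s+LISTENING'

# --- 4. The netsh equivalent of the Control Panel's "Block all incoming
#        connections" (what the original poster already has set): inbound
#        traffic is dropped even where an allow rule exists, so the PC's
#        stealth result no longer depends on individual rule details.
netsh advfirewall set allprofiles firewallpolicy blockinboundalways,allowoutbound
```

Run it once, then repeat the external scan: if 443 still shows as open after steps 2 and 4 and step 3 listed no listener, the responder is outside the PC, which is the distinction the rest of the thread turns on.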



## chieftain

Thank you very much Super Troll!!!

As you probably recall I also have Norton 360 on my other PC. Please have a look at the following screenshots and let me know if I'm on the right track and help me out with a couple of the stages here. 

*This is the Firewall Settings interface*

*Then, I add a new rule to "Block"*

*I select "Connections from other computers"*

*On the next page, I select "Any Computer"*

*A little confused here, do I select "TCP and UDP" or only "TCP"? I select the second option (Only communications that match... ports..."*

*In locality, do I select "Local" or "Remote"? Does Remote refer to my router? What should I do here?*

*What do I do here? By the way, I have unchecked all IPv6 options in network settings as well as disabled it via netsh etc.*

*Finally, this is the last confirmation/warning page. I have not done anything so far, rather I cancelled the rule at this point. Once you let me know what I need to do/change, I'll go ahead.*

Thanks again for your help!


----------



## Super Troll

OK, so you're pretty much there with Norton 360, and you are obviously getting the hang of things. *Select local ports* (these are the ports you want to block on your system); remote ports are where the incoming connection originated from.
Also tick to apply the rule for NAT traversal; it will stop certain tricks used to fool firewalls into letting it at a port.

Hope that helps.


----------



## chieftain

I did all those things and GRC still displays the same results.

1st time scan: GRC says 443 is open
2nd scan (refreshing the page): GRC says all ports are stealth.

Interestingly, when I check for open ports at http://www.canyouseeme.org/, the site cannot "see" any port (80, 21 etc) EXCEPT for 443 



```text
Error: I could not see your service on xxx.xxx.xxx.xxx on port (21)
Error: I could not see your service on xxx.xxx.xxx.xxx on port (80)
```

But, when I type in 443 and click "Check":


```text
Success: I can see your service on xxx.xxx.xxx.xxx on port (443)
Your ISP is not blocking port 443
```

I wish it could not 'see' 443 either!!!

I will check with a wired router over the weekend. I remember passing all GRC tests with that wired router except for the PING test. With this wireless router, it passes the PING test every time but fails 443 the first time.


----------

