
SW TZ 370 W - nmap discovers 65535 open ports on WAN port

Hello all,

I am in the process of configuring our new Sonicwall. This is in our test environment.

I have run "nmap -p- <ip>" on the WAN IP and nmap tells me that the Sonicwall has 65535 open ports.

Every connection attempt is terminated with a "reset".


I have activated "Stealth Mode" and, according to my understanding, no ports should be found, or a connection attempt should be terminated with "refused".


I have now looked through all the documentation I could find, searched the forum, and compared my settings with an older SonicWall. I know I'm missing something, I just don't know what.


Can you tell me what setting I'm missing here?


Thanks for your help

mezzo

Category: Entry Level Firewalls

Best Answer

  • TKWITS Community Legend ✭✭✭✭✭

    "I get 65535 open ports. The connection establishment is closed with a "connection reset"."

    Technically they are not open ports. Again, a reset response is normal behavior. Maybe you have discovered a bug in Stealth Mode.

    Are you on the latest firmware version?

    I'd suggest opening a case with support.

Answers

  • TKWITS Community Legend ✭✭✭✭✭

    You have failed to explain where you are testing from. The LAN side? The WAN side?

  • mezzo Newbie ✭

    Thanks, that's right.

    The TZ 370 W is connected to LAN of another SonicWall. The Linux PC with nmap is connected to the same LAN.

    The TZ 370 W has a static IP address.

  • TKWITS Community Legend ✭✭✭✭✭

    Your explanation is convoluted, but I understand. You are testing traffic to the WAN IP of the TZ370W from the WAN side.

    I think this is more of a TCP/IP question than a SonicWall one, but I will attempt to explain. TCP Reset packets are commonly used by firewall (and other) devices to indicate closed ports. It is their way of aborting the connection. There actually isn't a 'refused' flag in the TCP specification, so expecting a 'refused' result is inaccurate.

    Read more: https://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure

    https://isc.sans.edu/forums/diary/The+special+case+of+TCP+RST/26824/

  • mezzo Newbie ✭

    I see my post is confusing, thanks for pointing it out.

    I let myself be influenced too much by what I have read before.


    Back to the topic:

    I have a SonicWall; the LAN interface has the default settings, and the WAN interface too, except that a static IP was assigned.

    The access rules are also the defaults. I have not added any block or allow rules.

    In the firewall settings the Stealth Mode is activated!

    As described above, the SonicWall and the nmap client are on the same LAN and the same switch. The switch is connected to another SonicWall.


    What the Stealth Mode does I got from here: https://www.sonicwall.com/support/knowledge-base/what-is-stealth-mode/170505790029839/

    Quote: If the security device does not respond, the result is as if the remote node is trying to connect to an IP address that is not assigned to anything. This is known as stealth mode.


    If I now execute "nmap -p- <ip>" or "nmap -sT <ip>", I get 65535 open ports. The connection establishment is closed with a "connection reset".


    When I compare the quote and the evaluation of nmap, I think that the stealth mode does not work.


    Have I misunderstood the stealth mode and is the behavior of the SonicWall correct?

    Or did I miss something in my configuration? If so, what?


    Thanks for your help

    mezzo
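The two points argued over in this thread, what a TCP RST means to a port scanner (TKWITS's reply above) and what a "stealth" host is supposed to look like (the KB quote in mezzo's post), come down to how nmap maps each probe reply onto a port state. The script below is an added example and is not code from SonicWall or from either poster: it classifies single SYN-probe replies the way nmap does, then summarises greppable (`-oG`) scan output so that the "Ignored State" bucket is counted, which is where the other 65,000-odd ports end up. The report lines are constructed samples in the `-oG` shape, not captures from a TZ 370 W; the 192.0.2.1 address is a documentation address.

```python
"""
nmap port states from TCP probe replies, plus a summary of -oG output.
Added example for the thread above; not SonicWall's or the posters' code.
All replies and report lines below are constructed, not real captures.
"""
import re
from collections import Counter

# TCP flag bits as they sit in the header (RFC 9293).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def classify_syn_probe(reply):
    """Map the reply to one SYN probe onto nmap's port state.

    reply is None for no answer at all, the string "icmp-unreachable" for an
    ICMP error, or the TCP flag bits of the segment that came back.

      SYN/ACK          -> open      (something is listening)
      RST              -> closed    (a host answered; nothing listens there)
      nothing / ICMP   -> filtered  (what a non-responding "stealth" host looks like)

    A RST is also what a connect scan (-sT) surfaces as ECONNREFUSED on the
    socket; TCP has no "refused" flag, only RST.
    """
    if reply is None or reply == "icmp-unreachable":
        return "filtered"
    if reply & RST:
        return "closed"
    if (reply & SYN) and (reply & ACK):
        return "open"
    return "filtered"  # simplification: nmap retries odd replies before settling


# One port entry in -oG looks like "22/closed/tcp//ssh///".
PORT_RE = re.compile(
    r"(\d+)/(open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)/(tcp|udp)"
)
# nmap folds the bulk of the ports into "Ignored State: closed (65533)".
IGNORED_RE = re.compile(r"Ignored State: ([a-z|]+) \((\d+)\)")


def summarize_grepable(report):
    """Count port states in nmap -oG text, including the Ignored State bucket."""
    counts = Counter()
    for line in report.splitlines():
        if not line.startswith("Host:"):
            continue
        for _port, state, _proto in PORT_RE.findall(line):
            counts[state] += 1
        m = IGNORED_RE.search(line)
        if m:
            counts[m.group(1)] += int(m.group(2))
    return dict(counts)


def stealth_verdict(counts):
    """Read the summary for a WAN interface that publishes no services."""
    if counts.get("open", 0):
        return "open ports listed; host answers and a service is exposed"
    if counts.get("closed", 0):
        return "host answers every probe with RST (closed); not stealth"
    return "no probe answered (filtered); consistent with stealth mode"


# Constructed -oG lines in the shape of `nmap -sS -p- -oG - <ip>` output.
REPORT_ALL_RST = (
    "Host: 192.0.2.1 ()\tPorts: 22/closed/tcp//ssh///, 80/closed/tcp//http///"
    "\tIgnored State: closed (65533)\n"
)
REPORT_STEALTH = "Host: 192.0.2.1 ()\tPorts: \tIgnored State: filtered (65535)\n"
REPORT_VPN = (
    "Host: 192.0.2.1 ()\tPorts: 443/open/tcp//https///, 4433/open/tcp/////"
    "\tIgnored State: filtered (65533)\n"
)

if __name__ == "__main__":
    samples = [("all RST", REPORT_ALL_RST), ("stealth", REPORT_STEALTH), ("vpn", REPORT_VPN)]
    for name, report in samples:
        counts = summarize_grepable(report)
        print(f"{name:8s} {counts} -> {stealth_verdict(counts)}")
```

To reproduce the thread's situation, run the scan from the WAN side with greppable output, for example `nmap -sS -p- -oG scan.gnmap <wan-ip>` (or `-sT` for a connect scan, as in the post), and feed the file to `summarize_grepable`. A device answering every probe with RST shows up as 65535 closed ports, never as open ones; a device in the non-responding mode the KB article describes shows up as 65535 filtered ports.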

  • mezzo Newbie ✭

    Hello TKWITS,

    Thanks for your feedback; I think the same, it is a bug. The support case is open.

    The latest firmware is installed.


    Kind regards

    mezzo
