[lug] Netopia R 7100 router problematic?
Samartha
samartha at pobox.com
Thu Feb 17 16:34:52 MST 2000
I am trying to get a Netopia 7100 DSL router to work with NAT but
it's not working. Netopia's tech support is on it since last Friday,
checked configuration but are not able to explain why it is not working.
They upgraded firmware twice without making progress.
The router has telnet and ping clients and from the router it is
possible to ping and telnet to both sides - to the LAN and the
Internet - so routing is not an issue.
The current working router is an ISDN Ascend Pipeline 85 and it works
flawlessly.
I am at a loss with this situation. If you have any comments, it's appreciated.
Below is a snippet of running nmap against the Ascend and the Netopia.
The results speak for themselves and I found the difference quite amazing.
>I added an input filter to prevent pings and telnet to the router:
>Filter Set... ICMP Block
>+-#----Source IP Addr----Dest IP Addr------Proto-Src.Port-D.Port--On?-Fwd-+
>+-------------------------------------------------------------------------+
>| 1    0.0.0.0           0.0.0.0           ICMP  --       --      Yes No  |
>| 2    0.0.0.0           0.0.0.0           TCP   =23      =23     Yes No  |
>incoming ping does not work anymore - which is fine
>but the nmap shows the telnet port open:
>Interesting ports on netopia (***.***.***.***):
>Port State Protocol Service
>22 filtered tcp ssh
>23 open tcp telnet
>25 filtered tcp smtp
>137 filtered tcp netbios-ns
>138 filtered tcp netbios-dgm
>139 filtered tcp netbios-ssn
>1723 open tcp pptp
>and that's not just an oddity of nmap reporting, the port is indeed being
>listened on and responded to:
>Telnet connection refused.
>Please disconnect.
>and, when I enable telnet console access, it even allows access to the
>router, giving me a login prompt.
>I don't think this should be the case. As it is, I have no means to shut
>the telnet port off and hide its internet presence.
>Just out of interest, I ran nmap against the ISDN Ascend router. There it
>would not even respond. I had to use the -P0 option to get any results.
>Contrary to the 7100, it does not announce any of the NAT ports and the
>scan takes prohibitively long - over 6 minutes. Of course, from a security
>standpoint it would be great that the 7100 could show some similar
>behavior - at least not advertise its ports to the world.
>nmap -v netopia
>Starting nmap V. 2.3BETA14 by fyodor at insecure.org ( www.insecure.org/nmap/ )
>No tcp,udp, or ICMP scantype specified, assuming vanilla tcp connect() scan.
>Use -sP if you really don't want to portscan (and just want to see what hosts
>are up).
>Host netopia (***.***.***.***) appears to be up ... good.
>Initiating TCP connect() scan against netopia (***.***.***.***)
>Adding TCP port 23 (state Open).
>Adding TCP port 1723 (state Open).
>The TCP connect scan took 17 seconds to scan 1511 ports.
>Interesting ports on netopia (***.***.***.***):
>Port State Protocol Service
>22 filtered tcp ssh
>23 open tcp telnet
>25 filtered tcp smtp
>137 filtered tcp netbios-ns
>138 filtered tcp netbios-dgm
>139 filtered tcp netbios-ssn
>1723 open tcp pptp
>Nmap run completed -- 1 IP address (1 host up) scanned in 17 seconds
>
>nmap -P0 -v pcssh
>Starting nmap V. 2.3BETA14 by fyodor at insecure.org ( www.insecure.org/nmap/ )
>No tcp,udp, or ICMP scantype specified, assuming vanilla tcp connect() scan.
>Use -sP if you really don't want to portscan (and just want to see what hosts
>are up).
>Initiating TCP connect() scan against pcssh (***.***.***.***)
>The TCP connect scan took 484 seconds to scan 1511 ports.
>Interesting ports on pcssh (***.***.***.***):
>Port State Protocol Service
>137 filtered tcp netbios-ns
>138 filtered tcp netbios-dgm
>139 filtered tcp netbios-ssn
>Nmap run completed -- 1 IP address (1 host up) scanned in 484 seconds
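
Added example, not part of the original post and not Netopia's code: a small first-match packet-filter model that evaluates the two "ICMP Block" rules quoted above against a constructed ping and a constructed telnet SYN from an ephemeral source port. The matching semantics (every populated field must match, unmatched packets are forwarded) and the destination-only rule variant are assumptions made for illustration.

```python
# Added illustration: a minimal first-match packet-filter model.
# Assumptions (not taken from Netopia documentation): every populated field
# of a rule must match, 0.0.0.0 means "any address" (so addresses are not
# modelled), and a packet that matches no rule is forwarded.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    proto: str
    src_port: Optional[int]   # None = any port ("--" in the filter table)
    dst_port: Optional[int]
    forward: bool             # the table's "Fwd" column

@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: Optional[int]
    dst_port: Optional[int]

def matches(rule, pkt):
    """True only when protocol and every constrained port field agree."""
    if rule.proto != pkt.proto:
        return False
    if rule.src_port is not None and rule.src_port != pkt.src_port:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True

def forwarded(rules, pkt, default=True):
    """First matching rule decides; otherwise the assumed default applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.forward
    return default

# The filter set as quoted in the post: ICMP any/any, TCP src =23 and dst =23.
ICMP_BLOCK = [Rule("ICMP", None, None, False), Rule("TCP", 23, 23, False)]
# Hypothetical variant that constrains only the destination port.
DST_ONLY = [ICMP_BLOCK[0], Rule("TCP", None, 23, False)]

# Constructed packets: an inbound ping and a telnet SYN from an ephemeral port.
PING = Packet("ICMP", None, None)
TELNET_SYN = Packet("TCP", 49152, 23)

if __name__ == "__main__":
    for name, rules in (("as posted", ICMP_BLOCK), ("dst-only", DST_ONLY)):
        print(name, "| ping forwarded:", forwarded(rules, PING),
              "| telnet SYN forwarded:", forwarded(rules, TELNET_SYN))
```

Under these assumed semantics the posted rule set drops the ping but forwards the telnet SYN, which is consistent with the scan output in the post; whether the router actually evaluates rules this way has to be confirmed against its documentation.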