How do I unstealth a blocked port?

Question

  • I am blocking incoming connections at FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6.  This appears to drop the connect packet without a reply, which is normally a good idea to prevent port scans.  However I have been asked to 'unstealth' incoming connections on an internal LAN where the delay caused by the timeout is more important than the risk of a port scanner (who would have to be working inside the security anyway).

    Is there an easy way to allow the reset packet to be generated/sent?  If not do I need to generate reset packets within my callout?  If so is there an example of code that does something similar?

    Tuesday, November 23, 2010 4:37 PM

Answers

  • In this scenario, you generally do not see a RST packet, as the stack has essentially seen the inbound packet and knows there is a port listening for it.

    In order to do this, you would need to have a callout (probably the same one that does your drop) and have it generate a new RST packet, injecting it into the outbound path.

    Hope this helps.


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Saturday, November 27, 2010 10:10 PM
    Moderator
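The reply says the callout has to build the RST itself and hand it to the outbound path. The following is an added example, not code from the thread or from Microsoft: user-mode C that constructs the segment a closed port answers with (RFC 793 rules for a segment arriving in the CLOSED state, for IPv6/TCP) and computes the TCP checksum over the IPv6 pseudo-header, so the bytes can be checked before they ever go near a driver. The inbound SYN is a constructed sample (fe80::1 port 40000 to fe80::2 port 445). The kernel side that actually injects the buffer from the callout (the FWPS injection API) is not shown; only the packet construction is.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPV6_HDR_LEN 40
#define TCP_HDR_LEN  20
#define TCP_FLAG_FIN 0x01
#define TCP_FLAG_SYN 0x02
#define TCP_FLAG_RST 0x04
#define TCP_FLAG_ACK 0x10

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* One's-complement accumulation and fold, as used by the TCP checksum. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len) {
    while (len > 1) { sum += rd16(p); p += 2; len -= 2; }
    if (len) sum += (uint32_t)p[0] << 8;
    return sum;
}
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* TCP checksum over the IPv6 pseudo-header (src, dst, upper-layer length, next header 6)
   followed by the TCP segment. pkt points at the IPv6 header. Recomputing over a packet
   whose checksum field is already filled in yields 0 when the checksum is correct. */
uint16_t tcp6_checksum(const uint8_t *pkt, size_t pkt_len) {
    uint8_t pseudo[40];
    size_t tcp_len = pkt_len - IPV6_HDR_LEN;
    memcpy(pseudo, pkt + 8, 32);            /* source + destination address */
    wr32(pseudo + 32, (uint32_t)tcp_len);   /* upper-layer packet length */
    pseudo[36] = pseudo[37] = pseudo[38] = 0;
    pseudo[39] = 6;                         /* next header = TCP */
    uint32_t sum = csum_add(0, pseudo, sizeof pseudo);
    sum = csum_add(sum, pkt + IPV6_HDR_LEN, tcp_len);
    return csum_fold(sum);
}

/* Build the reply a closed port sends (RFC 793, CLOSED state):
   - incoming segment without ACK: <SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK>
   - incoming segment with ACK:    <SEQ=SEG.ACK><CTL=RST>
   SEG.LEN is the payload length plus one for SYN and one for FIN.
   Returns 60 (bytes written to out) or 0 if the input is not IPv6/TCP or is itself a RST,
   which is never answered with another RST. */
size_t build_rst6(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap) {
    if (in_len < IPV6_HDR_LEN + TCP_HDR_LEN || out_cap < IPV6_HDR_LEN + TCP_HDR_LEN) return 0;
    if ((in[0] >> 4) != 6 || in[6] != 6) return 0;   /* IP version 6, next header TCP */
    const uint8_t *tcp = in + IPV6_HDR_LEN;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;        /* TCP header length incl. options */
    if (doff < TCP_HDR_LEN || IPV6_HDR_LEN + doff > in_len) return 0;
    uint8_t flags = tcp[13];
    if (flags & TCP_FLAG_RST) return 0;

    uint32_t seg_seq = rd32(tcp + 4), seg_ack = rd32(tcp + 8);
    uint32_t seg_len = (uint32_t)(in_len - IPV6_HDR_LEN - doff);
    if (flags & TCP_FLAG_SYN) seg_len++;
    if (flags & TCP_FLAG_FIN) seg_len++;

    memset(out, 0, IPV6_HDR_LEN + TCP_HDR_LEN);
    out[0] = 0x60;                   /* version 6 */
    wr16(out + 4, TCP_HDR_LEN);      /* payload length: bare TCP header */
    out[6] = 6; out[7] = 64;         /* next header TCP, hop limit 64 */
    memcpy(out + 8, in + 24, 16);    /* our source   = their destination */
    memcpy(out + 24, in + 8, 16);    /* our dest     = their source */
    uint8_t *otcp = out + IPV6_HDR_LEN;
    memcpy(otcp, tcp + 2, 2);        /* ports swapped as well */
    memcpy(otcp + 2, tcp, 2);
    if (flags & TCP_FLAG_ACK) {
        wr32(otcp + 4, seg_ack);
        otcp[13] = TCP_FLAG_RST;
    } else {
        wr32(otcp + 8, seg_seq + seg_len);
        otcp[13] = TCP_FLAG_RST | TCP_FLAG_ACK;
    }
    otcp[12] = (TCP_HDR_LEN / 4) << 4;   /* data offset 5 words, no options */
    wr16(otcp + 16, tcp6_checksum(out, IPV6_HDR_LEN + TCP_HDR_LEN));
    return IPV6_HDR_LEN + TCP_HDR_LEN;
}

/* Constructed sample: SYN from fe80::1:40000 to fe80::2:445, seq 0x11223344, no options. */
size_t sample_syn6(uint8_t *buf, size_t cap) {
    if (cap < 60) return 0;
    memset(buf, 0, 60);
    buf[0] = 0x60; wr16(buf + 4, TCP_HDR_LEN); buf[6] = 6; buf[7] = 64;
    buf[8] = 0xfe; buf[9] = 0x80; buf[23] = 1;
    buf[24] = 0xfe; buf[25] = 0x80; buf[39] = 2;
    uint8_t *t = buf + IPV6_HDR_LEN;
    wr16(t, 40000); wr16(t + 2, 445); wr32(t + 4, 0x11223344);
    t[12] = 0x50; t[13] = TCP_FLAG_SYN; wr16(t + 14, 65535);
    wr16(t + 16, tcp6_checksum(buf, 60));
    return 60;
}

int main(void) {
    uint8_t syn[60], rst[60];
    sample_syn6(syn, sizeof syn);
    size_t n = build_rst6(syn, sizeof syn, rst, sizeof rst);
    for (size_t i = 0; i < n; i++) printf("%02x%s", rst[i], (i % 16 == 15) ? "\n" : " ");
    printf("\n");
    return 0;
}
```

Two details matter once this moves into a callout: the reply must be built from the original packet's addresses and ports (the callout sees them in the classify data), and a segment that already carries RST must be dropped silently, otherwise two hosts can ping-pong resets. Checking `tcp6_checksum(out, len) == 0` on the finished buffer is a cheap self-test before injection.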