
Thread: Security Scan: Port 80 Closed, Not Blocked

  1. #1


    I just don't get it. I've spent the last few hours working with iptables... well the last many hours... and I've tried to drop packets heading from the WAN port to tcp port 80 and to my WAN IP address port 80 but nothing has worked. The port appears Closed rather than Blocked on Sygate's Security Scan unless I have a firewall running on my main computer. It's not DMZ'd or anything else, I swear I'm not that much of a newbie, though I do have a lot of ports forwarded to it, and port 20080 on the outside goes to port 80 on the inside... (iptables -A PREROUTING -p tcp -m tcp -d wan_ip --dport 20080 -j DNAT --to-destination 192.168.1.10:80). Not sure if that has anything to do with it.

    I've tried each of these:

    iptables -A INPUT -p tcp -m tcp -i eth1 --dport 80 -j DROP
    iptables -A FORWARD -p tcp -m tcp -i eth1 --dport 80 -j DROP
    iptables -A INPUT -p tcp -m tcp -d 68.x.x.x --dport 80 -j DROP
    iptables -A FORWARD -p tcp -m tcp -d 68.x.x.x --dport 80 -j DROP

    Previously I've tried forwarding everything incoming from the WAN (through Virtual Servers) to port 80 to 0.0.0.0. No luck. It appears Closed on any computer on the network...

    I've tried using -I also which should, I believe, make these rules the highest priority? No luck.

    UNLESS I have a firewall running on 192.168.1.10 (my main computer)! Then it appears Blocked. I... don't know why. It's not in my settings at all. I've reset them enough to know.

    Let me repeat that it doesn't matter which computer I run the test from. It only matters whether or not the software firewall is running on this specific computer, and I have the same exact firewall running on another one.

    So, for example, I can run the scan from a completely different and firewalled computer on the network and port 80 will appear closed. I open the software firewall on 192.168.1.10 and there you go.

    Here's my set-up. It's unique but should be self-explanatory:

    post-firewall:
    Code:
    #!/bin/sh
    # Substitute the real WAN address ($2, handed to post-firewall by the firmware) for the wan_ip placeholder
    sed 's/wan_ip/'$2'/g' /usr/local/firewall >/tmp/firewall
    # Load the whole ruleset atomically (tables, policies and rules from the generated file)
    iptables-restore /tmp/firewall
    #rm /tmp/firewall
    firewall:
    Code:
    #The NAT portion of the ruleset. Used for Network Address Translation.
    #Usually not needed on a typical web server, but it's there if you need it.
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A POSTROUTING -o eth1 -j MASQUERADE
    -A POSTROUTING -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j MASQUERADE
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 33770 -j DNAT --to-destination 192.168.1.1:80
    # === port forwarding rules
    # --Comp0
    # VNC
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 5900 -j DNAT --to 192.168.1.10
    # VNC web
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 5800 -j DNAT --to 192.168.1.10
    # Telnet
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 20023 -j DNAT --to-destination 192.168.1.10:23
    # Web
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 20080 -j DNAT --to-destination 192.168.1.10:80
    # SSL
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 443 -j DNAT --to 192.168.1.10
    # NetMeeting 1
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 1503 -j DNAT --to 192.168.1.10
    # NetMeeting 2
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 1720 -j DNAT --to 192.168.1.10
    # Reverse VNC
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 5500 -j DNAT --to 192.168.1.10
    # Shareaza
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 13692 -j DNAT --to 192.168.1.10
    # WinMX TCP
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 6699 -j DNAT --to 192.168.1.10
    # WinMX UDP
    -A PREROUTING -p udp -m udp -d wan_ip --dport 6257 -j DNAT --to 192.168.1.10
    # ABC
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 6881:6999 -j DNAT --to 192.168.1.10
    
    #iptables -A PREROUTING -p tcp -m tcp -d wan_ip --dport 5800 -j DNAT --to 192.168.1.10
    
    # --Comp1
    # VNC
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 5902 -j DNAT --to 192.168.1.12
    # VNC web
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 5802 -j DNAT --to 192.168.1.12
    
    # --Comp2
    # VNC
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 5901 -j DNAT --to 192.168.1.11
    # VNC web
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 5801 -j DNAT --to 192.168.1.11
    COMMIT
    
    #The Mangle portion of the ruleset. Here is where unwanted packet types get dropped.
    #This helps in making port scans against your server a bit more time consuming and difficult, but not impossible.
    *mangle
    :PREROUTING ACCEPT [444:43563]
    :INPUT ACCEPT [444:43563]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [402:144198]
    :POSTROUTING ACCEPT [402:144198]
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    COMMIT
    
    #The FILTER section of the ruleset is where we initially drop all packets and then selectively open certain ports.
    #We will also enable logging of all dropped requests.
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [150:10999]
    #:OUTPUT ACCEPT [0:0]
    :MACS - [0:0]
    :logaccept - [0:0]
    :logdrop - [0:0]
    :bad_addresses - [0:0]
    # Allow any traffic originating locally
    -A INPUT -i lo -j ACCEPT
    # put in your trusted address here so you can't lock yourself out
    -A INPUT -i eth1 -s 192.168.1.11 -j ACCEPT
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -i lo -m state --state NEW -j ACCEPT
    -A INPUT -i br0 -m state --state NEW -j ACCEPT
    -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
    # Weed out bad addresses
    -A INPUT -i eth1 -j bad_addresses
    # Drop stealth scans
    -A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A INPUT -i eth1 -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN              -j DROP
    -A INPUT -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST              -j DROP
    -A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST              -j DROP
    -A INPUT -i eth1 -p tcp -m tcp --tcp-flags ACK,FIN FIN                  -j DROP
    -A INPUT -i eth1 -p tcp -m tcp --tcp-flags ACK,URG URG                  -j DROP
    # Allow services that have already been established
    -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Custom services/from firmware
    -A INPUT -p tcp -m tcp -d 192.168.1.1 --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp -d 192.168.1.1 --dport 21 -j ACCEPT
    #-A INPUT -j DROP
    -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A FORWARD -m state --state INVALID -j DROP
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -i eth1 -p tcp --syn -m limit --limit 1/s -j ACCEPT
    -A FORWARD -i eth1 -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    -A FORWARD -i eth1 -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    # Restrict ICMP traffic
    #-A INPUT -i eth1 -p icmp -m icmp --icmp-type echo-reply              -j ACCEPT
    #-A INPUT -i eth1 -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
    #-A INPUT -i eth1 -p icmp -m icmp --icmp-type echo-request            -j ACCEPT
    #-A INPUT -i eth1 -p icmp -m icmp --icmp-type time-exceeded           -j ACCEPT
    # Log everything else
    #-A INPUT -m limit --limit 3 -j LOG
    # --- Bad Address tables ---
    -A bad_addresses -s 192.168.0.0/255.255.0.0 -j DROP
    -A bad_addresses -s 10.0.0.0/255.0.0.0      -j DROP
    -A bad_addresses -s 172.16.0.0/12           -j DROP
    -A bad_addresses -s 127.0.0.0/8             -j DROP
    -A bad_addresses -s 0.0.0.0/8               -j DROP
    -A bad_addresses -s 169.254.0.0/16          -j DROP
    -A bad_addresses -s 224.0.0.0/4             -j DROP
    -A bad_addresses -s 240.0.0.0/5             -j DROP
    -A bad_addresses -d 224.0.0.0/4 -p ! udp    -j DROP
    -A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logaccept -j ACCEPT
    -A logdrop -m state --state NEW -j LOG --log-prefix "DROP" --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logdrop -j DROP
    -A INPUT -p tcp -m tcp -i eth1 --dport 80 -j DROP
    COMMIT
    Firmware: 1.8.1.7-3, happened with all others ever tried.

    Oh, and I've tried "-A INPUT -p tcp -m tcp -i eth1 --dport 80 -j DROP" at the top and bottom to rule out precedence issues...

    You know what the weirdest part of this is? I'm pretty sure my ISP blocks port 80... Why would it ever be Closed and not Blocked anyway? Why would it ever fluctuate?
    Last edited by tomilius; 27-02-2005 at 10:03.

  2. #2
    Quote Originally Posted by tomilius
    I just don't get it. I've spent the last few hours working with iptables... well the last many hours... and I've tried to drop packets heading from the WAN port to tcp port 80 and to my WAN IP address port 80 but nothing has worked. The port appears Closed rather than Blocked on Sygate's Security Scan unless I have a firewall running on my main computer.
    I think it has to do with -j DROP versus -j REJECT. If you have the luxury of putting in -j REJECT, give it a shot. DROP means the probing party's packet goes into a black hole; it doesn't get any reply. REJECT will give some feedback to the probing party.

    Cheers
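
    The DROP-versus-REJECT distinction above is exactly what a remote scanner's "Blocked" / "Closed" labels encode. As an added worked example (my own code, not part of any post in this thread), here is a small Python probe that performs one TCP connect and maps the outcome to that vocabulary. The function names `probe` and `classify_error` and the 3-second timeout are my choices; point it at your own WAN address from outside your network to check what the firewall actually answers with.

```python
import errno
import socket

# Added example, not from the thread. What a single connect() observes for each firewall verdict:
#   ACCEPT + a listening service -> handshake completes              -> "open"
#   REJECT (or no firewall)      -> RST or ICMP port-unreachable     -> "closed"   (Sygate: "Closed")
#   DROP                         -> nothing comes back, connect times out -> "filtered" (Sygate: "Blocked")


def classify_error(exc):
    """Map the OSError raised by a failed connect() to the scanner's vocabulary."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"          # the SYN was silently dropped (or lost in transit)
    code = getattr(exc, "errno", None)
    if isinstance(exc, ConnectionRefusedError) or code == errno.ECONNREFUSED:
        # A TCP RST from the host, or the ICMP port-unreachable that iptables' default
        # REJECT sends: Linux reports both as ECONNREFUSED, so both look "closed".
        return "closed"
    if code in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        # ICMP host/net-unreachable, e.g. REJECT --reject-with icmp-host-unreachable
        return "unreachable"
    return "error"                 # anything else: no route, name resolution, permissions, ...


def probe(host, port, timeout=3.0):
    """Attempt one TCP connect and return open / closed / filtered / unreachable / error."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)       # timeout is an assumption; raise it on slow links
    try:
        sock.connect((host, port))
        return "open"
    except OSError as exc:
        return classify_error(exc)
    finally:
        sock.close()


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])   # e.g. your own WAN address and 80
    print(f"{host}:{port} -> {probe(host, port)}")
```

    Run it from a host outside the firewall; a "filtered" result is what the scan in this thread calls Blocked, and a "closed" result means something (the router with REJECT, or a host behind a DNAT) answered the SYN.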

  3. #3
    iptables v1.2.7a: Couldn't load target `REJECT':File not found

    Probably because I'm using 1.8.1.7-3... and I don't plan to upgrade until ASUS releases a new firmware source and it is customized. I'm done experimenting until then. I wasted a whole week off trying to solve issues with dropped connections. But wouldn't REJECT actually just make it show up as Closed, which is what is happening now anyway... ?

    I'm actually OK with this I guess. All my computers are software firewalled so I should be fine with any of the nonsense of the WL-500g's firewall. At least I (may) have a stable connection now.

    Oh, and thanks by the way for your help and quick reply. Sorry for being rude, I'm just exhausted.
    Last edited by tomilius; 27-02-2005 at 10:32.

  4. #4
    Quote Originally Posted by tomilius
    iptables v1.2.7a: Couldn't load target `REJECT':File not found
    You need to go get some good rest first. I said 'if you have the luxury' ....

    The REJECT extension is not present in the firmware.

    I have attached it below.

    Cheers

  5. #5
    [EDITED COMPLETELY]

    Yay. With some simple hex editing I was able to perform this without a usb file system... but it's a no-go. Don't understand why it would work--doesn't REJECTING give a reply, like you said? What good would it do to use it? Either way, I tried this:

    /usr/local/sbin/iptables -A INPUT -p tcp -m tcp -d 68.x.x.x --dport 20 -j REJECT

    And then ran a quick TCP scan. Connections on 20 were still "Blocked," not "Closed," even when I used DROP.
    Last edited by tomilius; 27-02-2005 at 19:25. Reason: UPDATE

  6. #6
    You can store it in the flashfs filesystem if the entire filesystem does not exceed the 64 Kb boundary.

    Check out http://wl500g.dyndns.org for more info on the flashfs filesystem.

  7. #7
    Thanks Styno! I figured it out though.

    Anyway, I even tried accepting or rejecting connections on random unopen ports. Nada, all blocked. That might have something to do with that port scanning mangler thing I have set up, and some of the other protections in there.

    Latest endeavor: Only allowed port 80 access through wireless. Still nothing doing, showing up Closed. I'll try disabling port 80 entirely and making no reference to it.

    NEWS FLASH (hehe): The router doesn't care, apparently. It allows port 80 traffic anyway. Maybe it's the default policy stuff.

    This is an ugly line: -A INPUT -i eth1 -s 192.168.1.11 -j ACCEPT

    Uh... I'm thinking maybe it's hard-coded somehow. I've tried everything. With -A PREROUTING -p tcp --dport 80 -j DROP, I was unable to connect to the web interface at all (for once) even on the LAN, but... the Sygate Scan still called it "Closed." I still don't understand how having a firewall running on MY computer of them all alone makes it Blocked.
    Last edited by tomilius; 27-02-2005 at 19:59.

  8. #8

    Eureka

    UPDATE: GAH! See the post below this one, please.

    I figured it out! The following rule ASUS automatically generates causes the problem:
    Code:
    -A FORWARD -i eth1 -p tcp --syn -m limit --limit 1/s -j ACCEPT
    So, to solve it, this should be put in post-firewall:
    Code:
    iptables -D FORWARD -i eth1 -p tcp --syn -m limit --limit 1/s -j ACCEPT
    I'm not sure about the following lines, but I took them out as well:
    Code:
    -A FORWARD -i eth1 -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    -A FORWARD -i eth1 -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    In case anyone is interested, here's how my ruleset looks now (without port forwarding included). It uses port 33770 for web administration, and has some handy "theoretical" features gathered from various places--I'm not positive they work. Keep in mind wan_ip is automatically replaced with the correct IP with the post-firewall setup I outlined previously.

    Oh and if you do use it, be sure to make room in the filter section for the FORWARD part of nat stuff.

    Code:
    #The NAT portion of the ruleset. Used for Network Address Translation.
    #Usually not needed on a typical web server, but it's there if you need it.
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A POSTROUTING -o eth1 -j MASQUERADE
    -A POSTROUTING -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j MASQUERADE
    -A PREROUTING -p tcp -m tcp -d wan_ip --dport 33770 -j DNAT --to-destination 192.168.1.1:80
    # === port forwarding rules go here
    
    #The Mangle portion of the ruleset. Here is where unwanted packet types get dropped.
    #This helps in making port scans against your server a bit more time consuming and difficult, but not impossible.
    *mangle
    :PREROUTING ACCEPT [444:43563]
    :INPUT ACCEPT [444:43563]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [402:144198]
    :POSTROUTING ACCEPT [402:144198]
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    COMMIT
    
    #The FILTER section of the ruleset is where we initially drop all packets and then selectively open certain ports.
    #We will also enable logging of all dropped requests.
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    :MACS - [0:0]
    :logaccept - [0:0]
    :logdrop - [0:0]
    :bad_addresses - [0:0]
    -A INPUT -m state --state INVALID -j DROP
    
    # and now some stuff from http://linux.jamesnet.ca/filter
    #
    
    -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A FORWARD -i br0 -j ACCEPT
    
    # Allow any traffic originating locally
    -A INPUT -i lo -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    
    # allow all communication on internal device , you may use lanip on a hub,
    # most at-home switches don't like it when you use this,
    -A INPUT -i br0 -j ACCEPT
    -A OUTPUT -o br0 -j ACCEPT
    
    # allow output on external device from lan ips
    -A OUTPUT -o eth1 -s 192.168.1.0/24 -j ACCEPT
    
    # Weed out bad addresses
    -A INPUT -i eth1 -j bad_addresses
    # Drop stealth scans
    -A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A INPUT -i eth1 -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN              -j DROP
    -A INPUT -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST              -j DROP
    -A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST              -j DROP
    -A INPUT -i eth1 -p tcp -m tcp --tcp-flags ACK,FIN FIN                  -j DROP
    -A INPUT -i eth1 -p tcp -m tcp --tcp-flags ACK,URG URG                  -j DROP
    
    # allow related and established
    # allow INPUT of RELATED and ESTABLISHED communication except for ICMP
    -A INPUT -i eth1 -p ! icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # Traceroute - allows output on external interface of UDP packets from source port of defined
    # ports for traceroute, and to specified UDP destination ports of the state NEW.
    -A OUTPUT -o eth1 -p udp --sport 32769:65535 --dport 33434:33523 -m state --state NEW -j ACCEPT
    
    # ICMP: this is of course required to receive the response time back from traceroute/ping
    -A INPUT -i eth1 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT 
    -A OUTPUT -o eth1 -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    
    # ALLOW OUTGOING DNS (some weird issues were happening involving that)
    -A OUTPUT -o eth1 -p udp -m udp --dport 53 -j ACCEPT
    -A OUTPUT -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
    
    #-A INPUT -i br0 -m state --state NEW -j ACCEPT
    #-A INPUT -i eth1 -p udp --dport 68 -j DROP
    -A INPUT -i br0 -p udp --sport 67 --dport 68 -j ACCEPT
    # Custom services/from firmware
    -A FORWARD -i br0 -o br0 -j ACCEPT
    #-A FORWARD -i eth1 -p tcp --syn -m limit --limit 1/s -j ACCEPT
    #-A FORWARD -i eth1 -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    #-A FORWARD -i eth1 -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    # Restrict ICMP traffic
    #-A INPUT -i eth1 -p icmp -m icmp --icmp-type echo-reply              -j ACCEPT
    #-A INPUT -i eth1 -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
    #-A INPUT -i eth1 -p icmp -m icmp --icmp-type echo-request            -j ACCEPT
    #-A INPUT -i eth1 -p icmp -m icmp --icmp-type time-exceeded           -j ACCEPT
    # Log everything else
    #-A INPUT -m limit --limit 3 -j LOG
    # --- Bad Address tables ---
    -A bad_addresses -s 192.168.0.0/255.255.0.0 -j DROP
    -A bad_addresses -s 10.0.0.0/255.0.0.0      -j DROP
    -A bad_addresses -s 172.16.0.0/12           -j DROP
    -A bad_addresses -s 127.0.0.0/8             -j DROP
    -A bad_addresses -s 0.0.0.0/8               -j DROP
    -A bad_addresses -s 169.254.0.0/16          -j DROP
    -A bad_addresses -s 224.0.0.0/4             -j DROP
    -A bad_addresses -s 240.0.0.0/5             -j DROP
    -A bad_addresses -d 224.0.0.0/4 -p ! udp    -j DROP
    -A OUTPUT -m state -p icmp --state INVALID -j DROP
    -A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logaccept -j ACCEPT
    -A logdrop -m state --state NEW -j LOG --log-prefix "DROP" --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logdrop -j DROP
    COMMIT
    Last edited by tomilius; 27-02-2005 at 23:22.
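
    The posts above turn on which chain a packet actually lands in and which rule gets to it first (the -A versus -I question in #1, the firmware's rate-limited SYN ACCEPT in FORWARD found in #8). As an added worked example (my own code, not tomilius's ruleset and not anything from the ASUS firmware), here is a small Python model that parses iptables-restore syntax and traces a SYN arriving on eth1 through nat PREROUTING, the routing decision, and filter INPUT or FORWARD. The ruleset is a constructed, trimmed copy of the one in post #1 with 68.0.0.1 as a placeholder WAN address; the packet is constructed; only the options that ruleset uses are modelled, and -m limit is treated as always matching (the first SYN within the burst does).

```python
import ipaddress
import shlex

# Constructed, trimmed-down copy of the thread's ruleset. 68.0.0.1 is a placeholder WAN address.
RULESET = """
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
-A PREROUTING -p tcp -m tcp -d 68.0.0.1 --dport 20080 -j DNAT --to-destination 192.168.1.10:80
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:bad_addresses - [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -j bad_addresses
-A INPUT -p tcp -m tcp -i eth1 --dport 80 -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -p tcp --syn -m limit --limit 1/s -j ACCEPT
-A bad_addresses -s 10.0.0.0/8 -j DROP
-A bad_addresses -s 192.168.0.0/255.255.0.0 -j DROP
COMMIT
"""
# Post #8's change: remove the firmware's rate-limited SYN ACCEPT and close the FORWARD policy.
HARDENED = (RULESET.replace(":FORWARD ACCEPT", ":FORWARD DROP")
            .replace("-A FORWARD -i eth1 -p tcp --syn", "#-A FORWARD -i eth1 -p tcp --syn"))

LOCAL_ADDRS = {"68.0.0.1", "192.168.1.1"}   # addresses the router itself owns (WAN placeholder + LAN)
VALUE_OPTS = {"-i", "-o", "-p", "-s", "-d", "-m", "-j", "--dport", "--sport",
              "--state", "--limit", "--to-destination"}
# Constructed sample packet: a scanner's SYN from the Internet to the router's WAN address.
SCAN_SYN = {"iface": "eth1", "proto": "tcp", "src": "203.0.113.5", "dst": "68.0.0.1",
            "dport": 80, "syn": True, "state": "NEW"}


def parse_ruleset(text):
    """iptables-restore syntax -> {table: {"policy": {chain: policy}, "chains": {chain: [rules]}}}."""
    tables, table = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "chains": {}})
        elif line.startswith(":"):
            name, policy = line.split()[:2]
            table["policy"][name[1:]] = policy
            table["chains"].setdefault(name[1:], [])
        elif line.startswith("-A"):                        # comments and COMMIT are skipped
            tok, rule, i = shlex.split(line), {"raw": line}, 2
            while i < len(tok):
                if tok[i] in VALUE_OPTS:
                    rule[tok[i]] = tok[i + 1]; i += 2
                else:
                    rule[tok[i]] = True; i += 1            # bare flags such as --syn
            table["chains"].setdefault(tok[1], []).append(rule)
    return tables


def matches(rule, pkt):
    """Match the option subset the sample ruleset uses; -m limit is treated as always matching."""
    if rule.get("-i", pkt["iface"]) != pkt["iface"] or rule.get("-p", pkt["proto"]) != pkt["proto"]:
        return False
    for opt, key in (("-s", "src"), ("-d", "dst")):
        if opt in rule and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[opt], strict=False):
            return False
    if "--dport" in rule:
        lo, _, hi = rule["--dport"].partition(":")           # single port or lo:hi range
        if not int(lo) <= pkt["dport"] <= int(hi or lo):
            return False
    if rule.get("--syn") and not pkt["syn"]:
        return False
    return "--state" not in rule or pkt["state"] in rule["--state"].split(",")


def walk(table, chain, pkt, trace):
    """Run the packet down one chain; return ACCEPT/DROP/REJECT, or None if it fell off the end."""
    for rule in table["chains"].get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule.get("-j")
        trace.append(f"{chain}: {rule['raw']}")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "DNAT":                                 # rewrite destination, traversal continues
            addr, _, port = rule["--to-destination"].partition(":")
            pkt["dst"], pkt["dport"] = addr, int(port or pkt["dport"])
            return "ACCEPT"
        if target in table["chains"]:                        # user chain; falling off it means RETURN
            verdict = walk(table, target, pkt, trace)
            if verdict:
                return verdict
    policy = table["policy"].get(chain, "-")
    if policy != "-":
        trace.append(f"{chain}: end of chain, policy {policy}")
        return policy
    return None


def trace_packet(tables, pkt):
    """nat PREROUTING (DNAT) -> routing decision -> filter INPUT (local) or FORWARD (other host)."""
    pkt, trace = dict(pkt), []
    walk(tables["nat"], "PREROUTING", pkt, trace)
    chain = "INPUT" if pkt["dst"] in LOCAL_ADDRS else "FORWARD"
    return chain, walk(tables["filter"], chain, pkt, trace), trace


def scanner_view(chain, verdict):
    """What a remote scanner reports, in the thread's Closed/Blocked vocabulary."""
    if verdict == "DROP":
        return "Blocked (no reply at all)"
    if verdict == "REJECT":
        return "Closed (RST or ICMP unreachable sent by the router)"
    if chain == "FORWARD":
        return "decided by the LAN host: Open if it listens, Closed if it answers with RST"
    return "Open if the router listens on that port, otherwise Closed"


if __name__ == "__main__":
    for label, text in (("original", RULESET), ("hardened", HARDENED)):
        for dport in (80, 20080):
            chain, verdict, trace = trace_packet(parse_ruleset(text), dict(SCAN_SYN, dport=dport))
            print(f"[{label}] SYN to wan:{dport} -> {chain} {verdict}: {scanner_view(chain, verdict)}")
            for step in trace:
                print("   ", step)
```

    With the original policies a SYN to wan_ip:80 stays on the router (INPUT) and meets the explicit DROP, so ordering against the other INPUT rules is all that matters there; the DNAT'd port 20080 never sees INPUT at all, it is routed into FORWARD, where the firmware's `--syn -m limit` ACCEPT passes it to 192.168.1.10 and that host, not the router, decides what the scanner sees. With post #8's change the same forwarded SYN falls through to the FORWARD DROP policy.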

  9. #9
    GEEZE! I'm not sure WHAT I know anymore. But I found the REAL cause of the problem. My ISP does block port 80 but I think it has a strange reaction to port 443 being anything but blocked. At least, when I have the forward rule for port 443 present, port 80 shows up as Closed and not Blocked.

    It may even just be a bug with the Sygate scan, and they assume 80 must be Closed if 443 is.

    Anyway, I'm done worrying about it. The only reason I got the "Closed" to go away before was because I hadn't put in all those extra forward acceptance rules since I had FORWARD in filters set to ACCEPT anyway. Now I need them.

  10. #10
    Yes, it's known that some ISPs block certain ports because they do not allow customers to set up their own servers (which is of course easily beaten by setting the web server to 81 or 8080, for instance).

    Scanning your ports can also be done by ShieldsUp!: https://grc.com/x/ne.dll?bh0bkyd2

    Port 433 has something to do with HTTPS (http protocol over TLS/SSL).

  11. #11
    Thanks for the reply, Styno. Yes, I'm familiar with SSL. It's actually forwarded to my computer for a reason--I serve it in most cases (for access to files remotely and such), but my computer's still getting back on its feet from a reinstallation.
