# Solved: Shields Up showing first 2 ports closed



## DKTaber (Oct 26, 2001)

I have used Steve Gibson's "Shields Up!" for many years to test my firewall. It has ALWAYS shown all ports in stealth mode. However, I ran it today on both my XP desktop and my Win 7 laptop, and on both, the first 2 ports show as "open" (blue). Since I was using only the Windows firewall, I tried installing the top-rated Comodo firewall, then retested with Shields Up. Same result: First 2 ports are still only closed, and the system fails the test.

The only change I've made recently is to add a router to my cable modem so I would connect the laptop to the Internet wirelessly. Does that have anything to do with the first two ports being just closed?


----------



## cwwozniak (Nov 29, 2005)

What are the port numbers?

Yes, it is possible that the router is causing ports to appear as open.


----------



## DKTaber (Oct 26, 2001)

cwwozniak said:


> What are the port numbers?
> 
> Yes, it is possible that the router is causing ports to appear as open.


Ports are 0 and 1. 0 is described as "nil/reserved". 1 is described as "tcpmux TCP Port Service Multiplexer".

BTW, neither is "open"; they're closed (blue, not red), but a closed port reports back to the pinging server that it's closed and in so doing, reveals the existence of my computer on the Web. Stealthed ports (green) are not only closed, but do not respond, so if all ports are in stealth mode, my presence on the Web is invisible.


----------



## cwwozniak (Nov 29, 2005)

I just read the explanations of port #0 and port #1 and have to admit I am mystified. I could make some guesses but would rather wait to see if a much more knowledgeable member can explain them and suggest how to stealth them in the modem, router or computer.

EDIT: Just ran a ShieldsUP scan on our company connection for ports 0-50 and both ports #0 and #1 are listed as closed with all others in that range listed as stealth.


----------



## DKTaber (Oct 26, 2001)

cwwozniak said:


> I just read the explanations of port #0 and port #1 and have to admit I am mystified. I could make some guesses but would rather wait to see if a much more knowledgeable member can explain them and suggest how to stealth them in the modem, router or computer.
> 
> EDIT: Just ran a ShieldsUP scan on our company connection for ports 0-50 and both ports #0 and #1 are listed as closed with all others in that range listed as stealth.


Well, it does appear that it has something to do with having a wireless connection. If that's so, I can understand why it can't be stealthed; the computers that connect wirelessly HAVE to know the router exists (can't be invisible to them) in order to connect. I have doubts that a hacker can use the first two ports to get into the computer, partly because port 0 is "reserved", but because they're not stealthed, it makes the computer visible to them, which bothers me.


----------



## cwwozniak (Nov 29, 2005)

DKTaber said:


> Well, it does appear that it has something to do with having a wireless connection. If that's so, I can understand why it can't be stealthed; the computers that connect wirelessly HAVE to know the router exists (can't be invisible to them) in order to connect.


I don't think that visible ports on the Internet side of the router have anything to do with computers being able to connect to the wireless LAN side of the router. The wireless computers need to know the correct SSID of the wireless access point in the router and any wireless encryption key that is being used. Unless you have a computer in the router's DMZ, I suspect that any connection attempts on ports #0 and #1 on the Internet side of the router do not go past the router.


----------



## Davec (Jan 27, 2001)

DKTaber said:


> The only change I've made recently is to add a router to my cable modem so I would connect the laptop to the Internet wirelessly. Does that have anything to do with the first two ports being just closed?


As explained on the site, you're testing the router and not the firewall on your computer.


----------



## DKTaber (Oct 26, 2001)

Davec said:


> As explained on the site, you're testing the router and not the firewall on your computer.


I have to rush off for an appointment, but took a very fast scan of Shield Up and could not find anything that said this. Where is it?


----------



## Davec (Jan 27, 2001)

Apparently it's not explained on the site anymore, but you can deduce it from the IP address it says it's scanning. That is the address of your router. If you run ipconfig /all at the command prompt, it will give you the IP address of your computer.


----------



## DKTaber (Oct 26, 2001)

Davec said:


> Apparently it's not explained on the site anymore, but you can deduce it from the IP address it says it's scanning. That is the address of your router. If you run ipconfig /all at the command prompt, it will give you the IP address of your computer.


The IP address it says it's scanning *looks like the one I remember* for my computer. Comcast changes it periodically, but it always starts with "68." The address from www.whatismyip.com and the Shields Up screen show the same number. However, if I check the IP address of my laptop -- which gets its Internet connection wirelessly from the same router that my desktop is connected to by Ethernet cable -- it reports the same address. So if different computers are connected to the same modem (wired or wireless), are they supposed to have the same IP address? IOW, that address is not really either computer's; it's the address of my cable modem. Yes? No?

FYI, ipconfig /all does not display that address *anywhere*! Why?


----------



## cwwozniak (Nov 29, 2005)

IPCONFIG /ALL only shows the connection information for your computer to the router. It knows nothing of the connection of the router to the modem or the modem to the Internet.

Your router uses a function called Network Address Translation (NAT) to map multiple private IP addresses on your LAN to the single public IP address of your Internet connection. Depending on how your modem is configured, the public IP address reported by Whatismyip and GRC.com is either for the modem or for the WAN side of your router.


----------



## DKTaber (Oct 26, 2001)

cwwozniak said:


> IPCONFIG /ALL only shows the connection information for your computer to the router. It knows nothing of the connection of the router to the modem or the modem to the Internet.
> 
> Your router uses a function called Network Address Translation (NAT) to map multiple private IP addresses on your LAN to the single public IP address of your Internet connection. Depending on how your modem is configured, the public IP address reported by Whatismyip and GRC.com is either for the modem or for the WAN side of your router.


I'm pretty computer literate and have provided tech support to several friends for many years. However, I'm a complete novice when it comes to routers and wireless connections. I've had my first and only router -- a D-Link N 150 -- for (hold onto your hat...) 1 week. I bought it only because I acquired my first-ever laptop (hold onto your hat again) 3 weeks ago. Despite that, I had 0 problems setting up the wireless network, and 0 problems with the laptop connecting to the Web through the router.

But all this 'stuff' about the actual IP address being scanned by Shields Up is new... and confusing. If the IP address is the one for my modem (i.e., the "place" from which all data are down- and uploaded), it has *always* been the "place" Shields Up scanned, and never showed any ports other than stealthed. Why, therefore, when you simply connect a router to that modem does it show the first 2 ports as "closed", not stealthed? The collection point for all downloaded data and distribution point for all uploaded data has not changed; it's still my cable modem. And is it a fact that adding a router that is used to provide a wireless connection only within ~50' around my home office somehow makes my connection to the Web *visible* when it was *invisible* before adding the router?


----------



## calvin-c (May 17, 2006)

Your cable modem might, or might not, get an IP address. From your description it sounds like it doesn't - it's a 'pass-thru' device; the IP address provided by your ISP gets assigned to whichever device is connected to it. (Directly, that is. Previously that was your PC, now it's your router.) Your PC(s) get an IP address assigned by the router from the pool of addresses it 'owns'. Typically these are in the 192.168.x.x range, which is reserved for internal network use only - I don't think you'll ever get one of these addresses assigned by your ISP.

As for why adding a router makes your ports visible when they were previously stealthed, that's a function of the firewall - and your router obviously uses a different firewall than your PC. I'll bet that if you could implement a Shields Up function on your router you'd find that your PC's ports are stealthed - it's the router's ports (not protected by your PC's firewall) that aren't.

I'd talk to D-Link about closing the ports, but I'm not too hopeful about their response. In my experience most vendors claim that having ports closed is good enough. I might disagree, but they're the ones setting the router's capabilities. About all you can do if that happens is get a different router. I do know that it's not necessary to have those ports simply closed for network operation. I have a Belkin N+ router & Shields Up shows me as totally green. Note that I don't recommend the Belkin router in spite of that - I'm experiencing slow performance and suspect it's the router although I haven't yet pinned it down. So I can't recommend what router gives you both good performance & stealthed ports, but I do know that it's possible - just a matter of finding the right router.


----------



## DKTaber (Oct 26, 2001)

calvin-c said:


> I'd talk to D-Link about closing the ports, but I'm not too hopeful about their response. In my experience most vendors claim that having ports closed is good enough. . .


It took a few days, but I e-mailed D-Link tech support. They responded the next day saying that the issue was too complex to do via e-mail and that I needed to CALL tech support, which I did today and got them immediately (no hold time). Of course, the tech support was coming from Hyderabad and I had a little trouble with "Rita's" accent, but she was very knowledgeable.

She had me log onto a site (www.yougetsignal.com) that allows you to test the status of any port. When I entered 0 for the port, it said *there is no such port; ports are numbered between 1 and 65535*. I had wondered about that when Shields Up said my closed ports were "0" and 1, because in my 25+ years of owning a computer, I always thought all ports had a positive number from 1 to (64 x 1024) = 6553*6*. Not sure why there is no port 6553*6*. In any case, I then entered port 1: *Closed*. Port 2: *Closed*. Port 537: *Closed*. In short, this site shows *all* the ports as closed. I don't think the site can differentiate between a closed port and one that's stealthed (i.e., doesn't respond to pings).

Bottom line: I think Shields Up does not always provide an accurate description of the status of ports when routers are involved, and I no longer think having the router makes my computer more vulnerable to hacker attacks than it was absent the router. I will mark this thread as "solved".


----------



## calvin-c (May 17, 2006)

Here's a link about Port 0: http://compnetworking.about.com/od/tcpip/p/port-numbers-0.htm Note that it says


> network programmers can instead specify port 0 as a connection parameter. That triggers the operating system to automatically search for and return the next available port in the dynamic port number range. Unix, Windows and other operating systems vary slightly in their handling of port 0


I think it's more an annoyance than a problem, but what I think you ran into is what I call the "good enough" approach to customer support. In this scenario D-Link decides for you that Closed is 'good enough' and doesn't go the extra step to distinguish between that and Stealth.


----------
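The three results discussed in this thread (open, closed, stealth) correspond to three outcomes of a TCP connection attempt: handshake completed, reset received, or no reply at all. The Python below is an added example, not part of any post; it classifies those outcomes and uses the port 0 bind behaviour quoted above to get a throwaway listener on loopback. The function names `classify_tcp_port` and `loopback_demo` are made up for the example.

```python
import socket

def classify_tcp_port(host, port, timeout=1.0):
    """Classify one TCP connect attempt as 'open', 'closed' or 'stealth'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"        # handshake completed: something is listening
    except ConnectionRefusedError:
        return "closed"      # a reset came back: nothing listens, but the host replied
    except socket.timeout:
        return "stealth"     # no reply within the timeout: the packet was dropped
    except OSError:
        return "error"       # e.g. no route to host; not one of the three states
    finally:
        s.close()

def loopback_demo():
    """Bind to port 0 so the OS assigns a free port, then probe it twice."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0 = "pick a free port for me"
    listener.listen(1)
    assigned = listener.getsockname()[1]     # the port the OS actually chose
    while_listening = classify_tcp_port("127.0.0.1", assigned)
    listener.close()
    after_close = classify_tcp_port("127.0.0.1", assigned)
    return assigned, while_listening, after_close

if __name__ == "__main__":
    port, first, second = loopback_demo()
    print(f"OS assigned port {port}: {first} while listening, {second} after close")
```

A "stealth" result always costs the full timeout, because the only evidence for it is the absence of any reply.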



## DKTaber (Oct 26, 2001)

You're probably right, Calvin. I have the feeling that the issue is beyond the reach of normal D-Link support techs in Hyderabad, and not important enough to get a real pro on the phone.


----------

