
Port Triggering Port 113

Discussion in 'HyperWRT Firmware' started by Corvette, Jan 26, 2005.

  1. Corvette

    Corvette Network Guru Member

    I have a Linksys Wrt54gs with Firmware Version: v3.37.2 - HyperWRT 2.0b4 and when I try to port trigger a port such that it port forwards port 113 it doesn't work properly. I would port trigger a port such that it would port forward port 113 and send information from the triggered port and when I go to www.grc.com it shows port 113 is stealth. When I try to set the port forward port to any other port (after the same port trigger) it'll show the port as closed. I tried this with the "Filter IDENT(Port 113)" both checked and unchecked (under security - firewall) and I would get the same results. For some strange reason, it appears port triggering / forwarding works for all other ports except port 113 (that is, when I try to port forward port 113 after port triggering another port it doesn't work).
     
  2. fixmacs

    fixmacs Network Guru Member

    Ident Port 113

    Okay, you want to enable ident for IRC behind your WRT.

    I've enabled this feature using port forwarding. Be sure to disable any port triggering you have setup for port 113.

    Port triggering will not work with IRC ident because port triggering works from the inside out. Port 113 will be "triggered" to open only when the router gets a request for port 113 from the LAN side. Any request for port 113 from the Internet will be rejected unless it's triggered from your computer first. IRC ident is initiated by the IRC server, not from your IRC application, thus, the IRC server can hammer on the router forever but the port is closed.

    Enable port forwarding. Unfortunately, only one machine behind the router can gain IRC ident.
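    The "inside out" behaviour described in this post can be modelled in a few lines. The following is an added illustration, not code from the thread or from HyperWRT: a toy gateway with trigger rules (an outbound connection to a trigger port arms the forward ports for the host that sent it) and static forwards. Unsolicited inbound packets are forwarded only if a trigger was armed from the LAN or a static forward exists; otherwise they are silently dropped (the "stealth" result a port scan reports). Hosts, ports and rules are constructed values.

```python
from dataclasses import dataclass, field


@dataclass
class TriggerRule:
    """Outbound traffic to a port in trigger_ports arms forward_ports
    towards the LAN host that sent it (hypothetical rule shape)."""
    trigger_ports: range   # e.g. range(6660, 6670) for IRC
    forward_ports: range   # e.g. range(113, 114) for ident


@dataclass
class Gateway:
    triggers: list
    # Static port forwards: inbound dst port -> LAN host (always open)
    static_forwards: dict = field(default_factory=dict)
    # Dynamically armed forwards: inbound dst port -> LAN host
    armed: dict = field(default_factory=dict)

    def outbound(self, src_host, dst_port):
        """A LAN host opens a connection outward. If dst_port matches a
        trigger rule, arm that rule's forward ports for src_host only."""
        for rule in self.triggers:
            if dst_port in rule.trigger_ports:
                for port in rule.forward_ports:
                    self.armed[port] = src_host

    def disarm(self, dst_port):
        """Triggered forwards are temporary; the gateway closes them again
        once the session goes idle (modelled here as an explicit call)."""
        self.armed.pop(dst_port, None)

    def inbound(self, dst_port):
        """An unsolicited packet arrives from the Internet.
        Returns ("forward", host) or ("drop", None)."""
        if dst_port in self.armed:
            return ("forward", self.armed[dst_port])
        if dst_port in self.static_forwards:
            return ("forward", self.static_forwards[dst_port])
        # No matching state: the packet is dropped without a reply,
        # which an external scanner reports as "stealth".
        return ("drop", None)


def ident_reaches_lan(trigger_ports, irc_port=6667, host="10.0.0.5"):
    """Simulate the IRC case: the LAN host connects out to irc_port, then
    the IRC server connects in to port 113. Returns True if the ident
    request is forwarded to the LAN host."""
    gw = Gateway(triggers=[TriggerRule(trigger_ports, range(113, 114))])
    gw.outbound(host, irc_port)
    return gw.inbound(113) == ("forward", host)


if __name__ == "__main__":
    # Triggering on 113 itself never fires: the LAN host never sends to 113.
    print("trigger 113 -> 113:", ident_reaches_lan(range(113, 114)))
    # Triggering on the IRC port range arms 113 before the server calls back.
    print("trigger 6660-6669 -> 113:", ident_reaches_lan(range(6660, 6670)))
```

    The point of the model is the ordering: the trigger has to be armed by LAN traffic before the Internet side connects, which is why a rule keyed on port 113 itself never opens, while a rule keyed on the IRC ports does, and a static forward opens the port permanently (and for one host only).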
     
  3. Corvette

    Corvette Network Guru Member

    Re: Ident Port 113

    The point I'm trying to get across is that, regardless of IRC, port triggering does not work when trying to port forward port 113. I've tested this with other applications. I would set the triggered port to a random port, set the forwarded port to port 113 and trigger the triggered port. When port scanning from www.grc.com it would show that port 113 is stealth. If I change the forward port to another port, it would show the port as closed. The problem isn't with IRC, it's with the firmware.
     
  4. koitsu

    koitsu Network Guru Member

    This thread doesn't make any sense no matter which way I try to look at it.

    Port triggering works as follows (and the only reason I'm describing this is because it seems some people just don't understand how it works):

    An application running on a PC on your LAN sends an outgoing TCP or UDP packet on a specific port (for sake of example, port 12345). The router (gateway) is configured to trigger off of port 12345, and is configured to automatically port forward port 999 to the PC which sent the trigger (via port 12345). Port 999 is then transparently forwarded to the PC which sent the trigger.

    This works great for games which do things like send an initial TCP control request to a server on (for example) port 12345, and the gaming server attempts to connect to the client/player on port 999. However, a LOT of games don't use this methodology, so it's somewhat pointless.

    Now, with that said, let me explain how ident (RFC931/1413) works:

    A client on your LAN makes a connection to a service (could be anything -- IRC, SMTP, FTP, etc.) on a remote server. The server sees the incoming request to the service in question, and is configured to do an ident lookup. The server then attempts to connect to port 113 on the client's end. Once the connection is made, it provides a pair of port numbers (sent in plaintext) describing the connection which was just made to it. The client running the ident service uses these port numbers to look up in its local network allocation table if a connection was made from the local port on the PC to the remote port (service) on the server. If the ports match, the client sends back an ASCII string with a username, as well as an operating system type ("UNIX", "Windows", etc.).

    Why port triggering with ident, in theory, won't work:

    You would have to configure every service (port range) you plan on connecting to which relies on ident to work. For IRC, ports 6660-6669 as trigger ports and ports 113-113 forwarded "should" work, but there's no guarantee: IRC servers do not always use ports 6660-6669. Some will listen on arbitrary port numbers such as 12000, 31337, or any other port number the IRC server administrator chooses. It's up to you to configure your router (gateway) appropriately.

    As I mentioned, many services do ident lookups when a client connects to them. SMTP, FTP, POP3 -- and even HTTP in some cases -- are configured to do this. IRC is the only one which is "incredibly anal" about getting an ident response -- but of course, it's entirely up to the server administrator, as IRC servers _can_ be tuned to not bother with ident lookups.

    If you want a solution that works 24x7x365, simply port forward port 113 to a PC on your LAN which always runs an ident server.

    However, keep something in mind: although this simply forwards the TCP request to a client PC, remember that NAT plays a big role in regards to your LAN topology. Apply this knowledge to what I said about how ident works (re: port combination/pairs). Depending upon the ident server you're using, the port numbers **WILL NOT** match, and the ident server will send back an "ERROR" response -- resulting in the IRC server saying "Could not look up username" or something along those lines.

    The workaround for THIS problem is to use an ident service which is "blind" about its responses (i.e. does not do a port comparison; it blindly spits back a response) -- mIRC's built-in ident does this, and therefore works great with NAT. Proper RFC931/1413 adhering ident servers will NOT work.

    I hope this helps educate everyone a bit. :)
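    To make the port-pair point concrete, here is an added example (not from the thread, and not mIRC's or any real identd's code) that implements the RFC 1413 request and response line format with two responders: a strict one that checks the port pair against the host's own connection table, and a "blind" one that answers with a fixed username regardless. A helper builds the query an IRC server would send, with and without NAT rewriting the source port, so the NO-USER failure behind NAT is visible. The connection table, username and port numbers are constructed; the INVALID-PORT line for unparseable input is a simplification of the RFC.

```python
import re

# Constructed sample of the LAN host's own connection table:
# (local_port, remote_port) -> user who owns that TCP connection.
LOCAL_CONNECTIONS = {
    (51234, 6667): "alice",   # an IRC session this host opened
}

# RFC 1413 query: "<port-on-server> , <port-on-client>" where the
# "server" is the host running identd (our LAN PC) and the "client"
# is the querying machine (e.g. the IRC server).
REQUEST_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


def parse_request(line):
    """Return (local_port, remote_port) or None if the line is malformed
    or either port is outside 1..65535."""
    m = REQUEST_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    local_port, remote_port = int(m.group(1)), int(m.group(2))
    if not (0 < local_port < 65536 and 0 < remote_port < 65536):
        return None
    return local_port, remote_port


def strict_reply(line, table=LOCAL_CONNECTIONS, opsys="UNIX"):
    """RFC-conforming identd: answer USERID only when the port pair is a
    connection this host actually owns; otherwise ERROR : NO-USER."""
    pair = parse_request(line)
    if pair is None:
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    local_port, remote_port = pair
    user = table.get(pair)
    if user is None:
        return f"{local_port} , {remote_port} : ERROR : NO-USER\r\n"
    return f"{local_port} , {remote_port} : USERID : {opsys} : {user}\r\n"


def blind_reply(line, user="alice", opsys="UNIX"):
    """'Blind' identd (the behaviour attributed to mIRC above): echo the
    ports and always report the configured user, with no table lookup."""
    pair = parse_request(line)
    if pair is None:
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    local_port, remote_port = pair
    return f"{local_port} , {remote_port} : USERID : {opsys} : {user}\r\n"


def query_as_seen_by_server(local_port, remote_port, nat_port=None):
    """Build the query the IRC server sends. Without NAT it sees the host's
    real source port; behind NAT it sees the gateway's rewritten port, so
    the pair it asks about does not exist in the host's table."""
    seen = local_port if nat_port is None else nat_port
    return f"{seen} , {remote_port}\r\n"


if __name__ == "__main__":
    direct = query_as_seen_by_server(51234, 6667)
    natted = query_as_seen_by_server(51234, 6667, nat_port=40000)
    print("direct, strict:", strict_reply(direct).strip())
    print("NAT, strict:   ", strict_reply(natted).strip())
    print("NAT, blind:    ", blind_reply(natted).strip())
```

    The strict responder is the secure one in the RFC's sense (it only vouches for connections it can see), which is exactly why it fails when the gateway has rewritten the source port; the blind responder works through NAT because it never checks anything, so its answer carries no more assurance than a username typed into the client.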
     
  5. Corvette

    Corvette Network Guru Member

    "An application running on a PC on your LAN sends an outgoing TCP or UDP packet on a specific port (for sake of example, port 12345). The router (gateway) is configured to trigger off of port 12345, and is configured to automatically port forward port 999 to the PC which sent the trigger (via port 12345). Port 999 is then transparently forwarded to the PC which sent the trigger."

    Ok, this is the problem. Say, "An application running on a PC on" my "LAN sends an outgoing TCP or UDP packet on a specific port (for sake of example, port 12345). The router (gateway) is configured to trigger off of port 12345, and is configured to automatically port forward port 999 to the PC which sent the trigger (via port 12345). Port 999 is then transparently forwarded to the PC which sent the trigger." However, say, "An application running on a PC on" my "LAN sends an outgoing TCP or UDP packet on a specific port (for sake of example, port 12345). The router (gateway) is configured to trigger off of port 12345, and is configured to automatically port forward port" 113 "to the PC which sent the trigger (via port 12345). Port 113 is" NOT "transparently forwarded to the PC which sent the trigger." It works fine when trying to port forward any other port (when triggering port 12345), just not port 113. The problem is with the firmware.

    "Now, with that said, let me explain how ident (RFC931/1413) works:

    A client on your LAN makes a connection to a service (could be anything -- IRC, SMTP, FTP, etc.) on a remote server."

    This has nothing to do with ident or IRC. The problem is the firmware itself. Port triggering works fine when port forwarding any other port other than port 113. I’ve tested this with other applications other than IRC and different applications yield the same results. I am simply reporting a bug. I would even port forward ports 112 – 114 and port trigger any random port (say 12345). When port scanning (after triggering the random port), ports 112 and 114 would show as closed (meaning the proper port was triggered) but port 113 would show as stealth. However, if I port forward port 113 (on the port forward section, not the port trigger section) port 113 would show closed when scanning. The problem is with the firmware.
     
  6. fixmacs

    fixmacs Network Guru Member

    Firewall

    The Security tab indicates a checkbox for Filter IDENT (Port 113). The default condition is checked. You might try unchecking it.

    I appreciate koitsu's contribution.
     
  7. Corvette

    Corvette Network Guru Member

    Re: Firewall

    As stated in my first post,

    "I tried this with the "Filter IDENT(Port 113)" both checked and unchecked (under security - firewall) and I would get the same results."

    BTW, thanks everyone for trying to help me solve the problem, but as I said before, the problem is with the firmware. I'm simply reporting a bug in the firmware in hopes that someone would fix it.
     
  8. Corvette

    Corvette Network Guru Member

    Uhm.... The problem still appears to exist with "Firmware Version: v3.37.2 - HyperWRT 2.0". If I port trigger ports 1 - 65000 and set it to port forward ports 112 - 114 it will show that ports 112 and 114 are closed and port 113 is stealth. If I uncheck the port trigger box and re-scan the same ports, it shows that ports 112 - 114 are stealth. If I port forward port 113 (in the port forward section) and then scan ports 112 - 114 it shows ports 112 and 114 as stealth and port 113 as closed (when not port triggering any ports). I tried this with the "Filter IDENT(Port 113)" (in security -> firewall) both checked and unchecked and I get similar results (the only difference is when the "Filter IDENT(Port 113)" is unchecked, it'll show it as closed whether or not you port trigger or port forward anything, but I think it won't let any packets past the router via port 113 unless you port forward it). Apparently port triggering doesn't work when trying to port forward port 113 (port triggering has no effect on port 113 when port forwarding port 113) and I believe (without looking at the source code) the "Filter IDENT(Port 113)" option might have something to do with it.
     
  9. Corvette

    Corvette Network Guru Member

    "What is an example of Port Triggering use?
    Connecting to an IRC server that needs an IDENT reply from you.

    When you connect to an IRC server you use a port in the range 6660-6670. This connection is an ideal trigger because shortly after connecting the server will try and connect to your IDENT server to get a reply. Your end has to become an IDENT server and popular IRC client programs like mIRC have this server built in. But to make that PC an IDENT server it needs IDENT (port 113) forwarded to it."

    http://www.dslreports.com/forum/remark,1020195;root=equip,16;mode=flat

    Unfortunately, Hyperwrt (don't know if the Linksys standard firmware has this bug) has a "feature" under security -> firewall called "Filter IDENT(Port 113)". When unchecked, this feature has the router automatically reply that the port is closed without letting the packet pass through the router. Well, for some reason, this won't let me ident. When I try to ident (with this box unchecked), even though the port replies that it's closed, Efnet still doesn't say I'm idented (I think my IRC client actually opens the port for a split second when identing, not sure. The reason is because sometimes, after logging onto IRC, I find that port randomly open by my IRC client for no reason. After investigating the issue I believe it's a bug in my IRC client where the port doesn't always close after identing when it should). The only practical way (other than DMZ, writing IPtables, or other unpractical methods) that I can get ident to work is by port forwarding port 113. This kinda cancels out the whole idea behind the "Filter IDENT(Port 113)" checkbox (since, whether or not it's checked, some IRC servers won't ident you) and since this "feature" seems to cause a bug causing port triggering not to port forward port 113 when triggering any other port, it actually makes things more insecure (since now I must port forward port 113 instead of port triggering the appropriate port(s) and then have it automatically port forward port 113 for a short period of time). Does anyone know where I can report this bug to the authors of Hyperwrt (I looked on their site and can't find an e-mail address)? Thanks a lot, help would be appreciated.
     
  10. Corvette

    Corvette Network Guru Member

    Thanks for fixing the port triggering problem in "Firmware Version: v3.37.6 - HyperWRT 2.1b1". It doesn't work exactly like I wanted it to. Seems like (at least with port 113, I haven't tested it on any other ports) now when you set it to port trigger a port, when the port is triggered and a packet comes to the forwarded port, the router automatically replies that the port is closed (without letting the packet through to the computer). I viewed it with Ethereal and that seems to be what's happening. So I still must ident with port forward (since that's the only way I can get the packets to pass through the router. Seems like it was purposely designed to work like this for security reasons). Thanks for fixing it anyway.
     
