rvs4000 open 443 HTTPS port!!!

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by weaver, Oct 18, 2006.

  1. weaver

    weaver LI Guru Member

    RVS4000 fw1.0.15

    Why is the HTTPS port open!!!! (443 HTTPS)

    I would like some help in closing this port. Or some advice as to why it is OK to have this port open, but take so much care in stealthing others?

    If you are going to tell me that it is because the router handles VPN, fine. Then how do I turn off that feature and close this port. Just the fact that the box processes unsolicited packets makes it a target.

    If I need VPN, I will turn it on. If I was using VPN I would know how to set it up, and that I would need to open this port. But, to have it open by default! What happens if I were to turn off the Firewall, wouldn't the packets then just blow right through to my local machine?

    It seems a failing if there is no way to toggle this behaviour off. And especially that it is not off naturally when there are no VPN accounts set up for the router to connect with anyways. Wouldn't it be better if the VPN system used the user account settings to determine which ip addresses and such it should respond to as being open?? I mean, the machine knows where packets are coming from, why can't it respond intelligently to the incoming traffic instead of broadcasting itself to the world.

    Just having this port open makes me a target. I can't 'disable' the HTTPS service under the Firewall tab, then I can't visit ANY https:// addresses. This means not being able to access things as simple as my hotmail account.

    When can we expect a fix for this?? I am sorry for the tone, but I hook up the new piece of hardware and instantly have a liability to worry about. I buy a Firewall with a gaping hole in it. I am a bit frustrated at the moment.
  2. Webmeisterus

    Webmeisterus Network Guru Member

    I do not own an RVS4000, but I do own an RV082. Unless the implementation is different in the RVS4000, disabling HTTPS on the Firewall page will 'stealth' port 443 without preventing your access to SSL web sites (https://).

    Are you saying you've actually disabled the HTTPS feature on the Firewall tab and then discovered that you can't access https:// pages? If not and you're merely assuming that you would lose access to https:// pages, then you need to disable the HTTPS feature on the Firewall tab and see what happens.

    I bet you'll find that disabling HTTPS gives you precisely the result for which you're looking. I know that it does on the RV082.

    Hope it helps!
  3. weaver

    weaver LI Guru Member

    If I add an Internet Access Policy through the Firewall section that:

    a) is enabled for all LAN ip addresses
    b) HTTPS is set as a Blocked Service

    I can no longer access SSL addresses. grc.com uses an SSL address to check port results, so I cannot even verify that the port is even closed. But the bigger problem is that secure sites are no longer reachable.

    Unfortunately there is no option for 'Stealth HTTPS Port' or similar anywhere that I have found.

    Maybe there is a way of configuring the VPN section to accomplish this. However my efforts in this regard have failed.
  4. Webmeisterus

    Webmeisterus Network Guru Member

    The RV082 has an option to disable the HTTPS port on the opening page of its Firewall tab (I've attached a screen capture). Evidently, the RVS4000 lacks the option, or has it 'hidden' in some obscure corner of the interface. I would have thought that Linksys would have adopted a more synoptic and feature-consistent approach to its newer routers.

    Have you tried to forward port 443 from the WAN to a nonexistent IP Address on your LAN? This is a standard method of 'stealthing' ports that are otherwise visible from the WAN.

    Hope it helps!

  5. weaver

    weaver LI Guru Member

    One would think there would be a direct option for HTTPS since it is so blatantly sitting out there. The one open port in a sea of stealth.

    Setting up a single port forward from port 443 to 443 @ seems to work around the issue. The port scan comes up clean (all stealth) and I seem to be able to navigate to SSL sites alright. Thanks.

    Detail of Single Port Forward:
    HTTPS - 443 - 443 - TCP - - Enabled

    This just doesn't 'feel' right though and should be an issue that is addressed in upcoming firmware releases. The port should have an option, like your model does, to disable what the box is doing behind our backs.

    This reminds me of the whole IDENT port problem from several months back on the BEFSX41's. I am mildly optimistic that this will be added as the mentioned IDENT option was added to recent revisions of that firmware. Instead of the kludge of setting up a manual port redirect. The BEFSX41 didn't get an option for its IDENT port problems until version 1.4xx or 1.5xx. The RVS4000 firmware is still in the 1.0.xx range.

    It looks like from your screenshot that your firmware is around version 1.3.3. There's still hope.
  6. Webmeisterus

    Webmeisterus Network Guru Member

    Glad the port forward did the trick. I agree that having no option within the RVS4000 interface itself to disable the HTTPS 'open' port should be considered a bug.

    On the other hand, I suspect that even though port 443 shows 'open' to a scan from the WAN that it is NOT in fact 'open' in the sense that it allows packets to cross the router and reach the LAN. Rather, I'm almost certain that the 443 traffic is trapped on the router to support the QuickVPN functionality. Thus, although its visibility from the WAN might show a would be attacker that your router is present, the 'open' port does not actually present an open pathway into your LAN.

    In other news, on this exact same RV082 with firmware (the latest/greatest), if I want to 'stealth' port 113 (IDENT), I have to resort to the port forward 'kludge' that you mentioned. Otherwise, it reads as 'closed' on an external port scan. The more things change, the more they stay the same...grin
  7. net_eng

    net_eng Network Guru Member

    If you want to stealth IDENT 113, add an access rule to block incoming tcp port 113 on the WAN. Actually there are other ports that are in the same boat on the RV series. They are blocked but the router sends a destination unreachable back to the originator. That is why they appear as closed and not blocked (depends on the scanner). Nmap finds all of these for me so I add access rules to stealth them.

    TCP 113
    UDP 161
    UDP 32769-33434
    PING(if discard WAN etc is enabled)

    Add access rules to block them and they will be stealthed, you don't need to forward though that works as well.
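The "closed" versus "stealth" distinction net_eng draws above comes down to whether the router answers a probe at all: a TCP RST or an ICMP destination unreachable tells the scanner a host is there, while a dropped packet leaves it with nothing but a timeout. The following script is an added example, not code from this thread or from Linksys, for checking your own router's WAN address from an outside host after adding access rules or the port forward described earlier. The function names, the port list and the `host` value are assumptions made for the example; the list holds only the TCP entries from net_eng's post because the UDP and ICMP ones need a tool like Nmap rather than a plain connect.

```python
import errno
import socket

# TCP ports from the list above that the RV series answers on by default
# (constructed audit list for this example; adjust to taste).
DEFAULT_TCP_PORTS = [113, 443]


def probe_tcp_port(host, port, timeout=3.0):
    """Classify one TCP port the way a WAN-side scanner would report it.

    open    - the handshake completed, something accepted the connection
    closed  - the host answered (TCP RST or ICMP unreachable), so it is visible
    stealth - nothing came back before the timeout (the packet was dropped)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "stealth"
    except ConnectionRefusedError:
        return "closed"  # a TCP RST came back
    except OSError as exc:
        # An ICMP unreachable is surfaced as one of these errnos on most stacks.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH, errno.ECONNRESET):
            return "closed"
        raise
    finally:
        sock.close()


def audit(host, ports=DEFAULT_TCP_PORTS, timeout=3.0):
    """Probe each port and return {port: state} for the given host."""
    return {port: probe_tcp_port(host, port, timeout) for port in ports}


def not_stealthed(results):
    """Ports a scanner would still be able to see (anything not 'stealth')."""
    return sorted(port for port, state in results.items() if state != "stealth")


def self_check():
    """Offline demonstration of the open/closed classification using a
    throwaway listener on loopback; returns the two observed states."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_tcp_port("127.0.0.1", port, timeout=2.0)
    listener.close()
    after_close = probe_tcp_port("127.0.0.1", port, timeout=2.0)
    return while_listening, after_close


if __name__ == "__main__":
    # Replace with your router's WAN address and run from outside your LAN
    # (assumed placeholder; a loopback probe only shows the local machine).
    WAN_HOST = "192.0.2.1"
    results = audit(WAN_HOST)
    for port, state in sorted(results.items()):
        print(f"tcp/{port}: {state}")
    print("still visible:", not_stealthed(results))
```

A port forward of 443 to an unused LAN address, as weaver did, makes the SYN go to a host that never replies, so the probe reports "stealth"; a block rule that makes the router send a destination unreachable instead reports "closed". Run it from a machine outside your own LAN, otherwise the router's LAN-side interface answers and the result says nothing about the WAN.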

  8. Toxic

    Toxic Administrator Staff Member

    I doubt it is a bug it is a feature tbh. it is after all an SSL router. if you block port 443 then SSL connections are wasted and there is no point in owning an SSL router in the first place.

    if you're so worried then just add a firewall rule to block the 443 port on the wan, and you have a fix. the RV and WRV series have far better firewall rules than ordinary soho routers that linksys have set to "stealth everything"
  9. Webmeisterus

    Webmeisterus Network Guru Member

    I disagree. In my opinion, the shipping/default configuration of every firewall should be to drop all unsolicited packets from the WAN -- this is the most secure configuration. The operator should have to then modify this 'drop all' behavior to use other features.

    Just because my RV082 supports an organic PPTP server, for example, I do not expect port 1723 to be open on the WAN. Similarly, just because the RVS4000 supports SSL VPN, I do not expect port 443 to be open. Further, since the RVS4000 does open port 443, it should at least have a means beyond port forwarding or firewall rules to close/stealth it.

    Please also note that the original poster tried blocking port 443 on the firewall only to find he could no longer use SSL-based web sites. Only the port forwarding solution stealthed the port on the WAN without leaving him unable to browse SSL-based web sites.

    It's not a matter of 'worry' on my part, it's a matter of preference.
  10. pablito

    pablito Network Guru Member

    At least on the RV0x this is not true. I have a simple firewall block for port 443 on the WAN port yet I can still SSL to the unit from the LAN and can SSL to any external site. Granted it seems strange that the port is open by default however you can't open the interface from the WAN side unless configured to do so.

    While the default isn't 100% ideal it isn't a huge security issue. I'm happy to add a simple firewall rule.