4 Replies Latest reply: Sep 10, 2013 9:54 AM by Tesserax
theosib Level 1 (10 points)

I have to use my Time Capsule as my internet gateway for NAT and DHCP.  (I used to use the Cable Modem, but Time Warner wants to nickel-and-dime me for basic features like port forwarding.)

Anyhow, I'm noticing something peculiar about the built-in firewall.  Normally, with a firewall disabled, if someone tries to connect to a port with no listener, they'll get connection refused.  If the firewall is enabled, then the device with the firewall simply doesn't even respond, and the connection attempt eventually times out.  The reason for this is that by dropping unauthorized connection attempts silently, it makes it harder to do port scanning.  If you try to connect, and there's no response, you don't know that the device is there; if it refuses the connection, then you can start wardialing to see what ports are open.

I tested this with my Time Capsule.  With forwarding set up, if I make an external connection to a forwarded port, it works correctly.  If I make an external connection to a port not being forwarded, there is an explicit refusal ("No route to host", it says). This makes me really nervous.

Is there a way to set up the TC so that its firewall silently ignores anything unauthorized, like a normal firewall does?

Thanks.
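A small check for the behaviour the post describes, added here as an example and not part of the original post: it classifies a single connection attempt against an address you control as open, refused (TCP RST), unreachable (the ICMP "No route to host" answer the poster saw) or filtered (silent drop), and reports whether the gateway hides its closed ports. It assumes Python 3 and that the host and port list are your own gateway's.

```python
import errno
import socket


def probe_port(host, port, timeout=3.0):
    """Make one TCP connection attempt and classify the remote reaction.

    Returns:
      "open"        handshake completed (a listener or a forwarded port)
      "refused"     TCP RST came back (closed port, nothing hiding it)
      "unreachable" ICMP unreachable came back ("No route to host")
      "filtered"    no answer before the timeout (silent drop)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"
        except OSError as e:
            if e.errno == errno.ECONNREFUSED:
                return "refused"
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "unreachable"
            raise


def hides_closed_ports(results):
    """True only if every non-open port produced no answer at all.

    `results` maps port -> classification as returned by probe_port().
    A "refused" or "unreachable" entry means the gateway actively answers
    on ports it does not forward, which is what the post observed.
    """
    return all(r in ("open", "filtered") for r in results.values())


def audit_gateway(host, ports, timeout=3.0):
    """Probe each port once and return {port: classification}."""
    return {p: probe_port(host, p, timeout) for p in ports}


if __name__ == "__main__":
    # Placeholder address and ports: replace with your own gateway's.
    report = audit_gateway("192.0.2.1", [22, 80, 443])
    for port, verdict in report.items():
        print(port, verdict)
    print("closed ports hidden:", hides_closed_ports(report))
```

Run it from outside your own network against an address you administer; a "refused" or "unreachable" verdict on an unforwarded port confirms the gateway is answering rather than dropping.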