Every portscan I run from behind my AEBS to hosts on the outside shows ports 21 (ftp), 554 (rtsp) and 7070 (realserver) open on the destination, even when I know these ports are closed. Is the AEBS spoofing the connects? Wireshark shows a normal 3-way handshake which is very troubling.
Curious... I'll have to set that up in my lab to try that. I'm guessing the AEBS is functioning in a proxy mode to make NATing FTP and Real Media easier, and the AEBS just responds before it has even checked with the remote host to see if those protocols are even running.
It could be harmless and something you're only going to see doing port scanning. On the other hand, it might be the toehold for launching some sort of bounce attack. My approach to security is to only do the minimum necessary to achieve functionality, so the AEBS would be violating that precept.
1. Does the AEBS do this for other hosts on the LAN side?
2. Does the AEBS do this when it is in bridge mode?
Sounds like you and I have the same philosophy re: security.
1) The AEBS does this for all hosts on the LAN side. Windows, UNIX, ... doesn't matter. FTP connects always succeed, even when there's no FTP server running on the remote host.
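A way to tell a genuinely listening service from a gateway that merely completes the handshake on the remote host's behalf is to connect and then wait for the application-layer greeting: a real FTP server speaks first ("220 ..."), whereas a connection that an in-path device accepted blindly stays silent or is reset once the device discovers nothing is behind it. The following is an added example for running that check from a LAN host; it is not code from the thread, and the local fake listeners it starts are constructed only so the script can be exercised offline. The connect latency is reported as a second hint: a SYN/ACK answered by the gateway itself typically arrives far faster than one from the real remote host.

```python
import socket
import sys
import threading
import time
from collections import namedtuple

# status is one of 'closed', 'open-banner', 'open-silent'; connect_ms is the
# time the TCP handshake took, useful for comparing against other ports.
ProbeResult = namedtuple("ProbeResult", "status connect_ms")


def probe_tcp(host, port, timeout=3.0):
    """Connect to host:port and classify what happens after the handshake.

    'closed'      - connection refused or no SYN/ACK within the timeout
    'open-banner' - handshake completed and the service sent a greeting first
    'open-silent' - handshake completed but nothing (or a reset) followed,
                    the pattern one would expect from a middlebox that accepts
                    the connection before checking the remote end
    """
    started = time.monotonic()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except (ConnectionRefusedError, socket.timeout, OSError):
        return ProbeResult("closed", None)
    connect_ms = (time.monotonic() - started) * 1000.0
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(256)
        except (socket.timeout, ConnectionResetError):
            return ProbeResult("open-silent", connect_ms)
        if data:
            return ProbeResult("open-banner", connect_ms)
        return ProbeResult("open-silent", connect_ms)


def start_fake_listener(banner):
    """Start a throwaway listener on 127.0.0.1 (constructed for the demo).

    If banner is given it is sent immediately after accept, imitating a real
    FTP daemon; if banner is None the connection is held open without any
    data, imitating a device that accepts first and asks questions later.
    Returns the port number the listener was bound to.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                if banner is not None:
                    conn.sendall(banner)
                else:
                    try:
                        conn.recv(1)  # block until the client gives up
                    except OSError:
                        pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port():
    """Return a local port that nothing is listening on (constructed helper)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Usage: python probe.py <host> [port ...]; defaults to the three ports
    # named in the thread so the results can be compared side by side.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    ports = [int(p) for p in sys.argv[2:]] or [21, 554, 7070]
    for p in ports:
        r = probe_tcp(host, p)
        ms = "-" if r.connect_ms is None else "%.1f ms" % r.connect_ms
        print("%s:%d  %-12s connect=%s" % (host, p, r.status, ms))
```

Run it against one of the hosts that shows 21/554/7070 "open" and against a port you know is really listening; if the three suspect ports come back `open-silent` with connect times that look like LAN latency while the known service returns `open-banner` with WAN latency, the handshakes are being completed by something between you and the remote host rather than by the remote host itself.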