Why does the new Dual-Band AirPort Extreme Base Station act as a proxy?
The previous thread
http://discussions.apple.com/thread.jspa?threadID=1531675
has been archived and nothing came of it, but after testing, I'm certain that their findings are true.
The Dual-Band AirPort Extreme Base Station (AEBS) with firmware 7.4.1 acts as a proxy for TCP ports 21, 554, and 7070 when NAT is turned on. This can be verified by using Nmap on any external server known to NOT have the ports open and having Nmap return that the ports are open. You can telnet to these ports to verify that they're "open," even though they are not on the server.
This functionality appears to be undocumented and as far as I can tell, the only way to turn it off is to put the AEBS into bridge mode and having some other device do NAT further upstream.
As a computer professional, this functionality extremely undesirable, particularly since it is not documented and doesn't have an "off switch." I wasted a bunch of time with one of my network engineers because of this, thinking that some network router was spoofing our server. I also wasted a bunch of my time trying to detect whatever "stealthy rootkit" had opened a FTP server and some other botnet related ports on our server, when in reality, it was simply my AEBS tricking me.
Disabling NAT-PMP ("Enable NAT port mapping protocol") does not affect this.
Is it too much to ask to have a checkbox in the "Advanced" section of the AirPort Utility to turn this feature off?
http://discussions.apple.com/thread.jspa?threadID=1531675
has been archived and nothing came of it, but after testing, I'm certain that their findings are true.
The Dual-Band AirPort Extreme Base Station (AEBS) with firmware 7.4.1 acts as a proxy for TCP ports 21, 554, and 7070 when NAT is turned on. This can be verified by using Nmap on any external server known to NOT have the ports open and having Nmap return that the ports are open. You can telnet to these ports to verify that they're "open," even though they are not on the server.
This functionality appears to be undocumented and as far as I can tell, the only way to turn it off is to put the AEBS into bridge mode and having some other device do NAT further upstream.
As a computer professional, this functionality extremely undesirable, particularly since it is not documented and doesn't have an "off switch." I wasted a bunch of time with one of my network engineers because of this, thinking that some network router was spoofing our server. I also wasted a bunch of my time trying to detect whatever "stealthy rootkit" had opened a FTP server and some other botnet related ports on our server, when in reality, it was simply my AEBS tricking me.
Disabling NAT-PMP ("Enable NAT port mapping protocol") does not affect this.
Is it too much to ask to have a checkbox in the "Advanced" section of the AirPort Utility to turn this feature off?
