
I can't pass a firewall test, what should I do?

How important is it to test your firewall with a firewall test? I’ve
read about many firewall tests like Shields Up, and I’ve thought about
using them. I know that firewall tests check for open ports, so how do
ports become open and vulnerable in the first place? Is there really
any way to avoid that? I do not use my computer for much other than
simple surfing and I never download anything. I have my firewall set on
learning mode. Would a firewall test be more important for someone who
downloads, plays games, etc? I read that many of these tests are easy
to fail for reasons most casual users would not understand. I do not
understand very much about firewalls and do not understand some
settings enough to change them. I would not want to take a firewall
test for it to tell me I’ve failed, and then spend days trying to
figure out why, when in truth my firewall is fine.

I love Steve Gibson, and his firewall testing utility Shields Up, I
really do. Unfortunately, Steve’s taken a rather extreme position in how
he reports your firewall’s status – anything less than total
invisibility is labeled with a big red “FAILED”.

In my opinion that’s both impractical, and unnecessarily alarming
for the average user.

But the test itself, which I FAILED right here at home, returns some
very valuable information nonetheless.


A firewall works by blocking access to what are called “ports” on your incoming network connection. When a computer is configured to accept incoming connections, it “listens” for those connections on those ports. For example, a web server must, by definition, listen for incoming requests for http connections, which happen on port 80. Your computer at home has no need to respond to http connections, and thus doesn’t need to accept incoming connections on port 80.

To “turn off” a port without a firewall requires turning off all software on your machine that might be listening on that port. The fact that you don’t run a web server on your desktop means that your computer is already not listening on port 80, because there’s no software to do so. Unfortunately, for many other ports, this solution isn’t always practical.

Enter the firewall. It sits between your computer and the internet, and controls all incoming requests. When a firewall sees an incoming request, it can take any of several different actions:

  • If it’s a router, it could be configured to pass the requests arriving on a specific port to a specific computer on your network. This is called port forwarding. The externally visible behavior of that port, then, is controlled by however that forwarded-to computer is configured.

  • It could respond by saying “closed, nothing to connect to here”.

  • It could simply not respond at all.

That last one is the most secure, because not responding is exactly the same as if there were no computer here at all. The remote computer doesn’t get any confirmation that your computer even exists.

ShieldsUp refers to this as “Stealth”.

Unfortunately, ShieldsUp also considers anything less than stealth on any port as a failure.

Here’s my ShieldsUp report:

[Image: Shields Up showing a common failure]

As you can see I “Fail” the Shields Up test. If you were to look no further, you’d probably panic and not know what to do.

In my case, I do nothing. I’m totally safe. The “failure” is that my router responds to a ping request by saying “this port is closed”. You actually can’t ping my IP address, but you can determine that my IP address exists.

From a very practical standpoint, my reaction is: so what?

I don’t consider this a practical failure, and it’s certainly not a hole in my firewall or any kind of serious security flaw. In fact it’s exceptionally common, as there have been problems reported with some systems that successfully stealth this port – so they may want it to be discoverable.

And yet, as a result, my test “Failed”.

My advice is:

  • Above All: Use A Firewall – I recommend using a NAT router, even if you only have one machine. Regardless of the results from testing services like ShieldsUp, this single device will, by default, protect you from the majority of the threats that they’re looking for. In all honesty, if you have a NAT router I don’t think you even need to run the tests.

  • Ignore the word FAILED – If you do visit GRC and run Shields Up, ignore the “FAILED” that you’re likely to get. It may, or may not, indicate that you have an actual security issue. Instead…

  • Look at the Results – After you run ShieldsUp, look at the specific ports that failed, and why. Click through on the details to understand what each failure may, or may not mean. Port 113 being “closed” instead of stealth is no big deal. Port 139 being wide open could easily be an issue, since that’s the Windows file-sharing port.
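To make the three firewall responses above (open, “closed”, and stealth) and the “look at the results” advice concrete, here is a small added Python example; it is not Leo’s code or anything from GRC. It probes one port the way a remote tester does, then reads the state the way the advice suggests. Port 445 and the wording of the verdicts are my assumptions; the article itself names only ports 113 and 139.

```python
import socket

# Labels as a remote tester such as ShieldsUp reports them.
OPEN, CLOSED, STEALTH, UNKNOWN = "open", "closed", "stealth", "unknown"

def probe(host, port, timeout=1.0):
    """TCP connect probe of one port, seen from the tester's side:
    accepted (SYN-ACK) -> open, refused (RST) -> closed, no reply -> stealth."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return OPEN
    except ConnectionRefusedError:
        return CLOSED
    except socket.timeout:
        return STEALTH
    except OSError:  # e.g. no route: the probe itself failed, not the target
        return UNKNOWN
    finally:
        s.close()

# 113 and 139 are the ports the article names; 445 (SMB) is my addition as the modern file-sharing port.
SENSITIVE = {139: "Windows file sharing (NetBIOS)", 445: "Windows file sharing (SMB)"}

def assess(port, state):
    """Turn a raw port state into the article's advice instead of a bare FAILED."""
    if state == STEALTH:
        return "ok: no reply, the host looks absent"
    if state == CLOSED:
        return "minor: host replies 'closed', nothing is listening"
    if state == OPEN and port in SENSITIVE:
        return f"issue: {SENSITIVE[port]} reachable from outside"
    if state == OPEN:
        return "check: something listens here; confirm it is intended"
    return "retest: the probe did not complete"

def demo_loopback():
    """Self-check on this machine: a listening port reads open, then closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # kernel picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe("127.0.0.1", port)
    srv.close()
    after_close = probe("127.0.0.1", port)
    return while_listening, after_close

if __name__ == "__main__":
    print(demo_loopback(), assess(113, CLOSED), assess(139, OPEN))
```

Run it against your own machine only; the loopback self-check shows the “open” and “closed” outcomes, and a port your router silently drops would come back as “stealth”.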

Port/firewall testers are incredibly valuable, but depending on how they display their results they can also be somewhat misleading. Take the time to understand the result you get before you panic.

And yes, use a firewall of some sort.



13 comments on “I can't pass a firewall test, what should I do?”

  1. “My shields up test reported failed with all ports showing stealth because they responded to ping.”

    Mine did the same thing. I am also having trouble at times connecting to web sites. It will take forever to load, then say that they can't connect to the web site, that darn white page. Then I will click diagnose error and it says it's fine. HELP!

    Reply
  2. Steve, if they responded to the ping they cannot be stealth, they are just closed. It’s a good enough result, nothing to worry about.

    Reply
  3. Leo, you wrote “The “failure” is that my router responds to a ping request by saying “this port is closed”. You actually can’t ping my IP address, but you can determine that my IP address exists”

    My router does not respond and gives a full stealth? How come? And Leo, would you not be safer still if your router did not respond to a ping?

    Why does your router do what it does: hard to say. It just does. There’s no need for it to operate one way or another, and there’s also often a configuration option.

    Would I be safer? Technically, yes. But by what I consider to be a tiny, tiny amount. I’m not so horribly unsafe that “failed” is an appropriate reaction.

    – Leo
    25-Mar-2009
    Reply
  4. I am sorry but I have to disagree. I had PC Tools Firewall which I ran in the highest setting possible and it failed. Now I have Comodo Firewall. I installed it with the highest settings they offer and it is in stealth mode on its highest settings and in the safest mode it has. It failed as well. For the average user, trying to find out about the things you say is simply not practical. My opinion? Gibson is an idiot and his Shields Up is garbage!!

    Reply
  5. My test said I have ports 21, 22, 26, and 80 open. How do I close them? I have Kaspersky Internet Security 8.0.0.357, Windows XP SP3.

    Reply
  6. Beth G., I have tried every setting I knew. Comodo has a setting that will not allow you access to the Internet and so no test. Every other setting failed. Could you please tell me the setting you used to pass? Until then I stand by my original comment.

    Reply
  7. I have BitDefender Internet Security 2009 and GRC also shows my ports 21, 22, 23 and 80 open. Previously I had AVG and it showed the same thing on GRC. I would really like to know if this is anything I should be concerned about.

    Reply
  8. I still use Sygate Personal Firewall from 2003 and I got a clean report except for the Ping Reply failure, which is probably my gateway modem router.

    Reply
  9. I use zone alarm and threatfire, on Windows XP. I passed the test with flying colors, no leaks anywhere on any of the tests. According to the results, my computer does not exist on the internet!

    Reply
  10. I continually pass the “Shields are up” test, BUT I continually fail the “Leak Test” (GRC)! I recently changed my anti-virus suite, but it didn’t change the “Shields are up” test. The settings on my router continue to put all my ports in stealth. Question: what’s the problem? Steve Gibson doesn’t accept written questions.

    Reply
