Helping people with computers... one answer at a time.

Firewall tests can be useful to identify any holes in your security. Rather than relying on simple Pass/Fail, though, examine the results carefully.

How important is it to test your firewall with a firewall test? I've read about many firewall tests like Shields Up, and I've thought about using them. I know that firewall tests check for open ports, so how do ports become open and vulnerable in the first place? Is there really any way to avoid that? I do not use my computer for much other than simple surfing and I never download anything. I have my firewall set on learning mode. Would a firewall test be more important for someone who downloads, plays games, etc? I read that many of these tests are easy to fail for reasons most casuals users would not understand. I do not understand very much about firewalls and do not understand some settings enough to change them. I would not want to take a firewall test for it to tell me I've failed, and then spend days trying to figure out why, when in truth my firewall is fine.

I love Steve Gibson, and his firewall testing utility Shields Up, I really do. Unfortunately, Steve's taken a rather extreme position in how he reports your firewall's status - anything less that total invisibility is labeled with a big red "FAILED".

In my opinion that's both impractical, and unnecessarily alarming for the average user.

But the test itself, which I FAILED right here at home, returns some very valuable information nonetheless.

A firewall works by blocking access to what are called "ports" on your incoming network connection. When a computer is configured to accept incoming connections, it "listens" for those connections on those ports. For example, a web server must, by definition, listen for incoming requests for http connections, which happen on port 80. Your computer at home has no need to respond to http connections, and thus doesn't need to accept incoming connections on port 80.

To "turn off" a port without a firewall requires turning off all software on your machine that might be listening on that port. The fact that you don't run a web server on your desktop means that your computer is already not listening on port 80, because there's no software to do so. Unfortunately, for many other ports, this solution isn't always practical.

Enter the firewall. It sits between your computer and the internet, and controls all incoming requests. When a firewall sees an incoming request, it can take any of several different actions:

  • If it's a router, it could be configured to pass the requests arriving on a specific port to a specific computer on your network. This is called port forwarding. The externally visible behavior of that port, then, is controlled by however that forwarded-to computer us configured.

  • It could respond by saying "closed, nothing to connect to here".

  • It could simply not respond at all.

That last one is the most secure, because not responding is exactly the same as if there were no computer here at all. The remote computer doesn't get any confirmation that your computer even exists.

ShieldsUp refers to this as "Stealth".

Unfortunately, ShieldsUp also considers anything less than stealth on any port as a failure.

Here's my ShieldsUp report:

Shields Up showing a common failure

As you can see I "Fail" the Shields Up test. If you were to look no further, you'd probably panic and not know what to do.

In my case, I do nothing. I'm totally safe. The "failure" is that my router responds to a ping request by saying "this port is closed". You actually can't ping my IP address, but you can determine that my IP address exists.

From a very practical standpoint, my reaction is: so what?

I don't consider this a practical failure, and it's certainly not a hole in my firewall or any kind of serious security flaw. In fact it's exceptionally common, as there have been problems reported with some systems that successfully stealth this port - so they may want it to be discoverable.

And yet, as a result, my test "Failed".

My advice is:

  • Above All: Use A Firewall - I recommend using a NAT router, even if you only have one machine. Regardless of the results from testing services like ShieldsUp, this single device will, be default, protect you from the majority of the threats that they're looking for. In all honesty, if you have a NAT router I don't think you even need to run the tests.

  • Ignore the word FAILED - If you do visit GRC and run Shields Up, ignore the "FAILED" that you're likely get. It may, or may not, indicate that you have an actual security issue. Instead...

  • Look at the Results - After you run ShieldsUp, look at the specific ports that failed, and why. Click through on the details to understand what each failure may, or may not mean. Port 113 being "closed" instead of stealth is no big deal. Port 139 being wide open could easily be an issue, since that's the Windows file-sharing port.

Port/firewall testers are incredibly valuable, but depending on how they display their results they can also be somewhat misleading. Take the time to understand the result you get before you panic.

And yes, use a firewall of some sort.


Article C3681 - March 21, 2009 « »

Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

March 21, 2009 5:51 PM

My shields up test reported failed with all ports showing stealth because they responded to ping.

March 24, 2009 9:12 AM

"My shields up test reported failed with all ports showing stealth because they responded to ping."

Mine did the same thing. I am also having trouble at times connecting to web sites. It will take for ever to load then say that they cant connect to the web site, that darn white page. Then I will click diagnosis error and it says its fine. HELP!

March 24, 2009 9:12 AM

Steve , if they responded to the ping they cannot be stealth, they are just closed. It's a good enough result, nothing to worry.

John Williams
March 24, 2009 11:00 AM

lEO you wrote "The "failure" is that my router responds to a ping request by saying "this port is closed". You actually can't ping my IP address, but you can determine that my IP address exists"

My router doen not respond and gives a full stealth? How come? And LEO, would you not be safer still if your router did not respond to a ping?

Why does your router do what it does: hard to say. It just does. There's no need for it to operate one way or another, and there's also often a configuration option.

Would I be safer? Technically, yes. But by what I consider to be a tiny, tiny amount. I'm not so horribly unsafe that "failed" is an appropriate reaction.

- Leo
March 24, 2009 6:54 PM

I am sorry but I have to disagree. I had PC Tools Firewall which I ran in the highest setting possible and it failed. Now I have Comodo Firewall. I installed it with the highest settings they offer and it is in stealth mode on it's highest settings and in safest mode it has. It failed as well. For average user trying to find about the things you say is simply not practical. My opinion? Gibson is a idiot and his Shields Up is garbage!!

Beth G.
March 25, 2009 1:34 AM

I use a router and COMODO (not even set at highest) and mine passed.

daniel adams
March 25, 2009 2:28 AM

my test said I have ports 21,22,26,and 80 open how do I close them ,I have kaspersky internet security windows xp sp3

daniel adams
March 25, 2009 2:29 AM

correction port 26 should be 23 typo

March 25, 2009 4:07 AM

Beth G. I have tried every setting I knew. Comodo has setting that will not allow you access to Internet and so no test. Every other setting failed. Could you please tell me the setting you used to pass? Until then I stand by my original comment.

Cynthia Letellier
March 25, 2009 11:07 PM

I have BitDefender Internet Security 2009 and GRC also shows my ports 21, 22, 23 and 80 open. Previously I had AVG and it showed the same thing on GRC. I would really like to know if this is anything I should be concerned about.

March 26, 2009 6:27 AM

I still use Sygate Personal Firewall from 2003 and I got a clean report except for the Ping Reply failure, which is probably my gateway modem router.

March 26, 2009 6:51 AM

I use zone alarm and threatfire, on Windows XP. I passed the test with flying colors, no leaks anywhere on any of the tests. According to the results, my computer does not exist on the internet!

clyde feldman
April 26, 2010 8:53 PM

I continually pass the "Shields are up" test,BUT I continually fail the "Leak Test",(GRC)! I recently changed my anti-virus suite,but it didn't change "Shields are up test". The settings on my Router continue to put all my ports in stealth. Question: what's the problem? Steve Gibson doesn't accept written questions.

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to to ask your question.