Velocity Reviews - Computer Hardware Reviews

Re: How did they get past my NAT?

 
 
Leythos
10-12-2007
In article <470e9db8$0$22311$(E-Mail Removed)>, goarilla <"kevin
DOT paulus AT skynet DOT be"> says...
> do you consider netfilter to be a firewall (well, in essence it's a
> stateful packet filter)? because iirc there is no smtp or http netfilter
> module and it does its filtering mostly on the data link and transport
> protocols' headers, like most firewalls do. it would be very costly
> performance wise to implement application protocol filters into
> firewalls and i've yet to see one that does, also implementing complex
> heuristics because let's face it the higher you go up in the tcp/ip
> stack the more complex the headers and payload become, the more bugs
> you'll get in the code that does the heuristics --> the more flaws
> there are to be exploited!


Sorry, but I don't consider NAT Routers to be firewalls, they are
routers with some fancy features, not firewalls.

Many "Firewalls" do know the difference between SMTP and traffic over
TCP 25 - so, while you've yet to see one, you just are not working with
the better hardware out there.

As for bugs, yes, but I only purchase certified appliances, ones from
vendors that have a proven record of staying secure and clean, so I
trust that a LOT more than what most people use in their homes.

--
Leythos - (E-Mail Removed) (remove 999 to email me)

Fight exposing kids to porn, complain about sites like PCBUTTS1.COM that
create filth and put it on the web for any kid to see: Just take a look
at some of the FILTH he's created and put on his website:
http://forums.speedguide.net/archive.../t-223485.html all exposed
to children (the link I've included does not directly display his filth).
You can find the same information by googling for 'PCBUTTS1' and
'exposed to kids'.
 
Todd H.
10-12-2007
Leythos <(E-Mail Removed)> writes:

> In article <470e921a$0$29265$(E-Mail Removed)>, goarilla <"kevin
> DOT paulus AT skynet DOT be"> says...
> > Leythos wrote:
> > > In article <(E-Mail Removed). com>,
> > > (E-Mail Removed) says...
> > >> not true. the WRT54G can block outgoing connections based on any
> > >> number of specified parameters, and then it has all those extra fancy
> > >> features that I don't understand
> > >
> > > it's a NAT device that can block outbound ports - it has no clue what
> > > those ports are and doesn't know the difference between HTTP and SMTP
> > > except that they use different ports.
> > >

> >
> > just some questions with as goal to learn more
> >
> > so you call a firewall something with complex heuristics ?
> > really does iptables provide more than filtering between protocol, port
> > and state information, and do people actually use it. Because in essence
> > iirc
> > a nat router does the same it opens up a connection if somebody on the
> > inside requests it
> > and after that allows the connection until it's broken down (FIN or RST)
> > do i have a point here or not ?

>
> Does the device, in the standard/default mode, block traffic in both
> directions?


A cat5 cable cut in half does. Is it a firewall?

> Does the device know the difference between HTTP and SMTP or only
> TCP 80 and TCP 25?


Firewalls in the traditional definition never did, were they not
firewalls? Application-level protocol recognition is only recently on
the scene, yet we've had things people called "firewalls" existing for
quite a while before that. I'd hate to think I didn't get the memo
about someone changing the definition of "firewall" with the
International Standards Organization.

> Does the device understand being attacked and auto-block sources of
> attacks or unauthorized traffic?


So when did the definition of "firewall" start requiring it to also
fit the definition of "network intrusion prevention device" or
"network intrusion detection device?"

Just curious.

> Does the device use NAT or can it be setup with rules without using NAT?
> If it forces NAT then I don't consider it a firewall unless it can do
> all the others - since MOST of the devices that force NAT are
> residential device (yea, not all inclusive, but you should get the idea
> without us going off the deep end).


Ah, okay here's where we come down to brass tacks--with the use of the
word "I."

Some folks seem to have their own definition of a firewall that
doesn't match the one accepted over the course of a lot of networking
history, including the present. This view categorically rejects those
devices which don't fit a personally crafted unique definition of
"firewalls."

Unfortunately, it's pedantic and pointless. But then again, so is
much of the banter by the more abusive posters here. To protect their
identity, we won't mention Leythos and Sebastian by name.

Now, that's not to say there isn't something to learn about the range
of functionality one might want to consider in their border protection
in the narrow definition such folks try to paint, but being so prickly
about what to call a "firewall" and what to call a "NAT router" is
just a freakin waste of time. Better to say "corporate grade border
security appliance" which has built into the obvious fact that
functionality and features of corporate grade hardware exceed that of
$70 Linksys gear popular among home and small office users.

And let's not forget that there was a time not very long ago where the
functionality packed into your garden variety wrt54g (particularly one
packing the functionality of third party firmware) took a HELL of a lot
of much more expensive hardware and was certainly considered a
"firewall." And still is for that matter.

Those with what I'll call this "modern purist" view may be shocked to
see the breadth of definitions for our friend the firewall that are in
existence that cast a much bigger net than his own:
http://www.google.com/search?q=define%3Afirewall

We now return you to your regularly scheduled semantic argument.

Best Regards,
--
Todd H.
http://www.toddh.net/
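The question raised above (does the device know HTTP from SMTP, or only TCP 80 from TCP 25) can be made concrete. The following is an added example, not code from any poster in this thread: a toy classifier that names a flow's protocol first by its destination port and then by its first payload bytes, plus a policy that allows the flow only when the two views agree. The `Flow` class, the `PORT_PROTOCOL` table and the sample flows are constructed for the illustration; the HTTP, SMTP and TLS signatures are deliberately simplified, and TLS-wrapped traffic is recognised only as TLS, not by what it carries.

```python
"""Port-only vs. content-aware classification of TCP flows (constructed example).

A port-based filter assumes that whatever is on TCP 25 is SMTP; an
application-aware filter checks the first bytes of the stream instead.
"""
import re
from dataclasses import dataclass

# Constructed table: what a port-only filter assumes runs on each port.
PORT_PROTOCOL = {25: "smtp", 80: "http", 443: "tls"}

# Simplified first-bytes signatures of the protocols this toy classifier knows.
_HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
_SMTP_BANNER = re.compile(rb"^220[ -]\S")                        # server speaks first in SMTP
_SMTP_GREETING = re.compile(rb"^(EHLO|HELO) \S+\r\n", re.IGNORECASE)
_TLS_CLIENT_HELLO = b"\x16\x03"                                  # TLS record type 22, version 3.x


@dataclass
class Flow:
    dst_port: int
    first_bytes: bytes      # first payload bytes seen on the flow, either direction


def classify_by_port(flow: Flow) -> str:
    """What a port-based filter believes the protocol is."""
    return PORT_PROTOCOL.get(flow.dst_port, "unknown")


def classify_by_content(flow: Flow) -> str:
    """What the payload actually looks like, ignoring the port entirely."""
    data = flow.first_bytes
    if _HTTP_REQUEST.match(data):
        return "http"
    if _SMTP_BANNER.match(data) or _SMTP_GREETING.match(data):
        return "smtp"
    if data.startswith(_TLS_CLIENT_HELLO):
        return "tls"
    return "unknown"


def policy_verdict(flow: Flow) -> str:
    """Allow only when the payload matches what the port is supposed to carry."""
    expected = classify_by_port(flow)
    observed = classify_by_content(flow)
    if expected == "unknown":
        return "drop: port not in policy"
    if observed == "unknown":
        return f"drop: unrecognised payload on port {flow.dst_port}"
    if observed != expected:
        return f"drop: {observed} on port {flow.dst_port} (expected {expected})"
    return f"allow: {observed}"


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow(80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Flow(25, b"220 mail.example.test ESMTP ready\r\n"),
    Flow(25, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),   # HTTP carried over TCP 25
    Flow(443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    Flow(80, b"\x00\x01\x02\x03 not any protocol we know"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"port {f.dst_port:>3}: port-view={classify_by_port(f):<7} "
              f"content-view={classify_by_content(f):<7} -> {policy_verdict(f)}")
```

The third sample is the case a port-only filter cannot see: both views say "fine" for a port-based rule that permits TCP 25, while the content view reports HTTP on the mail port and the policy drops it. The classifier inspects only the first bytes, so it adds little per-packet cost; the cost the thread worries about comes from parsing the whole stream, which this example does not attempt.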
 
Leythos
10-12-2007
In article <(E-Mail Removed)>, (E-Mail Removed) says...
> Unfortunately, it's pedantic and pointless. But then again, so it
> much of the banter by the more abusive posters here. To protect their
> identity, we won't mention Leythos and Sebastian by name.


I've not been abusive to any person here. While I certainly know that
NAT appliances are not firewalls (but firewalls can do NAT), there is a
misconception as to what the public is being told a firewall is.

Yea, you don't like it, you must be one that purchased one of those
BEFSR41 units and fell for the "it's a firewall" crap - did you know
that when the BEFSR41 was introduced it was called a ROUTER with no
mention of firewall - a year later, with no changes, it was being
marketed as a "Firewall" - same box, same firmware.....

So, like it or not Todd H, most residential users are not using
firewalls, they are using ROUTERS.

--
Leythos - (E-Mail Removed) (remove 999 to email me)

Rick Merrill
10-12-2007
Leythos wrote:
> Sorry, but I don't consider NAT Routers to be firewalls, they are
> routers with some fancy features, not firewalls.


If the router closes all ports and conceals LAN IP addresses
then it's just as good, and in one respect better than, any
software firewall.

 
Todd H.
10-12-2007
Rick Merrill <(E-Mail Removed)> writes:

> Leythos wrote:
> > Sorry, but I don't consider NAT Routers to be firewalls, they are
> > routers with some fancy features, not firewalls.

>
> If the router closes all ports and conceals LAN IP addresses
> then it's just as good, and in one respect better than, any
> software firewall.


Uh oh. Someone said "software firewall."

Brace for the impending ranting about how they aren't firewalls
either.

--
Todd H.
http://www.toddh.net/
 
Rick Merrill
10-13-2007
Todd H. wrote:
> Rick Merrill <(E-Mail Removed)> writes:
>
>> Leythos wrote:
>>> Sorry, but I don't consider NAT Routers to be firewalls, they are
>>> routers with some fancy features, not firewalls.

>> If the router closes all ports and conceals LAN IP addresses
>> then it's just as good, and in one respect better than, any
>> software firewall.

>
> Uh oh. Someone said "software firewall."
>
> Brace for the impending ranting about how they aren't firewalls
> either.
>


Oops, I didn't expect to get off scot-free.

 
Unruh
10-13-2007
Rick Merrill <(E-Mail Removed)> writes:

>Leythos wrote:
>> Sorry, but I don't consider NAT Routers to be firewalls, they are
>> routers with some fancy features, not firewalls.


>If the router closes all ports and conceals LAN IP addresses
>then it's just as good, and in one respect better than, any
>software firewall.



IF it closes all ports (nat is irrelevant). But the hypothesis of the
thread was that ports were being punched through the router. Note that a
router which refuses to pass on ports IS a firewall. And since it operates
on software loaded on the router, it is a software firewall.
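The behaviour described in this thread (an outbound connection from the inside creates a state entry, replies are admitted only while that entry exists, FIN or RST tears it down, and a forwarded port is how traffic gets "punched through") as an added example that is not from any poster here. The `StatefulFilter` and `Packet` classes, the port-forward rule and all addresses are constructed; address translation itself is left out because it does not change the filtering decision, and FIN handling is simplified to dropping the state on the first FIN seen (real connection trackers wait for both sides and age entries out).

```python
"""Stateful packet filtering as a NAT router does it (constructed example).

Models the decision logic only: which packets get through, and why.
Address rewriting is omitted because it does not affect the verdicts.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset = frozenset()      # subset of {"SYN", "ACK", "FIN", "RST"}


class StatefulFilter:
    def __init__(self, port_forwards=None):
        # Hypothetical state table keyed by (proto, lan_ip, lan_port, remote_ip, remote_port).
        self.states: set[tuple] = set()
        # Port forwards: inbound dst_port -> (lan_ip, lan_port). Empty means "all ports closed".
        self.port_forwards: dict[int, tuple[str, int]] = dict(port_forwards or {})

    def outbound(self, p: Packet) -> str:
        """Packet from the LAN towards the outside."""
        key = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if key in self.states:
            if p.flags & {"FIN", "RST"}:
                self.states.discard(key)     # simplified: first FIN/RST ends the entry
                return "allow: closing"
            return "allow: established"
        if p.proto == "tcp" and p.flags != frozenset({"SYN"}):
            return "drop: not a connection start"   # stray mid-stream packet, no state
        self.states.add(key)                  # UDP: first datagram creates state
        return "allow: new state"

    def inbound(self, p: Packet) -> str:
        """Packet from the outside towards the LAN."""
        forward = self.port_forwards.get(p.dst_port)
        if forward:
            lan_ip, lan_port = forward        # forwarded port maps to a fixed LAN host
            key = (p.proto, lan_ip, lan_port, p.src_ip, p.src_port)
        else:
            # A reply swaps source and destination relative to the stored entry.
            key = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if key in self.states:
            if p.flags & {"FIN", "RST"}:
                self.states.discard(key)
                return "allow: closing"
            return "allow: established"
        if forward:
            self.states.add(key)              # the one way unsolicited traffic gets in
            return f"allow: port forward {p.dst_port} -> {lan_ip}:{lan_port}"
        return "drop: no matching state"


def run_scenario() -> list:
    """Constructed sequence of packets; returns the filter's verdict for each."""
    fw = StatefulFilter(port_forwards={2222: ("192.168.1.20", 22)})
    lan, web, outside = "192.168.1.10", "203.0.113.5", "198.51.100.9"
    return [
        # 1. LAN host opens a connection to a web server: state is created.
        fw.outbound(Packet("tcp", lan, 50000, web, 80, frozenset({"SYN"}))),
        # 2. The SYN-ACK reply matches that state and is let back in.
        fw.inbound(Packet("tcp", web, 80, lan, 50000, frozenset({"SYN", "ACK"}))),
        # 3. Unsolicited inbound SYN to the LAN host: no state, no forward, dropped.
        fw.inbound(Packet("tcp", outside, 4444, lan, 445, frozenset({"SYN"}))),
        # 4. Inbound to a forwarded port reaches the LAN: the "punched through" case.
        fw.inbound(Packet("tcp", outside, 4445, "router-wan", 2222, frozenset({"SYN"}))),
        # 5. The web server closes connection 1 with FIN; the entry is torn down ...
        fw.inbound(Packet("tcp", web, 80, lan, 50000, frozenset({"FIN", "ACK"}))),
        # 6. ... so a later packet claiming to belong to it is dropped.
        fw.inbound(Packet("tcp", web, 80, lan, 50000, frozenset({"ACK"}))),
    ]


if __name__ == "__main__":
    for step, verdict in enumerate(run_scenario(), 1):
        print(f"{step}. {verdict}")
```

Steps 3 and 4 are the contrast the thread turns on: with no state and no forward rule the router refuses the packet, which is the "all ports closed" case; a port forward is a deliberate hole in that policy, so the question of how something got past the NAT starts with the forward table (and with anything, such as UPnP, that can add entries to it).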

 
Leythos
10-13-2007
In article <(E-Mail Removed)>,
(E-Mail Removed) says...
> Leythos wrote:
> > Sorry, but I don't consider NAT Routers to be firewalls, they are
> > routers with some fancy features, not firewalls.

>
> If the router closes all ports and conceals LAN IP addresses
> then it's just as good, and in one respect better than, any
> software firewall.


Actually, a NAT Router is better than any PERSONAL firewall solution
installed on a non-dedicated computer.

--
Leythos - (E-Mail Removed) (remove 999 to email me)

goarilla
10-13-2007
Leythos wrote:
> In article <(E-Mail Removed)>,
> (E-Mail Removed) says...
>> Leythos wrote:
>>> Sorry, but I don't consider NAT Routers to be firewalls, they are
>>> routers with some fancy features, not firewalls.

>> If the router closes all ports and conceals LAN IP addresses
>> then it's just as good, and in one respect better than, any
>> software firewall.

>
> Actually, a NAT Router is better than any PERSONAL firewall solution
> installed on a non-dedicated computer.
>

what if your Personal Computer runs a BSD (ipfw, pf) or GNU/Linux
distribution (iptables)? and is there such a big difference between a
firewall that has its code burned in flash (firmware) and a firewall
that hooks into the tcp/ip stack of a general purpose OS?
 
Leythos
10-13-2007
In article <4710aff1$0$22302$(E-Mail Removed)>, goarilla <"kevin
DOT paulus AT skynet DOT be"> says...
> Leythos wrote:
> >> Leythos wrote:
> >>> Sorry, but I don't consider NAT Routers to be firewalls, they are
> >>> routers with some fancy features, not firewalls.
> >> If the router closes all ports and conceals LAN IP addresses
> >> then it's just as good, and in one respect better than, any
> >> software firewall.

> >
> > Actually, a NAT Router is better than any PERSONAL firewall solution
> > installed on a non-dedicated computer.
> >

> what if your Personal Computer runs a BSD (ipfw, pf) or GNU/Linux
> distribution (iptables)? and is there such a big difference between
> a firewall that has its code burned in flash (firmware)
> and a firewall that hooks into the tcp/ip stack of a general purpose OS?


As long as it is a dedicated computer and not one that users are
playing/working on, then it can easily be a firewall. Checkpoint running
on a Nix OS is a great example of a dedicated server class firewall -
notice the dedicated.

With all that is available at a reasonable cost today, a firewall that
is just a router is not really a firewall. The appliances I install can
tell the difference between SMTP and HTTP or FTP and do a lot more,
that's the least I would install.

This still goes back to these cheap residential units called firewalls
by the marketing department - if you look up NAT, it's routing, simple
and plain, not Firewalling.

--
Leythos - (E-Mail Removed) (remove 999 to email me)
