Linksys Router and BlackICE - Confused!!

Discussion in 'Computer Security' started by Beauford, Sep 24, 2004.

  1. Beauford

    Beauford Guest

    Hi,

    I have a Linksys BEFSR41 router with 6 computers connected to it as
    outlined below.

    Win2000 - Domain Controller and Mail Server - BlackIce installed
    Win2000 - Domain Controller and IIS Web Server - BlackIce Installed
    XP Pro - Workstation
    XP Pro - Workstation
    Linux Slackware - Stand alone - Apache webserver running
    Windows NT 4.0 - Workstation

    I have my Linksys Router set up to forward port 25 traffic to my mail
    server and to forward port 80 web traffic to my Linux box.

    Since I installed the mail server it is being hammered by these Asian
    IP blocks trying to relay through it - so I installed BlackIce to
    block this - and that is working fine.

    Here's the part where I'm confused. On the other Win2k PC BlackICE is
    also picking up traffic to port 25 - and when you look at the logs it
    says the victim IP is that of my mail server.

    I contacted Linksys and they said this is normal. Well, it doesn't seem
    normal to me. If port 25 is not being forwarded to this machine, then
    does it not make sense that this machine should not be seeing any
    traffic to this port?

    This is what I got from Linksys

    "Since the computer is hooked up to the router and the firewall
    detects the traffic, even though the port is not forwarded to that
    computer, since it is an activity on the router, it would still detect
    the traffic for that port but that doesn't mean that it is going
    through it."

    My understanding was that any traffic that is not forwarded to a
    specific machine should be dropped. So BlackICE should never see this
    traffic. Am I missing something here.....

    Thanks
    Beauford, Sep 24, 2004
    #1

  2. Leythos

    Leythos Guest

    In article <>,
    says...
    > Hi,
    >
    > I have a Linksys BEFSR41 router with 6 computers connected to it as
    > outlined below.
    >
    > Win2000 - Domain Controller and Mail Server - BlackIce installed
    > Win2000 - Domain Controller and IIS Web Server - BlackIce Installed
    > XP Pro - Workstation
    > XP Pro - Workstation
    > Linux Slackware - Stand alone - Apache webserver running
    > Windows NT 4.0 - Workstation
    >
    > I have my Linksys Router set up to forward port 25 traffic to my mail
    > server and to forward port 80 web traffic to my Linux box.
    >
    > Since I installed the mail server it is being hammered by these Asian
    > IP blocks trying to relay through it - so I installed BlackIce to
    > block this - and that is working fine.


    Here is the root of your problem: if you want to firewall your
    applications and servers you need to purchase a firewall, not a NAT
    device. In this case, you want to block outsiders based on IP subnets,
    and a real firewall can do this for you. I have 83 Class C subnets
    blocked in my firewall, and several Class A subnets - these are
    permanent blocks. I also have the firewall detect probes on 135 through
    139 and 445 (and 1433/1434) and block those addresses for 20 minutes.

    You do NOT want to rely on something like BI (which was just an IDS when it
    started) to secure your servers; never trust something running on the
    server offering services to protect itself.

    > Here's the part where I'm confused. On the other Win2k PC BlackICE is
    > also picking up traffic to port 25 - and when you look at the logs it
    > says the victim IP is that of my mail server.
    >
    > I contacted Linksys and they said this is normal. Well it doesn't seem
    > normal to me. If port 25 is not being forwarded to this machine then
    > does it not make sense that this machine should not be seeing any
    > traffic to this port.
    >
    > This is what I got from Linksys
    >
    > "Since the computer is hooked up to the router and the firewall
    > detects the traffic, even though the port is not forwarded to that
    > computer, since it is an activity on the router, it would still detect
    > the traffic for that port but that doesn't mean that it is going
    > through it."
    >
    > My understanding was that any traffic that is not forwarded to a
    > specific machine should be dropped. So BlackICE should never see this
    > traffic. Am I missing something here.....


    None of the traffic that is inbound, unless invited or forwarded, makes
    it from the WAN side to the LAN side. If you install Wall Watcher (free)
    you can see when something hits the WAN port and fails to get to the LAN
    side - the local address will show the public IP - indicating that the
    probe didn't make it into your LAN.

    We run hundreds of Linksys units across the country, various levels of
    firmware, and never see the problem you describe.

    You need to check the forwarding rules in the Linksys and see what
    you've configured.

    Your best bet is to purchase a WatchGuard Firebox or a SOHO unit and set
    it up to firewall your devices. A SOHO unit is about $500, a Firebox
    (that can do the things I described above) is a lot more, but it's worth
    it.

    Leythos, Sep 24, 2004
    #2
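    The check Leythos describes (does a WAN-side probe ever show a LAN address as its destination, or only the router's public IP?) can be automated against a router log. The script below is an added example written for this thread; it is not Wall Watcher, not Linksys code, and not anything the posters ran. It assumes a simplified, constructed log format of the form `src:port -> dst:port proto`, that the log records the destination after the router has applied its port-forwarding (NAT) translation, and placeholder addresses (documentation ranges) for the WAN IP, the LAN subnet and the two forwarding rules the original poster mentioned (25 to the mail server, 80 to the Linux box).

```python
import ipaddress
from collections import Counter

# Constructed placeholders (not from the thread): the router's public WAN
# address, the private LAN, and the poster's two port-forwarding rules.
WAN_IP = ipaddress.ip_address("203.0.113.10")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
FORWARDS = {
    25: ipaddress.ip_address("192.168.1.2"),   # mail server
    80: ipaddress.ip_address("192.168.1.5"),   # Slackware/Apache box
}

# Constructed sample log lines in an invented "src:port -> dst:port proto"
# shape. This is NOT the real Wall Watcher or Linksys firmware format.
SAMPLE_LOG = """\
198.51.100.7:4312 -> 203.0.113.10:135 tcp
198.51.100.7:4313 -> 203.0.113.10:445 tcp
198.51.100.9:51000 -> 192.168.1.2:25 tcp
198.51.100.9:51001 -> 192.168.1.2:25 tcp
198.51.100.22:33000 -> 192.168.1.5:80 tcp
198.51.100.40:2000 -> 192.168.1.3:25 tcp
"""


def parse_line(line):
    """Split one constructed log line into addresses, ports and protocol."""
    src, _, rest = line.strip().partition(" -> ")
    dst, proto = rest.rsplit(" ", 1)
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "src_ip": ipaddress.ip_address(src_ip), "src_port": int(src_port),
        "dst_ip": ipaddress.ip_address(dst_ip), "dst_port": int(dst_port),
        "proto": proto,
    }


def classify(entry):
    """Decide whether a WAN-side hit ever entered the LAN.

    A destination equal to the router's public IP means the packet was
    never translated to a LAN host: it stopped at the router. A private
    destination means the router did forward it; if that host is not the
    configured target for the port, the forwarding/DMZ rules need a look.
    """
    dst, port = entry["dst_ip"], entry["dst_port"]
    if dst == WAN_IP:
        return "stopped_at_router"
    if dst in LAN_NET:
        if FORWARDS.get(port) == dst:
            return "forwarded_as_configured"
        return "reached_lan_unexpectedly"
    return "other"


def summarize(log_text):
    """Count each outcome over a whole log; the numbers a defender reviews."""
    entries = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return Counter(classify(e) for e in entries)


def unexpected_entries(log_text):
    """Return the raw lines that reached a LAN host no rule points at."""
    return [l for l in log_text.splitlines()
            if l.strip() and classify(parse_line(l)) == "reached_lan_unexpectedly"]


if __name__ == "__main__":
    for outcome, count in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{outcome:26s} {count}")
    for line in unexpected_entries(SAMPLE_LOG):
        print("check forwarding/DMZ rules for:", line)
```

    On the constructed sample, the two probes to 135 and 445 show the public IP as destination and are counted as stopped at the router, the three hits to the configured mail and web targets are counted as forwarded, and the one port-25 packet delivered to a LAN host other than the mail server is listed for a forwarding-rule review. Note that this only tells you where the router sent a packet; a host sensor on the LAN that sniffs in promiscuous mode can still log packets addressed to a neighbour, so a log entry on that host is not by itself evidence that the router forwarded anything to it.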

  3. Zaphod Beelblebrox

    In article <>,
    says...
    > Hi,
    >
    > I have a Linksys BEFSR41 router with 6 computers connected to it as
    > outlined below.
    >
    > Win2000 - Domain Controller and Mail Server - BlackIce installed
    > Win2000 - Domain Controller and IIS Web Server - BlackIce Installed
    > XP Pro - Workstation
    > XP Pro - Workstation
    > Linux Slackware - Stand alone - Apache webserver running
    > Windows NT 4.0 - Workstation
    >


    Tell us a bit more before we can help you. How did you connect 6
    computers into a 4-port switch?
    Zaphod Beelblebrox, Sep 24, 2004
    #3
  4. David Shaw

    David Shaw Guest

    Zaphod Beelblebrox <> wrote
    > Tell us a bit more before we can help you. How did you connect 6
    > computers into a 4-port switch?


    I'm gonna assume he has a 6 port switch.

    The reason BlackICE is picking stuff up on port 25 is because it's
    acting as a sniffer in promiscuous mode and sniffing the entire
    network, just as, if you were running Ethereal on it, it could pick
    up traffic on other computers. My guess is that your router is working
    just fine, and BlackICE is just trying to all-around protect you.

    Don't worry about it :)


    - ds
    David Shaw, Sep 26, 2004
    #4
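    David Shaw's explanation is easy to check with a small model of the LAN. The simulation below is an added example written for this thread (not BlackICE code and not anything the posters ran). It models a NIC in promiscuous mode versus a normal NIC, and a hub versus a learning switch, and assumes constructed MAC and IP addresses for the two Win2k domain controllers (both running a sniffing sensor) and one XP workstation; the inbound frame is a port-25 packet the router has already forwarded to the mail server.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class Host:
    name: str
    mac: str
    ip: str
    promiscuous: bool = False            # True when a sniffing IDS runs here
    seen: list = field(default_factory=list)

    def receive(self, frame):
        """A normal NIC keeps only frames for its own MAC (or broadcast);
        a promiscuous NIC hands every frame on the wire up to the IDS."""
        if self.promiscuous or frame.dst_mac in (self.mac, BROADCAST):
            self.seen.append(frame)
            return True
        return False

    def ids_log(self):
        """What a host IDS would report: the victim is taken from the IP
        header, so it can be a neighbour's address, not this host's."""
        return [f"victim={f.dst_ip} port={f.dst_port} from={f.src_ip}"
                for f in self.seen]


class Hub:
    """Repeats every frame out of every other port."""
    def __init__(self, hosts):
        self.hosts = list(hosts)

    def forward(self, frame, ingress=None):
        return sorted(h.name for h in self.hosts
                      if h is not ingress and h.receive(frame))


class Switch:
    """Sends a unicast frame only to the port where its MAC was learned;
    floods it to all ports when the MAC is unknown."""
    def __init__(self, hosts):
        self.hosts = list(hosts)
        self.cam = {}                    # MAC -> Host

    def learn(self, host):
        self.cam[host.mac] = host

    def forward(self, frame, ingress=None):
        if ingress is not None:
            self.cam[frame.src_mac] = ingress
        known = self.cam.get(frame.dst_mac)
        targets = [known] if known else [h for h in self.hosts if h is not ingress]
        return sorted(h.name for h in targets if h.receive(frame))


def build_lan():
    # Constructed addresses from the documentation ranges (not the poster's).
    mail = Host("mail-dc", "00:00:5e:00:53:01", "192.168.1.2", promiscuous=True)
    iis = Host("iis-dc", "00:00:5e:00:53:02", "192.168.1.3", promiscuous=True)
    xp = Host("xp-ws", "00:00:5e:00:53:03", "192.168.1.4")
    return mail, iis, xp


def observe(topology):
    """Deliver one forwarded SMTP packet and report who received it and
    what the IIS box's sensor logged. topology: 'hub', 'switch' (mail
    server MAC already learned) or 'switch-unlearned' (flooded)."""
    mail, iis, xp = build_lan()
    frame = Frame("00:00:5e:00:53:fe", mail.mac, "198.51.100.9", mail.ip, 25)
    if topology == "hub":
        lan = Hub([mail, iis, xp])
    else:
        lan = Switch([mail, iis, xp])
        if topology == "switch":
            lan.learn(mail)
    return {"delivered_to": lan.forward(frame), "iis_ids_log": iis.ids_log()}


if __name__ == "__main__":
    for topo in ("hub", "switch", "switch-unlearned"):
        print(topo, observe(topo))
```

    On the hub (or on a switch that has not yet learned the mail server's MAC and therefore floods), the IIS box's promiscuous sensor receives the frame and logs a victim IP of 192.168.1.2, exactly the symptom in the original post, while the non-promiscuous XP workstation never sees it. On a switch with the MAC learned, only the mail server receives the frame. Seeing a neighbour's traffic from a promiscuous host is therefore a property of the segment, not a sign that the router forwarded port 25 to that host.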