Re: How did they get past my NAT?

Discussion in 'Computer Security' started by Leythos, Oct 11, 2007.

  1. Leythos

    Leythos Guest

    In article <>,
    says...
    > I would need to set up a
    > second router/firewall/NAT device like a linksys wrt54G to sit behind
    > the telecoms-operator-provided Xavi router, forward the appropriate
    > ports through both devices, and make sure that the firewall is turned
    > on on the wrt54g? I can only assume that what was "missing" in my
    > original setup was a firewall (which my adsl router claims to have,
    > but when I turn it on all the port forwarding stops working, which
    > sort of defeats the purpose). Or do you have any other suggestions on
    > how this can be done using home equipment?


    A NAT is not a firewall at all, it's basic routing - Most non-technical
    types call NAT Routers firewalls, they are not.

    A WRT54G is not a firewall, it's a NAT router. NAT blocks "unsolicited"
    inbound traffic, that's all.

    No, port forwarding is what your problem is - if you forward ports then
    you expose your computer/network and that's how people reach your
    computer to do things you don't want.

    You should learn to post in one group or to cross post so that your
    thread is easy to work with for multiple groups that you've done this
    in.

    --

    Leythos
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    (remove 999 for proper email address)
    Leythos, Oct 11, 2007
    #1

  2. Leythos

    Maniaque Guest

    On Oct 11, 6:31 am, Leythos <> wrote:
    > In article <>,
    > says...
    >
    >
    > A NAT is not a firewall at all, it's basic routing - Most non-technical
    > types call NAT Routers firewalls, they are not.


    That I understand, but I'm always a little confused about what the
    difference exactly is... a firewall is a device that only allows
    connections that you want to allow - a NAT is a device that allows
    outgoing connections arbitrarily, but normally (or only sometimes? see
    the STUN information Chris mentioned) prevents arbitrary incoming
    connections. Most home routers additionally claim to have a "firewall"
    function that you can turn on / off (including the WRT54G) - when do
    you decide what is and what is not a firewall? I really would like to
    know, it's something that's puzzled me for years. Some things are
    clearly not a firewall at all, like a "Full-cone" NAT router. Some
    things are clearly a firewall first, and anything else after, like one
    of those Cisco devices. But aren't most home routers somewhere
    in-between?

    >
    > a WRT54g is not a firewall, it's a nat router. NAT blocks "unsolicited"
    > inbound traffic, that's all.


    not true. the WRT54G can block outgoing connections based on any
    number of specified parameters, and then it has all those extra fancy
    features that I don't understand ;)

    Firewall Protection: Enable / Disable
    Additional Filters:
        Filter Proxy
        Filter Cookies
        Filter Java Applets
        Filter ActiveX
        Block Portscans
        Filter P2P Applications
    Block WAN Requests:
        Block Anonymous Internet Requests
        Filter Multicast
        Filter Internet NAT Redirection
        Filter IDENT (Port 113)

    >
    > No, port forwarding is what your problem is - if you forward ports then
    > you expose your computer/network and that's how people reach your
    > computer to do things you don't want.
    >


    Only if they get past the intended security of the service in
    question, right?

    > You should learn to post in one group or to cross post so that your
    > thread is easy to work with for multiple groups that you've done this
    > in.
    >


    Yep, thanks.

    Tao
    Maniaque, Oct 11, 2007
    #2

  3. Leythos

    Leythos Guest

    In article <>,
    says...
    > not true. the WRT54G can block outgoing connections based on any
    > number of specified parameters, and then it has all those extra fancy
    > features that I don't understand ;)


    it's a NAT device that can block outbound ports - it has no clue what
    those ports are and doesn't know the difference between HTTP and SMTP
    except that they use different ports.

    --
    Leythos - (remove 999 to email me)

    Fight exposing kids to porn, complain about sites like PCBUTTS1.COM that
    create filth and put it on the web for any kid to see: Just take a look
    at some of the FILTH he's created and put on his website:
    http://forums.speedguide.net/archive/index.php/t-223485.html all exposed
    to children (the link I've included does not directly display his filth).
    You can find the same information by googling for 'PCBUTTS1' and
    'exposed to kids'.
    Leythos, Oct 11, 2007
    #3
  4. Leythos

    Maniaque Guest

    Really quick update - Michael Ziegler helped me find the issue on a
    thread I badly cross-posted on alt.comp.networking.connectivity:
    http://groups.google.com/group/alt....ivity/browse_thread/thread/8c6a972156a51e0d/#

    My router (Xavi 7768r with GlobespanVirata chipset, I think I had it
    wrong above) has an Active FTP "NAT Helper" which allows any program
    with TCP-connection-creation privileges on any of my computers to
    open an incoming port to this machine from a target site on the
    internet. Java Applets, by default, have this functionality enabled.
    You can test for this "feature" or "flaw" at the following site:
    http://bedatec.dyndns.org/ftpnat/dotest_en.html

    On the day this happened, I was browsing on at least a couple of sites
    that could well have had "harmful content", probably including a java
    applet that opened up my port to the attacking site by using the FTP
    NAT helper trick. My VNC server was a flawed version which (I tested
    that) allowed certain well-crafted incoming connections to bypass
    authentication.

    Now - at this point I have no proof that that was the course of
    events, but "Occam's razor" and all that, it is definitely the
    simplest explanation that fits all the facts. I will definitely do a
    more thorough malware check on my machine and I will implement a
    solution that allows me to forward the ports I want without the NAT
    Helper flaw, but in the meantime I will sleep much better knowing that
    chances are 95% that I at least know exactly what the problem was.

    Thanks for all your help!
    Tao
    Maniaque, Oct 11, 2007
    #4
  5. Leythos

    Leythos Guest

    In article <>,
    says...
    > My router (Xavi 7768r with GlobespanVirata chipset, I think I had it
    > wrong above) has an Active FTP "NAT Helper" which allows any program
    > with TCP-connection-creation privileges on any of my computers to
    > open an incoming port to this machine from a target site on the
    > internet.


    Another reason to never trust the ISP/Vendor supplied hardware.

    Always get your own NAT/Firewall appliance and then you control
    everything and manage it.

    --
    Leythos - (remove 999 to email me)

    Leythos, Oct 11, 2007
    #5
  6. Leythos

    Sebastian G. Guest

    Maniaque wrote:


    >> A NAT is not a firewall at all, it's basic routing - Most non-technical
    >> types call NAT Routers firewalls, they are not.

    >
    > That I understand, but I'm always a little confused about what the
    > difference Exactly is... a firewall is a device that only allows
    > connections that you want to allow - a NAT is a device that allows
    > outgoing connections arbitrarily, but normally (or only sometimes? see
    > the STUN information Chris mentioned) prevents arbitrary incoming
    > connections.



    NAT/NAPT is a mechanism to provide connectivity. Preventing incoming
    connections might be a particularly useless side effect, depending on the
    implementation. It has nothing to do with security.

    > Most home routers additionally claim to have a "firewall"
    > function that you can turn on / off (including the WRT54G)



    Yes, but this is not related to NAT.
    Sebastian G., Oct 11, 2007
    #6
  7. Leythos

    goarilla Guest

    Leythos wrote:
    > In article <>,
    > says...
    >> not true. the WRT54G can block outgoing connections based on any
    >> number of specified parameters, and then it has all those extra fancy
    >> features that I don't understand ;)

    >
    > it's a NAT device that can block outbound ports - it has no clue what
    > those ports are and doesn't know the difference between HTTP and SMTP
    > except that they use different ports.
    >


    Just some questions, with the goal of learning more.

    So you call a firewall something with complex heuristics? Really, does
    iptables provide more than filtering between protocol, port and state
    information, and do people actually use it? Because in essence, iirc, a
    NAT router does the same: it opens up a connection if somebody on the
    inside requests it, and after that allows the connection until it's
    broken down (FIN or RST). Do I have a point here or not?
    goarilla, Oct 11, 2007
    #7
  8. Leythos

    goarilla Guest

    Leythos wrote:
    > In article <>,
    > says...
    >> My router (Xavi 7768r with GlobespanVirata chipset, I think I had it
    >> wrong above) has an Active FTP "NAT Helper" which allows any program
    >> with TCP-connection-creation privileges on any of my computers to
    >> open an incoming port to this machine from a target site on the
    >> internet.

    >
    > Another reason to never trust the ISP/Vendor supplied hardware.
    >
    > Always get your own NAT/Firewall appliance and then you control
    > everything and manage it.
    >

    I wholeheartedly agree with you on this one.

    The problem is ... some ISPs filter on a specific device (MAC), some
    ISPs lend you the router for personal usage, and some ISPs disallow
    other, so called 'not supported', routers and put a clause in small
    letters in your contract.

    Here in Belgium it's actually pretty bad in this field. Even worse, the
    biggest ISP here, Belgacom, disallows secured POP (SSL/TLS) or IMAP to
    non-business users, which still costs +40 EURO/month.
    goarilla, Oct 11, 2007
    #8
  9. Leythos

    Leythos Guest

    In article <470e921a$0$29265$>, goarilla <"kevin
    DOT paulus AT skynet DOT be"> says...
    > Leythos wrote:
    > > In article <>,
    > > says...
    > >> not true. the WRT54G can block outgoing connections based on any
    > >> number of specified parameters, and then it has all those extra fancy
    > >> features that I don't understand ;)

    > >
    > > it's a NAT device that can block outbound ports - it has no clue what
    > > those ports are and doesn't know the difference between HTTP and SMTP
    > > except that they use different ports.
    > >

    >
    > just some questions with as goal to learn more
    >
    > so you call a firewall something with complex heuristics ?
    > really does iptables provide more than filtering between protocol, port
    > and state information, and do people actually use it. Because in essence
    > iirc
    > a nat router does the same it opens up a connection if somebody on the
    > inside requests it
    > and after that allows the connection until it's broken down (FIN or RST)
    > do i have a point here or not ?


    Does the device, in the standard/default mode, block traffic in both
    directions?

    Does the device know the difference between HTTP and SMTP or only TCP 80
    and TCP 25?

    Does the device understand being attacked and auto-block sources of
    attacks or unauthorized traffic?

    Does the device use NAT or can it be setup with rules without using NAT?
    If it forces NAT then I don't consider it a firewall unless it can do
    all the others - since MOST of the devices that force NAT are
    residential device (yea, not all inclusive, but you should get the idea
    without us going off the deep end).



    --
    Leythos - (remove 999 to email me)

    Leythos, Oct 11, 2007
    #9
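The stateful behaviour goarilla describes above (a connection is opened when somebody on the inside requests it and allowed until it is torn down with FIN or RST) and Leythos' first and last questions (does it block in both directions, can it have rules without NAT), as an added example that is not part of the thread and not netfilter's code: a toy stateful packet filter in Python. It tracks TCP connections the way a conntrack table does in outline (NEW on a bare SYN, ESTABLISHED afterwards, removed after RST or after both sides' FINs), applies an explicit default-deny policy in both directions, never rewrites an address, and, as both posters note, knows only "TCP 80" and "TCP 25", not HTTP or SMTP. Every address, port and packet is constructed; real conntrack also keeps timers after close, which this model omits.

```python
"""Toy stateful packet filter with explicit policy in both directions
and no address translation. Added example, not netfilter code.
All addresses, ports and packets below are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address

LAN = IPv4Network("192.168.1.0/24")   # constructed inside network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # any of "SYN", "ACK", "FIN", "RST"


def pkt(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))


class StatefulFilter:
    """Default-deny both ways; allow-lists decide which NEW connections
    may be created; packets of a tracked connection pass until teardown."""

    def __init__(self, out_allow_dports, in_allow):
        self.out_allow_dports = frozenset(out_allow_dports)  # LAN -> outside
        self.in_allow = frozenset(in_allow)                  # (lan_ip, port)
        self.table = {}                                      # key -> state

    @staticmethod
    def _key(p):
        # Order the endpoints so both directions map to the same entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def handle(self, p):
        key = self._key(p)
        state = self.table.get(key)
        if state is not None:
            if "RST" in p.flags:               # reset: entry gone at once
                del self.table[key]
                return "ACCEPT (ESTABLISHED, reset)"
            if "FIN" in p.flags:               # second FIN removes the entry
                if state == "CLOSING":
                    del self.table[key]
                else:
                    self.table[key] = "CLOSING"
                return "ACCEPT (ESTABLISHED, closing)"
            return "ACCEPT (ESTABLISHED)"
        # No state yet: only a bare SYN may create one (a SYN/ACK or data
        # packet with no tracked connection is invalid).
        if "SYN" not in p.flags or "ACK" in p.flags:
            return "DROP (no matching connection)"
        src_in, dst_in = ip_address(p.src) in LAN, ip_address(p.dst) in LAN
        if src_in and not dst_in:               # outbound NEW: port policy
            if p.dport in self.out_allow_dports:
                self.table[key] = "ESTABLISHED"
                return "ACCEPT (NEW outbound)"
            return "DROP (outbound policy)"
        if dst_in and not src_in:               # inbound NEW: explicit rule
            if (p.dst, p.dport) in self.in_allow:
                self.table[key] = "ESTABLISHED"
                return "ACCEPT (NEW inbound rule)"
            return "DROP (unsolicited inbound)"
        return "DROP (neither side on the LAN)"


def run_scenario():
    """Constructed packet sequence; returns the verdict for each packet."""
    fw = StatefulFilter(out_allow_dports={80, 443},
                        in_allow={("192.168.1.20", 22)})
    client, admin = "192.168.1.10", "192.168.1.20"          # LAN hosts
    web, outsider = "198.51.100.5", "203.0.113.7"           # outside hosts
    flow = [
        pkt(client, 40000, web, 80, "SYN"),         # inside opens TCP 80
        pkt(web, 80, client, 40000, "SYN", "ACK"),  # reply rides the state
        pkt(web, 80, client, 40000, "ACK"),         # server data
        pkt(outsider, 5555, client, 5900, "SYN"),   # unsolicited inbound
        pkt(client, 40001, web, 25, "SYN"),         # outbound TCP 25: policy
        pkt(outsider, 6000, admin, 22, "SYN"),      # inbound rule, no NAT
        pkt(client, 40000, web, 80, "FIN", "ACK"),  # client closes
        pkt(web, 80, client, 40000, "FIN", "ACK"),  # server closes: removed
        pkt(web, 80, client, 40000, "ACK"),         # after teardown: dropped
    ]
    return [fw.handle(p) for p in flow]


if __name__ == "__main__":
    for i, verdict in enumerate(run_scenario(), 1):
        print(i, verdict)
```

Note what the filter does and does not know: the decision on packet 5 is "dport 25", nothing about the SMTP conversation that would have followed, which is exactly the distinction Leythos draws between a port filter and an application-aware device.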
  10. Leythos

    goarilla Guest

    Leythos wrote:
    > In article <470e921a$0$29265$>, goarilla <"kevin
    > DOT paulus AT skynet DOT be"> says...
    >> Leythos wrote:
    >>> In article <>,
    >>> says...
    >>>> not true. the WRT54G can block outgoing connections based on any
    >>>> number of specified parameters, and then it has all those extra fancy
    >>>> features that I don't understand ;)
    >>> it's a NAT device that can block outbound ports - it has no clue what
    >>> those ports are and doesn't know the difference between HTTP and SMTP
    >>> except that they use different ports.
    >>>

    >> just some questions with as goal to learn more
    >>
    >> so you call a firewall something with complex heuristics ?
    >> really does iptables provide more than filtering between protocol, port
    >> and state information, and do people actually use it. Because in essence
    >> iirc
    >> a nat router does the same it opens up a connection if somebody on the
    >> inside requests it
    >> and after that allows the connection until it's broken down (FIN or RST)
    >> do i have a point here or not ?

    >
    > Does the device, in the standard/default mode, block traffic in both
    > directions?


    No, OK, you got me here, it only does this for INBOUND traffic, but I
    myself don't block outbound traffic on my box (Slackware) either,
    because I consider myself knowledgeable enough to be trusted :D

    > Does the device know the difference between HTTP and SMTP or only TCP 80
    > and TCP 25?
    >
    > Does the device understand being attacked and auto-block sources of
    > attacks or unauthorized traffic?
    >
    > Does the device use NAT or can it be setup with rules without using NAT?
    > If it forces NAT then I don't consider it a firewall unless it can do
    > all the others - since MOST of the devices that force NAT are
    > residential device (yea, not all inclusive, but you should get the idea
    > without us going off the deep end).
    >
    >
    >

    Do you consider netfilter to be a firewall (well, in essence it's a
    stateful packet filter)? Because iirc there is no SMTP or HTTP netfilter
    module, and it does its filtering mostly on the data link and transport
    protocols' headers, like most firewalls do. It would be very costly,
    performance-wise, to implement application protocol filters into
    firewalls, and I've yet to see one that does, also implementing complex
    heuristics, because let's face it: the higher you go up in the TCP/IP
    stack, the more complex the headers and payload become, the more bugs
    you'll get in the code that does the heuristics --> the more flaws there
    are to be exploited!
    goarilla, Oct 11, 2007
    #10
  11. Leythos

    Leythos Guest

    In article <470e9db8$0$22311$>, goarilla <"kevin
    DOT paulus AT skynet DOT be"> says...
    > >

    > do you consider netfilter to be a firewall (well in essence it's a
    > stateful packet filter)
    > because iirc there is no smtp or http netfilter module
    > and it does its filtering mostly on the data link and transport
    > protocol's headers
    > like most firewalls do. it would be very costly performance wise to
    > implement
    > application protocol filters into firewalls and i've yet to see one that
    > does
    > also implementing complex heuristics because let's face it the higher
    > you go up in
    > the tcp/ip stack the more complex the headers and payload become, the
    > more bugs you'll get
    > in the code that does the heuristics --> the more flaws there are to be
    > exploited!


    Sorry, but I don't consider NAT Routers to be firewalls, they are
    routers with some fancy features, not firewalls.

    Many "Firewalls" do know the difference between SMTP and traffic over
    TCP 25 - so, while you've yet to see one, you just are not working with
    the better hardware out there.

    As for Bugs, yes, but I only purchase certified appliances, ones from
    vendors that have a proven record of staying secure and clean, so I
    trust that a LOT more than what most people use in their homes.

    --
    Leythos - (remove 999 to email me)

    Leythos, Oct 12, 2007
    #11
  12. Leythos

    Todd H. Guest

    Leythos <> writes:

    > In article <470e921a$0$29265$>, goarilla <"kevin
    > DOT paulus AT skynet DOT be"> says...
    > > Leythos wrote:
    > > > In article <>,
    > > > says...
    > > >> not true. the WRT54G can block outgoing connections based on any
    > > >> number of specified parameters, and then it has all those extra fancy
    > > >> features that I don't understand ;)
    > > >
    > > > it's a NAT device that can block outbound ports - it has no clue what
    > > > those ports are and doesn't know the difference between HTTP and SMTP
    > > > except that they use different ports.
    > > >

    > >
    > > just some questions with as goal to learn more
    > >
    > > so you call a firewall something with complex heuristics ?
    > > really does iptables provide more than filtering between protocol, port
    > > and state information, and do people actually use it. Because in essence
    > > iirc
    > > a nat router does the same it opens up a connection if somebody on the
    > > inside requests it
    > > and after that allows the connection until it's broken down (FIN or RST)
    > > do i have a point here or not ?

    >
    > Does the device, in the standard/default mode, block traffic in both
    > directions?


    A cat5 cable cut in half does. Is it a firewall?

    > Does the device know the difference between HTTP and SMTP or only
    > TCP 80 and TCP 25?


    Firewalls in the traditional definition never did, were they not
    firewalls? Application-level protocol recognition is only recently on
    the scene, yet we've had things people called "firewalls" existing for
    quite a while before that. I'd hate to think I didn't get the memo
    about someone changing the definition of "firewall" with the
    International Standards Organization.

    > Does the device understand being attacked and auto-block sources of
    > attacks or unauthorized traffic?


    So when did the definition of "firewall" start requiring it to also
    fit the definition of "network intrusion prevention device" or
    "network intrusion detection device?"

    Just curious.

    > Does the device use NAT or can it be setup with rules without using NAT?
    > If it forces NAT then I don't consider it a firewall unless it can do
    > all the others - since MOST of the devices that force NAT are
    > residential device (yea, not all inclusive, but you should get the idea
    > without us going off the deep end).


    Ah, okay here's where we come down to brass tacks--with the use of the
    word "I."

    Some folks seem to have their own definition of a firewall that
    doesn't match that accepted over the course of a lot of networking
    history including the present. This view categorically rejects those
    devices which don't fit a personally crafted unique definition of
    "firewalls."

    Unfortunately, it's pedantic and pointless. But then again, so is
    much of the banter by the more abusive posters here. To protect their
    identity, we won't mention Leythos and Sebastian by name.

    Now, that's not to say there isn't something to learn about the range
    of functionality one might want to consider in their border protection
    in the narrow definition such folks try to paint, but being so prickly
    about what to call a "firewall" and what to call a "NAT router" is
    just a freakin waste of time. Better to say "corporate grade border
    security appliance" which has built into the obvious fact that
    functionality and features of corporate grade hardware exceed that of
    $70 Linksys gear popular among home and small office users.

    And let's not forget that there was a time not very long ago where the
    functionality packed into your garden variety wrt54g (particularly one
    packing the functionality of third party firmware) took a HELL of a lot
    of much more expensive hardware and was certainly considered a
    "firewall." And still is for that matter.

    Those with what I'll call this "modern purist" view may be shocked to
    see the breadth of definitions for our friend the firewall that are in
    existence that cast a much bigger net than his own:
    http://www.google.com/search?q=define:firewall

    We now return you to your regularly scheduled semantic argument.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/
    Todd H., Oct 12, 2007
    #12
  13. Leythos

    Leythos Guest

    In article <>, says...
    > Unfortunately, it's pedantic and pointless. But then again, so is
    > much of the banter by the more abusive posters here. To protect their
    > identity, we won't mention Leythos and Sebastian by name.


    I've not been abusive to any person here. While I certainly know that
    NAT appliances are not firewalls (but firewalls can do NAT), there is a
    misconception as to what the public is being told a firewall is.

    Yea, you don't like it, you must be one that purchased one of those
    BEFSR41 units and fell for the "it's a firewall" crap - did you know
    that when the BEFSR41 was introduced it was called a ROUTER with no
    mention of firewall - a year later, with no changes, it was being
    marketed as a "Firewall" - same box, same firmware.....

    So, like it or not Todd H, most residential users are not using
    firewalls, they are using ROUTERS.

    --
    Leythos - (remove 999 to email me)

    Leythos, Oct 12, 2007
    #13
  14. Leythos

    Rick Merrill Guest

    Leythos wrote:
    > In article <470e9db8$0$22311$>, goarilla <"kevin
    > DOT paulus AT skynet DOT be"> says...
    >> do you consider netfilter to be a firewall (well in essence it's a
    >> stateful packet filter)
    >> because iirc there is no smtp or http netfilter module
    >> and it does its filtering mostly on the data link and transport
    >> protocol's headers
    >> like most firewalls do. it would be very costly performance wise to
    >> implement
    >> application protocol filters into firewalls and i've yet to see one that
    >> does
    >> also implementing complex heuristics because let's face it the higher
    >> you go up in
    >> the tcp/ip stack the more complex the headers and payload become, the
    >> more bugs you'll get
    >> in the code that does the heuristics --> the more flaws there are to be
    >> exploited!

    >
    > Sorry, but I don't consider NAT Routers to be firewalls, they are
    > routers with some fancy features, not firewalls.


    If the router closes all ports and conceals LAN IP addresses
    then it's just as good, and in one respect better than, any
    software firewall.
    Rick Merrill, Oct 12, 2007
    #14
  15. Leythos

    Todd H. Guest

    Rick Merrill <> writes:

    > Leythos wrote:
    > > In article <470e9db8$0$22311$>, goarilla
    > > <"kevin DOT paulus AT skynet DOT be"> says...
    > >> do you consider netfilter to be a firewall (well in essence it's a
    > >> stateful packet filter)
    > >> because iirc there is no smtp or http netfilter module
    > >> and it does its filtering mostly on the data link and transport
    > >> protocol's headers
    > >> like most firewalls do. it would be very costly performance wise to
    > >> implement
    > >> application protocol filters into firewalls and i've yet to see one
    > >> that does
    > >> also implementing complex heuristics because let's face it the
    > >> higher you go up in
    > >> the tcp/ip stack the more complex the headers and payload become,
    > >> the more bugs you'll get
    > >> in the code that does the heuristics --> the more flaws there are
    > >> to be exploited!

    > > Sorry, but I don't consider NAT Routers to be firewalls, they are
    > > routers with some fancy features, not firewalls.

    >
    > If the router closes all ports and conceals LAN IP addresses
    > then it's just as good, and in one respect better than, any
    > software firewall.


    Uh oh. Someone said "software firewall."

    Brace for the impending ranting about how they aren't firewalls
    either.

    --
    Todd H.
    http://www.toddh.net/
    Todd H., Oct 12, 2007
    #15
  16. Leythos

    Rick Merrill Guest

    Todd H. wrote:
    > Rick Merrill <> writes:
    >
    >> Leythos wrote:
    >>> In article <470e9db8$0$22311$>, goarilla
    >>> <"kevin DOT paulus AT skynet DOT be"> says...
    >>>> do you consider netfilter to be a firewall (well in essence it's a
    >>>> stateful packet filter)
    >>>> because iirc there is no smtp or http netfilter module
    >>>> and it does its filtering mostly on the data link and transport
    >>>> protocol's headers
    >>>> like most firewalls do. it would be very costly performance wise to
    >>>> implement
    >>>> application protocol filters into firewalls and i've yet to see one
    >>>> that does
    >>>> also implementing complex heuristics because let's face it the
    >>>> higher you go up in
    >>>> the tcp/ip stack the more complex the headers and payload become,
    >>>> the more bugs you'll get
    >>>> in the code that does the heuristics --> the more flaws there are
    >>>> to be exploited!
    >>> Sorry, but I don't consider NAT Routers to be firewalls, they are
    >>> routers with some fancy features, not firewalls.

    >> If the router closes all ports and conceals LAN IP addresses
    >> then it's just as good, and in one respect better than, any
    >> software firewall.

    >
    > Uh oh. Someone said "software firewall."
    >
    > Brace for the impending ranting about how they aren't firewalls
    > either.
    >


    Oops, I didn't expect to get off scot-free.
    Rick Merrill, Oct 13, 2007
    #16
  17. Leythos

    Unruh Guest

    Rick Merrill <> writes:

    >Leythos wrote:
    >> In article <470e9db8$0$22311$>, goarilla <"kevin
    >> DOT paulus AT skynet DOT be"> says...
    >>> do you consider netfilter to be a firewall (well in essence it's a
    >>> stateful packet filter)
    >>> because iirc there is no smtp or http netfilter module
    >>> and it does its filtering mostly on the data link and transport
    >>> protocol's headers
    >>> like most firewalls do. it would be very costly performance wise to
    >>> implement
    >>> application protocol filters into firewalls and i've yet to see one that
    >>> does
    >>> also implementing complex heuristics because let's face it the higher
    >>> you go up in
    >>> the tcp/ip stack the more complex the headers and payload become, the
    >>> more bugs you'll get
    >>> in the code that does the heuristics --> the more flaws there are to be
    >>> exploited!

    >>
    >> Sorry, but I don't consider NAT Routers to be firewalls, they are
    >> routers with some fancy features, not firewalls.


    >If the router closes all ports and conceals LAN IP addresses
    >then it's just as good, and in one respect better than, any
    >software firewall.



    IF it closes all ports (nat is irrelevant). But the hypothesis of the
    thread was that ports were being punched through the router. Note that a
    router which refuses to pass on ports IS a firewall. And since it operates
    on software loaded on the router, it is a software firewall.
    Unruh, Oct 13, 2007
    #17
  18. Leythos

    Leythos Guest

    In article <>,
    says...
    > Leythos wrote:
    > > In article <470e9db8$0$22311$>, goarilla <"kevin
    > > DOT paulus AT skynet DOT be"> says...
    > >> do you consider netfilter to be a firewall (well in essence it's a
    > >> stateful packet filter)
    > >> because iirc there is no smtp or http netfilter module
    > >> and it does its filtering mostly on the data link and transport
    > >> protocol's headers
    > >> like most firewalls do. it would be very costly performance wise to
    > >> implement
    > >> application protocol filters into firewalls and i've yet to see one that
    > >> does
    > >> also implementing complex heuristics because let's face it the higher
    > >> you go up in
    > >> the tcp/ip stack the more complex the headers and payload become, the
    > >> more bugs you'll get
    > >> in the code that does the heuristics --> the more flaws there are to be
    > >> exploited!

    > >
    > > Sorry, but I don't consider NAT Routers to be firewalls, they are
    > > routers with some fancy features, not firewalls.

    >
    > If the router closes all ports and conceals LAN IP addresses
    > then it's just as good, and in one respect better than, any
    > software firewall.


    Actually, a NAT Router is better than any PERSONAL firewall solution
    installed on a non-dedicated computer.

    --
    Leythos - (remove 999 to email me)

    Leythos, Oct 13, 2007
    #18
  19. Leythos

    goarilla Guest

    Leythos wrote:
    > In article <>,
    > says...
    >> Leythos wrote:
    >>> In article <470e9db8$0$22311$>, goarilla <"kevin
    >>> DOT paulus AT skynet DOT be"> says...
    >>>> do you consider netfilter to be a firewall (well in essence it's a
    >>>> stateful packet filter)
    >>>> because iirc there is no smtp or http netfilter module
    >>>> and it does its filtering mostly on the data link and transport
    >>>> protocol's headers
    >>>> like most firewalls do. it would be very costly performance wise to
    >>>> implement
    >>>> application protocol filters into firewalls and i've yet to see one that
    >>>> does
    >>>> also implementing complex heuristics because let's face it the higher
    >>>> you go up in
    >>>> the tcp/ip stack the more complex the headers and payload become, the
    >>>> more bugs you'll get
    >>>> in the code that does the heuristics --> the more flaws there are to be
    >>>> exploited!
    >>> Sorry, but I don't consider NAT Routers to be firewalls, they are
    >>> routers with some fancy features, not firewalls.

    >> If the router closes all ports and conceals LAN IP addresses
    >> then it's just as good, and in one respect better than, any
    >> software firewall.

    >
    > Actually, a NAT Router is better than any PERSONAL firewall solution
    > installed on a non-dedicated computer.
    >

    what if your Personal Computer runs a BSD (ipfw, pf) or GNU/Linux
    distribution (iptables)?
    and is there such a big difference between a firewall that has its code
    burned in flash (firmware)
    and a firewall that hooks into the tcp/ip stack of a general purpose OS?
    goarilla, Oct 13, 2007
    #19
  20. Leythos

    Leythos Guest

    In article <4710aff1$0$22302$>, goarilla <"kevin
    DOT paulus AT skynet DOT be"> says...
    > Leythos wrote:
    > > In article <>,
    > > says...
    > >> Leythos wrote:
    > >>> In article <470e9db8$0$22311$>, goarilla <"kevin
    > >>> DOT paulus AT skynet DOT be"> says...
    > >>>> do you consider netfilter to be a firewall (well in essence it's a
    > >>>> stateful packet filter)
    > >>>> because iirc there is no smtp or http netfilter module
    > >>>> and it does its filtering mostly on the data link and transport
    > >>>> protocol's headers
    > >>>> like most firewalls do. it would be very costly performance wise to
    > >>>> implement
    > >>>> application protocol filters into firewalls and i've yet to see one that
    > >>>> does
    > >>>> also implementing complex heuristics because let's face it the higher
    > >>>> you go up in
    > >>>> the tcp/ip stack the more complex the headers and payload become, the
    > >>>> more bugs you'll get
    > >>>> in the code that does the heuristics --> the more flaws there are to be
    > >>>> exploited!
    > >>> Sorry, but I don't consider NAT Routers to be firewalls, they are
    > >>> routers with some fancy features, not firewalls.
    > >> If the router closes all ports and conceals LAN IP addresses
    > >> then it's just as good, and in one respect better than, any
    > >> software firewall.

    > >
    > > Actually, a NAT Router is better than any PERSONAL firewall solution
    > > installed on a non-dedicated computer.
    > >

    > what if your Personal Computer runs a BSD (ipfw, pf) or GNU/Linux
    > distribution (iptables)? and is there such a big difference between
    > a firewall that has its code burned in flash (firmware)
    > and a firewall that hooks into the tcp/ip stack of a general purpose OS?


    As long as it is a dedicated computer and not one that users are
    playing/working on, then it can easily be a firewall. Checkpoint running
    on a Nix OS is a great example of a dedicated server class firewall -
    notice the dedicated.

    With all that is available at a reasonable cost today, a firewall that
    is just a router is not really a firewall. The appliances I install can
    tell the difference between SMTP and HTTP or FTP and do a lot more,
    that's the least I would install.

    This still goes back to these cheap residential units called firewalls
    by the marketing department - if you look up NAT, it's routing, simple
    and plain, not Firewalling.

    --
    Leythos - (remove 999 to email me)

    Leythos, Oct 13, 2007
    #20
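The distinction argued over in the last few posts (NAT only "blocks" inbound traffic because no translation entry exists, a port forward punches a static hole to one LAN host, and a stateful packet filter such as netfilter/pf adds an explicit policy on top) can be made concrete with a small simulation. This is an added illustration written for this thread, not code from any poster or from any router or firewall product; the addresses, ports and the allow-list network are constructed sample values.

```python
"""Why a NAT router is routing, not firewalling: a toy model (added example).

Three devices are modelled on constructed traffic:
  (a) a plain NAT router: outbound flows create translation entries and
      inbound packets that match no entry are silently dropped,
  (b) the same router with a port forward: a static mapping that delivers
      any inbound packet on that port to one LAN host, from any source,
  (c) a stateful filter in front of (b): replies to flows opened from the
      LAN pass, new inbound connections pass only if a policy rule allows
      them, and stray packets with no state are dropped and logged.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = True  # True = new connection attempt (unsolicited if inbound)


@dataclass
class NatRouter:
    public_ip: str
    lan: str                                           # e.g. "192.168.1.0/24"
    port_forwards: dict = field(default_factory=dict)  # public port -> (lan ip, lan port)
    table: dict = field(default_factory=dict)          # public port -> (lan ip, lan port)
    next_port: int = 40000

    def outbound(self, pkt):
        """LAN -> Internet: allocate (or reuse) a translation, rewrite the source."""
        if ip_address(pkt.src_ip) not in ip_network(self.lan):
            return None
        inside = (pkt.src_ip, pkt.src_port)
        for pub_port, mapped in self.table.items():
            if mapped == inside:
                break
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.table[pub_port] = inside
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.syn)

    def inbound(self, pkt):
        """Internet -> LAN: deliver only if a translation or a forward exists.

        There is no policy here at all: a packet is either translatable or
        it is not. That absence of a mapping is the only "blocking" NAT does."""
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self.table.get(pkt.dst_port) or self.port_forwards.get(pkt.dst_port)
        if inside is None:
            return None
        lan_ip, lan_port = inside
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.syn)


@dataclass
class StatefulFilter:
    """Explicit policy and connection state applied before the NAT step."""
    router: NatRouter
    allow_new: list                                   # (source network, public port) pairs
    established: set = field(default_factory=set)     # (public port, remote ip, remote port)
    log: list = field(default_factory=list)

    def outbound(self, pkt):
        translated = self.router.outbound(pkt)
        if translated is not None:
            # remember the flow so that only its replies are let back in
            self.established.add((translated.src_port, pkt.dst_ip, pkt.dst_port))
        return translated

    def _permitted_new(self, pkt):
        return any(ip_address(pkt.src_ip) in ip_network(net) and pkt.dst_port == port
                   for net, port in self.allow_new)

    def inbound(self, pkt):
        if (pkt.dst_port, pkt.src_ip, pkt.src_port) in self.established:
            return self.router.inbound(pkt)  # reply to a flow we opened
        if pkt.syn and self._permitted_new(pkt):
            self.established.add((pkt.dst_port, pkt.src_ip, pkt.src_port))
            return self.router.inbound(pkt)  # new connection allowed by policy
        self.log.append(f"DROP {pkt.src_ip}:{pkt.src_port} -> "
                        f"{pkt.dst_ip}:{pkt.dst_port} syn={pkt.syn}")
        return None


def scenario():
    """Run the three devices against constructed traffic; return what got through."""
    pub, lan_host = "203.0.113.10", "192.168.1.20"      # constructed sample addresses
    results = {}

    # (a) plain NAT: replies to a LAN-initiated flow come back, a cold probe does not
    nat = NatRouter(pub, "192.168.1.0/24")
    out = nat.outbound(Packet(lan_host, 51000, "198.51.100.5", 443))
    reply = nat.inbound(Packet("198.51.100.5", 443, pub, out.src_port, syn=False))
    results["reply_to_solicited_flow"] = reply is not None and reply.dst_ip == lan_host
    results["unsolicited_probe_plain_nat"] = nat.inbound(Packet("192.0.2.77", 4444, pub, 22)) is not None

    # (b) port forward: the same probe now reaches the LAN host, from anywhere
    nat_fw = NatRouter(pub, "192.168.1.0/24", port_forwards={22: (lan_host, 22)})
    results["unsolicited_probe_port_forward"] = nat_fw.inbound(Packet("192.0.2.77", 4444, pub, 22)) is not None
    results["stray_ack_port_forward"] = nat_fw.inbound(Packet("192.0.2.77", 5555, pub, 22, syn=False)) is not None

    # (c) stateful filter: only the constructed 198.51.100.0/24 may open new connections to 22
    fw = StatefulFilter(nat_fw, allow_new=[("198.51.100.0/24", 22)])
    results["probe_blocked_by_policy"] = fw.inbound(Packet("192.0.2.77", 4444, pub, 22)) is None
    allowed = fw.inbound(Packet("198.51.100.9", 4444, pub, 22))
    results["permitted_source_passes"] = allowed is not None and allowed.dst_ip == lan_host
    results["stray_ack_blocked_by_state"] = fw.inbound(Packet("192.0.2.77", 5555, pub, 22, syn=False)) is None
    results["drops_logged"] = len(fw.log)
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The model deliberately keeps the NAT step policy-free: `NatRouter.inbound` never asks who the sender is, only whether a mapping exists, which is exactly why a port forward exposes the host to every source on the Internet. `StatefulFilter` is the part a real firewall adds, whether it lives in firmware or in a general-purpose kernel's TCP/IP stack: connection tracking plus an explicit decision about new inbound connections, with the drops recorded so they can be watched.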
