Re: How did they get past my NAT? [Archive] - SpeedGuide.net Broadband Community



Leythos
10-11-07, 05:31 AM
In article <1192088852.392958.21220@r29g2000hsg.googlegroups.com>,
maniaque27@gmail.com says...
> I would need to set up a
> second router/firewall/NAT device like a linksys wrt54G to sit behind
> the telecoms-operator-provided Xavi router, forward the appropriate
> ports through both devices, and make sure that the firewall is turned
> on on the wrt54g? I can only assume that what was "missing" in my
> original setup was a firewall (which my adsl router claims to have,
> but when I turn it on all the port forwarding stops working, which
> sort of defeats the purpose). Or do you have any other suggestions on
> how this can be done using home equipment?

A NAT is not a firewall at all; it's basic routing. Most non-technical
types call NAT routers firewalls. They are not.

A WRT54G is not a firewall, it's a NAT router. NAT blocks "unsolicited"
inbound traffic, that's all.

No, port forwarding is what your problem is - if you forward ports then
you expose your computer/network and that's how people reach your
computer to do things you don't want.

You should learn to post in one group or to cross post so that your
thread is easy to work with for multiple groups that you've done this
in.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Maniaque
10-11-07, 11:31 AM
On Oct 11, 6:31 am, Leythos <v...@nowhere.lan> wrote:
> In article <1192088852.392958.21...@r29g2000hsg.googlegroups.com>,
> maniaqu...@gmail.com says...
>
>
> A NAT is not a firewall at all, it's basic routing - Most non-technical
> types call NAT Routers firewalls, they are not.

That I understand, but I'm always a little confused about what the
difference exactly is... a firewall is a device that only allows
connections that you want to allow - a NAT is a device that allows
outgoing connections arbitrarily, but normally (or only sometimes? see
the STUN information Chris mentioned) prevents arbitrary incoming
connections. Most home routers additionally claim to have a "firewall"
function that you can turn on / off (including the WRT54G) - when do
you decide what is and what is not a firewall? I really would like to
know, it's something that's puzzled me for years. Some things are
clearly not a firewall at all, like a "Full-cone" NAT router. Some
things are clearly a firewall first, and anything else after, like one
of those Cisco devices. But aren't most home routers somewhere
in-between?

>
> a WRT54g is not a firewall, it's a nat router. NAT blocks "unsolicited"
> inbound traffic, that's all.

Not true. The WRT54G can block outgoing connections based on any
number of specified parameters, and then it has all those extra fancy
features that I don't understand ;)

Firewall Protection: Enable / Disable
Additional Filters:
- Filter Proxy
- Filter Cookies
- Filter Java Applets
- Filter ActiveX
- Block Portscans
- Filter P2P Applications
- Block WAN Requests
- Block Anonymous Internet Requests
- Filter Multicast
- Filter Internet NAT Redirection
- Filter IDENT (Port 113)

>
> No, port forwarding is what your problem is - if you forward ports then
> you expose your computer/network and that's how people reach your
> computer to do things you don't want.
>

Only if they get past the intended security of the service in
question, right?

> You should learn to post in one group or to cross post so that your
> thread is easy to work with for multiple groups that you've done this
> in.
>

Yep, thanks.

Tao

Leythos
10-11-07, 01:39 PM
In article <1192120303.414117.236860@g4g2000hsf.googlegroups.com>,
maniaque27@gmail.com says...
> not true. the WRT54G can block outgoing connections based on any
> number of specified parameters, and then it has all those extra fancy
> features that I don't understand ;)

it's a NAT device that can block outbound ports - it has no clue what
those ports are and doesn't know the difference between HTTP and SMTP
except that they use different ports.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

Fight exposing kids to porn, complain about sites like PCBUTTS1.COM that
create filth and put it on the web for any kid to see: Just take a look
at some of the FILTH he's created and put on his website:
http://forums.speedguide.net/archive/index.php/t-223485.html all exposed
to children (the link I've include does not directly display his filth).
You can find the same information by googling for 'PCBUTTS1' and
'exposed to kids'.

Maniaque
10-11-07, 01:43 PM
Really quick update - Michael Ziegler helped me find the issue on a
thread I badly cross-posted on alt.comp.networking.connectivity:
http://groups.google.com/group/alt.comp.networking.connectivity/browse_thread/thread/8c6a972156a51e0d/#

My router (Xavi 7768r with GlobespanVirata chipset, I think I had it
wrong above) has an Active FTP "NAT Helper" which allows any program
with TCP-connection-creation privileges on any of my computers to
open an incoming port to this machine from a target site on the
internet. Java Applets, by default, have this functionality enabled.
You can test for this "feature" or "flaw" at the following site:
http://bedatec.dyndns.org/ftpnat/dotest_en.html

On the day this happened, I was browsing on at least a couple of sites
that could well have had "harmful content", probably including a java
applet that opened up my port to the attacking site by using the FTP
NAT helper trick. My VNC server was a flawed version which (I tested
that) allowed certain well-crafted incoming connections to bypass
authentication.

Now - at this point I have no proof that that was the course of
events, but "Occam's razor" and all that, it is definitely the
simplest explanation that fits all the facts. I will definitely do a
more thorough malware check on my machine and I will implement a
solution that allows me to forward the ports I want without the NAT
Helper flaw, but in the meantime I will sleep much better knowing that
chances are 95% that I at least know exactly what the problem was.

Thanks for all your help!
Tao
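
As an added illustration of the "NAT helper" mechanism Tao describes (this is
not code from the thread or from any router vendor): an FTP application-level
gateway watches the control channel for PORT commands and opens an inbound
pinhole to whatever address and port the inside host announces. The script
below parses PORT commands the way such a helper would and flags the ones a
defender would want blocked: a port below 1024, a known service port (5900 is
the VNC port from the thread; the other ports in SENSITIVE_PORTS are assumed
examples), or an address other than the client that owns the control channel.
The sample session, the host addresses and the function names are constructed.

```python
# Added example, not code from the thread: audit FTP control-channel lines for
# PORT commands that a NAT "FTP helper" (ALG) would turn into an inbound pinhole
# to the inside host. The session below is constructed for illustration.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ports that should never be announced as an FTP data port from inside the LAN.
# 5900 is the VNC port mentioned in the thread; the others are assumed examples
# of services that must not become reachable from the Internet.
SENSITIVE_PORTS = {22, 23, 135, 139, 445, 3389, 5900}

PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


@dataclass
class PortFinding:
    line_no: int
    ip: str
    port: int
    suspicious: bool
    reason: str


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); None if not a valid PORT."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed octet: a helper should ignore it, and so do we
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def audit_control_channel(lines: List[str], client_ip: str) -> List[PortFinding]:
    """Flag PORT commands a helper would turn into a pinhole worth blocking:
    a third-party address (not the control-channel client itself), a privileged
    port, or a known service port. Ephemeral ports to the client are normal FTP."""
    findings = []
    for n, line in enumerate(lines, 1):
        parsed = parse_port_command(line)
        if parsed is None:
            continue
        ip, port = parsed
        reasons = []
        if ip != client_ip:
            reasons.append("address differs from control-channel client")
        if port < 1024:
            reasons.append("privileged port")
        if port in SENSITIVE_PORTS:
            reasons.append("known service port")
        findings.append(PortFinding(n, ip, port, bool(reasons),
                                    "; ".join(reasons) or "ephemeral data port"))
    return findings


# Constructed sample: what the control channel from a LAN host (192.168.1.10)
# to an outside FTP server might contain. Only the PORT lines matter here.
SAMPLE_SESSION = [
    "USER anonymous",
    "PASS guest@example.invalid",
    "PORT 192,168,1,10,200,15",   # 200*256+15 = 51215: normal ephemeral data port
    "LIST",
    "PORT 192,168,1,10,23,12",    # 23*256+12 = 5900: would expose the VNC server
    "RETR file.txt",
    "PORT 192,168,1,20,0,22",     # another LAN host, port 22: third-party pinhole
    "QUIT",
]


def suspicious_pinholes(lines: List[str], client_ip: str) -> List[Tuple[str, int]]:
    """Convenience wrapper: just the (ip, port) pairs that should be blocked."""
    return [(f.ip, f.port) for f in audit_control_channel(lines, client_ip) if f.suspicious]


if __name__ == "__main__":
    for f in audit_control_channel(SAMPLE_SESSION, "192.168.1.10"):
        flag = "BLOCK " if f.suspicious else "ok    "
        print(f"{flag} line {f.line_no}: {f.ip}:{f.port} ({f.reason})")
```

The same checks belong in the helper itself: a router that honours a PORT
command naming port 5900 on the inside host is the flaw the thread identifies,
and the fix is to disable the FTP ALG when active-mode FTP is not needed, or to
have the helper refuse privileged, service or third-party ports. On a Linux
netfilter box the equivalent is to stop assigning conntrack helpers
automatically and attach the `ftp` helper only to explicit flows with the raw
table's `CT --helper ftp` target, so no other outbound connection can ever
trigger it.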

Leythos
10-11-07, 01:51 PM
In article <1192128212.845454.45420@22g2000hsm.googlegroups.com>,
maniaque27@gmail.com says...
> My router (Xavi 7768r with GlobespanVirata chipset, I think I had it
> wrong above) has an Active FTP "NAT Helper" which allows any program
> with TCP-connection-creation privileges on any of my computers to
> open an incoming port to this machine from a target site on the
> internet.

Another reason to never trust the ISP/Vendor supplied hardware.

Always get your own NAT/Firewall appliance and then you control
everything and manage it.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)


Sebastian G.
10-11-07, 04:05 PM
Maniaque wrote:


>> A NAT is not a firewall at all, it's basic routing - Most non-technical
>> types call NAT Routers firewalls, they are not.
>
> That I understand, but I'm always a little confused about what the
> difference Exactly is... a firewall is a device that only allows
> connections that you want to allow - a NAT is a device that allows
> outgoing connections arbitrarily, but normally (or only sometimes? see
> the STUN information Chris mentioned) prevents arbitrary incoming
> connections.


NAT/NAPT is a mechanism to provide connectivity. Preventing incoming
connections might be a particularly useless side effect, depending on the
implementation. It has nothing to do with security.

> Most home routers additionally claim to have a "firewall"
> function that you can turn on / off (including the WRT54G)


Yes, but this is not related to NAT.

goarilla
10-11-07, 04:14 PM
Leythos wrote:
> In article <1192120303.414117.236860@g4g2000hsf.googlegroups.com>,
> maniaque27@gmail.com says...
>> not true. the WRT54G can block outgoing connections based on any
>> number of specified parameters, and then it has all those extra fancy
>> features that I don't understand ;)
>
> it's a NAT device that can block outbound ports - it has no clue what
> those ports are and doesn't know the difference between HTTP and SMTP
> except that they use different ports.
>

Just some questions, with the goal of learning more.

So you call a firewall something with complex heuristics? Really, does
iptables provide more than filtering on protocol, port and state
information, and do people actually use it? Because in essence, IIRC,
a NAT router does the same: it opens up a connection if somebody on the
inside requests it and after that allows the connection until it's
broken down (FIN or RST). Do I have a point here or not?

goarilla
10-11-07, 04:17 PM
Leythos wrote:
> In article <1192128212.845454.45420@22g2000hsm.googlegroups.com>,
> maniaque27@gmail.com says...
>> My router (Xavi 7768r with GlobespanVirata chipset, I think I had it
>> wrong above) has an Active FTP "NAT Helper" which allows any program
>> with TCP-connection-creation privileges on any of my computers to
>> open an incoming port to this machine from a target site on the
>> internet.
>
> Another reason to never trust the ISP/Vendor supplied hardware.
>
> Always get your own NAT/Firewall appliance and then you control
> everything and manage it.
>
I wholeheartedly agree with you on this one.

The problem is ... some ISPs filter on a specific device (MAC), some
ISPs lend you the router for personal usage, and some ISPs disallow
other, so called 'not supported' routers and put a clause in small
letters in your contract.

Here in Belgium it's actually pretty bad in this field. Even worse, the
biggest ISP here, Belgacom, disallows secured POP (SSL/TLS) or IMAP to
non-business users, which still costs +40 EURO/month.

Leythos
10-11-07, 04:25 PM
In article <470e921a$0$29265$ba620e4c@news.skynet.be>, goarilla <"kevin
DOT paulus AT skynet DOT be"> says...
> Leythos wrote:
> > In article <1192120303.414117.236860@g4g2000hsf.googlegroups.com>,
> > maniaque27@gmail.com says...
> >> not true. the WRT54G can block outgoing connections based on any
> >> number of specified parameters, and then it has all those extra fancy
> >> features that I don't understand ;)
> >
> > it's a NAT device that can block outbound ports - it has no clue what
> > those ports are and doesn't know the difference between HTTP and SMTP
> > except that they use different ports.
> >
>
> just some questions with as goal to learn more
>
> so you call a firewall something with complex heuristics ?
> really does iptables provide more than filtering between protocol, port
> and state information, and do people actually use it. Because in essence
> iirc
> a nat router does the same it opens up a connection if somebody on the
> inside requests it
> and after that allows the connection until it's broken down (FIN or RST)
> do i have a point here or not ?

Does the device, in the standard/default mode, block traffic in both
directions?

Does the device know the difference between HTTP and SMTP or only TCP 80
and TCP 25?

Does the device understand being attacked and auto-block sources of
attacks or unauthorized traffic?

Does the device use NAT or can it be setup with rules without using NAT?
If it forces NAT then I don't consider it a firewall unless it can do
all the others - since MOST of the devices that force NAT are
residential device (yea, not all inclusive, but you should get the idea
without us going off the deep end).



--
Leythos - spam999free@rrohio.com (remove 999 to email me)


goarilla
10-11-07, 05:03 PM
Leythos wrote:
> In article <470e921a$0$29265$ba620e4c@news.skynet.be>, goarilla <"kevin
> DOT paulus AT skynet DOT be"> says...
>> Leythos wrote:
>>> In article <1192120303.414117.236860@g4g2000hsf.googlegroups.com>,
>>> maniaque27@gmail.com says...
>>>> not true. the WRT54G can block outgoing connections based on any
>>>> number of specified parameters, and then it has all those extra fancy
>>>> features that I don't understand ;)
>>> it's a NAT device that can block outbound ports - it has no clue what
>>> those ports are and doesn't know the difference between HTTP and SMTP
>>> except that they use different ports.
>>>
>> just some questions with as goal to learn more
>>
>> so you call a firewall something with complex heuristics ?
>> really does iptables provide more than filtering between protocol, port
>> and state information, and do people actually use it. Because in essence
>> iirc
>> a nat router does the same it opens up a connection if somebody on the
>> inside requests it
>> and after that allows the connection until it's broken down (FIN or RST)
>> do i have a point here or not ?
>
> Does the device, in the standard/default mode, block traffic in both
> directions?

No, OK, you got me here: it only does this for INBOUND traffic, but I
myself don't block outbound traffic on my box (Slackware) either,
because I consider myself knowledgeable enough to be trusted :D

> Does the device know the difference between HTTP and SMTP or only TCP 80
> and TCP 25?
>
> Does the device understand being attacked and auto-block sources of
> attacks or unauthorized traffic?
>
> Does the device use NAT or can it be setup with rules without using NAT?
> If it forces NAT then I don't consider it a firewall unless it can do
> all the others - since MOST of the devices that force NAT are
> residential device (yea, not all inclusive, but you should get the idea
> without us going off the deep end).
>
>
>
Do you consider netfilter to be a firewall (well, in essence it's a
stateful packet filter)? Because IIRC there is no SMTP or HTTP
netfilter module, and it does its filtering mostly on the data link and
transport protocols' headers, like most firewalls do. It would be very
costly performance-wise to implement application protocol filters into
firewalls, and I've yet to see one that does, also implementing complex
heuristics, because let's face it: the higher you go up in the TCP/IP
stack, the more complex the headers and payload become, the more bugs
you'll get in the code that does the heuristics --> the more flaws
there are to be exploited!
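
To make the point of this exchange concrete (Leythos's first question, whether
the device blocks traffic in both directions by default, and goarilla's
observation that a NAT router and a stateful packet filter both track
connections the same way), here is an added toy model of a stateful filter.
It is not code from the thread or from netfilter; the flow table stands in for
conntrack, and two policy flags turn the same engine into a NAT router
(anything out, nothing unsolicited in) or a default-deny firewall with an
outbound allow list. Addresses, ports and function names are constructed, and
inbound packets are shown post-NAT, already carrying the inside host's address.

```python
# Added example, not code from the thread: a toy stateful packet filter that
# models the two devices being compared. The flow table plays the role of
# conntrack; the policy flags make it a NAT router (outbound open) or a
# default-deny firewall (outbound allow list). Addresses are constructed and
# shown post-NAT, i.e. inbound packets already carry the inside host's address.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool   # True = connection-opening packet (NEW), False = reply or data


@dataclass
class StatefulFilter:
    lan_prefix: str                            # e.g. "192.168.1."
    default_deny_outbound: bool                # True = firewall-style explicit allow list
    allowed_outbound_ports: Set[int] = field(default_factory=set)
    forwarded_ports: Set[int] = field(default_factory=set)   # NAT port forwards
    conntrack: Set[Flow] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def is_lan(self, ip: str) -> bool:
        return ip.startswith(self.lan_prefix)

    def _verdict(self, pkt: Packet, verdict: str, why: str) -> str:
        self.log.append(f"{verdict:6} {pkt.src_ip}:{pkt.src_port} -> "
                        f"{pkt.dst_ip}:{pkt.dst_port} ({why})")
        return verdict

    def handle(self, pkt: Packet) -> str:
        fwd: Flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev: Flow = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        # ESTABLISHED: either direction of a tracked flow passes. This is the part
        # a NAT router and a stateful firewall have in common.
        if fwd in self.conntrack or rev in self.conntrack:
            return self._verdict(pkt, "ACCEPT", "established")
        if not pkt.syn:
            return self._verdict(pkt, "DROP", "no matching state")
        if self.is_lan(pkt.src_ip) and not self.is_lan(pkt.dst_ip):
            # NEW outbound: a NAT router lets anything out; a firewall consults its list.
            if self.default_deny_outbound and pkt.dst_port not in self.allowed_outbound_ports:
                return self._verdict(pkt, "DROP", "outbound port not in allow list")
            self.conntrack.add(fwd)
            return self._verdict(pkt, "ACCEPT", "new outbound")
        # NEW inbound: only a port forward admits it, and from then on it is
        # tracked like any other flow, which is how a forwarded service is exposed.
        if pkt.dst_port in self.forwarded_ports:
            self.conntrack.add(fwd)
            return self._verdict(pkt, "ACCEPT", "port forward")
        return self._verdict(pkt, "DROP", "unsolicited inbound")


def run_scenario(dev: StatefulFilter) -> Dict[str, str]:
    """Push the same five constructed packets through a device and collect verdicts."""
    lan, web, mail, attacker = "192.168.1.10", "203.0.113.5", "203.0.113.9", "198.51.100.7"
    return {
        "out_https":   dev.handle(Packet(lan, 40000, web, 443, syn=True)),
        "reply_https": dev.handle(Packet(web, 443, lan, 40000, syn=False)),
        "out_smtp":    dev.handle(Packet(lan, 40001, mail, 25, syn=True)),      # e.g. a spambot
        "in_vnc":      dev.handle(Packet(attacker, 51000, lan, 5900, syn=True)),
        "in_stray":    dev.handle(Packet(attacker, 51001, lan, 40000, syn=False)),
    }


def compare_devices() -> Dict[str, Dict[str, str]]:
    """Same traffic, three policies: plain NAT, NAT with a VNC forward, firewall."""
    return {
        "nat_router":       run_scenario(StatefulFilter("192.168.1.", False)),
        "nat_with_forward": run_scenario(StatefulFilter("192.168.1.", False, forwarded_ports={5900})),
        "firewall":         run_scenario(StatefulFilter("192.168.1.", True, allowed_outbound_ports={80, 443})),
    }


if __name__ == "__main__":
    for name, verdicts in compare_devices().items():
        print(name, verdicts)
```

Running it shows where the two devices agree and where they part: both drop
the unsolicited VNC connection and the stray non-SYN packet, and both accept
the reply to the outbound HTTPS flow because it matches tracked state. The NAT
router lets the outbound SMTP connection through, the default-deny firewall
drops it, and the moment port 5900 is forwarded the NAT router accepts the
inbound VNC connection, which is the exposure the thread started with.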

Leythos
10-11-07, 08:24 PM
In article <470e9db8$0$22311$ba620e4c@news.skynet.be>, goarilla <"kevin
DOT paulus AT skynet DOT be"> says...
> >
> do you consider netfilter to be a firewall (well in essence it's a
> stateful packet filter)
> because iirc there is no smtp or http netfilter module
> and it does its filtering mostly on the data link and transport
> protocol's headers
> like most firewalls do. it would be very costly performance wise to
> implement
> application protocol filters into firewalls and i've yet to see one that
> does
> also implementing complex heuristics because let's face it the higher
> you go up in
> the tcp/ip stack the more complex the headers and payload become, the
> more bugs you'll get
> in the code that does the heuristics --> the more flaws there are to be
> exploited!

Sorry, but I don't consider NAT Routers to be firewalls, they are
routers with some fancy features, not firewalls.

Many "Firewalls" do know the difference between SMTP and traffic over
TCP 25 - so, while you've yet to see one, you just are not working with
the better hardware out there.

As for Bugs, yes, but I only purchase certified appliances, ones from
vendors that have a proven record of staying secure and clean, so I
trust that a LOT more than what most people use in their homes.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)


Todd H.
10-11-07, 11:15 PM
Leythos <void@nowhere.lan> writes:

> In article <470e921a$0$29265$ba620e4c@news.skynet.be>, goarilla <"kevin
> DOT paulus AT skynet DOT be"> says...
> > Leythos wrote:
> > > In article <1192120303.414117.236860@g4g2000hsf.googlegroups.com>,
> > > maniaque27@gmail.com says...
> > >> not true. the WRT54G can block outgoing connections based on any
> > >> number of specified parameters, and then it has all those extra fancy
> > >> features that I don't understand ;)
> > >
> > > it's a NAT device that can block outbound ports - it has no clue what
> > > those ports are and doesn't know the difference between HTTP and SMTP
> > > except that they use different ports.
> > >
> >
> > just some questions with as goal to learn more
> >
> > so you call a firewall something with complex heuristics ?
> > really does iptables provide more than filtering between protocol, port
> > and state information, and do people actually use it. Because in essence
> > iirc
> > a nat router does the same it opens up a connection if somebody on the
> > inside requests it
> > and after that allows the connection until it's broken down (FIN or RST)
> > do i have a point here or not ?
>
> Does the device, in the standard/default mode, block traffic in both
> directions?

A cat5 cable cut in half does. Is it a firewall?

> Does the device know the difference between HTTP and SMTP or only
> TCP 80 and TCP 25?

Firewalls in the traditional definition never did, were they not
firewalls? Application-level protocol recognition is only recently on
the scene, yet we've had things people called "firewalls" existing for
quite a while before that. I'd hate to think I didn't get the memo
about someone changing the definition of "firewall" with the
International Standards Organization.

> Does the device understand being attacked and auto-block sources of
> attacks or unauthorized traffic?

So when did the definition of "firewall" start requiring it to also
fit the definition of "network intrusion prevention device" or
"network intrusion detection device?"

Just curious.

> Does the device use NAT or can it be setup with rules without using NAT?
> If it forces NAT then I don't consider it a firewall unless it can do
> all the others - since MOST of the devices that force NAT are
> residential device (yea, not all inclusive, but you should get the idea
> without us going off the deep end).

Ah, okay here's where we come down to brass tacks--with the use of the
word "I."

Some folks seem to have their own definition of a firewall that
doesn't match the one accepted over the course of a lot of networking
history, including the present. This view categorically rejects those
devices which don't fit a personally crafted unique definition of
"firewalls."

Unfortunately, it's pedantic and pointless. But then again, so is
much of the banter by the more abusive posters here. To protect their
identity, we won't mention Leythos and Sebastian by name.

Now, that's not to say there isn't something to learn about the range
of functionality one might want to consider in their border protection
in the narrow definition such folks try to paint, but being so prickly
about what to call a "firewall" and what to call a "NAT router" is
just a freakin waste of time. Better to say "corporate grade border
security appliance," which has built into it the obvious fact that the
functionality and features of corporate grade hardware exceed those of
$70 Linksys gear popular among home and small office users.

And let's not forget that there was a time not very long ago when the
functionality packed into your garden variety WRT54G (particularly one
packing the functionality of third party firmware) took a HELL of a lot
of much more expensive hardware and was certainly considered a
"firewall." And still is for that matter.

Those with what I'll call this "modern purist" view may be shocked to
see the breadth of definitions for our friend the firewall that are in
existence that cast a much bigger net than their own:
http://www.google.com/search?q=define%3Afirewall

We now return you to your regularly scheduled semantic argument.

Best Regards,
--
Todd H.
http://www.toddh.net/

Leythos
10-12-07, 06:52 AM
In article <848x69vui9.fsf@ripco.com>, comphelp@toddh.net says...
> Unfortunately, it's pedantic and pointless. But then again, so is
> much of the banter by the more abusive posters here. To protect their
> identity, we won't mention Leythos and Sebastian by name.

I've not been abusive to any person here. While I certainly know that
NAT appliances are not firewalls (but firewalls can do NAT), there is a
misconception as to what the public is being told a firewall is.

Yea, you don't like it, you must be one that purchased one of those
BEFSR41 units and fell for the "it's a firewall" crap - did you know
that when the BEFSR41 was introduced it was called a ROUTER with no
mention of firewall - a year later, with no changes, it was being
marketed as a "Firewall" - same box, same firmware.....

So, like it or not Todd H, most residential users are not using
firewalls, they are using ROUTERS.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)


Rick Merrill
10-12-07, 02:42 PM
Leythos wrote:
> In article <470e9db8$0$22311$ba620e4c@news.skynet.be>, goarilla <"kevin
> DOT paulus AT skynet DOT be"> says...
>> do you consider netfilter to be a firewall (well in essence it's a
>> stateful packet filter)
>> because iirc there is no smtp or http netfilter module
>> and it does its filtering mostly on the data link and transport
>> protocol's headers
>> like most firewalls do. it would be very costly performance wise to
>> implement
>> application protocol filters into firewalls and i've yet to see one that
>> does
>> also implementing complex heuristics because let's face it the higher
>> you go up in
>> the tcp/ip stack the more complex the headers and payload become, the
>> more bugs you'll get
>> in the code that does the heuristics --> the more flaws there are to be
>> exploited!
>
> Sorry, but I don't consider NAT Routers to be firewalls, they are
> routers with some fancy features, not firewalls.

If the router closes all ports and conceals LAN IP addresses
then it's just as good, and in one respect better than, any
software firewall.

Todd H.
10-12-07, 02:51 PM
Rick Merrill <rick0.merrill@NOSPAM.gmail.com> writes:

> Leythos wrote:
> > In article <470e9db8$0$22311$ba620e4c@news.skynet.be>, goarilla
> > <"kevin DOT paulus AT skynet DOT be"> says...
> >> do you consider netfilter to be a firewall (well in essence it's a
> >> stateful packet filter)
> >> because iirc there is no smtp or http netfilter module
> >> and it does its filtering mostly on the data link and transport
> >> protocol's headers
> >> like most firewalls do. it would be very costly performance wise to
> >> implement
> >> application protocol filters into firewalls and i've yet to see one
> >> that does
> >> also implementing complex heuristics because let's face it the
> >> higher you go up in
> >> the tcp/ip stack the more complex the headers and payload become,
> >> the more bugs you'll get
> >> in the code that does the heuristics --> the more flaws there are
> >> to be exploited!
> > Sorry, but I don't consider NAT Routers to be firewalls, they are
> > routers with some fancy features, not firewalls.
>
> If the router closes all ports and conceals LAN IP addresses
> then it's just as good, and in one respect better than, any
> software firewall.

Uh oh. Someone said "software firewall."

Brace for the impending ranting about how they aren't firewalls
either.

--
Todd H.
http://www.toddh.net/

Rick Merrill
10-12-07, 07:39 PM
Todd H. wrote:
> Rick Merrill <rick0.merrill@NOSPAM.gmail.com> writes:
>
>> Leythos wrote:
>>> In article <470e9db8$0$22311$ba620e4c@news.skynet.be>, goarilla
>>> <"kevin DOT paulus AT skynet DOT be"> says...
>>>> do you consider netfilter to be a firewall (well in essence it's a
>>>> stateful packet filter)
>>>> because iirc there is no smtp or http netfilter module
>>>> and it does its filtering mostly on the data link and transport
>>>> protocol's headers
>>>> like most firewalls do. it would be very costly performance wise to
>>>> implement
>>>> application protocol filters into firewalls and i've yet to see one
>>>> that does
>>>> also implementing complex heuristics because let's face it the
>>>> higher you go up in
>>>> the tcp/ip stack the more complex the headers and payload become,
>>>> the more bugs you'll get
>>>> in the code that does the heuristics --> the more flaws there are
>>>> to be exploited!
>>> Sorry, but I don't consider NAT Routers to be firewalls, they are
>>> routers with some fancy features, not firewalls.
>> If the router closes all ports and conceals LAN IP addresses
>> then it's just as good, and in one respect better than, any
>> software firewall.
>
> Uh oh. Someone said "software firewall."
>
> Brace for the impending ranting about how they aren't firewalls
> either.
>

Oops, I didn't expect to get off scot-free.

Unruh
10-12-07, 07:41 PM
Rick Merrill <rick0.merrill@NOSPAM.gmail.com> writes:

>Leythos wrote:
>> In article <470e9db8$0$22311$ba620e4c@news.skynet.be>, goarilla <"kevin
>> DOT paulus AT skynet DOT be"> says...
>>> do you consider netfilter to be a firewall (well in essence it's a
>>> stateful packet filter)
>>> because iirc there is no smtp or http netfilter module
>>> and it does its filtering mostly on the data link and transport
>>> protocol's headers
>>> like most firewalls do. it would be very costly performance wise to
>>> implement
>>> application protocol filters into firewalls and i've yet to see one that
>>> does
>>> also implementing complex heuristics because let's face it the higher
>>> you go up in
>>> the tcp/ip stack the more complex the headers and payload become, the
>>> more bugs you'll get
>>> in the code that does the heuristics --> the more flaws there are to be
>>> exploited!
>>
>> Sorry, but I don't consider NAT Routers to be firewalls, they are
>> routers with some fancy features, not firewalls.

>If the router closes all ports and conceals LAN IP addresses
>then it's just as good, and in one respect better than, any
>software firewall.


IF it closes all ports (nat is irrelevant). But the hypothesis of the
thread was that ports were being punched through the router. Note that a
router which refuses to pass on ports IS a firewall. And since it operates
on software loaded on the router, it is a software firewall.

Leythos
10-12-07, 08:27 PM
In article <ia2dneKJc_O3U5LanZ2dnUVZ_r7inZ2d@comcast.com>,
rick0.merrill@NOSPAM.gmail.com says...
> Leythos wrote:
> > In article <470e9db8$0$22311$ba620e4c@news.skynet.be>, goarilla <"kevin
> > DOT paulus AT skynet DOT be"> says...
> >> do you consider netfilter to be a firewall (well in essence it's a
> >> stateful packet filter)
> >> because iirc there is no smtp or http netfilter module
> >> and it does its filtering mostly on the data link and transport
> >> protocol's headers
> >> like most firewalls do. it would be very costly performance wise to
> >> implement
> >> application protocol filters into firewalls and i've yet to see one that
> >> does
> >> also implementing complex heuristics because let's face it the higher
> >> you go up in
> >> the tcp/ip stack the more complex the headers and payload become, the
> >> more bugs you'll get
> >> in the code that does the heuristics --> the more flaws there are to be
> >> exploited!
> >
> > Sorry, but I don't consider NAT Routers to be firewalls, they are
> > routers with some fancy features, not firewalls.
>
> If the router closes all ports and conceals LAN IP addresses
> then it's just as good, and in one respect better than, any
> software firewall.

Actually, a NAT Router is better than any PERSONAL firewall solution
installed on a non-dedicated computer.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)


goarilla
10-13-07, 06:45 AM
Leythos wrote:
> In article <ia2dneKJc_O3U5LanZ2dnUVZ_r7inZ2d@comcast.com>,
> rick0.merrill@NOSPAM.gmail.com says...
>> Leythos wrote:
>>> In article <470e9db8$0$22311$ba620e4c@news.skynet.be>, goarilla <"kevin
>>> DOT paulus AT skynet DOT be"> says...
>>>> do you consider netfilter to be a firewall (well in essence it's a
>>>> stateful packet filter)
>>>> because iirc there is no smtp or http netfilter module
>>>> and it does its filtering mostly on the data link and transport
>>>> protocol's headers
>>>> like most firewalls do. it would be very costly performance wise to
>>>> implement
>>>> application protocol filters into firewalls and i've yet to see one that
>>>> does
>>>> also implementing complex heuristics because let's face it the higher
>>>> you go up in
>>>> the tcp/ip stack the more complex the headers and payload become, the
>>>> more bugs you'll get
>>>> in the code that does the heuristics --> the more flaws there are to be
>>>> exploited!
>>> Sorry, but I don't consider NAT Routers to be firewalls, they are
>>> routers with some fancy features, not firewalls.
>> If the router closes all ports and conceals LAN IP addresses
>> then it's just as good, and in one respect better than, any
>> software firewall.
>
> Actually, a NAT Router is better than any PERSONAL firewall solution
> installed on a non-dedicated computer.
>
What if your personal computer runs a BSD (ipfw, pf) or GNU/Linux
distribution (iptables)? And is there such a big difference between a
firewall that has its code burned in flash (firmware) and a firewall
that hooks into the TCP/IP stack of a general purpose OS?

Leythos
10-13-07, 07:21 AM
In article <4710aff1$0$22302$ba620e4c@news.skynet.be>, goarilla <"kevin
DOT paulus AT skynet DOT be"> says...
> Leythos wrote:
> > In article <ia2dneKJc_O3U5LanZ2dnUVZ_r7inZ2d@comcast.com>,
> > rick0.merrill@NOSPAM.gmail.com says...
> >> Leythos wrote:
> >>> In article <470e9db8$0$22311$ba620e4c@news.skynet.be>, goarilla <"kevin
> >>> DOT paulus AT skynet DOT be"> says...
> >>>> do you consider netfilter to be a firewall (well in essence it's a
> >>>> stateful packet filter)
> >>>> because iirc there is no smtp or http netfilter module
> >>>> and it does its filtering mostly on the data link and transport
> >>>> protocol's headers
> >>>> like most firewalls do. it would be very costly performance wise to
> >>>> implement
> >>>> application protocol filters into firewalls and i've yet to see one that
> >>>> does
> >>>> also implementing complex heuristics because let's face it the higher
> >>>> you go up in
> >>>> the tcp/ip stack the more complex the headers and payload become, the
> >>>> more bugs you'll get
> >>>> in the code that does the heuristics --> the more flaws there are to be
> >>>> exploited!
> >>> Sorry, but I don't consider NAT Routers to be firewalls, they are
> >>> routers with some fancy features, not firewalls.
> >> If the router closes all ports and conceals LAN IP addresses
> >> then it's just as good, and in one respect better than, any
> >> software firewall.
> >
> > Actually, a NAT Router is better than any PERSONAL firewall solution
> > installed on a non-dedicated computer.
> >
> what if your Personal Computer runs a BSD (ipfw,pf) or GNU/Linux
> distribution (iptables) and is there such a big difference between
> a firewall that has its code burned in flash (firmware)
> and a firewall that hooks into the tcp/ip stack of a general purpose OS

As long as it is a dedicated computer and not one that users are
playing/working on, then it can easily be a firewall. Checkpoint running
on a Nix OS is a great example of a dedicated server class firewall -
notice the dedicated.

With all that is available at a reasonable cost today, a firewall that
is just a router is not really a firewall. The appliances I install can
tell the difference between SMTP and HTTP or FTP and do a lot more,
that's the least I would install.

This still goes back to these cheap residential units called firewalls
by the marketing department - if you look up NAT, it's routing, simple
and plain, not Firewalling.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

Fight exposing kids to porn, complain about sites like PCBUTTS1.COM that
create filth and put it on the web for any kid to see: Just take a look
at some of the FILTH he's created and put on his website:
http://forums.speedguide.net/archive/index.php/t-223485.html all exposed
to children (the link I've included does not directly display his filth).
You can find the same information by googling for 'PCBUTTS1' and
'exposed to kids'.

Todd H.
10-13-07, 09:55 AM
Leythos <void@nowhere.lan> writes:

> This still goes back to these cheap residential units called firewalls
> by the marketing department - if you look up NAT, it's routing, simple
> and plain, not Firewalling.

And if you look up firewalling um... it can be implemented by.... wait
for it.....


ROUTERS!


I don't dispute marketing departments being very prone to overblowing
capabilities of many devices, but show me a good citation from a
widely known source for "firewall" implying or requiring all the
things you include in your definition.

Point is, it's not nearly as narrowly defined as you seem to require.

No doubt a "firewall" appliance that implements IPS, IDS, allows
no traffic by default, has the ability to provide a higher level of
security than your garden variety broadband router for the home office
market, but... that does not mean the latter class of devices don't
also fit the definition of firewall. They're just lesser firewall
appliances.

--
Todd H.
http://www.toddh.net/

Leythos
10-13-07, 11:37 AM
In article <84odf383od.fsf@ripco.com>, comphelp@toddh.net says...
> Leythos <void@nowhere.lan> writes:
>
> > This still goes back to these cheap residential units called firewalls
> > by the marketing department - if you look up NAT, it's routing, simple
> > and plain, not Firewalling.
>
> And if you look up firewalling um... it can be implemented by.... wait
> for it.....
>
> ROUTERS!

Firewalls can route, routers are not firewalls.

> I don't dispute marketing departments being very prone to overblowing
> capabilities of many devices, but show me a good citation from a
> widely known source for "firewall" implying or requiring all the
> things you include in your definition.
>
> Point is, it's not nearly as narrowly defined as you seem to require.
>
> No doubt a "firewall" appliance that implements IPS, IDS, allows
> no traffic by default, has the ability to provide a higher level of
> security than your garden variety broadband router for the home office
> market, but... that does not mean the latter class of devices don't
> also fit the definition of firewall. They're just lesser firewall
> appliances.

I'll give you that, but people seem to think a firewall will protect
them from many things that these NAT Routers don't protect them from,
and a firewall appliance can and does protect them from.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

Unruh
10-14-07, 12:16 AM
Leythos <void@nowhere.lan> writes:

>In article <4710aff1$0$22302$ba620e4c@news.skynet.be>, goarilla <"kevin
>DOT paulus AT skynet DOT be"> says...
>> Leythos wrote:
>> > In article <ia2dneKJc_O3U5LanZ2dnUVZ_r7inZ2d@comcast.com>,
>> > rick0.merrill@NOSPAM.gmail.com says...
>> >> Leythos wrote:
>> >>> In article <470e9db8$0$22311$ba620e4c@news.skynet.be>, goarilla <"kevin
>> >>> DOT paulus AT skynet DOT be"> says...
>> >>>> do you consider netfilter to be a firewall (well in essence it's a
>> >>>> statefull packet filter)
>> >>>> because iirc there is no smtp or http netfilter module
>> >>>> and it does its filtering mostly on the data link and transport
>> >>>> protocol's headers
>> >>>> like most firewalls do. it would be very costly performance wise to
>> >>>> implement
>> >>>> application protocol filters into firewalls and i've yet to see one that
>> >>>> does
>> >>>> also implementing complex heuristics because let's face it the higher
>> >>>> you go up in
>> >>>> the tcp/ip stack the more complex the headers and payload become, the
>> >>>> more bugs you'll get
>> >>>> in the code that does the heuristics --> the more flaws there are to be
>> >>>> exploited!
>> >>> Sorry, but I don't consider NAT Routers to be firewalls, they are
>> >>> routers with some fancy features, not firewalls.
>> >> If the router closes all ports and conceals LAN IP addresses
>> >> then it's just as good, and in one respect better than, any
>> >> software firewall.
>> >
>> > Actually, a NAT Router is better than any PERSONAL firewall solution
>> > installed on a non-dedicated computer.
>> >
>> what if your Personal Computer runs a BSD (ipfw,pf) or GNU/Linux
>> distribution (iptables) and is there such a big difference between
>> a firewall that has its code burned in flash (firmware)
>> and a firewall that hooks into the tcp/ip stack of a general purpose OS

>As long as it is a dedicated computer and not one that users are
>playing/working on, then it can easily be a firewall. Checkpoint running
>on a Nix OS is a great example of a dedicated server class firewall -
>notice the dedicated.

>With all that is available at a reasonable cost today, a firewall that
>is just a router is not really a firewall. The appliances I install can
>tell the difference between SMTP and HTTP or FTP and do a lot more,
>that's the least I would install.

>This still goes back to these cheap residential units called firewalls
>by the marketing department - if you look up NAT, it's routing, simple
>and plain, not Firewalling.

And now you are going to tell us what the difference is between a NAT
router that rejects all incoming unsolicited connections, and a firewall
that rejects all unsolicited incoming connections.
It is certainly true that a firewall can be a slightly less blunt
instrument, and can reject or accept more subtly that a NAT router can, but
IF that router is set up not to do any port forwarding, then it is also a
firewall set up to reject all incoming connections.

Sebastian G.
10-14-07, 07:00 AM
> It is certainly true that a firewall can be a slightly less blunt

> instrument, and can reject or accept more subtly that a NAT router can, but
> IF that router is set up not to do any port forwarding, then it is also a
> firewall set up to reject all incoming connections.

There are two major differences:

1. NAT is not designed to work as a security solution.
2. Depending on the implementation, it might forward the connection anyway
without any explicit rule.

Leythos
10-15-07, 06:02 AM
In article <TChQi.10182$GO5.9633@edtnps90>, unruh-spam@physics.ubc.ca
says...
> And now you are going to tell us what the difference is between a NAT
> router that rejects all incoming unsolicited connections, and a firewall
> that rejects all unsolicited incoming connections.
> It is certainly true that a firewall can be a slightly less blunt
> instrument, and can reject or accept more subtly that a NAT router can, but
> IF that router is set up not to do any port forwarding, then it is also a
> firewall set up to reject all incoming connections.

No, I'm not going to go around in circles for you - you've already shown
that you can't comprehend what is written vs what you think was written.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

nemo_outis
10-15-07, 10:13 AM
Leythos <void@nowhere.lan> wrote in
news:MPG.217d12e555dffbb4989ae9@adfree.Usenet.com:
....snip more of Leythos' whinging...

Still hard at the weaselling, eh Leythos? Your stupidity is exceeded only
by your tenacity.

Regards,

Leythos
10-15-07, 10:14 AM
In article <Xns99CA5DC79768Dabcxyzcom@204.153.245.131>, abc@xyz.com
says...
> Leythos <void@nowhere.lan> wrote in
> news:MPG.217d12e555dffbb4989ae9@adfree.Usenet.com:
> ...snip more of Leythos' whinging...
>
> Still hard at the weaselling, eh Leythos? Your stupidity is exceeded only
> by your tenacity.

I see you're still trolling - since you can't be smart enough to
understand that my view/opinion/experiences were not claimed to be world
encompassing, even though you took them that way....

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

nemo_outis
10-15-07, 10:28 AM
Leythos <void@nowhere.lan> wrote in
news:MPG.217d4df2698e87e3989af7@adfree.Usenet.com:
....snip yet more of Leythos' whining...

Still hard at the weaselling, eh Leythos?

C'mon, don't stop now, just when you're on a roll, Leythos.

C'mon, say something else really stupid, Leythos, and then defend it to the
death with your pathetic weaselling. C'mon, Leythos!

Regards,

Unruh
10-15-07, 01:53 PM
"Sebastian G." <seppi@seppig.de> writes:

> > It is certainly true that a firewall can be a slightly less blunt

>> instrument, and can reject or accept more subtly that a NAT router can, but
>> IF that router is set up not to do any port forwarding, then it is also a
>> firewall set up to reject all incoming connections.

>There are two major differences:

>1. NAT is not designed to work as a security solution.
>2. Depending on the implementation, it might forward the connection anyway
>without any explicit rule.

So might an incompetent firewall. A competently implemented NAT does work
as a firewall IF set to not forward any unsolicited packets.
Of course you have to decide if your particular NAT is a competent
implementation. However, if you punch holes (have it forward ports) all
bets are off.

Leythos
10-15-07, 03:09 PM
In article <gGOQi.14414$G25.13546@edtnps89>, unruh-spam@physics.ubc.ca
says...
> "Sebastian G." <seppi@seppig.de> writes:
>
> > > It is certainly true that a firewall can be a slightly less blunt
>
> >> instrument, and can reject or accept more subtly that a NAT router can, but
> >> IF that router is set up not to do any port forwarding, then it is also a
> >> firewall set up to reject all incoming connections.
>
> >There are two major differences:
>
> >1. NAT is not designed to work as a security solution.
> >2. Depending on the implementation, it might forward the connection anyway
> >without any explicit rule.
>
> So might an incompetent firewall. A competently implemented NAT does work
> as a firewall IF set to not forward any unsolicited packets.
> Of course you have to decide if your particular NAT is a competent
> implementation. However, if you punch holes (have it forward ports) all
> bets are off.

No, you don't have to decide, there are quality groups, CERT for one,
that can test and tell us if they pass the proper test to be qualified
as a firewall. NAT is not a firewall function, it is often included in
firewalls, but it is not a firewall function.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

Sebastian G.
10-15-07, 08:02 PM
Unruh wrote:


>> 1. NAT is not designed to work as a security solution.
>> 2. Depending on the implementation, it might forward the connection anyway
>> without any explicit rule.
>
> So might an incompetent firewall. A competently implemented NAT does work
> as a firewall IF set to not forward any unsolicited packets.


Wrong.
- A completely correct NAT implementation might also do a full forwarding in
a 1:1 setup.
- As well as it might forward every unsolicited packet to a specified host
on a 1:many setup (the DMZ host)...
- Reading layer 7 protocols and associating states isn't wrong either.


> Of course you have to decide if your particular NAT is a competent
> implementation. However, if you punch holes (have it forward ports) all
> bets are off.


What about punching holes from the inside? With a Java applet, you can
create a connection back to a server with a freely chosen port > 1023. With
Flash applets, you can even get < 1024 with some nifty (documented) tricks.
Now just create a connection from $local_ip:53 to $your_server:12345, drop
the connection from the client side, and if the victim fires up his local
DNS server within the timeout period... without a real firewall explicitly
denying any outside access to port 53, even for session-related packets, you
won't get any further. And with NAT alone, you can't solve this dilemma at all.

Unruh
10-16-07, 06:54 PM
Leythos <void@nowhere.lan> writes:

>In article <gGOQi.14414$G25.13546@edtnps89>, unruh-spam@physics.ubc.ca
>says...
>> "Sebastian G." <seppi@seppig.de> writes:
>>
>> > > It is certainly true that a firewall can be a slightly less blunt
>>
>> >> instrument, and can reject or accept more subtly that a NAT router can, but
>> >> IF that router is set up not to do any port forwarding, then it is also a
>> >> firewall set up to reject all incoming connections.
>>
>> >There are two major differences:
>>
>> >1. NAT is not designed to work as a security solution.
>> >2. Depending on the implementation, it might forward the connection anyway
>> >without any explicit rule.
>>
>> So might an incompetent firewall. A competently implemented NAT does work
>> as a firewall IF set to not forward any unsolicited packets.
>> Of course you have to decide if your particular NAT is a competent
>> implementation. However, if you punch holes (have it forward ports) all
>> bets are off.

>No, you don't have to decide, there are quality groups, CERT for one,
>that can test and tell us if they pass the proper test to be qualified
>as a firewall. NAT is not a firewall function, it is often included in
>firewalls, but it is not a firewall function.


The question was not whether NAT was a firewall function but whether NAT
with no port holes punched through was effectively a firewall allowing no
unsolicited incoming traffic.

Is there a way in which a NAT router, with no holes punched through, is
more insecure than a firewall which rejects all unsolicited incoming
traffic? If you claim it is more insecure, please tell us why.

Sebastian G.
10-16-07, 06:59 PM
Unruh wrote:


> The question was not whether NAT was a firewall function but whether NAT
> with no port holes punched through was effectively a firewall allowing no
> unsolicited incoming traffic.
>
> Is there a way in which a NAT router, with no holes punched through, is
> more insecure than a firewall which rejects all unsolicited incoming
> traffic? If you claim it is more insecure, please tell us why.

It is, for three reasons:

1. If a connection is initiated from the inside, all related traffic from
the outside is forwarded. For a firewall you'd need to add such a rule
explicitly, and you could still overwrite it (e.g. generally denying access
to a certain port range for every incoming connection from the WAN).

2. Depending on the implementation, a NAT router itself might decide to
forward a connection based on assumptions about various Layer 7 protocols.

3. NAT was never designed to be a security solution, but rather to provide
connectivity (even the RFC about NAT explicitly states that!). So you should
never assume that a NAT implementation simply drops a connection for which
it doesn't know any state.
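
The applet hole-punching scenario Sebastian described earlier (an outbound
connection from local port 53, dropped by the client, then a local DNS server
starting within the timeout) and his point 1 above (NAT alone forwards anything
state-related, while a firewall's explicit deny can override state) modelled
as an added example. This is constructed for this page and is not code from
any poster or from any router product. The addresses, the 300-second idle
timeout, the port-preserving restricted-cone behaviour and the assumption
that the NAT keeps its table entry after the LAN side drops the connection
are all assumptions of the model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Toy restricted-cone NAT: port-preserving mappings keyed on the remote
    endpoint, kept until an idle timeout. Nothing watches what the LAN host
    does with its socket afterwards (assumption of this model)."""

    def __init__(self, wan_ip="203.0.113.10", timeout=300):
        self.wan_ip = wan_ip        # assumed public address
        self.timeout = timeout      # assumed idle timeout, seconds
        # (wan_port, remote_ip, remote_port) -> (lan_ip, lan_port, expires_at)
        self.table = {}

    def outbound(self, pkt, now):
        """LAN -> WAN: create/refresh the mapping and return the rewritten packet."""
        key = (pkt.src_port, pkt.dst_ip, pkt.dst_port)
        self.table[key] = (pkt.src_ip, pkt.src_port, now + self.timeout)
        return Packet(self.wan_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt, now):
        """WAN -> LAN: forward only if a live mapping exists, otherwise drop (None)."""
        entry = self.table.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None or entry[2] < now:
            return None
        lan_ip, lan_port, _ = entry
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)


class StatefulFirewall(NatRouter):
    """Same translation table, but explicit inbound deny rules are checked on
    the translated destination, and a deny wins over 'related' state."""

    def __init__(self, deny_lan_ports=(), **kwargs):
        super().__init__(**kwargs)
        self.deny_lan_ports = set(deny_lan_ports)

    def inbound(self, pkt, now):
        translated = super().inbound(pkt, now)
        if translated is not None and translated.dst_port in self.deny_lan_ports:
            return None     # state does not override the explicit rule
        return translated


LAN_HOST = "192.168.1.20"   # assumed victim workstation
REMOTE = "198.51.100.5"     # assumed remote server (attacker-controlled below)


def hole_punch(device, now=0):
    """Replay the applet trick: an outbound connection from local port 53
    leaves a mapping that later lets the remote side reach whatever binds 53."""
    device.outbound(Packet(LAN_HOST, 53, REMOTE, 12345), now)
    # The applet drops its end of the connection; the table is untouched.
    # Within the timeout a local DNS server starts listening on 53 ...
    hit = device.inbound(Packet(REMOTE, 12345, device.wan_ip, 53), now + 60)
    # ... traffic from any other remote port is still unsolicited ...
    stray = device.inbound(Packet(REMOTE, 9999, device.wan_ip, 53), now + 60)
    # ... and once the entry has expired the window is closed.
    late = device.inbound(Packet(REMOTE, 12345, device.wan_ip, 53), now + 10_000)
    return {"attacker_reaches_port_53": hit is not None,
            "stray_dropped": stray is None,
            "expired_dropped": late is None}


def ordinary_browsing(device, now=0):
    """Return traffic for a connection the LAN host really wanted must still pass."""
    device.outbound(Packet(LAN_HOST, 40000, REMOTE, 80), now)
    reply = device.inbound(Packet(REMOTE, 80, device.wan_ip, 40000), now + 1)
    return reply == Packet(REMOTE, 80, LAN_HOST, 40000)


if __name__ == "__main__":
    print("NAT only:        ", hole_punch(NatRouter()))
    print("explicit deny 53:", hole_punch(StatefulFirewall(deny_lan_ports=[53])))
```

Run it directly to print both results. The only difference between the two
devices is the explicit inbound deny on port 53; the NAT-only device has no
place to express such a rule, which is exactly the gap the post is pointing at,
while ordinary outbound-initiated traffic passes through both.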

Leythos
10-16-07, 10:18 PM
In article <KacRi.33135$%B2.844@edtnps82>, unruh-spam@physics.ubc.ca
says...
> The question was not whether NAT was a firewall function but whether NAT
> with no port holes punched through was effectively a firewall allowing no
> unsolicited incoming traffic.
>
> Is there a way in which a NAT router, with no holes punched through, is
> more insecure than a firewall which rejects all unsolicited incoming
> traffic? If you claim it is more insecure, please tell us why.

And you're all wet because a firewall protects in both directions.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

Unruh
10-17-07, 12:36 AM
"Sebastian G." <seppi@seppig.de> writes:

>Unruh wrote:


>> The question was not whether NAT was a firewall function but whether NAT
>> with no port holes punched through was effectively a firewall allowing no
>> unsolicited incoming traffic.
>>
>> Is there a way in which a NAT router, with no holes punched through, is
>> more insecure than a firewall which rejects all unsolicited incoming
>> traffic? If you claim it is more insecure, please tell us why.

>It is, for three reasons:

>1. If a connection is initiated from the inside, all related traffic from
>the outside is forwarded. For a firewall you'd need to add such a rule
>explicitly, and you could still overwrite it (e.g. generally denying access
>to a certain port range for every incoming connection from the WAN).

Not at all sure what you mean. I initiate a http connection. The response
better get through both on a firewall and on a NAT.


>2. Depending on the implementation, a NAT router itself might decide to
>forward a connection based on assumptions about various Layer 7 protocols.

?? Not clear what you mean. This sounds like a bad implementation.


>3. NAT was never designed to be a security solution, but rather to provide
>connectivity (even the RFC about NAT explicitly states that!). So you should
>never assume that a NAT implementation simply drops a connection for which
>it doesn't know any state.

Unruh
10-17-07, 12:38 AM
Leythos <void@nowhere.lan> writes:

>In article <KacRi.33135$%B2.844@edtnps82>, unruh-spam@physics.ubc.ca
>says...
>> The question was not whether NAT was a firewall function but whether NAT
>> with no port holes punched through was effectively a firewall allowing no
>> unsolicited incoming traffic.
>>
>> Is there a way in which a NAT router, with no holes punched through, is
>> more insecure than a firewall which rejects all unsolicited incoming
>> traffic? If you claim it is more insecure, please tell us why.

>And you're all wet because a firewall protects in both directions.

Protects what in both directions? We are talking about an outsider
attacking a machine behind the NAT/firewall. What is the relevance of "both
directions" to the issue at hand?

Leythos
10-17-07, 05:37 AM
In article <WbhRi.33208$%B2.23616@edtnps82>, unruh-spam@physics.ubc.ca
says...
> "Sebastian G." <seppi@seppig.de> writes:
>
> >Unruh wrote:
>
>
> >> The question was not whether NAT was a firewall function but whether NAT
> >> with no port holes punched through was effectively a firewall allowing no
> >> unsolicited incoming traffic.
> >>
> >> Is there a way in which a NAT router, with no holes punched through, is
> >> more insecure than a firewall which rejects all unsolicited incoming
> >> traffic? If you claim it is more insecure, please tell us why.
>
> >It is, for three reasons:
>
> >1. If a connection is initiated from the inside, all related traffic from
> >the outside is forwarded. For a firewall you'd need to add such a rule
> >explicitly, and you could still overwrite it (e.g. generally denying access
> >to a certain port range for every incoming connection from the WAN).
>
> Not at all sure what you mean. I initiate a http connection. The response
> better get through both on a firewall and on a NAT.

Actually, it depends, when using a firewall, on the HTTP rule as to you
getting through or not.

In many cases you might allow HTTP from certain users or certain
internal IP or IP ranges and not allow HTTP from all other ranges - your
NAT Router can't do that, but a firewall can.


--
Leythos - spam999free@rrohio.com (remove 999 to email me)

Leythos
10-17-07, 05:42 AM
In article <kdhRi.33209$%B2.7020@edtnps82>, unruh-spam@physics.ubc.ca
says...
> Leythos <void@nowhere.lan> writes:
>
> >In article <KacRi.33135$%B2.844@edtnps82>, unruh-spam@physics.ubc.ca
> >says...
> >> The question was not whether NAT was a firewall function but whether NAT
> >> with no port holes punched through was effectively a firewall allowing no
> >> unsolicited incoming traffic.
> >>
> >> Is there a way in which a NAT router, with no holes punched through, is
> >> more insecure than a firewall which rejects all unsolicited incoming
> >> traffic? If you claim it is more insecure, please tell us why.
>
> >And you're all wet because a firewall protects in both directions.
>
> Protects what in both directions? We are talking about an outsider
> attacking a machine behind the NAT/firewall. What is the relevance of "both
> directions" to the issue at hand?

You don't appear to know about "both directions" and in many cases you
don't allow ALL OUTBOUND, in fact, there is little reason to allow all
outbound and it's a bad rule to use ALLOW ANY > EXTERNAL.

I never allow TCP 1433 or TCP 1434 or TCP 135-139 or TCP 445 outbound on
networks. I might only allow SMTP outbound from 1 IP in the LAN and I
might want to block outbound connections except from a small range of IP
in the LAN but not in the DMZ - a firewall can do that, your home NAT
ROUTER can't.

What about the DMZ network? Most NAT Routers have the option - but most
of them don't actually setup/use a DMZ network, it's just an IP on the
LAN that gets ALL traffic not forwarded to some other area - which means
it's NOT a DMZ and it's not protected from/to the LAN - A firewall
doesn't make that mistake.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)
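
The egress policy Leythos describes above (no TCP 135-139, 445 or 1433-1434
outbound from anywhere, SMTP out from one LAN address only, outbound allowed
only from a small LAN range and not from the DMZ) next to the ALLOW ANY >
EXTERNAL behaviour of a consumer NAT router, as an added example that is not
part of the original thread or any product's configuration. The rule
evaluator itself, the subnets 192.168.1.0/24 (LAN) and 192.168.2.0/24 (DMZ)
and the relay address 192.168.1.10 are assumptions of the example, and the
sample flows are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    proto: str      # "tcp" or "udp"
    dport: int      # destination port on the outside host


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src: str = "0.0.0.0/0"  # source network the rule applies to
    proto: str = ""         # "" means any protocol
    dports: tuple = ()      # ((low, high), ...); empty means any port

    def matches(self, flow):
        if ipaddress.ip_address(flow.src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.proto and self.proto != flow.proto:
            return False
        if self.dports and not any(lo <= flow.dport <= hi for lo, hi in self.dports):
            return False
        return True


def evaluate(rules, flow, default="deny"):
    """First matching rule wins; with no match the policy default applies."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


# Assumed addressing for the example.
LAN = "192.168.1.0/24"
DMZ = "192.168.2.0/24"
MAIL_RELAY = "192.168.1.10/32"

# Egress policy in the spirit of the post: default deny, a few explicit
# allows, and the Windows/SQL Server ports refused from everywhere.
EGRESS_POLICY = [
    Rule("deny", proto="tcp", dports=((135, 139), (445, 445), (1433, 1434))),
    Rule("allow", src=MAIL_RELAY, proto="tcp", dports=((25, 25),)),
    Rule("deny", proto="tcp", dports=((25, 25),)),      # nobody else talks SMTP out
    Rule("allow", src=LAN, proto="tcp", dports=((80, 80), (443, 443))),
    Rule("allow", src=LAN, proto="udp", dports=((53, 53),)),
    # DMZ hosts get no outbound allow at all: they fall through to the default.
]

# What a consumer NAT router does on its own: ALLOW ANY > EXTERNAL.
NAT_ROUTER_POLICY = [Rule("allow")]

# Constructed sample flows, all from the inside heading out to the WAN.
SAMPLE_FLOWS = {
    "workstation web":         Flow("192.168.1.50", "tcp", 443),
    "workstation smb out":     Flow("192.168.1.50", "tcp", 445),   # worm / credential leak
    "workstation direct smtp": Flow("192.168.1.50", "tcp", 25),    # spam bot
    "mail relay smtp":         Flow("192.168.1.10", "tcp", 25),
    "dmz host web":            Flow("192.168.2.8", "tcp", 443),
    "workstation mssql":       Flow("192.168.1.50", "tcp", 1433),
}


def decisions(policy):
    """Evaluate every sample flow against a policy; returns name -> action."""
    return {name: evaluate(policy, flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    fw, nat = decisions(EGRESS_POLICY), decisions(NAT_ROUTER_POLICY)
    for name in SAMPLE_FLOWS:
        print(f"{name:26} firewall={fw[name]:5}  nat_router={nat[name]}")
```

Rule order matters: the SMTP allow for the relay sits before the general SMTP
deny, so the same port is open for one address and closed for every other,
which is the kind of per-source distinction a flat "allow all outbound"
device cannot make. Every flow the egress policy refuses is one the NAT-only
policy lets straight out.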

goarilla
10-17-07, 06:49 AM
Leythos wrote:
> In article <kdhRi.33209$%B2.7020@edtnps82>, unruh-spam@physics.ubc.ca
> says...
>> Leythos <void@nowhere.lan> writes:
>>
>>> In article <KacRi.33135$%B2.844@edtnps82>, unruh-spam@physics.ubc.ca
>>> says...
>>>> The question was not whether NAT was a firewall function but whether NAT
>>>> with no port holes punched through was effectively a firewall allowing no
>>>> unsolicited incoming traffic.
>>>>
>>>> Is there a way in which a NAT router, with no holes punched through, is
>>>> more insecure than a firewall which rejects all unsolicited incoming
>>>> traffic? If you claim it is more insecure, please tell us why.
>>> And you're all wet because a firewall protects in both directions.
>> Protects what in both directions? We are talking about an outsider
>> attacking a machine behind the NAT/firewall. What is the relevance of "both
>> directions" to the issue at hand?
>
> You don't appear to know about "both directions" and in many cases you
> don't allow ALL OUTBOUND, in fact, there is little reason to allow all
> outbound and it's a bad rule to use ALLOW ANY > EXTERNAL.
>
> I never allow TCP 1433 or TCP 1434 or TCP 135-139 or TCP 445 outbound on
> networks. I might only allow SMTP outbound from 1 IP in the LAN and I
> might want to block outbound connections except from a small range of IP
> in the LAN but not in the DMZ - a firewall can do that, your home NAT
> ROUTER can't.

Little question, just for the sake of education:
a router splits up broadcast domains, IIRC, and doesn't forward broadcasts
unless specified,
so NetBIOS broadcasts (e.g. "who is master browser ...") are NOT forwarded.
And NetBIOS requests by default should never define a destination IP that
needs to be gatewayed,
e.g. if your LAN is 192.168.1.* then it should never send packets to
192.168.1.0.
Well, I think that's the way it works with Win XP SP2+ and Unix Samba,
because I have sniffed and sniffed
but never saw a NetBIOS packet with a destination that required the
router to forward it to the WAN side.

I do however outbound-filter my SMB servers (2 x Slackware machines)
since I can't be 100% certain. The question is: is this somehow correct,
and if not, please elaborate. I just want to learn and spread what I've
learned;
in no way do I mean to start flamewars or belittle people.

> What about the DMZ network? Most NAT Routers have the option - but most
> of them don't actually setup/use a DMZ network, it's just an IP on the
> LAN that gets ALL traffic not forwarded to some other area - which means
> it's NOT a DMZ and it's not protected from/to the LAN - A firewall
> doesn't make that mistake.
>

True, most DMZs on home routers are not real DMZs.

Leythos
10-17-07, 07:00 AM
In article <4715f6e4$0$29264$ba620e4c@news.skynet.be>, goarilla <"kevin
DOT paulus AT skynet DOT be"> says...
> I do however outbound-filter my SMB servers (2 x Slackware machines)
> since I can't be 100% certain. The question is: is this somehow correct,
> and if not, please elaborate. I just want to learn and spread what I've
> learned;
> in no way do I mean to start flamewars or belittle people.

Watch your logs, it will open your eyes as to what is leaving your
network.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

goarilla
10-17-07, 08:19 AM
Leythos wrote:
> In article <4715f6e4$0$29264$ba620e4c@news.skynet.be>, goarilla <"kevin
> DOT paulus AT skynet DOT be"> says...
>> I do however outbound-filter my SMB servers (2 x Slackware machines)
>> since I can't be 100% certain. The question is: is this somehow correct,
>> and if not, please elaborate. I just want to learn and spread what I've
>> learned;
>> in no way do I mean to start flamewars or belittle people.
>
> Watch your logs, it will open your eyes as to what is leaving your
> network.
>
What logs?
Everything syslog records?
I guess I'll probably have to increase Samba logging as well,
since at the moment smbd prints only the start time of the process.

Hexalon
10-18-07, 08:55 AM
On Oct 11, 11:31 am, Maniaque <maniaqu...@gmail.com> wrote:
> On Oct 11, 6:31 am, Leythos <v...@nowhere.lan> wrote:
>
> > In article <1192088852.392958.21...@r29g2000hsg.googlegroups.com>,
> > maniaqu...@gmail.com says...
>
> > A NAT is not a firewall at all, it's basic routing - Most non-technical
> > types call NAT Routers firewalls, they are not.
>
> That I understand, but I'm always a little confused about what the
> difference Exactly is... a firewall is a device that only allows
> connections that you want to allow - a NAT is a device that allows
> outgoing connections arbitrarily, but normally (or only sometimes? see
> the STUN information Chris mentioned) prevents arbitrary incoming
> connections. Most home routers additionally claim to have a "firewall"
> function that you can turn on / off (including the WRT54G) - when do
> you decide what is and what is not a firewall? I really would like to
> know, it's something that's puzzled me for years. Some things are
> clearly not a firewall at all, like a "Full-cone" NAT router. Some
> things are clearly a firewall first, and anything else after, like one
> of those Cisco devices. But aren't most home routers somewhere in-
> between?
>
>
>
> > a WRT54g is not a firewall, it's a nat router. NAT blocks "unsolicited"
> > inbound traffic, that's all.
>
> Not true. The WRT54G can block outgoing connections based on any
> number of specified parameters, and then it has all those extra fancy
> features that I don't understand ;)
>
> Firewall Protection: Enable Disable
> Additional Filters
> Filter Proxy Filter Cookies
> Filter Java Applets Filter ActiveX
> Block Portscans Filter P2P Applications
> Block WAN Requests
> Block Anonymous Internet Requests
> Filter Multicast
> Filter Internet NAT Redirection
> Filter IDENT(Port 113)
>
>
>
> > No, port forwarding is what your problem is - if you forward ports then
> > you expose your computer/network and that's how people reach your
> > computer to do things you don't want.
>
> Only if they get past the intended security of the service in
> question, right?
>
> > You should learn to post in one group or to cross post so that your
> > thread is easy to work with for multiple groups that you've done this
> > in.
>
> Yep, thanks.
>
> Tao

A firewall is a packet and port filter. That's all. NAT routers have a
similar effect of a firewall. It is possible you have something
lurking in your computer that is advertising your computer on the
internet. Something like a BotNet type program.

Unruh
10-18-07, 01:51 PM
Leythos <void@nowhere.lan> writes:

>In article <WbhRi.33208$%B2.23616@edtnps82>, unruh-spam@physics.ubc.ca
>says...
>> "Sebastian G." <seppi@seppig.de> writes:
>>
>> >Unruh wrote:
>>
>>
>> >> The question was not whether NAT was a firewall function but whether NAT
>> >> with no port holes punched through was effectively a firewall allowing no
>> >> unsolicited incoming traffic.
>> >>
>> >> Is there a way in which a NAT router, with no holes punched through, is
>> >> more insecure than a firewall which rejects all unsolicited incoming
>> >> traffic? If you claim it is more insecure, please tell us why.
>>
>> >It is, for three reasons:
>>
>> >1. If a connection is initiated from the inside, all related traffic from
>> >the outside is forwarded. For a firewall you'd need to add such a rule
>> >explicitly, and you could still overwrite it (e.g. generally denying access
>> >to a certain port range for every incoming connection from the WAN).
>>
>> Not at all sure what you mean. I initiate a http connection. The response
>> better get through both on a firewall and on a NAT.

>Actually, it depends, when using a firewall, on the HTTP rule as to you
>getting through or not.

>In many cases you might allow HTTP from certain users or certain
>internal IP or IP ranges and not allow HTTP from all other ranges - your
>NAT Router can't do that, but a firewall can.

Yes, agreed. But that is irrelevant. The question is not whether or not a
firewall is more flexible than a NAT router, it is. The question is whether
there is a difference in security against unsolicited outside attacks
between a firewall which blocks all unsolicited outside connections, and a
NAT router with no port holes punched through (Ie no ports forwarded).

Leythos
10-18-07, 02:14 PM
In article <LWNRi.11385$GO5.3118@edtnps90>, unruh-spam@physics.ubc.ca
says...
>
> Yes, agreed. But that is irrelevant. The question is not whether or not a
> firewall is more flexible than a NAT router, it is. The question is whether
> there is a difference in security against unsolicited outside attacks
> between a firewall which blocks all unsolicited outside connections, and a
> NAT router with no port holes punched through (Ie no ports forwarded).

Yes, there is a difference.

All quality firewalls have certifications from independent authorities
that will state how they work and that they are actually providing xyz.

NAT Routers have no certification (at least in the class we're talking
about) and have been shown, many times, to have exploits that allow
Unsolicited inbound traffic to pass through - even with no rules set by
the owner.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

Fight exposing kids to porn, complain about sites like PCBUTTS1.COM that
create filth and put it on the web for any kid to see: Just take a look
at some of the FILTH he's created and put on his website:
http://forums.speedguide.net/archive/index.php/t-223485.html all exposed
to children (the link I've include does not directly display his filth).
You can find the same information by googling for 'PCBUTTS1' and
'exposed to kids'.

jameshanley39@yahoo.co.uk
10-18-07, 02:19 PM
On Oct 11, 11:31 am, Leythos <v...@nowhere.lan> wrote:
> In article <1192088852.392958.21...@r29g2000hsg.googlegroups.com>,
> maniaqu...@gmail.com says...
>
> > I would need to set up a
> > second router/firewall/NAT device like a linksys wrt54G to sit behind
> > the telecoms-operator-provided Xavi router, forward the appropriate
> > ports through both devices, and make sure that the firewall is turned
> > on on the wrt54g? I can only assume that what was "missing" in my
> > original setup was a firewall (which my adsl router claims to have,
> > but when I turn it on all the port forwarding stops working, which
> > sort of defeats the purpose). Or do you have any other suggestions on
> > how this can be done using home equipment?
>
> A NAT is not a firewall at all, it's basic routing

<snip>

No, it is not routing. Routing can be done with or without NAT.

A basic book like Computer Networking first step by Wendell Odom
published by Cisco Press would explain Routing.

Anyhow, saying that NAT is not a firewall does not explain how this
happened.

NAT blocks incoming, unless port forwarding. He says he didn't have
port forwarding set up to port 5900, where his VNC server got the
connection. Let's assume that he checked afterwards to make sure the
port was not forwarded.

So, how did it happen?

Aside from Sebastian G's cryptic explanation, I don't see you
offering an explanation.

jameshanley39@yahoo.co.uk
10-18-07, 02:42 PM
jameshanley39@yahoo.co.uk wrote:

> On Oct 11, 11:31 am, Leythos <v...@nowhere.lan> wrote:
> > In article <1192088852.392958.21...@r29g2000hsg.googlegroups.com>,
> > maniaqu...@gmail.com says...
> >
> > > I would need to set up a
> > > second router/firewall/NAT device like a linksys wrt54G to sit
> > > behind the telecoms-operator-provided Xavi router, forward the
> > > appropriate ports through both devices, and make sure that the
> > > firewall is turned on on the wrt54g? I can only assume that what
> > > was "missing" in my original setup was a firewall (which my adsl
> > > router claims to have, but when I turn it on all the port
> > > forwarding stops working, which sort of defeats the purpose). Or
> > > do you have any other suggestions on how this can be done using
> > > home equipment?
> >
> > A NAT is not a firewall at all, it's basic routing
>
> <snip>
>
> No, it is not routing. Routing can be done with or without NAT.
>
> A basic book like Computer Networking first step by Wendell Odom
> published by Cisco Press would explain Routing.
>
> Anyhow, saying that NAT is not a firewall does not explain how this
> happened.
>
> NAT blocks incoming, unless port forwarding. He says he didn't have
> port forwarding set up to port 5900, where his VNC server got the
> connection. Let's assume that he checked afterwards to make sure the
> port was not forwarded.
>
> So, how did it happen?
>
> Aside from Sebastian G's cryptic explanation, I don't see you
> offering an explanation.

You are actually one among many that suggests NAT for security,
perhaps rightly so, but this should then concern you.

I see Sebastian G has elaborated in further posts.

--

Leythos
10-18-07, 02:53 PM
In article <1192735170.708582.241560@q5g2000prf.googlegroups.com>,
jameshanley39@yahoo.co.uk says...
> NAT blocks incoming, unless port forwarding. He says he didn't have
> port forwarding set up to port 5900, where his VNC server got the
> connection. Let's assume that he checked afterwards to make sure the
> port was not forwarded.
>
> So, how did it happen?

He did have port forwarding enabled, not 5900, but he was hosting
services.

So, any number of things could have exposed his network and then the
hacker could use anything they wanted. Simple, really, exploit a hole in
service X, add your own app or use one installed, get access to other
things.

As for Routing, I don't need a lesson, I was talking about his device,
which is a ROUTER not a firewall.

I can place any of my firewalls in DROP-IN (non-routed) mode and have
the same IP's on all jacks - then the rules determine what passes
between jacks - he can't do that on his cheap NAT Router.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)


Leythos
10-18-07, 08:24 PM
In article <DwTRi.20480$G25.9521@edtnps89>, unruh-spam@physics.ubc.ca
says...
> Leythos <void@nowhere.lan> writes:
>
> >In article <LWNRi.11385$GO5.3118@edtnps90>, unruh-spam@physics.ubc.ca
> >says...
> >>
> >> Yes, agreed. But that is irrelevant. The question is not whether or not a
> >> firewall is more flexible than a NAT router, it is. The question is whether
> >> there is a difference in security against unsolicited outside attacks
> >> between a firewall which blocks all unsolicited outside connections, and a
> >> NAT router with no port holes punched through (Ie no ports forwarded).
>
> >Yes, there is a difference.
>
> >All quality firewalls have certifications from independent authorities
> >that will state how they work and that they are actually providing xyz.
>
> >NAT Routers have no certification (at least in the class we're talking
> >about) and have been shown, many times, to have exploits that allow
> >Unsolicited inbound traffic to pass through - even with no rules set by
> >the owner.
>
> So, your argument is that nat routers are more often incompetent than
> firewalls are. If true, a reasonable argument. Actually you say, "have been
> shown"-- by whom?
>
> Mind you you stated at the top that you were only concerned with quality
> firewalls. Does that mean if I say "quality NAT routers" you would agree
> that the two are equivalent?

No, I would not. There is no governing body to determine what IS or IS
NOT quality. NAT does not make a firewall.

Show me a NAT Router that passes CERT testing as a firewall and I'll
change my opinion.

--

Leythos - spam999free@rrohio.com (remove 999 to email me)


Maniaque
11-07-07, 03:54 AM
On Oct 18, 2:53 pm, Leythos <v...@nowhere.lan> wrote:
> In article <1192735170.708582.241...@q5g2000prf.googlegroups.com>,
> jameshanle...@yahoo.co.uk says...
>
> > NAT blocks incoming, unless port forwarding. He says he didn't have
> > port forwarding set up to port 5900, where his VNC server got the
> > connection. Let's assume that he checked afterwards to make sure the
> > port was not forwarded.
>
> > So, how did it happen?
>
> He did have port forwarding enabled, not 5900, but he was hosting
> services.
>
> So, any number of things could have exposed his network and then the
> hacker could use anything they wanted. Simple, really, exploit a hole in
> service X, add your own app or use one installed, get access to other
> things.
>

And just as this flamewar dies out, I'd like to pitch in again. I
cannot be absolutely certain what caused the issue as I had little
logging enabled, but as I have previously stated, I'm pretty confident
that this issue was due to an "Active FTP NAT Helper", as originally
suggested by Sebastian G and illustrated with Micheal Ziegler's help.
As a result of this issue I upgraded my home router to the latest
Tomato firmware (1.11), in which the author has kindly added an option
to disable the NAT helper.

The test page I linked somewhere above for the NAT Helper
"vulnerability" now happily shows that nothing gets through, with
status "500 Go away (PORT IP mismatch).".

Leythos, if exploiting a hole in any service X is as simple as you
seem to think (without you knowing anything about the services
involved), it's truly amazing to me that the internet still more or
less works :)

Thanks,
Tao
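The "PORT IP mismatch" check quoted in the post above, as an added Python example (not code from the thread, from Tomato, or from any FTP server): it parses an active-mode FTP PORT command and refuses any data address that is not the control connection's own peer, which is the check a strict FTP server, or a NAT helper before it opens a pinhole, should make. The function names, the constructed sample addresses and the below-1024 data-port rule are assumptions.

```python
"""Strict validation of active-mode FTP PORT commands (added example)."""
import ipaddress
import re

# 'PORT h1,h2,h3,h4,p1,p2' -- four address octets, then the port in two
# bytes (port = p1 * 256 + p2), all decimal, comma separated.
PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\s*$")

# The mismatch reply text is the one quoted in the thread; the others are
# assumed replies chosen to read like ordinary FTP server responses.
MISMATCH_REPLY = "500 Go away (PORT IP mismatch)."
BAD_SYNTAX_REPLY = "501 Syntax error in PORT command."
LOW_PORT_REPLY = "500 Go away (data port below 1024)."   # assumed policy
OK_REPLY = "200 PORT command successful."


def parse_port_command(line):
    """Return (IPv4Address, port) for a well-formed PORT line, else None."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.group(1).split(",")]
    # The regex admits 3-digit values above 255; reject them here.
    if any(not 0 <= f <= 255 for f in fields):
        return None
    ip = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    port = fields[4] * 256 + fields[5]
    return ip, port


def check_port_command(line, control_peer_ip):
    """Decide whether a PORT command may be honoured.

    control_peer_ip is the source address of the FTP control connection as
    seen by whoever runs the check: the FTP server's view of the client, or
    a NAT helper's view of the internal host. A client may only ask for a
    data connection back to itself; a PORT naming any other address is a
    request to reach a third party and is refused, which is exactly what a
    helper that blindly opened pinholes for that address failed to do.

    Returns (allowed, reply, target) with target = (ip_str, port) or None.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return False, BAD_SYNTAX_REPLY, None
    ip, port = parsed
    if ip != ipaddress.IPv4Address(control_peer_ip):
        return False, MISMATCH_REPLY, None
    if port < 1024:  # assumed: never connect back to a privileged port
        return False, LOW_PORT_REPLY, None
    return True, OK_REPLY, (str(ip), port)


def demo():
    """Run the check over constructed control-channel lines.

    All addresses are constructed for the example: the control connection
    comes from 192.168.1.20; one PORT names that host, one names a different
    internal host on 5900 (the VNC port discussed in the thread), one names a
    privileged port and one is malformed.
    """
    peer = "192.168.1.20"
    lines = [
        "PORT 192,168,1,20,4,1\r\n",     # self, port 1025: allowed
        "PORT 192,168,1,10,23,12\r\n",   # other host, port 5900: mismatch
        "PORT 192,168,1,20,0,80\r\n",    # self, port 80: below 1024
        "PORT 300,1,1,1,4,1\r\n",        # octet out of range: syntax error
    ]
    results = []
    for line in lines:
        allowed, reply, target = check_port_command(line, peer)
        results.append((line.strip(), allowed, reply, target))
    return results


if __name__ == "__main__":
    for line, allowed, reply, target in demo():
        print(f"{line:<28} -> {reply} {target if allowed else ''}")
```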

jameshanley39@yahoo.co.uk
11-08-07, 01:26 PM
On 18 Oct, 19:14, Leythos <v...@nowhere.lan> wrote:
> In article <LWNRi.11385$GO5.3118@edtnps90>, unruh-s...@physics.ubc.ca
> says...
>
> > Yes, agreed. But that is irrelevant. The question is not whether or not a
> > firewall is more flexible than a NAT router, it is. The question is whether
> > there is a difference in security against unsolicited outside attacks
> > between a firewall which blocks all unsolicited outside connections, and a
> > NAT router with no port holes punched through (Ie no ports forwarded).
>
> Yes, there is a difference.
>
> All quality firewalls have certifications from independent authorities
> that will state how they work and that they are actually providing xyz.
>
> NAT Routers have no certification (at least in the class we're talking
> about) and have been shown, many times, to have exploits that allow
> Unsolicited inbound traffic to pass through - even with no rules set by
> the owner.
>

Where has it been shown many times?

( Not shown [many times] in this newsgroup. I first heard of any such
issue from a few months ago perhaps, from Sebastian, on this
newsgroup, and since by Volker. In a thread where you were advocating
NAT for - I thought - blocking incoming )

Leythos
11-08-07, 01:48 PM
In article <1194544020.150180.306890@v23g2000prn.googlegroups.com>,
jameshanley39@yahoo.co.uk says...
> On 18 Oct, 19:14, Leythos <v...@nowhere.lan> wrote:
> > In article <LWNRi.11385$GO5.3118@edtnps90>, unruh-s...@physics.ubc.ca
> > says...
> >
> > > Yes, agreed. But that is irrelevant. The question is not whether or not a
> > > firewall is more flexible than a NAT router, it is. The question is whether
> > > there is a difference in security against unsolicited outside attacks
> > > between a firewall which blocks all unsolicited outside connections, and a
> > > NAT router with no port holes punched through (Ie no ports forwarded).
> >
> > Yes, there is a difference.
> >
> > All quality firewalls have certifications from independent authorities
> > that will state how they work and that they are actually providing xyz.
> >
> > NAT Routers have no certification (at least in the class we're talking
> > about) and have been shown, many times, to have exploits that allow
> > Unsolicited inbound traffic to pass through - even with no rules set by
> > the owner.
> >
>
> Where has it been shown many times?
>
> ( Not shown [many times] in this newsgroup. I first heard of any such
> issue from a few months ago perhaps, from Sebastian, on this
> newsgroup, and since by Volker. In a thread where you were advocating
> NAT for - I thought - blocking incoming )

Try google for reference materials.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Mr. Arnold
11-18-07, 01:17 PM
<jameshanley39@yahoo.co.uk> wrote in message
news:d7665587-94fc-4017-b589-7a15af6c3623@l22g2000hsc.googlegroups.com...
> On Nov 16, 9:11 am, "jameshanle...@yahoo.co.uk"
> <jameshanle...@yahoo.co.uk> wrote:
>> On Oct 12, 4:15 am, comph...@toddh.net (Todd H.) wrote:
>>
>> > Leythos <v...@nowhere.lan> writes:
>> > > In article <470e921a$0$29265$ba620...@news.skynet.be>, goarilla
>> > > <"kevin
>> > > DOT paulus AT skynet DOT be"> says...
>> > > > Leythos wrote:
>> > > > > In article
>> > > > > <1192120303.414117.236...@g4g2000hsf.googlegroups.com>,
>> > > > > maniaqu...@gmail.com says...
>> > > > >> not true. the WRT54G can block outgoing connections based on
>> > > > >> any
>> > > > >> number of specified parameters, and then it has all those extra
>> > > > >> fancy
>> > > > >> features that I don't understand ;)
>>
>> > > > > it's a NAT device that can block outbound ports - it has no clue
>> > > > > what
>> > > > > those ports are and doesn't know the difference between HTTP and
>> > > > > SMTP
>> > > > > except that they use different ports.
>>
>> > > > just some questions with as goal to learn more
>>
>> > > > so you call a firewall something with complex heuristics ?
>> > > > really does iptables provide more than filtering between protocol,
>> > > > port
>> > > > and state information, and do people actually use it. Because in
>> > > > essence
>> > > > iirc
>> > > > a nat router does the same it opens up a connection if somebody on
>> > > > the
>> > > > inside requests it
>> > > > and after that allows the connection untill it's broken down (FIN
>> > > > or RST)
>> > > > do i have a point here or not ?
>>
>> > > Does the device, in the standard/default mode, block traffic in both
>> > > directions?
>>
>> > A cat5 cable cut in half does. Is it a firewall?
>>
>> > > Does the device know the difference between HTTP and SMTP or only
>> > > TCP 80 and TCP 25?
>>
>> > Firewalls in the traditional definition never did, were they not
>> > firewalls? Application-level protocol recognition is only recently on
>> > the scene, yet we've had things people called "firewalls" existing for
>> > quite a while before that. I'd hate to think I didn't get the memo
>> > about someone changing the definition of "firewall" with the
>> > International Standards Organization.
>>
>> > > Does the device understand being attacked and auto-block sources of
>> > > attacks or unauthorized traffic?
>>
>> > So when did the definition of "firewall" start requiring it to also
>> > fit the definition of "network intrusion prevention device" or
>> > "network intrusion detection device?"
>>
>> > Just curious.
>>
>> > > Does the device use NAT or can it be setup with rules without using
>> > > NAT?
>> > > If it forces NAT then I don't consider it a firewall unless it can do
>> > > all the others - since MOST of the devices that force NAT are
>> > > residential device (yea, not all inclusive, but you should get the
>> > > idea
>> > > without us going off the deep end).
>>
>> > Ah, okay here's where we come down to brass tacks--with the use of the
>> > word "I."
>>
>> > Some folks seem to have their own definition of a firewall that
>> > doesn't match that accepted by over the course of a lot of networking
>> > history including the present. This view categorically rejects those
>> > devices which don't fit a personally crafted unique definition of
>> > "firewalls."
>>
>> > Unfortunately, it's pedantic and pointless. But then again, so is
>> > much of the banter by the more abusive posters here. To protect their
>> > identity, we won't mention Leythos and Sebastian by name.
>>
>> > Now, that's not to say there isn't something to learn about the range
>> > of functionality one might want to consider in their border protection
>> > in the narrow definition such folks try to paint, but being so prickly
>> > about what to call a "firewall" and what to call a "NAT router" is
>> > just a freakin waste of time. Better to say "corporate grade border
>> > security appliance" which has built into the obvious fact that
>> > functionality and features of corporate grade hardware exceed that of
>> > $70 Linksys gear popular among home and small office users.
>>
>> > And let's not forget that there was a time not very long ago where the
>> > functionality packed into your garden variety wrt54g (particularly one
>> > packing the functionality of third party firmware) took a HELL of a lot
>> > of much more expensive hardware and was certainly considered a
>> > "firewall." And still is for that matter.
>>
>> > Those with what I'll call this "modern purist" view may be shocked to
>> > see the breadth of definitions for our friend the firewall that are in
>> > existence that cast a much bigger net than his own:
>> > http://www.google.com/search?q=define%3Afirewall
>>
>> > We now return you to your regularly scheduled semantic argument.
>>
>> > Best Regards,
>> > --
>> > Todd H. http://www.toddh.net/
>>
>> unfortunately, those that make a point like the one you make , are
>> less vocal.
>>
>> you mention
>> "
>> I'd hate to think I didn't get the memo about someone changing the
>> definition of "firewall" with the International Standards Organization
>> "
>>
>> what is the ISO definition of firewall ? I couldn't find it
>>
>> can you name some of the firewalls you used in the past, that didn't
>> do much more than the "traditional definition". And can you define the
>> traditional definition ?
>>
>> What I would GUESS, is that a firewall is a packet filter and a packet
>> filter is a firewall. Same thing. Can be Device(network firewall) or
>> Software.
>>
>> a packet filter controls a network by selectively allowing or blocking
>> packets.
>>
>> packet filter is always Layer 3 (stateless/static packet filter)
>> and can be both Layers 3 and 4. (stateful / dynamic packet filter )
>>
>> (definition based on webopedia and the one given in the docs for the
>> openbsd pf program)
>>
>> It rules out the broken cable you mentioned ;-)-
>
> rules out NAT Router too. which is probably good.
>
> http://en.wikipedia.org/wiki/Firewall_(networking)
> differs with webopedia, it calls "packet filter" only the first
> generation of firewall. at the network layer of the OSI model. (though
> if it accesses tcp port , that is something at Layer 4 too).
> So, by that definition, SPI != packet filter.
>
> That page does talk of a firewall as sitting between 2 networks.
> perhaps, as opposed to an individual computer from a network.
>

To keep it simplistic for you, the Internet is a massive/giant network the
Wide Area Network being protected from by the firewall. The network being
protected by the FW is the Local Area Network.

> It does not mention about if a concept may be flawed.. like running a
> software firewall on a non dedicated machine.


Your concept of a FW is flawed. A FW must separate two networks. The network
it is protecting from, and the network it is protecting. A FW must have at
least two network interfaces. One interface must face the WAN, and the other
interface must face the LAN. In the case of a software FW running on a
secured host computer, the computer must have two NIC(s) with one facing the
WAN and the other one facing the LAN.

If a software solution is not using two NIC(s), it's not a FW, but rather,
it's a machine level packet filter protecting at the machine level.

Unruh
11-18-07, 03:03 PM
Maniaque <maniaque27@gmail.com> writes:

>On Oct 18, 2:53 pm, Leythos <v...@nowhere.lan> wrote:
>> In article <1192735170.708582.241...@q5g2000prf.googlegroups.com>,
>> jameshanle...@yahoo.co.uk says...
>>
>> > NAT Blocks incoming, unless port forwarding. He says he didn`t have
>> > port forwarding set up to port 5900, where his VNC server got the
>> > connection. Let`s assume that he checked afterwards to make sure the
>> > port was not forwarded.
>>
>> > So, how did it happen?
>>
>> He did have port forwarding enabled, not 5900, but he was hosting
>> services.
>>
>> So, any number of things could have exposed his network and then the
>> hacker could use anything they wanted. Simple, really, exploit a hole in
>> service X, add your own app or use one installed, get access to other
>> things.
>>

>And just as this flamewar dies out, I'd like to pitch in again. I
>cannot be absolutely certain what caused the issue as I had little
>logging enabled, but as I have previously stated, I'm pretty confident
>that this issue was due to an "Active FTP NAT Helper", as originally
>suggested by Sebastian G and illustrated with Micheal Ziegler's help.
>As a result of this issue I upgraded my home router to the latest
>Tomato firmware (1.11), in which the author has kindly added an option
>to disable the NAT helper.

>The test page I linked somewhere above for the NAT Helper
>"vulnerability" now happily shows that nothing gets through, with
>status "500 Go away (PORT IP mismatch).".

>Leythos, if exploiting a hole in any service X is as simple as you
>seem to think (without you knowing anything about the services
>involved), it's truly amazing to me that the internet still more or
>less works :)

If service X has a hole, then service X can be exploited. Clearly the
attacker knows which services to try since those are the ports you have
open. And exploiting service X means they have entry to your machine. And
if they have entry to your machine, then they can do what they want.
Why exactly do you say that the internet works? There are probably millions
of machines out there that are owned by outsiders- ie on which outsiders
can do what they want. They primarily use them for launching phishing and
spam attacks on the world. Your definition of "works" needs upgrading.


>Thanks,
>Tao

Unruh
11-18-07, 03:05 PM
"jameshanley39@yahoo.co.uk" <jameshanley39@yahoo.co.uk> writes:

>On 18 Oct, 19:14, Leythos <v...@nowhere.lan> wrote:
>> In article <LWNRi.11385$GO5.3118@edtnps90>, unruh-s...@physics.ubc.ca
>> says...
>>
>> > Yes, agreed. But that is irrelevant. The question is not whether or not a
>> > firewall is more flexible than a NAT router, it is. The question is whether
>> > there is a difference in security against unsolicited outside attacks
>> > between a firewall which blocks all unsolicited outside connections, and a
>> > NAT router with no port holes punched through (Ie no ports forwarded).
>>
>> Yes, there is a difference.
>>
>> All quality firewalls have certifications from independent authorities
>> that will state how they work and that they are actually providing xyz.

I am sorry, but you regard paper as a valid computer defense. Who cares if
they have a piece of paper attached? The question is not who has the paper
trail, but who has the security.

>>
>> NAT Routers have no certification (at least in the class we're talking
>> about) and have been shown, many times, to have exploits that allow
>> Unsolicited inbound traffic to pass through - even with no rules set by
>> the owner.

As have firewalls at times.


>>

>Where has it been shown many times?

>( Not shown [many times] in this newsgroup. I first heard of any such
>issue from a few months ago perhaps, from Sebastian, on this
>newsgroup, and since by Volker. In a thread where you were advocating
>NAT for - I thought - blocking incoming )

Leythos
11-18-07, 05:54 PM
In article <aaf5ac3a-9b60-451a-b03e-36c03533b841
@w73g2000hsf.googlegroups.com>, jameshanley39@yahoo.co.uk says...
> Leythos is keen on
> blocking certain outgoing so he'd probably know of some examples.

SMTP, SQL Command, Windows File Sharing, IM......

I don't allow outbound SMTP from workstations ever.

I don't allow outbound SQL Command from anything, ever.

Windows File Sharing, DNS, etc... never from the local workstations..

IM - only from approved workstations....

While DNS is not an easy exploit the others permit LAN machines to spread
malware to people on the net with exposed machines.

--

Leythos - spam999free@rrohio.com (remove 999 to email me)


Mr. Arnold
11-18-07, 08:42 PM
<jameshanley39@yahoo.co.uk> wrote in message
news:aaf5ac3a-9b60-451a-b03e-36c03533b841@w73g2000hsf.googlegroups.com...
> On Nov 18, 7:17 pm, "Mr. Arnold" <MR. Arn...@Arnold.com> wrote:
>> <jameshanle...@yahoo.co.uk> wrote in message
> <snip>
>>
>> > That page does talk of a firewall as sitting between 2 networks.
>> > perhaps, as oppose to an individual computer from a network.
>>
>> To keep it simplistic for you, the Internet is a massive/giant network
>> the
>> Wide Area Network being protected from by the firewall. The network being
>> protected by the FW is the Local Area Network.
>>
>
> What is the complicated way then?


>
> note- a firewall blocking certain outgoing can help protect other
> people on the internet from a compromised machine. Leythos is keen on
> blocking certain outgoing so he'd probably know of some examples.

The proper thing would be to block all outbound traffic, and only allow
outbound traffic for those applications or services that need outbound
traffic. That would mostly apply to a solution such as a FW appliance,
packet filtering FW router or a software FW running on a secured gateway
computer that could implement the solution properly by creating packet
filtering rules.


>
>
>> > It does not mention about if a concept may be flawed.. like running a
>> > software firewall on a non dedicated machine.
>>
>> Your concept of a FW is flawed. A FW must separate two networks. The
>> network
>> it is protecting from, and the network it is protecting. A FW must have
>> at
>> least two network interfaces. One interface must face the WAN, and the
>> other
>> interface must face the LAN. In the case of a software FW running on a
>> secured host computer, the computer must have two NIC(s) with one facing
>> the
>> WAN and the other one facing the LAN.
>>
>> If a software solution is not using two NIC(s), it's not a FW, but
>> rather,
>> it's a machine level packet filter protecting at the machine level.-
>
> makes sense, thanks.

When segmenting networks, a FW limits the damage that can be spread from one
network to another network, like a firedoor or firewall.

>
>

Leythos
11-19-07, 04:23 AM
In article <533b5129-d008-4dd3-ac15-33ab1c6c5c11
@v4g2000hsf.googlegroups.com>, jameshanley39@yahoo.co.uk says...
> On Nov 18, 11:54 pm, Leythos <v...@nowhere.lan> wrote:
> > In article <aaf5ac3a-9b60-451a-b03e-36c03533b841
> > @w73g2000hsf.googlegroups.com>, jameshanle...@yahoo.co.uk says...
> >
> > > Leythos is keen on
> > > blocking certain outgoing so he'd probably know of some examples.
> >
> > SMTP, SQL Command, Windows File Sharing, IM......
> >
> > I don't allow outbound SMTP from workstations ever.
> >
> > I don't allow outbound SQL Command from anything, ever.
> >
> > Windows File Sharing, DNS, etc... never from the local workstations..
> >
> > IM - only from approved workstations....
> >
> > While DNS is not a easy exploit the others permit LAN machines to spread
> > malware to people on the net with exposed machines.
> >
>
>
> If you block SMTP, can users only send email via Yahoo-like websites?
> I guess you don't block some SMTP and not others, since how would you
> distinguish between good and bad. They could (knowingly or not) be bad
> and use your SMTP server. You'd have to block all. Do you have
> no SMTP server?

Yahoo? Who uses Yahoo?

If you don't have your own email server in your network then you can
limit your SMTP outbound to just the IP of your ISP's SMTP server - this
will cause most SMTP bots to be limited to just the SMTP service of your
ISP and they will contact you shortly after you are compromised.

And yes, we block all SMTP Outbound from Workstations/Devices, Except
for our own SMTP server - if you're not using our SMTP server then
you're not using SMTP.

> I know one company that has an SMTP server and does not allow Yahoo.
> That way they can more easily see all the email that goes in and out.

None of the companies we setup allow IM, Yahoo, MSN, etc... The only
SMTP they allow is from their own email server, and there are a lot of
other things too.

The Pharmacies don't allow ANY outbound except to Business Partner sites
- so that means no HTTPS or HTTP except to approved sites.

--

Leythos - spam999free@rrohio.com (remove 999 to email me)


Mr. Arnold
11-19-07, 06:16 AM
<jameshanley39@yahoo.co.uk> wrote in message
news:c74699fe-6733-4a46-8353-284d587ce521@a28g2000hsc.googlegroups.com...
> On Nov 19, 2:42 am, "Mr. Arnold" <MR. Arn...@Arnold.com> wrote:
>> <jameshanle...@yahoo.co.uk> wrote in message
>>
>> news:aaf5ac3a-9b60-451a-b03e-36c03533b841@w73g2000hsf.googlegroups.com...
>>
>> > On Nov 18, 7:17 pm, "Mr. Arnold" <MR. Arn...@Arnold.com> wrote:
>> >> <jameshanle...@yahoo.co.uk> wrote in message
>> > <snip>
>>
>> >> > That page does talk of a firewall as sitting between 2 networks.
>> >> > perh