  #31 (permalink)  
Old 10-16-2007, 01:02 AM
Sebastian G.
Default Re: How did they get past my NAT?

Unruh wrote:


>> 1. NAT is not designed to work as a security solution.
>> 2. Depending on the implementation, it might forward the connection anyway
>> without any explicit rule.

>
> So might an incompetent firewall. A competently implemented NAT does work
> as a firewall IF set to not forward any unsolicited packets.



Wrong.
- A completely correct NAT implementation might also do a full forwarding in
a 1:1 setup.
- As well as it might forward every unsolicited packet to a specified host
on a 1:many setup (the DMZ host)...
- Reading layer 7 protocols and associate states isn't wrong either.


> Of course you have to decide if your particular NAT is a competent
> implementation. However if you punch holes (have it forward ports) all
> bets are off.



What about punching holes from the inside? With a Java applet, you can
create a connection back to a server with a freely chosen port > 1023. With
Flash applets, you can even get < 1024 with some nifty (documented) tricks.
Now just create a connection from $local_ip:53 to $your_server:12345, drop
the connection from the client side, and if the victim fires up his local
DNS server within the timeout period... without a real firewall explicitly
denying any outside access to port 53, even for session-related packets, you
won't get any further. And with NAT alone, you can't solve this dilemma at all.

  #32 (permalink)  
Old 10-16-2007, 11:54 PM
Unruh
Default Re: How did they get past my NAT?

Leythos <void@nowhere.lan> writes:

>In article <gGOQi.14414$G25.13546@edtnps89>, unruh-spam@physics.ubc.ca
>says...
>> "Sebastian G." <seppi@seppig.de> writes:
>>
>> >> It is certainly true that a firewall can be a slightly less blunt
>> >> instrument, and can reject or accept more subtly than a NAT router can, but
>> >> IF that router is set up not to do any port forwarding, then it is also a
>> >> firewall set up to reject all incoming connections.
>>
>> >There are two major differences:
>>
>> >1. NAT is not designed to work as a security solution.
>> >2. Depending on the implementation, it might forward the connection anyway
>> >without any explicit rule.
>>
>> So might an incompetent firewall. A competently implemented NAT does work
>> as a firewall IF set to not forward any unsolicited packets.
>> Of course you have to decide if your particular NAT is a competent
>> implementation. However if you punch holes (have it forward ports) all
>> bets are off.


>No, you don't have to decide, there are quality groups, CERT for one,
>that can test and tell us if they pass the proper test to be qualified
>as a firewall. NAT is not a firewall function, it is often included in
>firewalls, but it is not a firewall function.



The question was not whether NAT was a firewall function but whether NAT
with no port holes punched through was effectively a firewall allowing no
unsolicited incoming traffic.

Is there a way in which a NAT router, with no holes punched through, is
more insecure than a firewall which rejects all unsolicited incoming
traffic? If you claim it is more insecure, please tell us why.


  #33 (permalink)  
Old 10-16-2007, 11:59 PM
Sebastian G.
Default Re: How did they get past my NAT?

Unruh wrote:


> The question was not whether NAT was a firewall function but whether NAT
> with no port holes punched through was effectively a firewall allowing no
> unsolicited incoming traffic.
>
> Is there a way in which a NAT router, with no holes punched through, is
> more insecure than a firewall which rejects all unsolicited incoming
> traffic? If you claim it is more insecure, please tell us why.


It is, for three reasons:

1. If a connection is initiated from the inside, all related traffic from
the outside is forwarded. For a firewall you'd need to add such a rule
explicitly, and you could still overwrite it (e.g. generally denying access
to a certain port range for every incoming connection from the WAN).

2. Depending on the implementation, a NAT router itself might decide to
forward a connection based on assumptions about various Layer 7 protocols.

3. NAT was never designed to be a security solution, but rather to provide
connectivity (even the RFC about NAT explicitly states that!). So you should
never assume that a NAT implementation simply drops a connection for which
it doesn't know any state.
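
Points 1 and 3 above can be made concrete with a small model, added here as an illustration and not code from any poster or router firmware. A NAT forwards whatever matches a live mapping, how strictly it matches depends on the implementation (the filtering names follow RFC 4787; "endpoint-independent" is what the thread calls "full-cone"), and only a separate filter rule can refuse traffic that a mapping would admit. The addresses, the 60-second timeout and the class names are assumptions.

```python
from dataclasses import dataclass, field

# Filtering behaviours, named as in RFC 4787.
ENDPOINT_INDEPENDENT = "endpoint-independent"          # "full-cone"
ADDRESS_AND_PORT_DEPENDENT = "address-and-port-dependent"


@dataclass
class Nat:
    """Minimal port-preserving NAPT model: one mapping per external port."""
    filtering: str
    timeout: int = 60                                  # assumed mapping lifetime (s)
    mappings: dict = field(default_factory=dict)       # ext_port -> entry

    def outbound(self, now, inside, remote):
        """Inside host sends to remote: create or refresh the mapping."""
        entry = self.mappings.get(inside[1])
        if entry is None or entry["expires"] <= now or entry["inside"] != inside:
            entry = {"inside": inside, "peers": set()}
            self.mappings[inside[1]] = entry
        entry["peers"].add(remote)
        entry["expires"] = now + self.timeout
        return inside[1]

    def inbound(self, now, remote, ext_port):
        """Return the inside (ip, port) a WAN packet is forwarded to, or None."""
        entry = self.mappings.get(ext_port)
        if entry is None or entry["expires"] <= now:
            return None                                # no live state: dropped here
        if (self.filtering == ADDRESS_AND_PORT_DEPENDENT
                and remote not in entry["peers"]):
            return None                                # only the contacted peer may reply
        return entry["inside"]                         # state exists: forwarded


@dataclass
class Firewall:
    """Filter in front of the same NAT. Its explicit WAN deny rules override
    any mapping, which is the rule the NAT alone cannot express."""
    nat: Nat
    deny_inbound_ports: frozenset = frozenset()

    def inbound(self, now, remote, ext_port):
        target = self.nat.inbound(now, remote, ext_port)
        if target is not None and target[1] in self.deny_inbound_ports:
            return None
        return target


def scenario():
    """Inside host opens a flow from local port 53; see who can reach it later."""
    inside = ("192.168.1.10", 53)                      # constructed addresses
    peer = ("203.0.113.5", 12345)
    stranger = ("198.51.100.7", 40000)
    out = {}
    for mode in (ENDPOINT_INDEPENDENT, ADDRESS_AND_PORT_DEPENDENT):
        nat = Nat(filtering=mode)
        ext = nat.outbound(0, inside, peer)
        fw = Firewall(nat, deny_inbound_ports=frozenset({53}))
        out[mode] = {
            "peer@30": nat.inbound(30, peer, ext),
            "stranger@30": nat.inbound(30, stranger, ext),
            "peer@61": nat.inbound(61, peer, ext),
            "firewall peer@30": fw.inbound(30, peer, ext),
        }
    return out


if __name__ == "__main__":
    for mode, results in scenario().items():
        print(mode, results)
```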

  #34 (permalink)  
Old 10-17-2007, 03:18 AM
Leythos
Default Re: How did they get past my NAT?

In article <KacRi.33135$%B2.844@edtnps82>, unruh-spam@physics.ubc.ca
says...
> The question was not whether NAT was a firewall function but whether NAT
> with no port holes punched through was effectively a firewall allowing no
> unsolicited incoming traffic.
>
> Is there a way in which a NAT router, with no holes punched through, is
> more insecure than a firewall which rejects all unsolicited incoming
> traffic? If you claim it is more insecure, please tell us why.


And you're all wet because a firewall protects in both directions.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

Fight exposing kids to porn, complain about sites like pcbutts1 that
create filth and put it on the web for any kid to see: Just take a look
at some of the FILTH he's created and put on his website:
http://forums.speedguide.net/archive.../t-223485.html all exposed
to children (the link I've include does not directly display his filth).
You can find the same information by googling for 'PCBUTTS1' and
'exposed to kids'.

  #35 (permalink)  
Old 10-17-2007, 05:36 AM
Unruh
Default Re: How did they get past my NAT?

"Sebastian G." <seppi@seppig.de> writes:

>Unruh wrote:



>> The question was not whether NAT was a firewall function but whether NAT
>> with no port holes punched through was effectively a firewall allowing no
>> unsolicited incoming traffic.
>>
>> Is there a way in which a NAT router, with no holes punched through, is
>> more insecure than a firewall which rejects all unsolicited incoming
>> traffic? If you claim it is more insecure, please tell us why.


>It is, for three reasons:


>1. If a connection is initiated from the inside, all related traffic from
>the outside is forwarded. For a firewall you'd need to add such a rule
>explicitly, and you could still overwrite it (e.g. generally denying access
>to a certain port range for every incoming connection from the WAN).


Not at all sure what you mean. I initiate a http connection. The response
better get through both on a firewall and on a NAT.


>2. Depending on the implementation, a NAT router itself might decide to
>forward a connection based on assumptions about various Layer 7 protocols.


?? Not clear what you mean. This sounds like a bad implementation.


>3. NAT was never designed to be a security solution, but rather to provide
>connectivity (even the RFC about NAT explicitly states that!). So you should
>never assume that a NAT implementation simply drops a connection for which
>it doesn't know any state.


  #36 (permalink)  
Old 10-17-2007, 05:38 AM
Unruh
Default Re: How did they get past my NAT?

Leythos <void@nowhere.lan> writes:

>In article <KacRi.33135$%B2.844@edtnps82>, unruh-spam@physics.ubc.ca
>says...
>> The question was not whether NAT was a firewall function but whether NAT
>> with no port holes punched through was effectively a firewall allowing no
>> unsolicited incoming traffic.
>>
>> Is there a way in which a NAT router, with no holes punched through, is
>> more insecure than a firewall which rejects all unsolicited incoming
>> traffic? If you claim it is more insecure, please tell us why.


>And you're all wet because a firewall protects in both directions.


Protects what in both directions? We are talking about an outsider
attacking a machine behind the NAT/firewall. What is the relevance of "both
directions" to the issue at hand?


  #37 (permalink)  
Old 10-17-2007, 10:37 AM
Leythos
Default Re: How did they get past my NAT?

In article <WbhRi.33208$%B2.23616@edtnps82>, unruh-spam@physics.ubc.ca
says...
> "Sebastian G." <seppi@seppig.de> writes:
>
> >Unruh wrote:

>
>
> >> The question was not whether NAT was a firewall function but whether NAT
> >> with no port holes punched through was effectively a firewall allowing no
> >> unsolicited incoming traffic.
> >>
> >> Is there a way in which a NAT router, with no holes punched through, is
> >> more insecure than a firewall which rejects all unsolicited incoming
> >> traffic? If you claim it is more insecure, please tell us why.

>
> >It is, for three reasons:

>
> >1. If a connection is initiated from the inside, all related traffic from
> >the outside is forwarded. For a firewall you'd need to add such a rule
> >explicitly, and you could still overwrite it (e.g. generally denying access
> >to a certain port range for every incoming connection from the WAN).

>
> Not at all sure what you mean. I initiate a http connection. The response
> better get through both on a firewall and on a NAT.


Actually, it depends, when using a firewall, on the HTTP rule as to you
getting through or not.

In many cases you might allow HTTP from certain users or certain
internal IP or IP ranges and not allow HTTP from all other ranges - your
NAT Router can't do that, but a firewall can.


--
Leythos - spam999free@rrohio.com (remove 999 to email me)


  #38 (permalink)  
Old 10-17-2007, 10:42 AM
Leythos
Default Re: How did they get past my NAT?

In article <kdhRi.33209$%B2.7020@edtnps82>, unruh-spam@physics.ubc.ca
says...
> Leythos <void@nowhere.lan> writes:
>
> >In article <KacRi.33135$%B2.844@edtnps82>, unruh-spam@physics.ubc.ca
> >says...
> >> The question was not whether NAT was a firewall function but whether NAT
> >> with no port holes punched through was effectively a firewall allowing no
> >> unsolicited incoming traffic.
> >>
> >> Is there a way in which a NAT router, with no holes punched through, is
> >> more insecure than a firewall which rejects all unsolicited incoming
> >> traffic? If you claim it is more insecure, please tell us why.

>
> >And you're all wet because a firewall protects in both directions.

>
> Protects what in both directions? We are talking about an outsider
> attacking a machine behind the NAT/firewall. What is the relevance of "both
> directions" to the issue at hand?


You don't appear to know about "both directions" and in many cases you
don't allow ALL OUTBOUND, in fact, there is little reason to allow all
outbound and it's a bad rule to use ALLOW ANY > EXTERNAL.

I never allow TCP 1433 or TCP 1434 or TCP 135-139 or TCP 445 outbound on
networks. I might only allow SMTP outbound from 1 IP in the LAN and I
might want to block outbound connections except from a small range of IP
in the LAN but not in the DMZ - a firewall can do that, your home NAT
ROUTER can't.

What about the DMZ network? Most NAT Routers have the option - but most
of them don't actually setup/use a DMZ network, it's just an IP on the
LAN that gets ALL traffic not forwarded to some other area - which means
it's NOT a DMZ and it's not protected from/to the LAN - A firewall
doesn't make that mistake.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)


  #39 (permalink)  
Old 10-17-2007, 11:49 AM
goarilla
Default Re: How did they get past my NAT?

Leythos wrote:
> In article <kdhRi.33209$%B2.7020@edtnps82>, unruh-spam@physics.ubc.ca
> says...
>> Leythos <void@nowhere.lan> writes:
>>
>>> In article <KacRi.33135$%B2.844@edtnps82>, unruh-spam@physics.ubc.ca
>>> says...
>>>> The question was not whether NAT was a firewall function but whether NAT
>>>> with no port holes punched through was effectively a firewall allowing no
>>>> unsolicited incoming traffic.
>>>>
>>>> Is there a way in which a NAT router, with no holes punched through, is
>>>> more insecure than a firewall which rejects all unsolicited incoming
>>>> traffic? If you claim it is more insecure, please tell us why.
>>> And you're all wet because a firewall protects in both directions.

>> Protects what in both directions? We are talking about an outsider
>> attacking a machine behind the NAT/firewall. What is the relevance of "both
>> directions" to the issue at hand?

>
> You don't appear to know about "both directions" and in many cases you
> don't allow ALL OUTBOUND, in fact, there is little reason to allow all
> outbound and it's a bad rule to use ALLOW ANY > EXTERNAL.
>
> I never allow TCP 1433 or TCP 1434 or TCP 135-139 or TCP 445 outbound on
> networks. I might only allow SMTP outbound from 1 IP in the LAN and I
> might want to block outbound connections except from a small range of IP
> in the LAN but not in the DMZ - a firewall can do that, your home NAT
> ROUTER can't.


little question, just for the sake of education:
a router splits up broadcast domains iirc and doesn't forward broadcasts
unless specified, so netbios broadcasts (eg who is master browser ...)
are NOT forwarded, and well, netbios requests as default should never
define a destination ip that needs to be gatewayed,
eg if your lan is 192.168.1.* then it should never send packets to
192.168.1.0.
well i think that's the way it works with win xp sp2 + and Unix SAMBA,
because i have sniffed and sniffed but never saw a netbios packet with a
destination that required the router to forward it to the wan side

i do however outbound filter my SMB servers (2 x slackware machines)
since i can't be certain 100 %. the question is: is this somehow correct
and/or if not please elaborate, i just want to learn and spread what i've
learned.
in no way i mean to start flamewars or belittle people.

> What about the DMZ network? Most NAT Routers have the option - but most
> of them don't actually setup/use a DMZ network, it's just an IP on the
> LAN that gets ALL traffic not forwarded to some other area - which means
> it's NOT a DMZ and it's not protected from/to the LAN - A firewall
> doesn't make that mistake.
>


true most DMZ's on home routers are not real DMZ's

  #40 (permalink)  
Old 10-17-2007, 12:00 PM
Leythos
Default Re: How did they get past my NAT?

In article <4715f6e4$0$29264$ba620e4c@news.skynet.be>, goarilla <"kevin
DOT paulus AT skynet DOT be"> says...
> i do however outbound filter my SMB servers (2 x slackware machines)
> since i can't be certain 100 %. the question is: is this somehow correct
> and/or if not please elaborate i just want to learn and spread what i've
> learned
> in no way i mean to start flamewars or belittle people.


Watch your logs, it will open your eyes as to what is leaving your
network.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)
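
One way to act on "watch your logs", as an added example that is not from any poster: scan forwarded-packet log lines for the outbound ports listed earlier in the thread (TCP 1433, 1434, 135-139, 445) and for SMTP from any host other than the one allowed to send mail. The log lines are constructed in netfilter LOG style, and the LAN range and mail-host address are assumptions.

```python
import ipaddress
import re

# Constructed sample lines in netfilter LOG style (not taken from the thread).
SAMPLE_LOG = """\
Oct 17 10:42:01 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.9 LEN=48 PROTO=TCP SPT=1045 DPT=445
Oct 17 10:42:03 gw kernel: FWD IN=br0 OUT=br0 SRC=192.168.1.20 DST=192.168.1.30 LEN=48 PROTO=TCP SPT=1046 DPT=445
Oct 17 10:42:09 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.5 DST=198.51.100.25 LEN=60 PROTO=TCP SPT=40112 DPT=25
Oct 17 10:42:15 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.44 DST=198.51.100.25 LEN=60 PROTO=TCP SPT=2211 DPT=25
Oct 17 10:42:20 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.31 DST=203.0.113.80 LEN=60 PROTO=TCP SPT=50100 DPT=80
Oct 17 10:42:31 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.31 DST=203.0.113.14 LEN=60 PROTO=TCP SPT=50101 DPT=1433
Oct 17 10:42:40 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.9 LEN=78 PROTO=UDP SPT=137 DPT=137
Oct 17 10:42:44 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.999 DST=203.0.113.9 LEN=48 PROTO=TCP SPT=1047 DPT=445
Oct 17 10:43:10 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.20 DST=
"""

LAN = ipaddress.ip_network("192.168.1.0/24")              # assumed LAN range
# Outbound TCP ports named in the thread as never allowed to leave the network.
BLOCKED_TCP = {1433, 1434, 445} | set(range(135, 140))
SMTP_ALLOWED_FROM = {ipaddress.ip_address("192.168.1.5")}  # assumed mail host

FIELD = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Return the KEY=value pairs of one log line as a dict."""
    return dict(FIELD.findall(line))


def findings(log_text):
    """List (src, dst, dport, reason) for LAN-to-outside TCP flows that the
    egress policy above would refuse. Malformed lines are skipped."""
    out = []
    for line in log_text.splitlines():
        f = parse(line)
        if f.get("PROTO") != "TCP" or not {"SRC", "DST", "DPT"} <= f.keys():
            continue
        try:
            src = ipaddress.ip_address(f["SRC"])
            dst = ipaddress.ip_address(f["DST"])
            dport = int(f["DPT"])
        except ValueError:
            continue                      # truncated or corrupted field
        if src not in LAN or dst in LAN:
            continue                      # only traffic leaving the LAN matters here
        if dport in BLOCKED_TCP:
            out.append((str(src), str(dst), dport, "blocked port"))
        elif dport == 25 and src not in SMTP_ALLOWED_FROM:
            out.append((str(src), str(dst), dport, "SMTP from non-mail host"))
    return out


if __name__ == "__main__":
    for hit in findings(SAMPLE_LOG):
        print(*hit)
```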


  #41 (permalink)  
Old 10-17-2007, 01:19 PM
goarilla
Default Re: How did they get past my NAT?

Leythos wrote:
> In article <4715f6e4$0$29264$ba620e4c@news.skynet.be>, goarilla <"kevin
> DOT paulus AT skynet DOT be"> says...
>> i do however outbound filter my SMB servers (2 x slackware machines)
>> since i can't be certain 100 %. the question is: is this somehow correct
>> and/or if not please elaborate i just want to learn and spread what i've
>> learned
>> in no way i mean to start flamewars or belittle people.

>
> Watch your logs, it will open your eyes as to what is leaving your
> network.
>

what logs ?
everything syslog records ?
i guess i'll probably have to increase samba logging as well
since atm smbd prints only start time of the process

  #42 (permalink)  
Old 10-18-2007, 01:55 PM
Hexalon
Default Re: How did they get past my NAT?

On Oct 11, 11:31 am, Maniaque <maniaqu...@gmail.com> wrote:
> On Oct 11, 6:31 am, Leythos <v...@nowhere.lan> wrote:
>
> > In article <1192088852.392958.21...@r29g2000hsg.googlegroups.com>,
> > maniaqu...@gmail.com says...

>
> > A NAT is not a firewall at all, it's basic routing - Most non-technical
> > types call NAT Routers firewalls, they are not.

>
> That I understand, but I'm always a little confused about what the
> difference Exactly is... a firewall is a device that only allows
> connections that you want to allow - a NAT is a device that allows
> outgoing connections arbitrarily, but normally (or only sometimes? see
> the STUN information Chris mentioned) prevents arbitrary incoming
> connections. Most home routers additionally claim to have a "firewall"
> function that you can turn on / off (including the WRT54G) - when do
> you decide what is and what is not a firewall? I really would like to
> know, it's something that's puzzled me for years. Some things are
> clearly not a firewall at all, like a "Full-cone" NAT router. Some
> things are clearly a firewall first, and anything else after, like one
> of those Cisco devices. But aren't most home routers somewhere in-
> between?
>
>
>
> > a WRT54g is not a firewall, it's a nat router. NAT blocks "unsolicited"
> > inbound traffic, that's all.

>
> not true. the WRT54G can block outgoing connections based on any
> number of specified parameters, and then it has all those extra fancy
> features that I don't understand ;)
>
> Firewall Protection: Enable Disable
> Additional Filters
> Filter Proxy Filter Cookies
> Filter Java Applets Filter ActiveX
> Block Portscans Filter P2P Applications
> Block WAN Requests
> Block Anonymous Internet Requests
> Filter Multicast
> Filter Internet NAT Redirection
> Filter IDENT(Port 113)
>
>
>
> > No, port forwarding is what your problem is - if you forward ports then
> > you expose your computer/network and that's how people reach your
> > computer to do things you don't want.

>
> Only if they get past the intended security of the service in
> question, right?
>
> > You should learn to post in one group or to cross post so that your
> > thread is easy to work with for multiple groups that you've done this
> > in.

>
> Yep, thanks.
>
> Tao


A Firewall is a packet and port filter. That's all. NAT routers have a
similar effect of a firewall. It is possible you have something
lurking in your computer that is advertising your computer on the
internet. Something like a BotNet type program.


  #43 (permalink)  
Old 10-18-2007, 06:51 PM
Unruh
Default Re: How did they get past my NAT?

Leythos <void@nowhere.lan> writes:

>In article <WbhRi.33208$%B2.23616@edtnps82>, unruh-spam@physics.ubc.ca
>says...
>> "Sebastian G." <seppi@seppig.de> writes:
>>
>> >Unruh wrote:

>>
>>
>> >> The question was not whether NAT was a firewall function but whether NAT
>> >> with no port holes punched through was effectively a firewall allowing no
>> >> unsolicited incoming traffic.
>> >>
>> >> Is there a way in which a NAT router, with no holes punched through, is
>> >> more insecure than a firewall which rejects all unsolicited incoming
>> >> traffic? If you claim it is more insecure, please tell us why.

>>
>> >It is, for three reasons:

>>
>> >1. If a connection is initiated from the inside, all related traffic from
>> >the outside is forwarded. For a firewall you'd need to add such a rule
>> >explicitly, and you could still overwrite it (e.g. generally denying access
>> >to a certain port range for every incoming connection from the WAN).

>>
>> Not at all sure what you mean. I initiate a http connection. The response
>> better get through both on a firewall and on a NAT.


>Actually, it depends, when using a firewall, on the HTTP rule as to you
>getting through or not.


>In many cases you might allow HTTP from certain users or certain
>internal IP or IP ranges and not allow HTTP from all other ranges - your
>NAT Router can't do that, but a firewall can.


Yes, agreed. But that is irrelevant. The question is not whether or not a
firewall is more flexible than a NAT router, it is. The question is whether
there is a difference in security against unsolicited outside attacks
between a firewall which blocks all unsolicited outside connections, and a
NAT router with no port holes punched through (Ie no ports forwarded).



  #44 (permalink)  
Old 10-18-2007, 07:14 PM
Leythos
Default Re: How did they get past my NAT?

In article <LWNRi.11385$GO5.3118@edtnps90>, unruh-spam@physics.ubc.ca
says...
>
> Yes, agreed. But that is irrelevant. The question is not whether or not a
> firewall is more flexible than a NAT router, it is. The question is whether
> there is a difference in security against unsolicited outside attacks
> between a firewall which blocks all unsolicited outside connections, and a
> NAT router with no port holes punched through (Ie no ports forwarded).


Yes, there is a difference.

All quality firewalls have certifications from independent authorities
that will state how they work and that they are actually providing xyz.

NAT Routers have no certification (at least in the class we're talking
about) and have been shown, many times, to have exploits that allow
Unsolicited inbound traffic to pass through - even with no rules set by
the owner.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)


  #45 (permalink)  
Old 10-18-2007, 07:19 PM
jameshanley39@yahoo.co.uk
Default Re: How did they get past my NAT?

On Oct 11, 11:31 am, Leythos <v...@nowhere.lan> wrote:
> In article <1192088852.392958.21...@r29g2000hsg.googlegroups.com>,
> maniaqu...@gmail.com says...
>
> > I would need to set up a
> > second router/firewall/NAT device like a linksys wrt54G to sit behind
> > the telecoms-operator-provided Xavi router, forward the appropriate
> > ports through both devices, and make sure that the firewall is turned
> > on on the wrt54g? I can only assume that what was "missing" in my
> > original setup was a firewall (which my adsl router claims to have,
> > but when I turn it on all the port forwarding stops working, which
> > sort of defeats the purpose). Or do you have any other suggestions on
> > how this can be done using home equipment?

>
> A NAT is not a firewall at all, it's basic routing


<snip>

No, it is not Routing. Routing can be done with or without NAT.

A basic book like Computer Networking first step by Wendell Odom
published by Cisco Press would explain Routing.

Anyhow, saying that NAT is not a firewall does not explain how this
happened.

NAT Blocks incoming, unless port forwarding. He says he didn`t have
port forwarding set up to port 5900, where his VNC server got the
connection. Let`s assume that he checked afterwards to make sure the
port was not forwarded.

So, how did it happen?

Aside from Sebastian G`s cryptic explanation, I don`t see you
offering an explanation.




  #46 (permalink)  
Old 10-18-2007, 07:42 PM
jameshanley39@yahoo.co.uk
Default Re: How did they get past my NAT?

jameshanley39@yahoo.co.uk wrote:

> On Oct 11, 11:31 am, Leythos <v...@nowhere.lan> wrote:
> > In article <1192088852.392958.21...@r29g2000hsg.googlegroups.com>,
> > maniaqu...@gmail.com says...
> >
> > > I would need to set up a
> > > second router/firewall/NAT device like a linksys wrt54G to sit
> > > behind the telecoms-operator-provided Xavi router, forward the
> > > appropriate ports through both devices, and make sure that the
> > > firewall is turned on on the wrt54g? I can only assume that what
> > > was "missing" in my original setup was a firewall (which my adsl
> > > router claims to have, but when I turn it on all the port
> > > forwarding stops working, which sort of defeats the purpose). Or
> > > do you have any other suggestions on how this can be done using
> > > home equipment?

> >
> > A NAT is not a firewall at all, it's basic routing

>
> <snip>
>
> No, it is not Routing. Routing can be done with or without NAT.
>
> A basic book like Computer Networking first step by Wendell Odom
> published by Cisco Press would explain Routing.
>
> Anyhow, saying that NAT is not a firewall does not explain how this
> happened.
>
> NAT Blocks incoming, unless port forwarding. He says he didn`t have
> port forwarding set up to port 5900, where his VNC server got the
> connection. Let`s assume that he checked afterwards to make sure the
> port was not forwarded.
>
> So, how did it happen?
>
> Aside from Sebastian G`s cryptic explanation, I don`t see you
> offering an explanation.


You are actually one among many that suggests NAT for security,
perhaps rightly so, but this should then concern you.

I see Sebastian G has elaborated in further posts.

--


  #47 (permalink)  
Old 10-18-2007, 07:53 PM
Leythos
Default Re: How did they get past my NAT?

In article <1192735170.708582.241560@q5g2000prf.googlegroups.com>,
jameshanley39@yahoo.co.uk says...
> NAT Blocks incoming, unless port forwarding. He says he didn`t have
> port forwarding set up to port 5900, where his VNC server got the
> connection. Let`s assume that he checked afterwards to make sure the
> port was not forwarded.
>
> So, how did it happen?


He did have port forwarding enabled, not 5900, but he was hosting
services.

So, any number of things could have exposed his network and then the
hacker could use anything they wanted. Simple, really, exploit a hole in
service X, add your own app or use one installed, get access to other
things.

As for Routing, I don't need a lesson, I was talking about his device,
which is a ROUTER not a firewall.

I can place any of my firewalls in DROP-IN (non-routed) mode and have
the same IP's on all jacks - then the rules determine what passes
between jacks - he can't do that on his cheap NAT Router.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)


  #48 (permalink)  
Old 10-19-2007, 01:13 AM
Unruh
Default Re: How did they get past my NAT?

Leythos <void@nowhere.lan> writes:

>In article <LWNRi.11385$GO5.3118@edtnps90>, unruh-spam@physics.ubc.ca
>says...
>>
>> Yes, agreed. But that is irrelevant. The question is not whether or not a
>> firewall is more flexible than a NAT router, it is. The question is whether
>> there is a difference in security against unsolicited outside attacks
>> between a firewall which blocks all unsolicited outside connections, and a
>> NAT router with no port holes punched through (Ie no ports forwarded).


>Yes, there is a difference.


>All quality firewalls have certifications from independent authorities
>that will state how they work and that they are actually providing xyz.


>NAT Routers have no certification (at least in the class we're talking
>about) and have been shown, many times, to have exploits that allow
>Unsolicited inbound traffic to pass through - even with no rules set by
>the owner.


So, your argument is that nat routers are more often incompetent than
firewalls are. If true, a reasonable argument. Actually you say, "have been
shown"-- by whom?

Mind you you stated at the top that you were only concerned with quality
firewalls. Does that mean if I say "quality NAT routers" you would agree
that the two are equivalent?


  #49 (permalink)  
Old 10-19-2007, 01:24 AM
Leythos
Default Re: How did they get past my NAT?

In article <DwTRi.20480$G25.9521@edtnps89>, unruh-spam@physics.ubc.ca
says...
> Leythos <void@nowhere.lan> writes:
>
> >In article <LWNRi.11385$GO5.3118@edtnps90>, unruh-spam@physics.ubc.ca
> >says...
> >>
> >> Yes, agreed. But that is irrelevant. The question is not whether or not a
> >> firewall is more flexible than a NAT router, it is. The question is whether
> >> there is a difference in security against unsolicited outside attacks
> >> between a firewall which blocks all unsolicited outside connections, and a
> >> NAT router with no port holes punched through (Ie no ports forwarded).

>
> >Yes, there is a difference.

>
> >All quality firewalls have certifications from independent authorities
> >that will state how they work and that they are actually providing xyz.

>
> >NAT Routers have no certification (at least in the class we're talking
> >about) and have been shown, many times, to have exploits that allow
> >Unsolicited inbound traffic to pass through - even with no rules set by
> >the owner.

>
> So, your argument is that nat routers are more often incompetent than
> firewalls are. If true, a reasonable argument. Actually you say, "have been
> shown"-- by whom?
>
> Mind you you stated at the top that you were only concerned with quality
> firewalls. Does that mean if I say "quality NAT routers" you would agree
> that the two are equivalent?


No, I would not. There is no governing body to determine what IS or IS
NOT quality. NAT does not make a firewall.

Show me a NAT Router that passes CERT testing as a firewall and I'll
change my opinion.

--

Leythos - spam999free@rrohio.com (remove 999 to email me)


  #50 (permalink)  
Old 11-07-2007, 08:54 AM
Maniaque
Default Re: How did they get past my NAT?

On Oct 18, 2:53 pm, Leythos <v...@nowhere.lan> wrote:
> In article <1192735170.708582.241...@q5g2000prf.googlegroups.com>,
> jameshanle...@yahoo.co.uk says...
>
> > NAT Blocks incoming, unless port forwarding. He says he didn`t have
> > port forwarding set up to port 5900, where his VNC server got the
> > connection. Let`s assume that he checked afterwards to make sure the
> > port was not forwarded.

>
> > So, how did it happen?

>
> He did have port forwarding enabled, not 5900, but he was hosting
> services.
>
> So, any number of things could have exposed his network and then the
> hacker could use anything they wanted. Simple, really, exploit a hole in
> service X, add your own app or use one installed, get access to other
> things.
>


And just as this flamewar dies out, I'd like to pitch in again. I
cannot be absolutely certain what caused the issue as I had little
logging enabled, but as I have previously stated, I'm pretty confident
that this issue was due to an "Active FTP NAT Helper", as originally
suggested by Sebastian G and illustrated with Micheal Ziegler's help.
As a result of this issue I upgraded my home router to the latest
Tomato firmware (1.11), in which the author has kindly added an option
to disable the NAT helper.

The test page I linked somewhere above for the NAT Helper
"vulnerability" now happily shows that nothing gets through, with
status "500 Go away (PORT IP mismatch).".

Leythos, if exploiting a hole in any service X is as simple as you
seem to think (without you knowing anything about the services
involved), it's truly amazing to me that the internet still more or
less works :)

Thanks,
Tao


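Added example, not part of the thread and not code from Tomato or from the test page mentioned above: a toy model of what the post describes, an Active FTP NAT helper that rewrites an outbound `PORT` command and opens a matching inbound path, next to the server-side check that answers "500 Go away (PORT IP mismatch)." once the helper is off. The addresses, class and function names, and the 200/501 reply texts are assumptions made for the illustration; only port 5900 and the 500 status come from the thread.

```python
import ipaddress
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (IPv4 octets, then port high/low byte).
PORT_RE = re.compile(r"PORT " + ",".join([r"(\d{1,3})"] * 6) + r"\r?\n?")

def parse_port(line):
    """Return (IPv4Address, port) from a PORT command, or None if malformed."""
    m = PORT_RE.fullmatch(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]

class NatRouter:
    """Hypothetical NAT router; models only the FTP helper, nothing else."""
    def __init__(self, wan_ip, helper_enabled):
        self.wan_ip = ipaddress.IPv4Address(wan_ip)
        self.helper_enabled = helper_enabled
        self.expected_inbound = {}  # WAN port -> (LAN ip, LAN port)

    def outbound_control(self, lan_src, line):
        """Pass one FTP control line from the LAN out; return what the server sees."""
        parsed = parse_port(line)
        if not self.helper_enabled or parsed is None:
            return line  # plain NAT: payload untouched, no inbound state created
        ip, port = parsed
        if ip != ipaddress.IPv4Address(lan_src):  # assumption of this toy helper
            return line
        # The helper opens an inbound path although no port forward is configured.
        self.expected_inbound[port] = (ip, port)
        wan = str(self.wan_ip).replace(".", ",")
        return f"PORT {wan},{port >> 8},{port & 0xFF}\r\n"

    def inbound_allowed(self, wan_port):
        return wan_port in self.expected_inbound

def server_reply(peer_ip, line):
    """Server-side check: the PORT address must equal the control peer address."""
    parsed = parse_port(line)
    if parsed is None:
        return "501 Syntax error in parameters."
    ip, _port = parsed
    if ip != ipaddress.IPv4Address(peer_ip):
        return "500 Go away (PORT IP mismatch)."
    return "200 PORT command successful."

def run_case(helper_enabled):
    """Constructed scenario: LAN host 192.168.1.10 announces port 5900 (23*256+12)."""
    router = NatRouter("203.0.113.7", helper_enabled)
    seen = router.outbound_control("192.168.1.10", "PORT 192,168,1,10,23,12\r\n")
    return server_reply("203.0.113.7", seen), router.inbound_allowed(5900)

if __name__ == "__main__":
    for enabled in (True, False):
        print("helper enabled:", enabled, "->", run_case(enabled))
```

With the helper enabled the server accepts the rewritten command and the router holds an inbound expectation for port 5900; with it disabled the private address reaches the server unchanged, the mismatch check fires, and no inbound state exists.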
  #51 (permalink)  
Old 11-08-2007, 06:26 PM
jameshanley39@yahoo.co.uk
Default Re: How did they get past my NAT?

On 18 Oct, 19:14, Leythos <v...@nowhere.lan> wrote:
> In article <LWNRi.11385$GO5.3118@edtnps90>, unruh-s...@physics.ubc.ca
> says...
>
>
>
> > Yes, agreed. But that is irrelevant. The question is not whether or not a
> > firewall is more flexible than a NAT router, it is. The question is whether
> > there is a difference in security against unsolicited outside attacks
> > between a firewall which blocks all unsolicited outside connections, and a
> > NAT router with no port holes punched through (Ie no ports forwarded).

>
> Yes, there is a difference.
>
> All quality firewalls have certifications from independent authorities
> that will state how they work and that they are actually providing xyz.
>
> NAT Routers have no certification (at least in the class we're talking
> about) and have been shown, many times, to have exploits that allow
> Unsolicited inbound traffic to pass through - even with no rules set by
> the owner.
>


Where has it been shown many times?

( Not shown [many times] in this newsgroup. I first heard of any such
issue from a few months ago perhaps, from Sebastian, on this
newsgroup, and since by Volker. In a thread where you were advocating
NAT for - I thought - blocking incoming )




  #52 (permalink)  
Old 11-08-2007, 06:48 PM
Leythos
Default Re: How did they get past my NAT?

In article <1194544020.150180.306890@v23g2000prn.googlegroups.com>,
jameshanley39@yahoo.co.uk says...
> On 18 Oct, 19:14, Leythos <v...@nowhere.lan> wrote:
> > In article <LWNRi.11385$GO5.3118@edtnps90>, unruh-s...@physics.ubc.ca
> > says...
> >
> >
> >
> > > Yes, agreed. But that is irrelevant. The question is not whether or not a
> > > firewall is more flexible than a NAT router, it is. The question is whether
> > > there is a difference in security against unsolicited outside attacks
> > > between a firewall which blocks all unsolicited outside connections, and a
> > > NAT router with no port holes punched through (Ie no ports forwarded).

> >
> > Yes, there is a difference.
> >
> > All quality firewalls have certifications from independent authorities
> > that will state how they work and that they are actually providing xyz.
> >
> > NAT Routers have no certification (at least in the class we're talking
> > about) and have been shown, many times, to have exploits that allow
> > Unsolicited inbound traffic to pass through - even with no rules set by
> > the owner.
> >

>
> Where has it been shown many times?
>
> ( Not shown [many times] in this newsgroup. I first heard of any such
> issue from a few months ago perhaps, from Sebastian, on this
> newsgroup, and since by Volker. In a thread where you were advocating
> NAT for - I thought - blocking incoming )


Try google for reference materials.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

  #53 (permalink)  
Old 11-18-2007, 06:17 PM
Mr. Arnold
Default Re: How did they get past my NAT?


<jameshanley39@yahoo.co.uk> wrote in message
news:d7665587-94fc-4017-b589-7a15af6c3623@l22g2000hsc.googlegroups.com...
> On Nov 16, 9:11 am, "jameshanle...@yahoo.co.uk"
> <jameshanle...@yahoo.co.uk> wrote:
>> On Oct 12, 4:15 am, comph...@toddh.net (Todd H.) wrote:
>>
>>
>>
>>
>>
>> > Leythos <v...@nowhere.lan> writes:
>> > > In article <470e921a$0$29265$ba620...@news.skynet.be>, goarilla
>> > > <"kevin
>> > > DOT paulus AT skynet DOT be"> says...
>> > > > Leythos wrote:
>> > > > > In article
>> > > > > <1192120303.414117.236...@g4g2000hsf.googlegroups.com>,
>> > > > > maniaqu...@gmail.com says...
>> > > > >> not true. the WRT54G can block outgoing connections based on
>> > > > >> any
>> > > > >> number of specified parameters, and then it has all those extra
>> > > > >> fancy
>> > > > >> features that I don't understand ;)

>>
>> > > > > it's a NAT device that can block outbound ports - it has no clue
>> > > > > what
>> > > > > those ports are and doesn't know the difference between HTTP and
>> > > > > SMTP
>> > > > > except that they use different ports.

>>
>> > > > just some questions with as goal to learn more

>>
>> > > > so you call a firewall something with complex heuristics ?
>> > > > really does iptables provide more than filtering between protocol,
>> > > > port
>> > > > and state information, and do people actually use it. Because in
>> > > > essence
>> > > > iirc
>> > > > a nat router does the same it opens up a connection if somebody on
>> > > > the
>> > > > inside requests it
>> > > > and after that allows the connection until it's broken down (FIN
>> > > > or RST)
>> > > > do i have a point here or not ?

>>
>> > > Does the device, in the standard/default mode, block traffic in both
>> > > directions?

>>
>> > A cat5 cable cut in half does. Is it a firewall?

>>
>> > > Does the device know the difference between HTTP and SMTP or only
>> > > TCP 80 and TCP 25?

>>
>> > Firewalls in the traditional definition never did, were they not
>> > firewalls? Application-level protocol recognition is only recently on
>> > the scene, yet we've had things people called "firewalls" existing for
>> > quite a while before that. I'd hate to think I didn't get the memo
>> > about someone changing the definition of "firewall" with the
>> > International Standards Organization.

>>
>> > > Does the device understand being attacked and auto-block sources of
>> > > attacks or unauthorized traffic?

>>
>> > So when did the definition of "firewall" start requiring it to also
>> > fit the definition of "network intrusion prevention device" or
>> > "network intrusion detection device?"

>>
>> > Just curious.

>>
>> > > Does the device use NAT or can it be setup with rules without using
>> > > NAT?
>> > > If it forces NAT then I don't consider it a firewall unless it can do
>> > > all the others - since MOST of the devices that force NAT are
>> > > residential device (yea, not all inclusive, but you should get the
>> > > idea
>> > > without us going off the deep end).

>>
>> > Ah, okay here's where we come down to brass tacks--with the use of the
>> > word "I."

>>
>> > Some folks seem to have their own definition of a firewall that
>> > doesn't match that accepted by over the course of a lot of networking
>> > history including the present. This view categorically rejects those
>> > devices which don't fit a personally crafted unique definition of
>> > "firewalls."

>>
>> > Unfortunately, it's pedantic and pointless. But then again, so is
>> > much of the banter by the more abusive posters here. To protect their
>> > identity, we won't mention Leythos and Sebastian by name.

>>
>> > Now, that's not to say there isn't something to learn about the range
>> > of functionality one might want to consider in their border protection
>> > in the narrow definition such folks try to paint, but being so prickly
>> > about what to call a "firewall" and what to call a "NAT router" is
>> > just a freakin waste of time. Better to say "corporate grade border
>> > security appliance" which has built into the obvious fact that
>> > functionality and features of corporate grade hardware exceed that of
>> > $70 Linksys gear popular among home and small office users.

>>
>> > And let's not forget that there was a time not very long ago where the
>> > functionality packed into your garden variety wrt54g (particularly one
>> > packing the functionality of third party firmware) took a HELL of a lot
>> > of much more expensive hardware and was certainly considered a
>> > "firewall." And still is for that matter.

>>
>> > Those with what I'll call this "modern purist" view may be shocked to
>> > see the breadth of definitions for our friend the firewall that are in
>> > existence that cast a much bigger net than his own:
>> > http://www.google.com/search?q=define%3Afirewall

>>
>> > We now return you to your regularly scheduled semantic argument.

>>
>> > Best Regards,
>> > --
>> > Todd H. http://www.toddh.net/

>>
>> unfortunately, those that make a point like the one you make , are
>> less vocal.
>>
>> you mention
>> "
>> I'd hate to think I didn't get the memo about someone changing the
>> definition of "firewall" with the International Standards Organization
>> "
>>
>> what is the ISO definition of firewall ? I couldn`t find it
>>
>> can you name some of the firewalls you used in the past, that didn`t
>> do much more than the "traditional definition". And can you define the
>> traditional definition ?
>>
>> What I would GUESS, is that a firewall is a packet filter and a packet
>> filter is a firewall. Same thing. Can be Device(network firewall) or
>> Software.
>>
>> a packet filter controls a network by selectively allowing or blocking
>> packets.
>>
>> packet filter is always Layer 3 (stateless/static packet filter)
>> and can be both Layers 3 and 4. (stateful / dynamic packet filter )
>>
>> (definition based on webopedia and the one given in the docs for the
>> openbsd pf program)
>>
>> It rules out the broken cable you mentioned ;-)

>
> rules out NAT Router too. which is probably good.
>
> http://en.wikipedia.org/wiki/Firewall_(networking)
> differs with webopedia, it calls "packet filter" only the first
> generation of firewall. at the network layer of the OSI model. (though
> if it accesses tcp port , that is something at Layer 4 too).
> So, by that definition, SPI != packet filter.
>
> That page does talk of a firewall as sitting between 2 networks.
> perhaps, as opposed to an individual computer from a network.
>


To keep it simplistic for you, the Internet is a massive/giant network the
Wide Area Network being protected from by the firewall. The network being
protected by the FW is the Local Area Network.

> It does not mention about if a concept may be flawed.. like running a
> software firewall on a non dedicated machine.



Your concept of a FW is flawed. A FW must separate two networks. The network
it is protecting from, and the network it is protecting. A FW must have at
least two network interfaces. One interface must face the WAN, and the other
interface must face the LAN. In the case of a software FW running on a
secured host computer, the computer must have two NIC(s) with one facing the
WAN and the other one facing the LAN.

If a software solution is not using two NIC(s), it's not a FW, but rather,
it's a machine level packet filter protecting at the machine level.


  #54 (permalink)  
Old 11-18-2007, 08:03 PM
Unruh
Default Re: How did they get past my NAT?

Maniaque <maniaque27@gmail.com> writes:

>On Oct 18, 2:53 pm, Leythos <v...@nowhere.lan> wrote:
>> In article <1192735170.708582.241...@q5g2000prf.googlegroups.com>,
>> jameshanle...@yahoo.co.uk says...
>>
>> > NAT Blocks incoming, unless port forwarding. He says he didn`t have
>> > port forwarding set up to port 5900, where his VNC server got the
>> > connection. Let`s assume that he checked afterwards to make sure the
>> > port was not forwarded.

>>
>> > So, how did it happen?

>>
>> He did have port forwarding enabled, not 5900, but he was hosting
>> services.
>>
>> So, any number of things could have exposed his network and then the
>> hacker could use anything they wanted. Simple, really, exploit a hole in
>> service X, add your own app or use one installed, get access to other
>> things.
>>


>And just as this flamewar dies out, I'd like to pitch in again. I
>cannot be absolutely certain what caused the issue as I had little
>logging enabled, but as I have previously stated, I'm pretty confident
>that this issue was due to an "Active FTP NAT Helper", as originally
>suggested by Sebastian G and illustrated with Micheal Ziegler's help.
>As a result of this issue I upgraded my home router to the latest
>Tomato firmware (1.11), in which the author has kindly added an option
>to disable the NAT helper.


>The test page I linked somewhere above for the NAT Helper
>"vulnerability" now happily shows that nothing gets through, with
>status "500 Go away (PORT IP mismatch).".


>Leythos, if exploiting a hole in any service X is as simple as you
>seem to think (without you knowing anything about the services
>involved), it's truly amazing to me that the internet still more or
>less works :)


If service X has a hole, then service X can be exploited. Clearly the
attacker knows which services to try since those are the ports you have
open. And exploiting service X means they have entry to your machine. And
if they have entry to your machine, then they can do what they want.
Why exactly do you say that the internet works? There are probably millions
of machines out there that are owned by outsiders- ie on which outsiders
can do what they want. They primarily use them for launching phishing and
spam attacks on the world. Your definition of "works" needs upgrading.


>Thanks,
>Tao



  #55 (permalink)  
Old 11-18-2007, 08:05 PM
Unruh
Default Re: How did they get past my NAT?

"jameshanley39@yahoo.co.uk" <jameshanley39@yahoo.co.uk> writes:

>On 18 Oct, 19:14, Leythos <v...@nowhere.lan> wrote:
>> In article <LWNRi.11385$GO5.3118@edtnps90>, unruh-s...@physics.ubc.ca
>> says...
>>
>>
>>
>> > Yes, agreed. But that is irrelevant. The question is not whether or not a
>> > firewall is more flexible than a NAT router, it is. The question is whether
>> > there is a difference in security against unsolicited outside attacks
>> > between a firewall which blocks all unsolicited outside connections, and a
>> > NAT router with no port holes punched through (Ie no ports forwarded).

>>
>> Yes, there is a difference.
>>
>> All quality firewalls have certifications from independent authorities
>> that will state how they work and that they are actually providing xyz.


I am sorry, but you regard paper as a valid computer defense. Who cares if
they have a piece of paper attached? The question is not who has the paper
trail, but who has the security.

>>
>> NAT Routers have no certification (at least in the class we're talking
>> about) and have been shown, many times, to have exploits that allow
>> Unsolicited inbound traffic to pass through - even with no rules set by
>> the owner.


As have firewalls at times.


>>


>Where has it been shown many times?


>( Not shown [many times] in this newsgroup. I first heard of any such
>issue from a few months ago perhaps, from Sebastian, on this
>newsgroup, and since by Volker. In a thread where you were advocating
>NAT for - I thought - blocking incoming )





  #56 (permalink)  
Old 11-18-2007, 10:54 PM
Leythos
Default Re: How did they get past my NAT?

In article <aaf5ac3a-9b60-451a-b03e-36c03533b841
@w73g2000hsf.googlegroups.com>, jameshanley39@yahoo.co.uk says...
> Leythos is keen on
> blocking certain outgoing so he`d probably know of some examples.


SMTP, SQL Command, Windows File Sharing, IM......

I don't allow outbound SMTP from workstations ever.

I don't allow outbound SQL Command from anything, ever.

Windows File Sharing, DNS, etc... never from the local workstations..

IM - only from approved workstations....

While DNS is not an easy exploit, the others permit LAN machines to spread
malware to people on the net with exposed machines.

--

Leythos - spam999free@rrohio.com (remove 999 to email me)

Fight exposing kids to porn, complain about sites like PCBUTTS 1.COM
that create filth and put it on the web for any kid to see: Just take a
look at some of the FILTH he's created and put on his website:
http://forums.speedguide.net/archive.../t-223485.html all exposed
to children (the link I've included does not directly display his filth).
You can find the same information by googling for 'PCBUTTS1' and
'exposed to kids'.

  #57 (permalink)  
Old 11-19-2007, 01:42 AM
Mr. Arnold
Default Re: How did they get past my NAT?


<jameshanley39@yahoo.co.uk> wrote in message
news:aaf5ac3a-9b60-451a-b03e-36c03533b841@w73g2000hsf.googlegroups.com...
> On Nov 18, 7:17 pm, "Mr. Arnold" <MR. Arn...@Arnold.com> wrote:
>> <jameshanle...@yahoo.co.uk> wrote in message

> <snip>
>>
>> > That page does talk of a firewall as sitting between 2 networks.
>> > perhaps, as opposed to an individual computer from a network.

>>
>> To keep it simplistic for you, the Internet is a massive/giant network
>> the
>> Wide Area Network being protected from by the firewall. The network being
>> protected by the FW is the Local Area Network.
>>

>
> What is the complicated way then?



>
> note- a firewall blocking certain outgoing can help protect other
> people on the internet from a compromised machine. Leythos is keen on
> blocking certain outgoing so he`d probably know of some examples.


The proper thing would be to block all outbound traffic, and only allow
outbound traffic for those applications or services that need outbound
traffic. That would mostly apply to a solution such as a FW applian