10-11-2007, 10:31 AM
Re: How did they get past my NAT?
In article <1192088852.392958.21220@r29g2000hsg.googlegroups.com>, maniaque27@gmail.com says...
> I would need to set up a
> second router/firewall/NAT device like a linksys wrt54G to sit behind
> the telecoms-operator-provided Xavi router, forward the appropriate
> ports through both devices, and make sure that the firewall is turned
> on on the wrt54g? I can only assume that what was "missing" in my
> original setup was a firewall (which my adsl router claims to have,
> but when I turn it on all the port forwarding stops working, which
> sort of defeats the purpose). Or do you have any other suggestions on
> how this can be done using home equipment?
A NAT is not a firewall at all, it's basic routing - most non-technical
types call NAT routers firewalls; they are not.
A WRT54G is not a firewall, it's a NAT router. NAT blocks "unsolicited"
inbound traffic, that's all.
No, port forwarding is what your problem is - if you forward ports then
you expose your computer/network and that's how people reach your
computer to do things you don't want.
You should learn to post in one group or to cross post so that your
thread is easy to work with for multiple groups that you've done this
in.
--
Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist" spam999free@rrohio.com (remove 999 for proper email address)
10-11-2007, 04:31 PM
Re: How did they get past my NAT?
On Oct 11, 6:31 am, Leythos <v...@nowhere.lan> wrote:
> In article <1192088852.392958.21...@r29g2000hsg.googlegroups.com>,
> maniaqu...@gmail.com says...
>
>
> A NAT is not a firewall at all, it's basic routing - Most non-technical
> types call NAT Routers firewalls, they are not.
That I understand, but I'm always a little confused about what the
difference exactly is... a firewall is a device that only allows
connections that you want to allow - a NAT is a device that allows
outgoing connections arbitrarily, but normally (or only sometimes? see
the STUN information Chris mentioned) prevents arbitrary incoming
connections. Most home routers additionally claim to have a "firewall"
function that you can turn on / off (including the WRT54G) - when do
you decide what is and what is not a firewall? I really would like to
know, it's something that's puzzled me for years. Some things are
clearly not a firewall at all, like a "Full-cone" NAT router. Some
things are clearly a firewall first, and anything else after, like one
of those Cisco devices. But aren't most home routers somewhere in-between?
>
> a WRT54g is not a firewall, it's a nat router. NAT blocks "unsolicited"
> inbound traffic, that's all.
Not true. The WRT54G can block outgoing connections based on any
number of specified parameters, and then it has all those extra fancy
features that I don't understand ;)
Firewall Protection: Enable / Disable
Additional Filters:
- Filter Proxy
- Filter Cookies
- Filter Java Applets
- Filter ActiveX
- Block Portscans
- Filter P2P Applications
- Block WAN Requests
- Block Anonymous Internet Requests
- Filter Multicast
- Filter Internet NAT Redirection
- Filter IDENT (Port 113)
>
> No, port forwarding is what your problem is - if you forward ports then
> you expose your computer/network and that's how people reach your
> computer to do things you don't want.
>
Only if they get past the intended security of the service in
question, right?
> You should learn to post in one group or to cross post so that your
> thread is easy to work with for multiple groups that you've done this
> in.
>
Yep, thanks.
Tao
10-11-2007, 06:39 PM
Re: How did they get past my NAT?
In article <1192120303.414117.236860@g4g2000hsf.googlegroups.com>, maniaque27@gmail.com says...
> not true. the WRT54G can block outgoing connections based on any
> number of specified parameters, and then it has all those extra fancy
> features that I don't understand ;)
It's a NAT device that can block outbound ports - it has no clue what
those ports are and doesn't know the difference between HTTP and SMTP
except that they use different ports.
--
Leythos - spam999free@rrohio.com (remove 999 to email me)
Fight exposing kids to porn, complain about sites like PCBUTTS1.COM that
create filth and put it on the web for any kid to see: Just take a look
at some of the FILTH he's created and put on his website: http://forums.speedguide.net/archive.../t-223485.html all exposed
to children (the link I've included does not directly display his filth).
You can find the same information by googling for 'PCBUTTS1' and
'exposed to kids'.
10-11-2007, 06:43 PM
Re: How did they get past my NAT?
Really quick update - Michael Ziegler helped me find the issue on a
thread I badly cross-posted on alt.comp.networking.connectivity: http://groups.google.com/group/alt.c...972156a51e0d/#
My router (Xavi 7768r with GlobespanVirata chipset, I think I had it
wrong above) has an Active FTP "NAT Helper" which allows any program
with TCP-connection-creation privileges on any of my computers to
open an incoming port to this machine from a target site on the
internet. Java Applets, by default, have this functionality enabled.
You can test for this "feature" or "flaw" at the following site: http://bedatec.dyndns.org/ftpnat/dotest_en.html
On the day this happened, I was browsing on at least a couple of sites
that could well have had "harmful content", probably including a Java
applet that opened up my port to the attacking site by using the FTP
NAT helper trick. My VNC server was a flawed version which (I tested
that) allowed certain well-crafted incoming connections to bypass
authentication.
Now - at this point I have no proof that that was the course of
events, but "Occam's razor" and all that, it is definitely the
simplest explanation that fits all the facts. I will definitely do a
more thorough malware check on my machine and I will implement a
solution that allows me to forward the ports I want without the NAT
Helper flaw, but in the meantime I will sleep much better knowing that
chances are 95% that I at least know exactly what the problem was.
Thanks for all your help!
Tao
10-11-2007, 06:51 PM
Re: How did they get past my NAT?
In article <1192128212.845454.45420@22g2000hsm.googlegroups.com>, maniaque27@gmail.com says...
> My router (Xavi 7768r with GlobespanVirata chipset, I think I had it
> wrong above) has an Active FTP "NAT Helper" which allows any program
> with TCP-connection-creation priviledges on any of my computers to
> open an incoming port to this machine from a target site on the
> internet.
Another reason to never trust the ISP/Vendor supplied hardware.
Always get your own NAT/Firewall appliance and then you control
everything and manage it.
--
Leythos - spam999free@rrohio.com (remove 999 to email me)
10-11-2007, 09:05 PM
Re: How did they get past my NAT?
Maniaque wrote:
>> A NAT is not a firewall at all, it's basic routing - Most non-technical
>> types call NAT Routers firewalls, they are not.
>
> That I understand, but I'm always a little confused about what the
> difference Exactly is... a firewall is a device that only allows
> connections that you want to allow - a NAT is a device that allows
> outgoing connections arbitrarily, but normally (or only sometimes? see
> the STUN information Chris mentioned) prevents arbitrary incoming
> connections.
NAT/NAPT is a mechanism to provide connectivity. Preventing incoming
connections might be a particularly useless side effect, depending on the
implementation. It has nothing to do with security.
> Most home routers additionally claim to have a "firewall"
> function that you can turn on / off (including the WRT54G)
Yes, but this is not related to NAT.
10-11-2007, 09:14 PM
Re: How did they get past my NAT?
Leythos wrote:
> In article <1192120303.414117.236860@g4g2000hsf.googlegroups.com>,
> maniaque27@gmail.com says...
>> not true. the WRT54G can block outgoing connections based on any
>> number of specified parameters, and then it has all those extra fancy
>> features that I don't understand ;)
>
> it's a NAT device that can block outbound ports - it has no clue what
> those ports are and doesn't know the difference between HTTP and SMTP
> except that they use different ports.
>
Just some questions, with the goal of learning more.
So you call a firewall something with complex heuristics?
Really, does iptables provide more than filtering between protocol, port
and state information, and do people actually use it? Because in essence,
IIRC, a NAT router does the same: it opens up a connection if somebody on the
inside requests it, and after that allows the connection until it's broken
down (FIN or RST).
Do I have a point here or not?
10-11-2007, 09:17 PM
Re: How did they get past my NAT?
Leythos wrote:
> In article <1192128212.845454.45420@22g2000hsm.googlegroups.com>,
> maniaque27@gmail.com says...
>> My router (Xavi 7768r with GlobespanVirata chipset, I think I had it
>> wrong above) has an Active FTP "NAT Helper" which allows any program
>> with TCP-connection-creation priviledges on any of my computers to
>> open an incoming port to this machine from a target site on the
>> internet.
>
> Another reason to never trust the ISP/Vendor supplied hardware.
>
> Always get your own NAT/Firewall appliance and then you control
> everything and manage it.
>
I wholeheartedly agree with you on this one.
The problem is ... some ISPs filter on a specific device (MAC), some
ISPs lend you the router for personal usage, and some ISPs disallow
other so-called 'not supported' routers and put a clause in small
print on your contract.
Here in Belgium it's actually pretty bad in this field. Even worse, the
biggest ISP here, Belgacom, disallows secured POP (SSL/TLS) or IMAP for
non-business users, which still costs +40 EUR/month.
10-11-2007, 09:25 PM
Re: How did they get past my NAT?
In article <470e921a$0$29265$ba620e4c@news.skynet.be>, goarilla <"kevin DOT paulus AT skynet DOT be"> says...
> Leythos wrote:
> > In article <1192120303.414117.236860@g4g2000hsf.googlegroups.com>,
> > maniaque27@gmail.com says...
> >> not true. the WRT54G can block outgoing connections based on any
> >> number of specified parameters, and then it has all those extra fancy
> >> features that I don't understand ;)
> >
> > it's a NAT device that can block outbound ports - it has no clue what
> > those ports are and doesn't know the difference between HTTP and SMTP
> > except that they use different ports.
> >
>
> just some questions with as goal to learn more
>
> so you call a firewall something with complex heuristics ?
> really does iptables provide more than filtering between protocol, port
> and state information, and do people actually use it. Because in essence
> iirc
> a nat router does the same it opens up a connection if somebody on the
> inside requests it
> and after that allows the connection untill it's broken down (FIN or RST)
> do i have a point here or not ?
Does the device, in the standard/default mode, block traffic in both
directions?
Does the device know the difference between HTTP and SMTP or only TCP 80
and TCP 25?
Does the device understand being attacked and auto-block sources of
attacks or unauthorized traffic?
Does the device use NAT or can it be set up with rules without using NAT?
If it forces NAT then I don't consider it a firewall unless it can do
all the others - since MOST of the devices that force NAT are
residential devices (yea, not all inclusive, but you should get the idea
without us going off the deep end).
--
Leythos - spam999free@rrohio.com (remove 999 to email me)
10-11-2007, 10:03 PM
Re: How did they get past my NAT?
Leythos wrote:
> In article <470e921a$0$29265$ba620e4c@news.skynet.be>, goarilla <"kevin
> DOT paulus AT skynet DOT be"> says...
>> Leythos wrote:
>>> In article <1192120303.414117.236860@g4g2000hsf.googlegroups.com>,
>>> maniaque27@gmail.com says...
>>>> not true. the WRT54G can block outgoing connections based on any
>>>> number of specified parameters, and then it has all those extra fancy
>>>> features that I don't understand ;)
>>> it's a NAT device that can block outbound ports - it has no clue what
>>> those ports are and doesn't know the difference between HTTP and SMTP
>>> except that they use different ports.
>>>
>> just some questions with as goal to learn more
>>
>> so you call a firewall something with complex heuristics ?
>> really does iptables provide more than filtering between protocol, port
>> and state information, and do people actually use it. Because in essence
>> iirc
>> a nat router does the same it opens up a connection if somebody on the
>> inside requests it
>> and after that allows the connection untill it's broken down (FIN or RST)
>> do i have a point here or not ?
>
> Does the device, in the standard/default mode, block traffic in both
> directions?
No, OK, you got me here: it only does this for INBOUND traffic, but I myself
don't block outbound traffic on my box (Slackware) either,
because I consider myself knowledgeable enough to be trusted :D
> Does the device know the difference between HTTP and SMTP or only TCP 80
> and TCP 25?
>
> Does the device understand being attacked and auto-block sources of
> attacks or unauthorized traffic?
>
> Does the device use NAT or can it be setup with rules without using NAT?
> If it forces NAT then I don't consider it a firewall unless it can do
> all the others - since MOST of the devices that force NAT are
> residential device (yea, not all inclusive, but you should get the idea
> without us going off the deep end).
>
>
>
Do you consider netfilter to be a firewall? (Well, in essence it's a
stateful packet filter.)
Because IIRC there is no SMTP or HTTP netfilter module,
and it does its filtering mostly on the data link and transport
protocol headers, like most firewalls do. It would be very costly
performance-wise to implement application protocol filters into
firewalls, and I've yet to see one that does, also implementing complex
heuristics, because let's face it: the higher you go up in the TCP/IP
stack, the more complex the headers and payload become, the more bugs
you'll get in the code that does the heuristics --> the more flaws there
are to be exploited!
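To make concrete two mechanisms discussed in this thread (goarilla's description above of a NAT router that tracks connections opened from the inside until FIN/RST, and Tao's finding earlier that an FTP "NAT helper" lets any inside program pre-open an inbound port), here is an added simulation; it is not code from the thread or from any router vendor. The inside host 192.168.1.10, the outside site 203.0.113.5, the VNC port and the PORT payload are constructed sample values, and the helper is modelled as enabled only for an explicit list of servers, with the empty list meaning "helper off".

```python
"""Toy stateful packet filter with an optional FTP NAT helper (ALG).

Added example for this thread, not code from any router vendor or poster. It
models what the posters describe: TCP flows opened from the inside are tracked
until FIN/RST, unsolicited inbound SYNs are dropped, and an FTP "NAT helper"
that reads PORT commands on outbound control connections pre-opens an inbound
pinhole. All addresses, ports and payloads are constructed samples.
"""
import re
from dataclasses import dataclass, field

LAN_PREFIX = "192.168.1."        # constructed inside network behind the router
FTP_CONTROL_PORT = 21
PORT_CMD = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")  # RFC 959 form


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset             # subset of {"SYN", "ACK", "FIN", "RST"}
    payload: bytes = b""


@dataclass
class StatefulFilter:
    # The helper only inspects control connections to these server IPs; an empty
    # set means the helper is off (forward only the ports you chose, nothing else).
    ftp_helper_servers: frozenset = frozenset()
    flows: set = field(default_factory=set)      # (lan_ip, lan_port, wan_ip, wan_port)
    pinholes: set = field(default_factory=set)   # (wan_ip, lan_ip, lan_port)

    def handle(self, p: Packet) -> str:
        """Return "ACCEPT" or "DROP" for one TCP segment crossing the router."""
        if p.src.startswith(LAN_PREFIX):
            return self._outbound(p)
        if p.dst.startswith(LAN_PREFIX):
            return self._inbound(p)
        return "DROP"                            # neither side is ours

    def _outbound(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        if "SYN" in p.flags and "ACK" not in p.flags:
            self.flows.add(key)                  # inside host asked for it: allow
        elif key not in self.flows:
            return "DROP"                        # no state for this segment
        if p.flags & {"FIN", "RST"}:
            self.flows.discard(key)              # simplification: tear down on first FIN/RST
        if p.dport == FTP_CONTROL_PORT and p.dst in self.ftp_helper_servers:
            self._ftp_helper(p)
        return "ACCEPT"

    def _ftp_helper(self, p: Packet) -> None:
        """Trust the PORT command inside the data stream and pre-open the
        advertised inside address/port for that server, as a NAT helper does.
        This is why any LAN program able to open a TCP connection could make
        the router expect an inbound connection it was never configured for."""
        m = PORT_CMD.search(p.payload)
        if not m:
            return
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        data_ip, data_port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
        if data_ip.startswith(LAN_PREFIX) and 0 < data_port < 65536:
            self.pinholes.add((p.dst, data_ip, data_port))

    def _inbound(self, p: Packet) -> str:
        key = (p.dst, p.dport, p.src, p.sport)
        if key in self.flows:
            if p.flags & {"FIN", "RST"}:
                self.flows.discard(key)
            return "ACCEPT"                      # reply within an inside-initiated flow
        hole = (p.src, p.dst, p.dport)
        if "SYN" in p.flags and hole in self.pinholes:
            self.pinholes.discard(hole)          # one-shot, like an FTP data connection
            self.flows.add(key)
            return "ACCEPT"                      # the helper pre-opened this
        return "DROP"                            # unsolicited inbound: all NAT ever blocks


def run_scenario(helper_servers: frozenset = frozenset()) -> dict:
    """Replay a constructed segment sequence and return the verdict per step."""
    fw = StatefulFilter(ftp_helper_servers=helper_servers)
    host, site = "192.168.1.10", "203.0.113.5"  # constructed inside host / outside site
    syn, synack = frozenset({"SYN"}), frozenset({"SYN", "ACK"})
    ack, fin = frozenset({"ACK"}), frozenset({"FIN", "ACK"})
    port_cmd = b"PORT 192,168,1,10,23,12\r\n"    # names the inside host, port 23*256+12 = 5900
    return {
        "web_out": fw.handle(Packet(host, 40001, site, 80, syn)),
        "web_reply": fw.handle(Packet(site, 80, host, 40001, synack)),
        "unsolicited": fw.handle(Packet(site, 55555, host, 5900, syn)),
        "ftp_ctl_out": fw.handle(Packet(host, 40002, site, 21, syn)),
        "ftp_port_cmd": fw.handle(Packet(host, 40002, site, 21, ack, port_cmd)),
        "vnc_via_helper": fw.handle(Packet(site, 20, host, 5900, syn)),
        "web_fin": fw.handle(Packet(host, 40001, site, 80, fin)),
        "web_after_fin": fw.handle(Packet(site, 80, host, 40001, ack)),
    }
```

With the helper off, `run_scenario()` drops both the unsolicited SYN to 5900 and the one that followed the PORT command; with `run_scenario(frozenset({"203.0.113.5"}))` the second one is accepted, which is exactly the gap the router in the thread opened.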
10-12-2007, 01:24 AM
Re: How did they get past my NAT?
In article <470e9db8$0$22311$ba620e4c@news.skynet.be>, goarilla <"kevin DOT paulus AT skynet DOT be"> says...
> >
> do you consider netfilter to be a firewall (well in essence it's a
> statefull packet filter)
> because iirc there is no smtp or http netfilter module
> and it does its filtering mostly on the data link and transport
> protocol's headers
> like most firewalls do. it would be very costly performance wise to
> implement
> application protocol filters into firewalls and i've yet to see one that
> does
> also implementing complex heuristics because let's face it the higher
> you go up in
> the tcp/ip stack the more complex the headers and payload become, the
> more bugs you'll get
> in the code that does the heuristics --> the more flaws there are to be
> exploited!
Sorry, but I don't consider NAT Routers to be firewalls, they are
routers with some fancy features, not firewalls.
Many "Firewalls" do know the difference between SMTP and traffic over
TCP 25 - so, while you've yet to see one, you just are not working with
the better hardware out there.
As for bugs, yes, but I only purchase certified appliances, ones from
vendors that have a proven record of staying secure and clean, so I
trust that a LOT more than what most people use in their homes.
--
Leythos - spam999free@rrohio.com (remove 999 to email me)
10-12-2007, 04:15 AM
Re: How did they get past my NAT?
Leythos <void@nowhere.lan> writes:
> In article <470e921a$0$29265$ba620e4c@news.skynet.be>, goarilla <"kevin
> DOT paulus AT skynet DOT be"> says...
> > Leythos wrote:
> > > In article <1192120303.414117.236860@g4g2000hsf.googlegroups.com>,
> > > maniaque27@gmail.com says...
> > >> not true. the WRT54G can block outgoing connections based on any
> > >> number of specified parameters, and then it has all those extra fancy
> > >> features that I don't understand ;)
> > >
> > > it's a NAT device that can block outbound ports - it has no clue what
> > > those ports are and doesn't know the difference between HTTP and SMTP
> > > except that they use different ports.
> > >
> >
> > just some questions with as goal to learn more
> >
> > so you call a firewall something with complex heuristics ?
> > really does iptables provide more than filtering between protocol, port
> > and state information, and do people actually use it. Because in essence
> > iirc
> > a nat router does the same it opens up a connection if somebody on the
> > inside requests it
> > and after that allows the connection untill it's broken down (FIN or RST)
> > do i have a point here or not ?
>
> Does the device, in the standard/default mode, block traffic in both
> directions?
A cat5 cable cut in half does. Is it a firewall?
> Does the device know the difference between HTTP and SMTP or only
> TCP 80 and TCP 25?
Firewalls in the traditional definition never did, were they not
firewalls? Application-level protocol recognition is only recently on
the scene, yet we've had things people called "firewalls" existing for
quite a while before that. I'd hate to think I didn't get the memo
about someone changing the definition of "firewall" with the
International Standards Organization.
> Does the device understand being attacked and auto-block sources of
> attacks or unauthorized traffic?
So when did the definition of "firewall" start requiring it to also
fit the definition of "network intrusion prevention device" or
"network intrusion detection device?"
Just curious.
> Does the device use NAT or can it be setup with rules without using NAT?
> If it forces NAT then I don't consider it a firewall unless it can do
> all the others - since MOST of the devices that force NAT are
> residential device (yea, not all inclusive, but you should get the idea
> without us going off the deep end).
Ah, okay here's where we come down to brass tacks--with the use of the
word "I."
Some folks seem to have their own definition of a firewall that
doesn't match that accepted over the course of a lot of networking
history including the present. This view categorically rejects those
devices which don't fit a personally crafted unique definition of
"firewalls."
Unfortunately, it's pedantic and pointless. But then again, so is
much of the banter by the more abusive posters here. To protect their
identity, we won't mention Leythos and Sebastian by name.
Now, that's not to say there isn't something to learn about the range
of functionality one might want to consider in their border protection
in the narrow definition such folks try to paint, but being so prickly
about what to call a "firewall" and what to call a "NAT router" is
just a freakin waste of time. Better to say "corporate grade border
security appliance" which has built into the obvious fact that
functionality and features of corporate grade hardware exceed that of
$70 Linksys gear popular among home and small office users.
And let's not forget that there was a time not very long ago where the
functionality packed into your garden variety wrt54g (particularly one
packing the functionality of third party firmware) took a HELL of a lot
of much more expensive hardware and was certainly considered a
"firewall." And still is for that matter.
Those with what I'll call this "modern purist" view may be shocked to
see the breadth of definitions for our friend the firewall that are in
existence that cast a much bigger net than his own: http://www.google.com/search?q=define%3Afirewall
We now return you to your regularly scheduled semantic argument.
Best Regards,
--
Todd H. http://www.toddh.net/
10-12-2007, 11:52 AM
Re: How did they get past my NAT?
In article <848x69vui9.fsf@ripco.com>, comphelp@toddh.net says...
> Unfortunately, it's pedantic and pointless. But then again, so it
> much of the banter by the more abusive posters here. To protect their
> identity, we won't mention Leythos and Sebastian by name.
I've not been abusive to any person here. While I certainly know that
NAT appliances are not firewalls (but firewalls can do NAT), there is a
misconception as to what the public is being told a firewall is.
Yea, you don't like it, you must be one that purchased one of those
BEFSR41 units and fell for the "it's a firewall" crap - did you know
that when the BEFSR41 was introduced it was called a ROUTER with no
mention of firewall - a year later, with no changes, it was being
marketed as a "Firewall" - same box, same firmware.....
So, like it or not Todd H, most residential users are not using
firewalls, they are using ROUTERS.
--
Leythos - spam999free@rrohio.com (remove 999 to email me)
10-12-2007, 07:42 PM
Re: How did they get past my NAT?
Leythos wrote:
> In article <470e9db8$0$22311$ba620e4c@news.skynet.be>, goarilla <"kevin
> DOT paulus AT skynet DOT be"> says...
>> do you consider netfilter to be a firewall (well in essence it's a
>> statefull packet filter)
>> because iirc there is no smtp or http netfilter module
>> and it does its filtering mostly on the data link and transport
>> protocol's headers
>> like most firewalls do. it would be very costly performance wise to
>> implement
>> application protocol filters into firewalls and i've yet to see one that
>> does
>> also implementing complex heuristics because let's face it the higher
>> you go up in
>> the tcp/ip stack the more complex the headers and payload become, the
>> more bugs you'll get
>> in the code that does the heuristics --> the more flaws there are to be
>> exploited!
>
> Sorry, but I don't consider NAT Routers to be firewalls, they are
> routers with some fancy features, not firewalls.
If the router closes all ports and conceals LAN IP addresses
then it's just as good, and in one respect better than, any
software firewall.
10-12-2007, 07:51 PM
Re: How did they get past my NAT?
Rick Merrill <rick0.merrill@NOSPAM.gmail.com> writes:
> Leythos wrote:
> > In article <470e9db8$0$22311$ba620e4c@news.skynet.be>, goarilla
> > <"kevin DOT paulus AT skynet DOT be"> says...
> >> do you consider netfilter to be a firewall (well in essence it's a
> >> statefull packet filter)
> >> because iirc there is no smtp or http netfilter module
> >> and it does its filtering mostly on the data link and transport
> >> protocol's headers
> >> like most firewalls do. it would be very costly performance wise to
> >> implement
> >> application protocol filters into firewalls and i've yet to see one
> >> that does
> >> also implementing complex heuristics because let's face it the
> >> higher you go up in
> >> the tcp/ip stack the more complex the headers and payload become,
> >> the more bugs you'll get
> >> in the code that does the heuristics --> the more flaws there are
> >> to be exploited!
> > Sorry, but I don't consider NAT Routers to be firewalls, they are
> > routers with some fancy features, not firewalls.
>
> If the router closes all ports and conceals LAN IP addresses
> then it's just as good, and in one respect better than, any
> software firewall.
Uh oh. Someone said "software firewall."
Brace for the impending ranting about how they aren't firewalls
either.
--
Todd H. http://www.toddh.net/
10-13-2007, 12:39 AM
Re: How did they get past my NAT?
Todd H. wrote:
> Rick Merrill <rick0.merrill@NOSPAM.gmail.com> writes:
>
>> Leythos wrote:
>>> In article <470e9db8$0$22311$ba620e4c@news.skynet.be>, goarilla
>>> <"kevin DOT paulus AT skynet DOT be"> says...
>>>> do you consider netfilter to be a firewall (well in essence it's a
>>>> statefull packet filter)
>>>> because iirc there is no smtp or http netfilter module
>>>> and it does its filtering mostly on the data link and transport
>>>> protocol's headers
>>>> like most firewalls do. it would be very costly performance wise to
>>>> implement
>>>> application protocol filters into firewalls and i've yet to see one
>>>> that does
>>>> also implementing complex heuristics because let's face it the
>>>> higher you go up in
>>>> the tcp/ip stack the more complex the headers and payload become,
>>>> the more bugs you'll get
>>>> in the code that does the heuristics --> the more flaws there are
>>>> to be exploited!
>>> Sorry, but I don't consider NAT Routers to be firewalls, they are
>>> routers with some fancy features, not firewalls.
>> If the router closes all ports and conceals LAN IP addresses
>> then it's just as good, and in one respect better than, any
>> software firewall.
>
> Uh oh. Someone said "software firewall."
>
> Brace for the impending ranting about how they aren't firewalls
> either.
>
Oops, I didn't expect to get off scot-free.
10-13-2007, 12:41 AM
Re: How did they get past my NAT?
Rick Merrill <rick0.merrill@NOSPAM.gmail.com> writes:
>Leythos wrote:
>> In article <470e9db8$0$22311$ba620e4c@news.skynet.be>, goarilla <"kevin
>> DOT paulus AT skynet DOT be"> says...
>>> do you consider netfilter to be a firewall (well in essence it's a
>>> statefull packet filter)
>>> because iirc there is no smtp or http netfilter module
>>> and it does its filtering mostly on the data link and transport
>>> protocol's headers
>>> like most firewalls do. it would be very costly performance wise to
>>> implement
>>> application protocol filters into firewalls and i've yet to see one that
>>> does
>>> also implementing complex heuristics because let's face it the higher
>>> you go up in
>>> the tcp/ip stack the more complex the headers and payload become, the
>>> more bugs you'll get
>>> in the code that does the heuristics --> the more flaws there are to be
>>> exploited!
>>
>> Sorry, but I don't consider NAT Routers to be firewalls, they are
>> routers with some fancy features, not firewalls.
>If the router closes all ports and conceals LAN IP addresses
>then it's just as good, and in one respect better than, any
>software firewall.
IF it closes all ports (NAT is irrelevant). But the hypothesis of the
thread was that ports were being punched through the router. Note that a
router which refuses to pass on ports IS a firewall. And since it operates
on software loaded on the router, it is a software firewall.
10-13-2007, 01:27 AM
Re: How did they get past my NAT?
In article <ia2dneKJc_O3U5LanZ2dnUVZ_r7inZ2d@comcast.com>, rick0.merrill@NOSPAM.gmail.com says...
> Leythos wrote:
> > In article <470e9db8$0$22311$ba620e4c@news.skynet.be>, goarilla <"kevin
> > DOT paulus AT skynet DOT be"> says...
> >> do you consider netfilter to be a firewall (well in essence it's a
> >> statefull packet filter)
> >> because iirc there is no smtp or http netfilter module
> >> and it does its filtering mostly on the data link and transport
> >> protocol's headers
> >> like most firewalls do. it would be very costly performance wise to
> >> implement
> >> application protocol filters into firewalls and i've yet to see one that
> >> does
> >> also implementing complex heuristics because let's face it the higher
> >> you go up in
> >> the tcp/ip stack the more complex the headers and payload become, the
> >> more bugs you'll get
> >> in the code that does the heuristics --> the more flaws there are to be
> >> exploited!
> >
> > Sorry, but I don't consider NAT Routers to be firewalls, they are
> > routers with some fancy features, not firewalls.
>
> If the router closes all ports and conceals LAN IP addresses
> then it's just as good, and in one respect better than, any
> software firewall.
Actually, a NAT Router is better than any PERSONAL firewall solution
installed on a non-dedicated computer.
--
Leythos - spam999free@rrohio.com (remove 999 to email me)
10-13-2007, 11:45 AM
Re: How did they get past my NAT?
Leythos wrote:
> In article <ia2dneKJc_O3U5LanZ2dnUVZ_r7inZ2d@comcast.com>,
> rick0.merrill@NOSPAM.gmail.com says...
>> Leythos wrote:
>>> In article <470e9db8$0$22311$ba620e4c@news.skynet.be>, goarilla <"kevin
>>> DOT paulus AT skynet DOT be"> says...
>>>> do you consider netfilter to be a firewall (well in essence it's a
>>>> statefull packet filter)
>>>> because iirc there is no smtp or http netfilter module
>>>> and it does its filtering mostly on the data link and transport
>>>> protocol's headers
>>>> like most firewalls do. it would be very costly performance wise to
>>>> implement
>>>> application protocol filters into firewalls and i've yet to see one that
>>>> does
>>>> also implementing complex heuristics because let's face it the higher
>>>> you go up in
>>>> the tcp/ip stack the more complex the headers and payload become, the
>>>> more bugs you'll get
>>>> in the code that does the heuristics --> the more flaws there are to be
>>>> exploited!
>>> Sorry, but I don't consider NAT Routers to be firewalls, they are
>>> routers with some fancy features, not firewalls.
>> If the router closes all ports and conceals LAN IP addresses
>> then it's just as good, and in one respect better than, any
>> software firewall.
>
> Actually, a NAT Router is better than any PERSONAL firewall solution
> installed on a non-dedicated computer.
>
What if your personal computer runs a BSD (ipfw, pf) or GNU/Linux
distribution (iptables)?
And is there such a big difference between a firewall that has its code
burned in flash (firmware)
and a firewall that hooks into the TCP/IP stack of a general purpose OS?
10-13-2007, 12:21 PM
Re: How did they get past my NAT?
In article <4710aff1$0$22302$ba620e4c@news.skynet.be>, goarilla <"kevin DOT paulus AT skynet DOT be"> says...
> Leythos wrote:
> > In article <ia2dneKJc_O3U5LanZ2dnUVZ_r7inZ2d@comcast.com>,
> > rick0.merrill@NOSPAM.gmail.com says...
> >> Leythos wrote:
> >>> In article <470e9db8$0$22311$ba620e4c@news.skynet.be>, goarilla <"kevin
> >>> DOT paulus AT skynet DOT be"> says...
> >>>> do you consider netfilter to be a firewall (well in essence it's a
> >>>> stateful packet filter)
> >>>> because iirc there is no smtp or http netfilter module
> >>>> and it does its filtering mostly on the data link and transport
> >>>> protocol's headers
> >>>> like most firewalls do. it would be very costly performance wise to
> >>>> implement
> >>>> application protocol filters into firewalls and i've yet to see one that
> >>>> does
> >>>> also implementing complex heuristics because let's face it the higher
> >>>> you go up in
> >>>> the tcp/ip stack the more complex the headers and payload become, the
> >>>> more bugs you'll get
> >>>> in the code that does the heuristics --> the more flaws there are to be
> >>>> exploited!
> >>> Sorry, but I don't consider NAT Routers to be firewalls, they are
> >>> routers with some fancy features, not firewalls.
> >> If the router closes all ports and conceals LAN IP addresses
> >> then it's just as good, and in one respect better than, any
> >> software firewall.
> >
> > Actually, a NAT Router is better than any PERSONAL firewall solution
> > installed on a non-dedicated computer.
> >
> what if your Personal Computer runs a BSD (ipfw, pf) or GNU/Linux
> distribution (iptables)? and is there such a big difference between
> a firewall that has its code burned into flash (firmware)
> and a firewall that hooks into the tcp/ip stack of a general purpose OS?
As long as it is a dedicated computer and not one that users are
playing/working on, then it can easily be a firewall. Checkpoint running
on a Nix OS is a great example of a dedicated server class firewall -
notice the dedicated.
With all that is available at a reasonable cost today, a firewall that
is just a router is not really a firewall. The appliances I install can
tell the difference between SMTP and HTTP or FTP and do a lot more,
that's the least I would install.
This still goes back to these cheap residential units called firewalls
by the marketing department - if you look up NAT, it's routing, simple
and plain, not Firewalling.
--
Leythos - spam999free@rrohio.com (remove 999 to email me)
Fight exposing kids to porn, complain about sites like PCBUTTS1.COM that
create filth and put it on the web for any kid to see: Just take a look
at some of the FILTH he's created and put on his website: http://forums.speedguide.net/archive.../t-223485.html all exposed
to children (the link I've included does not directly display his filth).
You can find the same information by googling for 'PCBUTTS1' and
'exposed to kids'. | 
10-13-2007, 02:55 PM
| | | Re: How did they get past my NAT? Leythos <void@nowhere.lan> writes:
> This still goes back to these cheap residential units called firewalls
> by the marketing department - if you look up NAT, it's routing, simple
> and plain, not Firewalling.
And if you look up firewalling um... it can be implemented by.... wait
for it.....
ROUTERS!
I don't dispute marketing departments being very prone to overblowing
capabilities of many devices, but show me a good citation from a
widely known source for "firewall" implying or requiring all the
things you include in your definition.
Point is, it's not nearly as narrowly defined as you seem to require.
No doubt a "firewall" appliance that implements IPS and IDS, and allows
no traffic by default, has the ability to provide a higher level of
security than your garden variety broadband router for the home office
market, but... that does not mean the latter class of devices doesn't
also fit the definition of firewall. They're just lesser firewall
appliances.
--
Todd H. http://www.toddh.net/ | 
10-13-2007, 04:37 PM
| | | Re: How did they get past my NAT? In article <84odf383od.fsf@ripco.com>, comphelp@toddh.net says...
> Leythos <void@nowhere.lan> writes:
>
> > This still goes back to these cheap residential units called firewalls
> > by the marketing department - if you look up NAT, it's routing, simple
> > and plain, not Firewalling.
>
> And if you look up firewalling um... it can be implemented by.... wait
> for it.....
>
> ROUTERS!
Firewalls can route, routers are not firewalls.
> I don't dispute marketing departments being very prone to overblowing
> capabilities of many devices, but show me a good citation from a
> widely known source for "firewall" implying or requiring all the
> things you include in your definition.
>
> Point is, it's not nearly as narrowly defined as you seem to require.
>
> No doubt a "firewall" appliance that implements IPS and IDS, and allows
> no traffic by default, has the ability to provide a higher level of
> security than your garden variety broadband router for the home office
> market, but... that does not mean the latter class of devices doesn't
> also fit the definition of firewall. They're just lesser firewall
> appliances.
I'll give you that, but people seem to think a firewall will protect
them from many things that these NAT Routers don't protect them from,
and a firewall appliance can and does protect them from.
--
Leythos - spam999free@rrohio.com (remove 999 to email me)
Fight exposing kids to porn, complain about sites like pcbutts1 that
create filth and put it on the web for any kid to see: Just take a look
at some of the FILTH he's created and put on his website: http://forums.speedguide.net/archive.../t-223485.html all exposed
to children (the link I've included does not directly display his filth).
You can find the same information by googling for 'PCBUTTS1' and
'exposed to kids'. | 
10-14-2007, 05:16 AM
| | | Re: How did they get past my NAT? Leythos <void@nowhere.lan> writes:
>In article <4710aff1$0$22302$ba620e4c@news.skynet.be>, goarilla <"kevin
>DOT paulus AT skynet DOT be"> says...
>> Leythos wrote:
>> > In article <ia2dneKJc_O3U5LanZ2dnUVZ_r7inZ2d@comcast.com>,
>> > rick0.merrill@NOSPAM.gmail.com says...
>> >> Leythos wrote:
>> >>> In article <470e9db8$0$22311$ba620e4c@news.skynet.be>, goarilla <"kevin
>> >>> DOT paulus AT skynet DOT be"> says...
>> >>>> do you consider netfilter to be a firewall (well in essence it's a
>> >>>> stateful packet filter)
>> >>>> because iirc there is no smtp or http netfilter module
>> >>>> and it does its filtering mostly on the data link and transport
>> >>>> protocol's headers
>> >>>> like most firewalls do. it would be very costly performance wise to
>> >>>> implement
>> >>>> application protocol filters into firewalls and i've yet to see one that
>> >>>> does
>> >>>> also implementing complex heuristics because let's face it the higher
>> >>>> you go up in
>> >>>> the tcp/ip stack the more complex the headers and payload become, the
>> >>>> more bugs you'll get
>> >>>> in the code that does the heuristics --> the more flaws there are to be
>> >>>> exploited!
>> >>> Sorry, but I don't consider NAT Routers to be firewalls, they are
>> >>> routers with some fancy features, not firewalls.
>> >> If the router closes all ports and conceals LAN IP addresses
>> >> then it's just as good, and in one respect better than, any
>> >> software firewall.
>> >
>> > Actually, a NAT Router is better than any PERSONAL firewall solution
>> > installed on a non-dedicated computer.
>> >
>> what if your Personal Computer runs a BSD (ipfw, pf) or GNU/Linux
>> distribution (iptables)? and is there such a big difference between
>> a firewall that has its code burned into flash (firmware)
>> and a firewall that hooks into the tcp/ip stack of a general purpose OS?
>As long as it is a dedicated computer and not one that users are
>playing/working on, then it can easily be a firewall. Checkpoint running
>on a Nix OS is a great example of a dedicated server class firewall -
>notice the dedicated.
>With all that is available at a reasonable cost today, a firewall that
>is just a router is not really a firewall. The appliances I install can
>tell the difference between SMTP and HTTP or FTP and do a lot more,
>that's the least I would install.
>This still goes back to these cheap residential units called firewalls
>by the marketing department - if you look up NAT, it's routing, simple
>and plain, not Firewalling.
And now you are going to tell us what the difference is between a NAT
router that rejects all incoming unsolicited connections, and a firewall
that rejects all unsolicited incoming connections.
It is certainly true that a firewall can be a slightly less blunt
instrument, and can reject or accept more subtly than a NAT router can, but
IF that router is set up not to do any port forwarding, then it is also a
firewall set up to reject all incoming connections. | 
10-14-2007, 12:00 PM
| | | Re: How did they get past my NAT? > It is certainly true that a firewall can be a slightly less blunt
> instrument, and can reject or accept more subtly than a NAT router can, but
> IF that router is set up not to do any port forwarding, then it is also a
> firewall set up to reject all incoming connections.
There are two major differences:
1. NAT is not designed to work as a security solution.
2. Depending on the implementation, it might forward the connection anyway
without any explicit rule. | 
10-15-2007, 11:02 AM
| | | Re: How did they get past my NAT? In article <TChQi.10182$GO5.9633@edtnps90>, unruh-spam@physics.ubc.ca
says...
> And now you are going to tell us what the difference is between a NAT
> router that rejects all incoming unsolicited connections, and a firewall
> that rejects all unsolicited incoming connections.
> It is certainly true that a firewall can be a slightly less blunt
> instrument, and can reject or accept more subtly than a NAT router can, but
> IF that router is set up not to do any port forwarding, then it is also a
> firewall set up to reject all incoming connections.
No, I'm not going to go around in circles for you - you've already shown
that you can't comprehend what is written vs what you think was written.
--
Leythos - spam999free@rrohio.com (remove 999 to email me)
Fight exposing kids to porn, complain about sites like pcbutts1 that
create filth and put it on the web for any kid to see: Just take a look
at some of the FILTH he's created and put on his website: http://forums.speedguide.net/archive.../t-223485.html all exposed
to children (the link I've included does not directly display his filth).
You can find the same information by googling for 'PCBUTTS1' and
'exposed to kids'. | 
10-15-2007, 03:13 PM
| | | Re: How did they get past my NAT? Leythos <void@nowhere.lan> wrote in
news:MPG.217d12e555dffbb4989ae9@adfree.Usenet.com:
....snip more of Leythos' whinging...
Still hard at the weaselling, eh Leythos? Your stupidity is exceeded only
by your tenacity.
Regards, | 
10-15-2007, 03:14 PM
| | | Re: How did they get past my NAT? In article <Xns99CA5DC79768Dabcxyzcom@204.153.245.131>, abc@xyz.com
says...
> Leythos <void@nowhere.lan> wrote in
> news:MPG.217d12e555dffbb4989ae9@adfree.Usenet.com:
> ...snip more of Leythos' whinging...
>
> Still hard at the weaselling, eh Leythos? Your stupidity is exceeded only
> by your tenacity.
I see you're still trolling - since you can't be smart enough to
understand that my view/opinion/experiences were not claimed to be world
encompassing, even though you took them that way....
--
Leythos - spam999free@rrohio.com (remove 999 to email me)
Fight exposing kids to porn, complain about sites like pcbutts1 that
create filth and put it on the web for any kid to see: Just take a look
at some of the FILTH he's created and put on his website: http://forums.speedguide.net/archive.../t-223485.html all exposed
to children (the link I've included does not directly display his filth).
You can find the same information by googling for 'PCBUTTS1' and
'exposed to kids'. | 
10-15-2007, 03:28 PM
| | | Re: How did they get past my NAT? Leythos <void@nowhere.lan> wrote in
news:MPG.217d4df2698e87e3989af7@adfree.Usenet.com:
....snip yet more of Leythos' whining...
Still hard at the weaselling, eh Leythos?
C'mon, don't stop now, just when you're on a roll, Leythos.
C'mon, say something else really stupid, Leythos, and then defend it to the
death with your pathetic weaselling. C'mon, Leythos!
Regards, | 
10-15-2007, 06:53 PM
| | | Re: How did they get past my NAT? "Sebastian G." <seppi@seppig.de> writes:
> > It is certainly true that a firewall can be a slightly less blunt
>> instrument, and can reject or accept more subtly than a NAT router can, but
>> IF that router is set up not to do any port forwarding, then it is also a
>> firewall set up to reject all incoming connections.
>There are two major differences:
>1. NAT is not designed to work as a security solution.
>2. Depending on the implementation, it might forward the connection anyway
>without any explicit rule.
So might an incompetent firewall. A competently implemented NAT does work
as a firewall IF set to not forward any unsolicited packets.
Of course you have to decide if your particular NAT is a competent
implementation. However if you punch holes (have it forward ports) all
bets are off. | 
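As an added illustration (my own constructed code, not anything posted in this thread), the point argued between Sebastian G.'s second difference and the reply above can be modelled in a few lines of Python: a NAT drops unsolicited inbound packets only because its translation table has no entry for them, and how wide an entry is depends on the implementation, whereas a stateful firewall drops them by an explicit default-deny policy. The two NAT filtering behaviours are named after RFC 4787 (endpoint-independent, the classic "full cone", versus address-and-port-dependent filtering); every address, port and device name below is constructed.

```python
# Added illustration (constructed, not from the thread): how "unsolicited inbound
# is dropped" falls out of a NAT translation table, and how that differs from an
# explicit default-deny policy. Filtering names follow RFC 4787.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


WAN_IP = "203.0.113.1"  # constructed public address (RFC 5737 documentation range)


class Nat:
    """Toy NAT: no security policy, only a translation table plus optional forwards.

    filtering is "endpoint-independent" (any remote host may use an open mapping,
    the classic "full cone") or "address-port-dependent" (only the peer the LAN
    host actually contacted may answer through it).
    """

    def __init__(self, filtering, port_forwards=None):
        self.filtering = filtering
        self.port_forwards = dict(port_forwards or {})  # wan_port -> (lan_ip, lan_port)
        self.mappings = {}   # (lan_ip, lan_port) -> wan_port
        self.peers = {}      # wan_port -> {(remote_ip, remote_port), ...}
        self.next_port = 40000

    def outbound(self, pkt):
        """LAN -> WAN: create a mapping on first use and rewrite the source."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        wan_port = self.mappings[key]
        self.peers.setdefault(wan_port, set()).add((pkt.dst_ip, pkt.dst_port))
        return Packet(WAN_IP, wan_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """WAN -> LAN: the LAN endpoint reached, or None if there is nowhere to send it."""
        if pkt.dst_port in self.port_forwards:
            return self.port_forwards[pkt.dst_port]  # a punched hole: delivered whoever sent it
        for (lan_ip, lan_port), wan_port in self.mappings.items():
            if wan_port != pkt.dst_port:
                continue
            if self.filtering == "endpoint-independent":
                return (lan_ip, lan_port)
            if (pkt.src_ip, pkt.src_port) in self.peers[wan_port]:
                return (lan_ip, lan_port)
        return None  # no mapping: dropped as a side effect of routing, not by policy


class StatefulFirewall:
    """Toy default-deny stateful filter with an explicit allow list (no address rewriting)."""

    def __init__(self, allow=()):
        self.allow = set(allow)  # {(lan_ip, lan_port)} permitted to receive unsolicited traffic
        self.flows = set()       # outbound 4-tuples whose replies are permitted

    def outbound(self, pkt):
        self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return pkt

    def inbound(self, pkt):
        if (pkt.dst_ip, pkt.dst_port) in self.allow:
            return (pkt.dst_ip, pkt.dst_port)
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows:
            return (pkt.dst_ip, pkt.dst_port)  # reply to a flow the LAN host opened
        return None  # policy: deny by default


def scenario(device):
    """One LAN host talks to one server; then three inbound packets are tried."""
    lan = Packet("192.168.1.10", 5000, "198.51.100.7", 53)  # constructed addresses
    out = device.outbound(lan)
    # 1. the contacted server answers the flow
    reply = Packet(out.dst_ip, out.dst_port, out.src_ip, out.src_port)
    # 2. an unrelated host aims at the same open port
    stranger = Packet("192.0.2.99", 4444, out.src_ip, out.src_port)
    # 3. an unrelated host aims at a port nobody opened
    cold = Packet("192.0.2.99", 4444, out.src_ip, 22)
    return {
        "reply": device.inbound(reply),
        "stranger": device.inbound(stranger),
        "unsolicited": device.inbound(cold),
    }


if __name__ == "__main__":
    for name, dev in [
        ("NAT, endpoint-independent filtering", Nat("endpoint-independent")),
        ("NAT, address+port-dependent filtering", Nat("address-port-dependent")),
        ("NAT with port 22 forwarded", Nat("address-port-dependent", {22: ("192.168.1.10", 22)})),
        ("stateful firewall, default deny", StatefulFirewall()),
    ]:
        print(f"{name}: {scenario(dev)}")
```

Run it and compare the `stranger` result across the four devices: the endpoint-independent NAT delivers a packet from a host the LAN machine never contacted, the address-and-port-dependent NAT and the firewall do not, and a forwarded port is reachable by anyone on every device. That is the "competent implementation" caveat made concrete: the NAT behaves like the firewall only when its filtering happens to be as strict as the policy you assumed it had, and the only way to know is to test the box you own.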
10-15-2007, 08:09 PM
| | | Re: How did they get past my NAT? In article <gGOQi.14414$G25.13546@edtnps89>, unruh-spam@physics.ubc.ca
says...
> "Sebastian G." <seppi@seppig.de> writes:
>
> > > It is certainly true that a firewall can be a slightly less blunt
>
> >> instrument, and can reject or accept more subtly than a NAT router can, but
> >> IF that router is set up not to do any port forwarding, then it is also a
> >> firewall set up to reject all incoming connections.
>
> >There are two major differences:
>
> >1. NAT is not designed to work as a security solution.
> >2. Depending on the implementation, it might forward the connection anyway
> >without any explicit rule.
>
> So might an incompetent firewall. A competently implemented NAT does work
> as a firewall IF set to not forward any unsolicited packets.
> Of course you have to decide if your particular NAT is a competent
> implementation. However if you punch holes (have it forward ports) all
> bets are off.
No, you don't have to decide, there are quality groups, CERT for one,
that can test and tell us if they pass the proper tes | |