Re: Linksys Router and BlackICE - Confused!!

From: Leythos (void_at_nowhere.org)
Date: 09/24/04


Date: Fri, 24 Sep 2004 13:01:54 GMT

In article <8a48l0thhmcv3phcsv2502o6143qhtfar9@4ax.com>,
beauford@hotpop.com says...
> Hi,
>
> I have a Linksys BEFSR41 router with 6 computers connected to it as
> outlined below.
>
> Win2000 - Domain Controller and Mail Server - BlackIce installed
> Win2000 - Domain Controller and IIS Web Server - BlackIce Installed
> XP Pro - Workstation
> XP Pro - Workstation
> Linux Slackware - Stand alone - Apache webserver running
> Windows NT 4.0 - Workstation
>
> I have my Linksys Router set up to forward port 25 traffic to my mail
> server and to forward port 80 web traffic to my Linux box.
>
> Since I installed the mail server it is being hammered by these Asian
> IP blocks trying to relay through it - so I installed BlackIce to
> block this - and that is working fine.

Here is the root of your problem: if you want to firewall your
applications and servers you need to purchase a firewall, not a NAT
device. In this case, you want to block outsiders based on IP subnets,
and a real firewall can do this for you. I have 83 Class C subnets
blocked in my firewall, and several Class A subnets - these are
permanent blocks. I also have the firewall detect probes on 135 through
139 and 445 (and 1433/1434) and block those addresses for 20 minutes.

You do NOT want to rely on something like BI (which was just IDS when it
started) to secure your servers; never trust something running on the
server offering services to protect itself.

> Here's the part where I'm confused. On the other Win2k PC BlackICE is
> also picking up traffic to port 25 - and when you look at the logs it
> says the victim IP is that of my mail server.
>
> I contacted Linksys and they said this is normal. Well it doesn't seem
> normal to me. If port 25 is not being forwarded to this machine then
> does it not make sense that this machine should not be seeing any
> traffic to this port?
>
> This is what I got from Linksys
>
> "Since the computer is hooked up to the router and the firewall
> detects the traffic, even though the port is not forwarded to that
> computer, since it is an activity on the router, it would still detect
> the traffic for that port but that doesn't mean that it is going
> through it."
>
> My understanding was that any traffic that is not forwarded to a
> specific machine should be dropped. So BlackICE should never see this
> traffic. Am I missing something here.....

None of the traffic that is inbound, unless invited or forwarded, makes
it from the WAN side to the LAN side. If you install Wall Watcher (free)
you can see when something hits the WAN port and fails to get to the LAN
side - the local address will show the public IP - indicating that the
probe didn't make it into your LAN.

We run hundreds of Linksys units across the country, various levels of
firmware, and never see the problem you describe.

You need to check the forwarding rules in the Linksys and see what
you've configured.

Your best bet is to purchase a WatchGuard Firebox or a SOHO unit and set
it up to firewall your devices. A SOHO unit is about $500, a Firebox
(that can do the things I described above) is a lot more, but it's worth
it.

-- 
spamfree999@rrohio.com
(Remove 999 to reply to me)
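As an added illustration (not code from either poster, and not part of the Linksys, BlackICE or Wall Watcher software), here is a Python sketch of the two checks discussed in the reply: deciding from a log record whether an inbound hit stopped at the router's public address or was actually delivered to a LAN host, and the "block a source that probes 135-139, 445 or 1433/1434 for 20 minutes" rule. The log line format, the WAN address 198.51.100.2 and the LAN range 192.168.1.0/24 are constructed assumptions for the example.

```python
import ipaddress
from datetime import datetime, timedelta

# Ports the reply treats as probe traffic: 135 through 139, 445, 1433/1434.
PROBE_PORTS = set(range(135, 140)) | {445, 1433, 1434}
BLOCK_FOR = timedelta(minutes=20)  # temporary block length from the reply

def parse_line(line):
    """Parse one constructed log line:
    '2004-09-24 13:00:00 src=A.B.C.D dst=E.F.G.H dport=N'."""
    date, time, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "src": ipaddress.ip_address(kv["src"]),
            "dst": ipaddress.ip_address(kv["dst"]),
            "dport": int(kv["dport"])}

def crossed_into_lan(rec, wan_ip, lan_net):
    """True if the packet was delivered to a LAN host. A destination equal
    to the router's own public IP means it was stopped on the WAN side."""
    if rec["dst"] == wan_ip:
        return False
    return rec["dst"] in lan_net

class ProbeBlocker:
    """Block any source touching a probe port, expiring after BLOCK_FOR."""
    def __init__(self, block_for=BLOCK_FOR):
        self.block_for = block_for
        self.blocked_until = {}  # source address -> expiry time

    def observe(self, rec):
        """Return True if this packet should be dropped."""
        now, src = rec["ts"], rec["src"]
        expiry = self.blocked_until.get(src)
        if expiry is not None and now < expiry:
            return True              # still inside the 20-minute window
        if rec["dport"] in PROBE_PORTS:
            self.blocked_until[src] = now + self.block_for
            return True              # start (or restart) the block
        return False

def analyse(lines, wan_ip="198.51.100.2", lan_net="192.168.1.0/24"):
    """Return (src, dport, reached_lan, dropped_by_probe_rule) per line."""
    wan, lan = ipaddress.ip_address(wan_ip), ipaddress.ip_network(lan_net)
    blocker, out = ProbeBlocker(), []
    for line in lines:
        rec = parse_line(line)
        out.append((str(rec["src"]), rec["dport"],
                    crossed_into_lan(rec, wan, lan), blocker.observe(rec)))
    return out

# Constructed sample log (not real traffic): forwarded SMTP, a probe on
# 135, a follow-up hit inside the block window, one after it expired,
# and a second source probing 1433.
SAMPLE_LOG = [
    "2004-09-24 13:00:00 src=203.0.113.7 dst=192.168.1.10 dport=25",
    "2004-09-24 13:00:05 src=203.0.113.7 dst=198.51.100.2 dport=135",
    "2004-09-24 13:10:00 src=203.0.113.7 dst=198.51.100.2 dport=80",
    "2004-09-24 13:25:00 src=203.0.113.7 dst=192.168.1.20 dport=80",
    "2004-09-24 13:25:01 src=203.0.113.9 dst=198.51.100.2 dport=1433",
]
```

Running `analyse(SAMPLE_LOG)` shows the forwarded SMTP hit as the only one that reached a LAN host before the probe rule kicks in, and the port 80 hit at 13:10 being dropped purely because its source is still inside the 20-minute block started at 13:00:05.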

