Re: Firewall hits passing through a NAT router - How does that work?

From: Rincewind (rinso_at_unseen.edu)
Date: 04/27/05


Date: Tue, 26 Apr 2005 22:59:24 GMT

On Tue, 26 Apr 2005 18:23:11 -0400, Robert Glueck mumbled something like
this:

> I'm running the Firestarter v.0.92 firewall, installed with default
> settings (all traffic from the Internet denied unless it's a response to
> traffic initiated by my machine) on my desktop machine which runs Xandros
> 2.0.1 and is connected to the Internet via a NAT router and a cable modem
> broadband connection. When I scan my machine using the port scanning
> services offered by Sygate, GRC, PCFlank etc., all ports scanned are
> diagnosed as stealthed. No surprise, as it is the router that's being
> scanned, I assume. I also assume that no connect attempt from the
> Internet that's not in response to a connect initiated by myself should
> pass through the router.
>
> Yet, I sometimes get firewall hits, occasionally lots of them (dozens in a
> session) that are recorded by Firestarter as dropped packets. They
> consistently come from a small number of domains, in particular
> reverse.theplanet.com (quite a few different specific IP addresses in that
> domain, e.g. 70.85.109.180, 70.85.15.34, 70.85.14.242, 70.84.68.196),
> reverse.coreix.net (e.g. 83.142.30.80) and dd8316.kasserver.com (a German
> "customer administration system"). The ports that are hit are in the high
> range, e.g. 45321-45445, 33277 and higher, 38600-38800, etc.
>
> Typical log entries in the /var/log/messages file of Xandros (a
> Debian-based distro) look like this:
>
> Apr 20 16:46:50 [deleted] kernel: IN=eth0 OUT= MAC=[deleted]
> SRC=70.85.109.180 DST=192.168.0.3 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF
> PROTO=TCP SPT=80 DPT=33821 WINDOW=5840 RES=0x00 ACK SYN URGP=0
>
> Apr 20 18:54:14 [deleted] kernel: IN=eth0 OUT= MAC=[deleted]
> SRC=83.142.30.80 DST=192.168.0.3 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF
> PROTO=TCP SPT=80 DPT=33903 WINDOW=5840 RES=0x00 ACK SYN URGP=0
>
> Two questions:
>
> 1. How is it possible that an unauthorized connect attempt from these
> sources can penetrate through the NAT router to be recorded by my
> firewall? As an aside, one of the security scanners available on the web
> that I used to have my machine scanned (I don't remember which) was
> actually able to determine the correct local (LAN) address of my machine,
> behind the router. How is that possible?
>
> 2. Who are these folks at reverse.theplanet.com, reverse.coreix.net and
> kasserver.com, and what are they up to?
>
> Many thanks for your help.
>
> Robert

The above are responses from a web server (SPT=80). You sometimes get this
behaviour when the web server is so slow to respond that the connection is
timed out by your browsing machine, but the router still remembers the
connection and passes it through. I see this frequently with one of the
news servers I use.

-- 
Rinso
     /\
    /  \
   /wizz\
~~~~~~~~~~~~
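As an added example (not code from the post or from Firestarter): a small parser for the netfilter log format quoted above that separates SYN/ACK packets arriving from a service port on a high local port, the late replies to the machine's own connections that Rinso describes, from bare inbound SYNs that really are connection attempts. The first two sample lines follow the post's entries; the third line and the 1024 ephemeral-port threshold are constructed assumptions.

```python
from typing import Dict, List, Set

# Constructed sample log: the first two lines mirror the entries quoted in
# the post, the third is an invented bare SYN to a low port for contrast.
SAMPLE_LOG = """\
Apr 20 16:46:50 [deleted] kernel: IN=eth0 OUT= MAC=[deleted] SRC=70.85.109.180 DST=192.168.0.3 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=80 DPT=33821 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 20 18:54:14 [deleted] kernel: IN=eth0 OUT= MAC=[deleted] SRC=83.142.30.80 DST=192.168.0.3 LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=80 DPT=33903 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 20 19:02:01 [deleted] kernel: IN=eth0 OUT= MAC=[deleted] SRC=198.51.100.7 DST=192.168.0.3 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=4711 DF PROTO=TCP SPT=4444 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
EPHEMERAL_START = 1024  # assumed boundary between service and client ports


def parse_netfilter_line(line: str) -> Dict[str, object]:
    """Turn the KEY=VALUE and bare-flag tokens after 'kernel:' into a dict."""
    _, _, body = line.partition("kernel:")
    rec: Dict[str, object] = {"flags": set()}
    for tok in body.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val            # e.g. SRC=70.85.109.180, OUT= (empty)
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)     # bare tokens such as ACK SYN
        else:
            rec[tok] = True           # other bare tokens, e.g. DF
    return rec


def classify(rec: Dict[str, object]) -> str:
    """Label a dropped packet by what the handshake state says about it."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags: Set[str] = rec["flags"]  # type: ignore[assignment]
    spt, dpt = int(rec["SPT"]), int(rec["DPT"])
    if flags == {"SYN", "ACK"} and spt < EPHEMERAL_START <= dpt:
        # Second step of the handshake, from a service port to a high client
        # port: a reply to a connection this side opened, not a fresh probe.
        return "late-reply"
    if flags == {"SYN"}:
        return "inbound-connect-attempt"
    return "other"


def summarize(log: str) -> Dict[str, List[str]]:
    """Group SRC:SPT->DPT of every kernel log line under its classification."""
    out: Dict[str, List[str]] = {}
    for line in log.splitlines():
        if "kernel:" not in line:
            continue
        rec = parse_netfilter_line(line)
        out.setdefault(classify(rec), []).append(f"{rec['SRC']}:{rec['SPT']}->{rec['DPT']}")
    return out
```

Running `summarize(SAMPLE_LOG)` puts both of the post's entries under "late-reply" and only the constructed bare SYN under "inbound-connect-attempt".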

