Re: WinRoute Pro

From: bargepole (jbhur@hotmail.com)
Date: 02/03/02


From: "bargepole" <jbhur@hotmail.com>
Date: Sun, 03 Feb 2002 02:08:19 GMT

I think WinRoute unloads the connection from its NAT table so quickly
because it's designed to share a limited resource among many users. There's
a limit of 1400 table entries, so the quicker one is removed, the faster
it's available to other users.
As you've shown, it's so quick to purge its table that the reply packets
from a previously connected host are unrecognized.

I read somewhere that Tiny refers to the Settings>Advanced>Security Options
as a "wizard", intended as a quick and easy way to set up firewall response
in a general way. Using packet filter rules with logging offers far more
granularity in determining what is to be logged. Personally, I prefer
logging on filter rules, one reason being that each detection uses only 1
line, rather than 2, at the expense of slightly less information (packet
length).

If you have a catchall packet filter rule, maybe you could try turning
logging on and turning off the logging in Security Options.
For example:
Incoming
Internet Interface
...
Drop IP Any host -> Any host Log

This may give you what you want, filling your logs at half the rate. Of
course, you could be more selective by adding individual rules for specific
protocols (ICMP, IGMP, TCP, UDP, etc.)

"L. Walker" <k_aneda@yahoo.com> wrote in message
news:Pine.LNX.4.44.0202031145410.674-100000@myst.puzzle...
> I am sharing the internet using WinRoute Pro 4.1.27 and
> turned on the following log features:
>
> Log incoming packets that have no record in the NAT table [All]
>
> Normally I had it on SYN packets only but realised that it would be handy
> to pick up on ACK scans, etc.
>
> Since having the new logging settings, I have noticed odd things...
> Using diagram:
>
> Webserver <---> Gateway with Winroute <---> Client
>
> I think I was able to work it out this far, but I thought I'd ask to see
> what you people on the newsgroup think.
>
> Whenever client uses a web browser (only tested with Internet Explorer and
> Outlook Express), when the connection is torn down from the client side
> (send FIN ACK/ACK packet, I'm a bit rusty with TCP... correct me if I'm
> wrong please), the connection drops out of the NAT table... and then the
> server sends an ACK packet back and since the connection is dropped from
> the NAT table it lists it as an "incoming packet with no entry in the NAT
> table".
>
> Side note: Another thing I noticed was that masqueraded packets always had
> a source port (from the gateway/NAT box doing the masquerading) of above
> 61000, this helps to filter out the packets when going through large logs...
>
> This is filling up my logs and is becoming rather annoying... anyone got a
> workaround, apart from logging only incoming SYN packets that have no
> record in the NAT table...
>
> Small excerpt from log while browsing yahoo.com:
>
> 11:54:27 NAT: Detected TCP packet which has no entry in the NAT table....
> 11:54:27 NAT: + proto:TCP, len:54, ip+port:216.115.102.78:80 ->
> 203.19.xxx.xxx:61498, flags: FIN ACK...
> 11:54:30 NAT: Detected TCP packet which has no entry in the NAT table....
> 11:54:30 NAT: + proto:TCP, len:1514, ip+port:216.115.102.78:80 ->
> 203.19.xxx.xxx:61498, flags: ACK...
>
> - --
> L. Walker
> IRC: K_aneda @ AustNET, #rna
> - --
> If one wants to be a policeman, one must learn how to be a thief.
> - --
> That's why we spend so much time trying to understand our own
> motivations and those of others. That's what makes life so
> interesting.
> -- Kaji, Evangelion Ep 18
> - --
>
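
One way to triage the "no entry in the NAT table" entries discussed in this thread, as an added example that is not part of either post and is not WinRoute code: it parses the two-line log format quoted above and separates likely teardown stragglers (non-SYN packets to a port above 61000) from entries worth reading. The fan-out threshold, the rejoining of wrapped log lines and the sample addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

MASQ_PORT_MIN = 61000    # from the thread: masqueraded ports were always above 61000
FANOUT_THRESHOLD = 3     # assumed: distinct local ports hit by one source

# Detail ("+") line of a two-line WinRoute NAT log entry, as quoted in the thread.
DETAIL = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) NAT: \+ proto:(?P<proto>\w+), len:(?P<len>\d+), "
    r"ip\+port:(?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+), "
    r"flags:(?P<flags>[A-Z ]*)")

# Constructed sample (documentation addresses), wrapped lines rejoined.
SAMPLE_LOG = """\
11:54:27 NAT: Detected TCP packet which has no entry in the NAT table
11:54:27 NAT: + proto:TCP, len:54, ip+port:192.0.2.78:80 -> 203.0.113.5:61498, flags: FIN ACK
11:54:30 NAT: Detected TCP packet which has no entry in the NAT table
11:54:30 NAT: + proto:TCP, len:1514, ip+port:192.0.2.78:80 -> 203.0.113.5:61498, flags: ACK
11:55:02 NAT: + proto:TCP, len:40, ip+port:198.51.100.9:4021 -> 203.0.113.5:61001, flags: ACK
11:55:02 NAT: + proto:TCP, len:40, ip+port:198.51.100.9:4021 -> 203.0.113.5:61002, flags: ACK
11:55:03 NAT: + proto:TCP, len:40, ip+port:198.51.100.9:4021 -> 203.0.113.5:61003, flags: ACK
11:55:10 NAT: + proto:TCP, len:44, ip+port:198.51.100.200:3310 -> 203.0.113.5:139, flags: SYN
"""

def parse(log_text):
    """Yield one dict per detail line; 'Detected ...' header lines are skipped."""
    for line in log_text.splitlines():
        m = DETAIL.match(line.strip())
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            e["flags"] = frozenset(e["flags"].split())
            yield e

def triage(log_text):
    """Return (leftovers, review): likely teardown stragglers vs. entries to read."""
    entries = list(parse(log_text))
    ports_by_src = defaultdict(set)
    for e in entries:
        ports_by_src[e["src"]].add(e["dport"])
    leftovers, review = [], []
    for e in entries:
        # One source touching many local ports is not a single closed connection.
        fanout = len(ports_by_src[e["src"]]) >= FANOUT_THRESHOLD
        late_reply = (e["dport"] > MASQ_PORT_MIN and "SYN" not in e["flags"]
                      and bool(e["flags"] & {"ACK", "FIN"}))
        (leftovers if late_reply and not fanout else review).append(e)
    return leftovers, review

if __name__ == "__main__":
    leftovers, review = triage(SAMPLE_LOG)
    print(len(leftovers), "likely teardown leftovers;", len(review), "to review")
```

The fan-out check keeps the ACK-scan visibility the original poster wanted: ACK packets from one source to several ports in the masquerade range stay in the review list instead of being discarded as teardown noise.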


