Re: d-link DI-604
From: Arthur Hagen (art_at_broomstick.com)
Date: 11/29/04
- Next message: <©¿©>: "Re: Extending range of wireless network"
- Previous message: Eirik Seim: "Re: Any dual wan routers without a firewall?"
- In reply to: Duane Arnold: "Re: d-link DI-604"
- Next in thread: Duane Arnold: "Re: d-link DI-604"
- Reply: Duane Arnold: "Re: d-link DI-604"
Date: Mon, 29 Nov 2004 15:06:37 -0500
Duane Arnold <Notme@Notme.com> wrote:
> Arthur Hagen wrote:
>
>> The problem is that if a port is *closed*, it *will* send a signal
>> back to a port scanner telling that there *is* a port there. That
>> nothing is coming past it doesn't matter, because it discloses the
>> *presence* of something on that IP address.
>> If all ports and protocols are "stealth" (just dropping the
>> packets), the black hats won't see the difference between that IP
>> and one that's not in use, and will direct their attention elsewhere.
>>
>
> So what if there is a presence there? If one cannot come past the NAT
> router or FW that's protecting the port so what? The port is
> protected.
When you know that the IP exists, you can concentrate on that address, and
start listening to traffic to and from that IP, and do IP spoofing to
camouflage your traffic as valid traffic to reach the inside. Or do a DoS
attack -- just because packets get no reply doesn't mean they don't affect
the recipient. If you don't know that there *is* a host on that IP, you
skip it -- after all, most IP addresses are not in use at all.
If you believe that having a NAT router in front of your site makes you
completely safe, you're sadly mistaken. It just means that more effort is
needed -- and hopefully enough effort that it's not worth the bother, based
on what you have behind it.
>> That said, the main good reason for making port 113 appear closed
>> instead of dropping packets is to speed up outgoing email, which
>> often is delayed from 5-30 seconds while the remote host waits for
>> an ident reply.
>
> I could see this making some kind of sense if the home user's job
> with the machine was to send out a trillion emails.
A 30 second wait is still annoying, and even more so when sending several
emails in one go, like many of us do. And there are even services that won't
let you connect at all without an ident reply.
>> Even better is to add a rule to the NAT firewall that when
>> encountering an outgoing 25/tcp from X to Y, will create a
>> short-lived rule routing incoming 113/tcp from Y to X. That way, the
>> port will NOT answer to any hackers, but ident will work for email
>> (if running identd), and not delay the mail sending. Similar for
>> other fixed port protocols triggering reverse auth -- remote 6667/tcp
>> is another good candidate.
>> Setting up rules like the above can be done on most NAT routers.
>> How to do it differs for different NAT routers, so I can't say how
>> it's done on a Linksys. I've seen it being called "Special
>> Applications" and "Triggered Rules", but again, the nomenclature
>> might differ.
>
> All one has to do is port forward 113 to a dummy ip in the DMZ of the
> router and 113 is so called stealth. But I stopped doing it with the
> Linksys and don't do it with the Watchguard either.
That won't solve the problem, though -- it's just working around a
workaround of the router. And it's also potentially unsafe, as you're
letting unsolicited traffic into the LAN, even if nothing (currently)
answers to it.
-- *Art
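The "triggered rule" described in the quoted text (an outgoing 25/tcp or 6667/tcp connection from X to Y opens a short-lived pinhole for 113/tcp from Y back to X, while every other 113/tcp packet is silently dropped) as a small simulation. This is an added example, not code from the thread or from any router vendor; the 30-second lifetime and the host addresses are assumed values.

```python
# Added example: a minimal model of a NAT firewall "triggered rule" for ident.
# An outbound SMTP/IRC connection from inside host X to peer Y opens a pinhole
# so that Y, and only Y, may reach X on 113/tcp for the ident lookup. Any other
# 113/tcp packet gets no answer at all (DROP, not REJECT), so a scanner learns
# nothing. Timestamps are passed in explicitly so behaviour is deterministic.
from dataclasses import dataclass, field

# outbound destination port -> inbound port the peer is then allowed to open
TRIGGERS = {25: 113, 6667: 113}   # SMTP and IRC both trigger ident, as in the post


@dataclass
class TriggeredFirewall:
    ttl: float = 30.0                                   # pinhole lifetime (assumed)
    pinholes: dict = field(default_factory=dict)        # (peer, inside, port) -> expiry

    def outbound(self, src, dst, dport, now):
        """Inside host src opens dst:dport; record the matching reverse pinhole."""
        if dport in TRIGGERS:
            self.pinholes[(dst, src, TRIGGERS[dport])] = now + self.ttl
        return "ACCEPT"

    def inbound(self, src, dst, dport, now):
        """Decide the fate of an unsolicited inbound packet from src to dst:dport."""
        # Expire stale pinholes first so a late probe is not let through.
        self.pinholes = {k: exp for k, exp in self.pinholes.items() if exp > now}
        if (src, dst, dport) in self.pinholes:
            return "ACCEPT"   # Y -> X on 113/tcp while the pinhole is open
        return "DROP"         # everything else: no RST, no ICMP, just silence


def demo():
    """Walk through the scenario from the post; returns the decisions made."""
    fw = TriggeredFirewall(ttl=30.0)
    fw.outbound("10.0.0.5", "203.0.113.10", 25, now=0)          # X mails via Y
    return {
        "ident_from_mailserver": fw.inbound("203.0.113.10", "10.0.0.5", 113, now=1),
        "ident_from_scanner": fw.inbound("198.51.100.7", "10.0.0.5", 113, now=1),
        "ident_to_other_host": fw.inbound("203.0.113.10", "10.0.0.6", 113, now=1),
        "ident_after_expiry": fw.inbound("203.0.113.10", "10.0.0.5", 113, now=31),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Because the pinhole is keyed on both the peer and the inside host, only the mail server the user actually contacted can get an ident answer, which is what makes this safer than forwarding 113 to a dummy DMZ address.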