Re: Port scans through NAT router?




"Duane Arnold" <NotMe@xxxxxxxxx> wrote in message
news:PwECf.7931$Hd4.3322@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> ohaya wrote:
>> Hi,
>>
>> I have Sygate Personal Firewall running on my PC, which is connected to
>> the Internet via a Netgear NAT router (RT314). I am occasionally getting
>> popups saying that Sygate detected a port scan, and when I do a
>> backtrace, I can see that they're coming from various places "outside"
>> my network.
>>
>> The main reason for this post is that I'm curious, and I don't
>> understand how that can be happening, because in the Netgear router, I
>> don't have any ports mapped to my machine's internal IP address at all,
>> and I definitely don't have the ports that are being reported by Sygate
>> mapped in the router.
>>
>> So, my question is "How can these port scans, on those ports, which are
>> not mapped in the Netgear router, be getting through to my PC?". I
>> thought that if I didn't map a given port in the Netgear, that the
>> router would have nowhere to route any traffic on any unmapped ports?
>>
>
> Well, does the RT314 which I went to the Netgear site and the RT314 is not
> listed as a product so I can even see the specs for it have SPI (Stateful
> Packet Inspection)?
>
> http://www.cpx.com/whitepapers/Compex%20SPI%20Firewall.pdf
>
> SPI is also being talked about in the link below too.
>
> http://www.homenethelp.com/web/explain/about-NAT.asp
>
> If the NAT router doesn't have SPI as part of its firmware, then
> unsolicited packets/probes can come through the NAT router like a hot
> knife through butter just like they did when I was using a Linksys NAT
> router that didn't have SPI, which BlackIce I was using behind the NAT
> router at the time detected the probes coming through the router reaching
> the machines and stopped them.
>

SPI itself does not provide the router enough information to do port
forwarding. How does it know which internal host to forward these packets
to anyhow? I would be looking at the port forwarding rules that are in
place.

BernieM
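
Added example, not part of the original posts and not any router's actual firmware: a toy Python model of the inbound decision the thread is arguing about. A packet for a port with no forwarding rule and no dynamic mapping has no internal host to go to, while a port opened by the PC's own outbound traffic can be reached by a stranger unless the router also checks the remote endpoint. The class, the `stateful` flag (a simplified stand-in for SPI) and all addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class NatRouter:
    """Toy model of a home NAT router's inbound decision (illustrative only)."""
    stateful: bool = False   # True: only the contacted remote endpoint may reply
    forwards: dict = field(default_factory=dict)  # (proto, wan_port) -> (lan_ip, lan_port)
    sessions: dict = field(default_factory=dict)  # (proto, wan_port) -> (lan_ip, lan_port, remote)
    next_port: int = 40000   # constructed starting point for dynamic WAN ports

    def outbound(self, proto, lan_ip, lan_port, remote):
        """A LAN host opens a connection; the router records a dynamic mapping."""
        wan_port = self.next_port
        self.next_port += 1
        self.sessions[(proto, wan_port)] = (lan_ip, lan_port, remote)
        return wan_port

    def inbound(self, proto, src, wan_port):
        """Return (verdict, lan_destination) for a packet arriving on the WAN side."""
        key = (proto, wan_port)
        if key in self.forwards:                 # static port-forwarding rule
            return "forward", self.forwards[key]
        if key in self.sessions:                 # dynamic mapping from earlier outbound traffic
            lan_ip, lan_port, remote = self.sessions[key]
            if not self.stateful or src == remote:
                return "forward", (lan_ip, lan_port)
            return "drop", None                  # mapping exists, but src is not the peer
        return "drop", None                      # no mapping: no internal host to choose

def demo():
    scanner = ("198.51.100.7", 55555)            # constructed addresses (documentation ranges)
    web = ("192.0.2.80", 80)
    pc = ("192.168.0.2", 51000)
    out = {}
    for stateful in (False, True):
        r = NatRouter(stateful=stateful)
        out[stateful, "unmapped"] = r.inbound("tcp", scanner, 445)
        p = r.outbound("tcp", *pc, web)
        out[stateful, "reply"] = r.inbound("tcp", web, p)
        out[stateful, "stranger"] = r.inbound("tcp", scanner, p)
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```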