Re: Linksys WRT54G and Firewall software
- From: Gerald Vogt <vogt@xxxxxxxxxxx>
- Date: Mon, 26 Mar 2007 12:54:10 +0900
Leythos wrote:
>> Yes. But the NAT router is directly connected to the internet connection
>> and it is completely unprotected (i.e. no filtering at all) on the LAN side.
>
> Oh, and you think that XP, directly connected to the PUBLIC Internet is
> completely protected? Nope.

Yes. It is protected. In some respects it does the same as the NAT
router except for the NAT.
> Now, the NAT router, WAN port, the device was specifically designed to
> block unsolicited traffic inbound, which is not what the XP firewall was
> designed to do.

What exactly was the XP firewall designed to do if not block unsolicited
inbound traffic?
> Oh, and LAN side - you mean like if the packets get past the XP Firewall
> they don't have full access to the computer/OS/apps?

If something gets past the XP firewall it must not necessarily have full
access to the computer. It may just be limited user access. It depends
where the packet ends.

But what I meant is that an average router is a very vulnerable
target on the LAN side as it basically has no protection at all on the
LAN side. Any malware on a computer on the LAN side, even a simple
script which is running in a limited user account, can openly attack the
router to reconfigure it or even flash it with a hacker firmware. The malware
could even run a brute force attack on the password...
> The NAT router is secured by default, except for wireless, and they are
> starting to change that.

NAT routers are not "secured" per se by default. They run NAT. NAT tries
to match incoming packets to established connections and conversations.
Its purpose is not to block but to allow traffic through. NAT thus drops
any packets which it does not know where to send. But the reason is not
to secure anything but simply because it does not know where to send the
packet. If it thinks it knows because there is something in the SPI table
it sends it there. Check the filter rules on an actual NAT router. Look at
the rules. The "security" NAT provides is simply dropping packets if it
does not know what else to do with them.

> NAT routers don't "Think" they either match or don't match. There is no
> thinking in it. Dropping "unsolicited" or "unmatched" traffic is proper
> and what should be done.

Yes. But it depends on the definition of "unmatched". The router does
not consider if the packet is unmatched or not. It tries to match as
well as it can. You usually won't notice if it does the job too well and
forwards an unsolicited packet because the computer it gets to may
consider it unsolicited, too. But generally, you can observe that there
are some unsolicited (or misdirected) packets going through, in
particular in situations where you have several computers behind the NAT
and you are using UDP.
> The NAT router is not something that the user can screw up without
> connecting to it knowingly.

Yes. But many routers are used mostly unconfigured, often without even
changing the default password. Many routers even have UPnP enabled.

> And almost every one of those with UPnP and a default password doesn't have
> remote management enabled - so, again, they are secure by default - except
> for unsecured wireless, but as I mentioned, they are getting much better
> at not enabling wireless.

If the user screws up and has some malware on the computer, even if it
is only running as limited user, the complete router can be taken over
with some simple reconfigurations or a proper hacker firmware. The user
won't even notice because the internet connection works as usual.
> The NAT router does not have port-forwarding (exceptions) enabled by
> default.

Nor does the XP SP2 FW.

> LOL - you're completely wrong. If I pick up any computer by any big box
> outfit it will have preconfigured exceptions. If I setup file and printer
> sharing it will setup exceptions. If I run as an administrator and install
> AOL it will punch holes/exceptions in it...

Setting up file and printer sharing or installing AOL is no default port
forwarding. The last time I checked, Windows asked before opening
some ports for file and printer sharing. But not by default.
> If I install a NAT Router (SOHO Typical) from the store, just bought
> today, no port forwarding, no holes, no way for the OS to configure it
> without my permission and knowing the password/IP, etc....

O.K. I take my laptop from the store, turn on the XP SP2 FW with no
exceptions and connect to a public hotspot. No problem either. Works
fine to download all the newest updates from Microsoft... And I am
pretty sure that the FW will be on by default in an OEM installation.
Gerald
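The NAT table behaviour the two posters argue over, as an added example that is not part of the original thread and not code from any Linksys or WRT54G firmware: a toy Python model of a NAT mapping table. It shows the point made above that the router only checks its table and never judges whether a packet is "wanted", and why the outcome for an unsolicited UDP datagram depends on how strictly the table matches. The two modes are named with the RFC 4787 terms "endpoint-independent" and "address-and-port-dependent" filtering; which one a given SOHO router implements is an assumption here and varies by device. TCP is modelled as always tracked per peer, as a connection-tracking NAT does. All addresses, ports and hosts are constructed sample data.

```python
"""Toy model of a NAT mapping table (added example, not from the thread).

Assumptions: UDP filtering is either "endpoint-independent" (any external
host may reach a mapped port) or "address-and-port-dependent" (only the
peer the inside host contacted may), following the RFC 4787 terminology.
TCP is always matched against the contacted peer. Addresses are constructed
from the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass, field

WAN_IP = "203.0.113.7"   # constructed public address of the router


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Mapping:
    inside: tuple                 # (lan_ip, lan_port) that owns the external port
    ext_port: int
    peers: set = field(default_factory=set)   # (remote_ip, remote_port) contacted


class Nat:
    def __init__(self, filtering="endpoint-independent"):
        assert filtering in ("endpoint-independent", "address-and-port-dependent")
        self.filtering = filtering
        self.table = {}          # (proto, ext_port) -> Mapping
        self.next_port = 40000   # constructed: first external port handed out
        self.log = []            # (action, reason, packet) for inspection

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: reuse or create a mapping, rewrite the source."""
        inside = (pkt.src, pkt.sport)
        for (proto, ext), m in self.table.items():
            if proto == pkt.proto and m.inside == inside:
                break
        else:
            ext = self.next_port
            self.next_port += 1
            m = Mapping(inside, ext)
            self.table[(pkt.proto, ext)] = m
        m.peers.add((pkt.dst, pkt.dport))
        return Packet(pkt.proto, WAN_IP, ext, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        """WAN -> LAN: forward if the table says where, otherwise drop.

        The router never decides whether a packet is 'unsolicited'; it only
        looks the destination port up and, depending on the filtering mode,
        checks the sender against the peers the inside host talked to.
        Returns the rewritten packet, or None when dropped."""
        m = self.table.get((pkt.proto, pkt.dport))
        if m is None:
            self.log.append(("drop", "no-mapping", pkt))
            return None
        strict = pkt.proto == "tcp" or self.filtering == "address-and-port-dependent"
        if strict and (pkt.src, pkt.sport) not in m.peers:
            self.log.append(("drop", "unknown-peer", pkt))
            return None
        lan_ip, lan_port = m.inside
        fwd = Packet(pkt.proto, pkt.src, pkt.sport, lan_ip, lan_port)
        self.log.append(("forward", self.filtering, fwd))
        return fwd


def scenario(filtering):
    """Two LAN hosts send UDP to the same server; an unrelated host then
    probes the first mapped port, and a TCP SYN hits an unmapped port.
    Returns (where the UDP probe was forwarded, list of drop reasons)."""
    nat = Nat(filtering)
    nat.outbound(Packet("udp", "192.168.1.10", 5000, "198.51.100.20", 53))
    nat.outbound(Packet("udp", "192.168.1.11", 5000, "198.51.100.20", 53))
    probe = Packet("udp", "198.51.100.99", 9999, WAN_IP, 40000)
    result = nat.inbound(probe)
    nat.inbound(Packet("tcp", "198.51.100.99", 4444, WAN_IP, 80))
    forwarded_to = (result.dst, result.dport) if result else None
    return forwarded_to, [why for act, why, _ in nat.log if act == "drop"]


if __name__ == "__main__":
    for mode in ("endpoint-independent", "address-and-port-dependent"):
        print(mode, scenario(mode))
```

With endpoint-independent filtering the unrelated host's datagram is delivered to 192.168.1.10:5000 purely because port 40000 is in the table, which is the "does the job too well" case from the post; with address-and-port-dependent filtering the same datagram is dropped as coming from an unknown peer. The TCP SYN to port 80 is dropped in both modes only because no mapping exists, not because anything classified it as hostile. Replacing `Nat.inbound` with a rule that consults a policy rather than just the table is what distinguishes a firewall from NAT.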