Re: Is there a risk with firewalls?
- From: "jameshanley39@xxxxxxxxxxx" <jameshanley39@xxxxxxxxxxx>
- Date: 27 Jul 2007 18:44:58 GMT
Sebastian G. wrote:
> jameshanley39@xxxxxxxxxxx wrote:
>>> Now, would someone please get the point that a typical NAT router
>>> doesn't magically drop every packet with an unknown target, but rather
>>> takes measures to guess the target and forward it by chance?
>>> That's why Stephen's suggestion is so misguided, since it won't
>>> help at all with protecting a vulnerable system.
>> what do you mean 'guess the target' ?
> Exactly that: applying some programmed algorithm that selects the
> most likely target. For example, if the router assigns IP addresses
> via DHCP and has only seen one client so far, it could forward
> everything there. Or if there are multiple clients and one has eMule
> running, and the router has already seen TCP segments on port 4662, then
> incoming packets with ports 4661, 4665 and 4672 are forwarded there.
> Or if it saw an FTP connection and read a PORT command, it might also
> set up the appropriate forwarding.
>> If the NAT router receives an incoming connection it blocks it, unless port
>> forwarding has been set up.
> That's how it should be.
> However, the implementors are interested in providing maximum
> connectivity and reducing support costs. If the router does some good
> guessing, so much the better.
>> I don't see any guessing.
interesting
> Well, did you actually test your router's implementation?
not for lack of trying!!
I vaguely recall an issue or issues that stopped me.
I wanted to analyse what connections were going on using netstat, but
once a connection is established, you can't know for sure if it's
incoming or outgoing. You have to guess based on port number (whether
the port number is high or low). I wasn't content with that.
I guess the term I should use is that netstat is not stateful.
What methods are there to know whether an established connection is
incoming or outgoing?
I did at one point use ethereal with a filter, and that worked. But I'm
interested in other methods.
Also, one weakness with ethereal used as a local port monitor is that,
unlike netstat, it doesn't show what process is using a port. Not
surprising, since 'by concept' it's not meant for that, because the process
id is not in a packet!
Another thing I wanted to test further: two computers A and B communicating
with MSN v6.x or later, sending each other a file.
(I've since read that it might use a 'relay server'; the server sits in the
middle, and A and B each make an outgoing connection to that.)
But anyhow, I recall seeing B's IP, and the connection was
incoming:
71.4.5.2:1118 TO 192.168.0.2:2344
And I thought, hang on, my router isn't port forwarding 2344, is it?
I did an online port scan and it didn't show it as open (though maybe
that was irrelevant, since it turned out that it wasn't open locally
either).
I did a local port scan, from another computer on my LAN, and it said
closed or filtered. Not open.
I didn't understand that. And in retrospect, I'm still puzzled; maybe
it was only open to that 71... IP, but I didn't know how to spoof that
to check. I guess I could've asked the friend to scan from his computer.
I don't think my router had that port open. Maybe it was acting a bit
like some proxies (the ones kids might use at school to get out of a
firewall). I don't mean like a proxy in changing the source IP to its
own, but in changing the TCP port. So maybe one port, not 2344, was
being port forwarded by my router, and through it I was getting
incoming connections to my computer at other ports.
I didn't and still don't know how to analyse that further.
And the SpeedTouch NAT router I have at the moment has such an ugly GUI
that I can't see what it's port forwarding in one screen. It's reliable
though, unlike previous ones I've had.
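The post asks how to tell whether an established connection was opened from inside or from outside, and notes that netstat cannot say and that a port-number guess is unreliable. The script below is an added example for this thread, not code from any poster: it takes a parsed packet list (the kind you get from ethereal/tshark), attributes each TCP flow's direction from the bare SYN that opened it, and flags inbound SYNs that reached a LAN host on a port the router is not known to forward, which is exactly the 71.4.5.2:1118 to 192.168.0.2:2344 situation described above. The packet list is constructed by hand, and LAN_NET and FORWARDED_PORTS are assumptions for illustration. It also includes the high/low-port heuristic the poster was unhappy with, so you can see it fail on that same flow.

```python
"""Classify TCP flows in a capture as outbound, inbound or unknown,
and flag inbound connections to ports the router is not known to forward.

Added example for this thread (not code from any poster). The packets
below are constructed by hand to mirror what a pcap yields after parsing;
LAN_NET and FORWARDED_PORTS are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.0.0/24")   # assumed inside network
FORWARDED_PORTS = {4662}                  # assumed: only eMule's port is forwarded


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # TCP flags as in a tshark summary: "S", "SA", "A", "PA", ...


def flow_key(p):
    """Order-independent pair of endpoints so both directions map to one flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def guess_by_port(p):
    """The heuristic the poster was unhappy with: whichever side holds the
    low (well-known, <1024) port is presumed to be the server. Returns
    'unknown' when both ports are high, as with the MSN transfer."""
    if p.dport < 1024 <= p.sport:
        client = p.src
    elif p.sport < 1024 <= p.dport:
        client = p.dst
    else:
        return "unknown"
    return "outbound" if ip_address(client) in LAN_NET else "inbound"


def classify(packets):
    """Attribute direction from the bare SYN (no ACK) that opened each flow.
    A flow whose SYN was not captured is reported as 'unknown': that is the
    information a netstat ESTABLISHED line lacks."""
    flows = {}
    for p in packets:
        f = flows.setdefault(flow_key(p), {"initiator": None, "packets": 0})
        f["packets"] += 1
        if p.flags == "S" and f["initiator"] is None:
            f["initiator"] = p
    out = {}
    for k, f in flows.items():
        syn = f["initiator"]
        if syn is None:
            direction, flagged = "unknown", False
        elif ip_address(syn.src) in LAN_NET:
            direction, flagged = "outbound", False
        else:
            # An unsolicited inbound SYN reached a LAN host. That is expected
            # only if the router forwards the port; otherwise the mapping was
            # created some other way (a guess, an ALG, a UPnP request...).
            direction, flagged = "inbound", syn.dport not in FORWARDED_PORTS
        out[k] = {"direction": direction, "flagged": flagged,
                  "packets": f["packets"]}
    return out


# Constructed capture: an outbound HTTP fetch, the MSN-style transfer from
# the post (external 71.4.5.2:1118 opening to LAN 192.168.0.2:2344), an
# inbound eMule connection to the forwarded port, and a flow seen mid-stream.
SAMPLE = [
    Pkt("192.168.0.2", 1034, "203.0.113.5", 80, "S"),
    Pkt("203.0.113.5", 80, "192.168.0.2", 1034, "SA"),
    Pkt("192.168.0.2", 1034, "203.0.113.5", 80, "A"),
    Pkt("71.4.5.2", 1118, "192.168.0.2", 2344, "S"),
    Pkt("192.168.0.2", 2344, "71.4.5.2", 1118, "SA"),
    Pkt("71.4.5.2", 1118, "192.168.0.2", 2344, "PA"),
    Pkt("198.51.100.7", 5000, "192.168.0.2", 4662, "S"),
    Pkt("192.168.0.2", 4662, "198.51.100.7", 5000, "SA"),
    Pkt("192.168.0.2", 1200, "203.0.113.9", 443, "PA"),
    Pkt("203.0.113.9", 443, "192.168.0.2", 1200, "A"),
]


def report(packets=SAMPLE):
    """One human-readable line per flow; flagged flows get a marker."""
    lines = []
    for (a, b), info in sorted(classify(packets).items()):
        mark = "  <-- inbound to non-forwarded port" if info["flagged"] else ""
        lines.append(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]} "
                     f"{info['direction']:8s} ({info['packets']} pkts){mark}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

To feed it a real capture, export the five fields with `tshark -r capture.pcap -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.flags` and build Pkt objects from the rows; the capture must be running before the connection is opened, or the flow lands in the 'unknown' bucket, which is precisely the netstat problem restated. On Linux you can skip the capture for direction: the kernel's connection-tracking table (`conntrack -L`) records the original tuple of every entry, so it knows which side opened it, and `ss -tanp` (or `netstat -ano` on Windows) supplies the process mapping that a packet sniffer cannot.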
- References:
- Re: Is there a risk with firewalls?
- From: jameshanley39@xxxxxxxxxxx
- Re: Is there a risk with firewalls?
- From: Sebastian G.
- Re: Is there a risk with firewalls?