Re: Would a firewall prevent Sasser worm?

From: Lars M. Hansen (
Date: 05/07/04

Date: Fri, 07 May 2004 14:58:28 GMT

On 7 May 2004 10:24:47 -0400, John Brock spoketh

>Thanks for the answer. If I may try to boil it down, it looks like
>you are saying that NAT is a perfectly good firewall for a home
>user who has no reason to think he will ever be the target of a
>DoS attack (which is to say most home users) and has no desire ever
>to allow outside computers to initiate connections to his machine.
>Is that right?

Yes and no. A NAT router provides adequate protection for home users.
These devices are designed to block inbound connections while allowing
all outbound connections. Most such routers also allow you to host
servers (forwarding traffic on certain ports to a defined internal
host), and some allow for blocking some outbound ports.

SPI simply means that the router does a closer inspection of the packets
to ensure that they are what is really expected.

>Or let me put it another way: If I am using a NAT router and I go
>to a security site like and use its ShieldsUP! facility I
>should see nothing but closed ports, which means that while it's
>possible for a hacker to disrupt my Internet connection with a DoS
>attack it is *not* possible for him to break into my machine. Yes?

Yes, all your ports should show up as closed. This makes it difficult
for outsiders to get into your network; however, there are supposed to be
ways to fool NAT and get in anyway. But that's a lot of work to be
doing to get into a home user's computer.

>You are saying that what an SPI firewall does is allow you to expand
>on this basic protection, allow certain incoming connections, and
>perhaps filter outgoing connections in various ways. Right?

SPI does a closer inspection of incoming packets to ensure that they
match the reply packets that are expected. Doesn't have anything to do
with allowing traffic or filtering outbound. For instance, when Linksys
introduced SPI for their BEFSR11 and 41, that broke port forwarding, so
those hosting servers couldn't enable SPI...

>I bought my BEFSX41 firewall/router because I had gotten the
>impression from various reading that a NAT router, while helpful,
>fell short of complete protection from outside break-ins. I don't
>resent spending the extra money, but it looks like you are telling
>me that I was mistaken, and that for my purposes NAT alone would
>have been sufficient. The thing is, I may be helping another home
>user get set up for broadband soon, and if a NAT router is all she
>needs then there is little point in making things more expensive
>and complicated by getting a full firewall/router. But I don't
>want to leave this person open to infection either, so I want to
>make sure I understand the issue fully. Can you point me to any
>helpful web sites which go into the issue of NAT as firewall in
>more detail?

My recommendation is that you get anti-virus software and a router of
some kind. A NAT router is relatively cheap, and it does keep the junk
on the outside from getting to the inside. Anti-virus software for home
use can be had from a few vendors for free.

Lars M. Hansen
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
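A toy model of the distinction drawn in the reply above, added here as an example and not part of the original thread: plain NAT drops anything that has no translation entry, while SPI additionally checks that an inbound packet is the reply the outbound connection is expecting. The addresses, ports and the `Packet`/`NatRouter` names are constructed for the example; the strict reply-only check in SPI mode also shows why such inspection conflicts with static port forwarding.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    seq: int = 0
    ack_num: int = 0


@dataclass
class NatRouter:
    public_ip: str
    spi: bool = False
    forwards: dict = field(default_factory=dict)  # public port -> (LAN host, LAN port)
    table: dict = field(default_factory=dict)     # public port -> connection state
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: allocate a public port and remember what a valid reply looks like."""
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[pub_port] = {"lan": (pkt.src, pkt.sport), "peer": (pkt.dst, pkt.dport),
                                "sent_seq": pkt.seq, "established": False}
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport,
                      pkt.syn, pkt.ack, pkt.seq, pkt.ack_num)

    def inbound(self, pkt: Packet) -> str:
        """WAN -> LAN: returns 'drop', 'forward' (static port forward) or 'reply'."""
        state = self.table.get(pkt.dport)
        if state is None:
            # Plain NAT: no translation entry means there is nowhere to send it.
            return "forward" if pkt.dport in self.forwards and not self.spi else "drop"
        if not self.spi:
            return "reply"  # plain NAT translates anything aimed at a live mapping
        # SPI: the packet must look like the reply the outbound connection expects.
        if (pkt.src, pkt.sport) != state["peer"]:
            return "drop"  # right public port, wrong remote peer
        if pkt.syn and not pkt.ack:
            return "drop"  # a bare SYN is a new connection attempt, not a reply
        if not state["established"] and pkt.ack_num != state["sent_seq"] + 1:
            return "drop"  # the SYN/ACK must acknowledge the sequence number we sent
        state["established"] = True
        return "reply"
```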
