How did they get past my NAT?

You are actually one among many who suggest NAT for security, perhaps rightly so, but this should then concern you.

I see Sebastian G has elaborated in further posts.

Reply to
jameshanley39

He did have port forwarding enabled, not 5900, but he was hosting services.

So, any number of things could have exposed his network, and then the hacker could use anything they wanted. Simple, really: exploit a hole in service X, add your own app or use one installed, get access to other things.

As for Routing, I don't need a lesson, I was talking about his device, which is a ROUTER not a firewall.

I can place any of my firewalls in DROP-IN (non-routed) mode and have the same IPs on all jacks - then the rules determine what passes between jacks - he can't do that on his cheap NAT router.

Reply to
Leythos

So, your argument is that NAT routers are more often incompetent than firewalls are. If true, a reasonable argument. Actually you say "have been shown" -- by whom?

Mind you, you stated at the top that you were only concerned with quality firewalls. Does that mean if I say "quality NAT routers" you would agree that the two are equivalent?

Reply to
Unruh

No, I would not. There is no governing body to determine what IS or IS NOT quality. NAT does not make a firewall.

Show me a NAT Router that passes CERT testing as a firewall and I'll change my opinion.

Reply to
Leythos

Usually, that's not true. You may want to think about what's called "NAT helpers".

Usually, it's not a problem to get through a NAT implementation. Skype, for example, does this as default.

Yours, VB.

Reply to
Volker Birk

And just as this flamewar dies out, I'd like to pitch in again. I cannot be absolutely certain what caused the issue as I had little logging enabled, but as I have previously stated, I'm pretty confident that this issue was due to an "Active FTP NAT Helper", as originally suggested by Sebastian G and illustrated with Micheal Ziegler's help. As a result of this issue I upgraded my home router to the latest Tomato firmware (1.11), in which the author has kindly added an option to disable the NAT helper.

The test page I linked somewhere above for the NAT Helper "vulnerability" now happily shows that nothing gets through, with status "500 Go away (PORT IP mismatch).".

Leythos, if exploiting a hole in any service X is as simple as you seem to think (without you knowing anything about the services involved), it's truly amazing to me that the internet still more or less works :)

Thanks, Tao

Reply to
Maniaque
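The mechanism Tao and Sebastian G are describing, as an added model that is not code from Tomato, from Linux netfilter or from any poster: an active-FTP NAT helper watches the control channel for a PORT command, rewrites the private address in it to the public one, and opens an inbound hole for the data connection. If any LAN program can be made to emit PORT-shaped text on a port-21 connection, the hole is opened whether or not real FTP is going on. The hosts, ports and attacker address below are constructed sample values; the "500 Go away (PORT IP mismatch)" text is the server reply quoted in the thread, and the `loose` flag is my name for the "trust any address in PORT" versus "only the sender's own address" behaviour.

```python
"""Model of an active-FTP NAT helper (ALG) and the pinhole it opens.

Added illustration for this thread; not code from Tomato, netfilter or any
poster.  Addresses and ports are constructed sample values.
"""
import re

PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port(line):
    """(ip, port) from an FTP PORT command line, or None if malformed."""
    m = PORT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    port = nums[4] * 256 + nums[5]
    if port == 0:
        return None
    return ".".join(str(n) for n in nums[:4]), port


def format_port(ip, port):
    """Build a PORT command: dotted quad as commas, port as high,low byte."""
    return "PORT %s,%d,%d" % (ip.replace(".", ","), port >> 8, port & 0xFF)


class NatHelper:
    """enabled=False: plain NAT, the control channel passes through untouched.
    loose=True:  trust whatever address PORT names (can point at any LAN host).
    loose=False: only open a hole back to the host that sent the PORT line."""

    def __init__(self, public_ip, enabled=True, loose=True):
        self.public_ip = public_ip
        self.enabled = enabled
        self.loose = loose
        self.pinholes = {}  # (public_ip, port) -> (lan_ip, port)

    def outbound(self, client_ip, line):
        """The control-channel line as forwarded to the server after the helper."""
        parsed = parse_port(line)
        if not self.enabled or parsed is None:
            return line
        ip, port = parsed
        if not self.loose and ip != client_ip:
            return line  # left alone; server sees a private IP and refuses
        self.pinholes[(self.public_ip, port)] = (ip, port)
        return format_port(self.public_ip, port)

    def inbound_target(self, dst_ip, dst_port):
        """LAN (ip, port) an unsolicited inbound SYN is forwarded to, or None."""
        return self.pinholes.get((dst_ip, dst_port))


def server_reply(control_src_ip, line):
    """Reply of a PORT-checking FTP server (like the test page quoted above):
    the address in PORT must equal the control connection's source."""
    parsed = parse_port(line)
    if parsed is None:
        return "501 Syntax error"
    if parsed[0] == control_src_ip:
        return "200 PORT command successful"
    return "500 Go away (PORT IP mismatch)"


def scenario(enabled, loose, target_ip="192.168.1.10"):
    """A LAN host (192.168.1.10, the victim) is made to send a PORT line naming
    target_ip port 139 over a port-21 connection to an outside server.
    Returns (server reply, where an inbound SYN to public:139 now lands)."""
    public, victim = "203.0.113.7", "192.168.1.10"
    helper = NatHelper(public, enabled=enabled, loose=loose)
    forwarded = helper.outbound(victim, format_port(target_ip, 139))
    return server_reply(public, forwarded), helper.inbound_target(public, 139)


if __name__ == "__main__":
    print("helper disabled:      ", scenario(False, True))
    print("helper loose, self:   ", scenario(True, True))
    print("helper loose, other:  ", scenario(True, True, "192.168.1.20"))
    print("helper strict, other: ", scenario(True, False, "192.168.1.20"))
    print("helper strict, self:  ", scenario(True, False))
```

With the helper disabled the PORT line reaches the server carrying a private address, the server answers with the mismatch error, and no hole exists, which is the result Tao reports after the firmware upgrade. With a loose helper the hole is opened to whichever LAN host the PORT line names. Note the caveat the strict variant shows: checking that the PORT address equals the sender's own address stops holes to other LAN hosts, but still opens one back to the machine that was tricked into sending the line.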

Where has it been shown many times?

( Not shown [many times] in this newsgroup. I first heard of any such issue from a few months ago perhaps, from Sebastian, on this newsgroup, and since by Volker. In a thread where you were advocating NAT for - I thought - blocking incoming )

Reply to
jameshanley39

Try google for reference materials.

Reply to
Leythos

Unfortunately, those who make a point like the one you make are less vocal.

you mention " I'd hate to think I didn't get the memo about someone changing the definition of "firewall" with the International Standards Organization "

What is the ISO definition of firewall? I couldn't find it.

Can you name some of the firewalls you used in the past that didn't do much more than the "traditional definition"? And can you define the traditional definition?

What I would GUESS is that a firewall is a packet filter and a packet filter is a firewall. Same thing. Can be a device (network firewall) or software.

A packet filter controls a network by selectively allowing or blocking packets.

A packet filter is always Layer 3 (stateless/static packet filter) and can be both Layers 3 and 4 (stateful/dynamic packet filter).

(Definition based on Webopedia and the one given in the docs for the OpenBSD pf program.)

It rules out the broken cable you mentioned ;-)

Reply to
jameshanley39

Rules out a NAT router too, which is probably good.

With Webopedia, it calls "packet filter" only the first generation of firewall, at the network layer of the OSI model (though if it accesses a TCP port, that is something at Layer 4 too). So, by that definition, SPI != packet filter.

That page does talk of a firewall as sitting between two networks, perhaps as opposed to an individual computer from a network.

It does not mention whether a concept may be flawed, like running a software firewall on a non-dedicated machine.

Reply to
jameshanley39

To keep it simplistic for you, the Internet is a massive/giant network, the Wide Area Network, which the firewall protects from. The network being protected by the FW is the Local Area Network.

Your concept of a FW is flawed. A FW must separate two networks. The network it is protecting from, and the network it is protecting. A FW must have at least two network interfaces. One interface must face the WAN, and the other interface must face the LAN. In the case of a software FW running on a secured host computer, the computer must have two NIC(s) with one facing the WAN and the other one facing the LAN.

If a software solution is not using two NIC(s), it's not a FW, but rather, it's a machine level packet filter protecting at the machine level.

Reply to
Mr. Arnold

If service X has a hole, then service X can be exploited. Clearly the attacker knows which services to try since those are the ports you have open. And exploiting service X means they have entry to your machine. And if they have entry to your machine, then they can do what they want. Why exactly do you say that the internet works? There are probably millions of machines out there that are owned by outsiders, i.e. on which outsiders can do what they want. They primarily use them for launching phishing and spam attacks on the world. Your definition of "works" needs upgrading.

Reply to
Unruh

I am sorry, but you regard paper as a valid computer defense. Who cares if they have a piece of paper attached? The question is not who has the paper trail, but who has the security.

As have firewalls at times.

Reply to
Unruh

What is the complicated way then?

Note: a firewall blocking certain outgoing traffic can help protect other people on the internet from a compromised machine. Leythos is keen on blocking certain outgoing traffic, so he'd probably know of some examples.

Makes sense, thanks.

Reply to
jameshanley39

SMTP, SQL Command, Windows File Sharing, IM......

I don't allow outbound SMTP from workstations ever.

I don't allow outbound SQL Command from anything, ever.

Windows File Sharing, DNS, etc... never from the local workstations..

IM - only from approved workstations....

While DNS is not an easy exploit, the others permit LAN machines to spread malware to people on the net with exposed machines.

Reply to
Leythos

The proper thing would be to block all outbound traffic, and only allow outbound traffic for those applications or services that need outbound traffic. That would mostly apply to a solution such as a FW appliance, packet filtering FW router or a software FW running on a secured gateway computer that could implement the solution properly by creating packet filtering rules.

When segmenting networks, a FW limits the damage that can be spread from one network to another network, like a firedoor or firewall.

Reply to
Mr. Arnold

If you block SMTP, can users only send email via Yahoo-like websites? I guess you don't block some SMTP and not others, since how would you distinguish between good and bad? They could (knowingly or not) be bad and use your SMTP server. You'd have to block all. Do you have no SMTP server?

I know one company that has an SMTP server and does not allow Yahoo. That way they can more easily see all the email that goes in and out.

Reply to
jameshanley39

Well, if you are a techie user on a network of [mostly] idiot users, then you may not appreciate that.

I wouldn't say "properly"..

With a network firewall, you cannot see directly which application sent the packet or established a connection. But you can block packets based on criteria that the application may use, like TCP port and app layer protocol. It is not literally blocking application blah, though. The techie world does [or has produced software or techniques to] evade this sort of thing and get through the firewall.

With a software firewall on each machine - an example you did not mention for obvious reasons - one app could pretend to be another. That firewallleaktest site prob has examples. But at least with that you can identify what application sent the packet, if it is not being evasive or malicious. And as far as I know, the regular techie world has not come up with a way to evade that one! I see malware doing it all the time. But techies are not running commands to let one application pretend to be another.. I guess it is because the need has not arisen. Companies do not - and with good reason - run a PFW on each machine! I don't know if a techie software firewall like perhaps winipfw, or, I don't know if it is a software firewall, but this ipsec thing you mention sometimes (is it a fw?), can see the application that sent the packet.

Reply to
jameshanley39

Yahoo? Who uses Yahoo?

If you don't have your own email server in your network then you can limit your SMTP outbound to just the IP of your ISP's SMTP server - this will cause most SMTP bots to be limited to just the SMTP service of your ISP and they will contact you shortly after you are compromised.

And yes, we block all SMTP Outbound from Workstations/Devices, Except for our own SMTP server - if you're not using our SMTP server then you're not using SMTP.

None of the companies we setup allow IM, Yahoo, MSN, etc... The only SMTP they allow is from their own email server, and there are a lot of other things too.

The Pharmacies don't allow ANY outbound except to Business Partner sites

- so that means no HTTPS or HTTP except to approved sites.

Reply to
Leythos
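The outbound policy Leythos and Mr. Arnold describe (default deny outbound; SMTP only from the mail server, or only to the ISP's relay when there is no internal server; no SQL out at all; no Windows file sharing or DNS straight from workstations; IM only from approved hosts; web only where needed), as an added worked example that is not a ruleset from either poster's firewall. It encodes the policy as a first-match rule list with an implicit final deny and runs it over constructed connection records, so you can see which flows a compromised workstation would still be able to make. The addresses, host roles, port lists and rule names are assumptions for the demo, not from the thread.

```python
"""Default-deny egress policy evaluated against sample flows.

Added illustration; not a config from any poster's firewall.  Addresses,
host roles and port lists are constructed assumptions for the demo.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")
Rule = namedtuple("Rule", "name src dst proto dports action")

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("192.168.1.0/24")
MAIL_SERVER = ipaddress.ip_network("192.168.1.5/32")   # assumed internal MTA
DNS_RESOLVER = ipaddress.ip_network("192.168.1.2/32")  # assumed LAN resolver
IM_APPROVED = ipaddress.ip_network("192.168.1.50/31")  # two approved desks

SMTP_PORTS = {25, 587}
SQL_PORTS = {1433, 1434, 3306, 5432}
SMB_PORTS = {137, 138, 139, 445}
IM_PORTS = {5222, 5223, 1863, 5050}


def base_rules(smtp_allow):
    """Common policy; smtp_allow is the one rule that permits outbound SMTP."""
    return [
        smtp_allow,
        Rule("resolver-dns", DNS_RESOLVER, ANY, "any", {53}, "allow"),
        Rule("block-smtp", LAN, ANY, "tcp", SMTP_PORTS, "deny"),
        Rule("block-sql", LAN, ANY, "tcp", SQL_PORTS, "deny"),
        Rule("block-smb", LAN, ANY, "tcp", SMB_PORTS, "deny"),
        Rule("block-dns", LAN, ANY, "any", {53}, "deny"),
        Rule("im-approved", IM_APPROVED, ANY, "tcp", IM_PORTS, "allow"),
        Rule("block-im", LAN, ANY, "tcp", IM_PORTS, "deny"),
        Rule("web", LAN, ANY, "tcp", {80, 443}, "allow"),
    ]


# Site with its own mail server: only that host may speak SMTP outbound.
RULES = base_rules(Rule("mail-server-smtp", MAIL_SERVER, ANY, "tcp", {25}, "allow"))


def isp_relay_rules(relay_ip):
    """Site without a mail server: workstations may reach only the ISP relay,
    so an SMTP bot can talk to nobody but the ISP, who will notice."""
    relay = ipaddress.ip_network(relay_ip + "/32")
    return base_rules(Rule("isp-relay-smtp", LAN, relay, "tcp", {25, 587}, "allow"))


def evaluate(flow, rules=RULES):
    """First matching rule wins; no match falls to the implicit final deny."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for r in rules:
        if (src in r.src and dst in r.dst
                and r.proto in ("any", flow.proto) and flow.dport in r.dports):
            return r.action, r.name
    return "deny", "default-deny"


def audit(flows, rules=RULES):
    """[(flow, action, rule name)] for every flow; handy over a connection log."""
    return [(f,) + evaluate(f, rules) for f in flows]


# Constructed sample connection attempts, as an egress log might show them.
SAMPLE_FLOWS = [
    Flow("192.168.1.33", "198.51.100.25", "tcp", 25),    # workstation spam bot
    Flow("192.168.1.5", "198.51.100.25", "tcp", 25),     # real mail server
    Flow("192.168.1.33", "203.0.113.9", "tcp", 1433),    # SQL worm
    Flow("192.168.1.33", "203.0.113.9", "tcp", 445),     # SMB spreading
    Flow("192.168.1.33", "203.0.113.53", "udp", 53),     # workstation direct DNS
    Flow("192.168.1.2", "203.0.113.53", "udp", 53),      # resolver
    Flow("192.168.1.50", "203.0.113.10", "tcp", 5222),   # approved IM desk
    Flow("192.168.1.33", "203.0.113.10", "tcp", 5222),   # unapproved IM
    Flow("192.168.1.33", "203.0.113.80", "tcp", 443),    # web
    Flow("192.168.1.33", "203.0.113.80", "tcp", 8080),   # nothing allows this
]

if __name__ == "__main__":
    for flow, action, name in audit(SAMPLE_FLOWS):
        print("%-5s %-17s %s:%s/%s -> %s" % (action, name, flow.src, flow.dport,
                                           flow.proto, flow.dst))
```

The two variants differ only in the single SMTP allow rule, which is the point of both posts: whichever host is permitted to speak SMTP, every other LAN address falls through to `block-smtp`, and anything not explicitly opened ends at the implicit deny.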

The SMTP server that malicious programs are most likely to access when on your network is your SMTP server, since most SMTP servers are not "open relays".

Reply to
jameshanley39

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.