Is there a risk with firewalls?

The word you were searching for might have been "honest" or "direct". As you might understand, this is a place for discussing, not for cuddling and soft caressing. If some people have a problem with that, it's definitely not my fault.

BTW, isn't this getting a little bit off-topic?

Now, would someone please get the point that a typical NAT router doesn't magically drop every packet with an unknown target, but rather takes the measure of guessing the target and forwarding it by chance? That's why Stephen's suggestion is so misguided, since it won't help at all with protecting a vulnerable system.

Reply to
Sebastian G.

The word is "condescending"

Honest and direct.

Reply to
Notan

What do you mean 'guess the target'?

If the NAT router receives an incoming connection, it blocks it, unless port forwarding has been set up.

I don't see any guessing.

Reply to
jameshanley39

He is very technical. You, Duane Arnold, are much much worse in your way!

Remember, software/hardware Firewall tradeoff in comp.security.firewalls Aug 2006


and that referred to The thread was called It had a fantastic discussion, really interesting. But you ruined it somewhat. But nevertheless, it's still good

"56k dial up on laptop 802.11G ?" in alt.internet.wireless

And this was on the same subject. You have a history of being a nuisance, far more so than the person you are targeting today.

Your style is predictable: you don't discuss the nitty-gritty, or share knowledge. You just say 'do it this way', and after posts and posts of you avoiding discussion when faced with somebody knowledgeable enough, or of you avoiding discussion anyway, and name-calling, your method comes out. You say that your stuff is based on conclusions from those you call the top guns of the newsgroup, and you accept it. Very well, but not so good if you try to argue their case. At least quote them.

As time goes by, you may improve a tiny little bit, when you learn a little more from your 'top guns'. But when faced with arguing with somebody knowledgeable whose position is different to one of your 'top guns', you go back to name-calling and personal attacks.

So, Duane Arnold, one option for you is to realise you have a problem. Then stop the personal attacks against people you can't debate with, and people you could partially debate with.

Reply to
jameshanley39

Exactly that: Applying some programmed algorithm that selects the most likely target. For example, if the router assigns IP addresses via DHCP and has only seen one client so far, it could forward everything there. Or if there are multiple clients and one has eMule running, and the router has already seen TCP segments on port 4662, then incoming packets with ports 4661, 4665 and 4672 are forwarded there. Or if it saw an FTP connection and read a PORT command, it might also set up the appropriate forwarding.

That's how it should be. However, the implementors are interested in providing maximum connectivity and reducing support costs. If the router does some good guessing, all the better.

Well, did you actually test your router's implementation?

Reply to
Sebastian G.

Interesting.

Not for lack of trying!!

I vaguely recall an issue or issues that stopped me.

I wanted to analyse what connections were going on using netstat, but once a connection is established, you can't know for sure if it's incoming or outgoing. You have to guess based on port number (whether the port number is high or low). I wasn't content with that.

I guess the term I should use is that netstat is not stateful.

What methods are there, to know if an established connection is incoming or outgoing?

I did at one point use ethereal with a filter, that worked. But I'm interested in other methods.

Also, one weakness with ethereal used as a local port monitor is, unlike netstat, it doesn't show what process is using a port. Not surprising, since 'by concept' it's not meant for that 'cos the process id is not in a packet!

Another thing I wanted to test further: 2 comps A and B communicating with MSN v6.x or later, sending each other a file. (I've since read that it might use a 'relay server'; the server sits in the middle, and A and B make an outgoing to that.) But anyhow, I recall seeing B's ip, and the connection was incoming:

71.4.5.2:1118 TO 192.168.0.2:2344 And I thought.. hang on, my router isn't port forwarding 2344, is it? I did an online port scan and it didn't show it as open (though maybe that was irrelevant since it turned out that it wasn't open locally either). I did a local port scan, from another comp on my lan, and it said closed or filtered. Not open.

I didn't understand that. And in retrospect, I'm still puzzled; maybe it was only open to that 71... ip, but I didn't know how to spoof that to check. I guess I could've asked the friend to scan from his comp.

I don't think my router had that port open.. Maybe it was acting a bit like some proxies (the ones kids might use at school to get out of a firewall). I don't mean like a proxy in changing the source ip to its own, but, in changing the TCP port. So maybe one port - not 2344 - was being port forwarded by my router, and through it I was getting incoming connections to my comp at other ports.

I didn't and still don't know how to analyse that further.

And the speedtouch NAT router I have at the moment has such an ugly GUI I can't see what it's port forwarding in one screen. It's reliable though, unlike previous ones I've had.

Reply to
jameshanley39
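The question above (how to tell whether an ESTABLISHED connection was opened from inside or outside when netstat only shows the endpoint pair) comes down to keeping state across the TCP handshake: the side that sent the bare SYN is the initiator. The following is an added example, not code from the thread: a small stateful classifier over a constructed list of packet records. It treats 192.168.0.0/24 as the LAN behind the NAT router (an assumption), uses the 71.4.5.2:1118 -> 192.168.0.2:2344 pair from the post as one of the flows, and also shows the port-number heuristic the poster was unhappy with, so the two can be compared on the same data.

```python
"""Stateful TCP direction classifier (added example, not from the thread).

netstat lists a connection as ESTABLISHED but not which side opened it.
The side that sent the bare SYN (SYN set, ACK clear) is the initiator;
if that packet was never observed, the direction is genuinely unknown.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the private LAN behind the NAT router.
LOCAL_NET = ip_network("192.168.0.0/24")


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str  # TCP flag letters, e.g. "S", "SA", "A", "PA", "F", "R"


def flow_key(pkt):
    """Canonical bidirectional key: the two endpoints, sorted."""
    return tuple(sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)]))


def endpoint_label(flow):
    """Render a flow key as 'local <-> remote', LAN side first."""
    (ip_a, port_a), (ip_b, port_b) = flow
    a_local = ip_address(ip_a) in LOCAL_NET
    b_local = ip_address(ip_b) in LOCAL_NET
    if b_local and not a_local:
        (ip_a, port_a), (ip_b, port_b) = (ip_b, port_b), (ip_a, port_a)
    return f"{ip_a}:{port_a} <-> {ip_b}:{port_b}"


def classify_flows(packets):
    """Map each flow label to 'outgoing', 'incoming' or an 'unknown' marker.

    Direction is decided by who sent the bare SYN, not by port numbers.
    """
    initiator = {}  # flow key -> (ip, port) that sent the first bare SYN
    seen = {}       # flow key -> True for every flow observed at all
    for p in packets:
        k = flow_key(p)
        seen[k] = True
        if "S" in p.flags and "A" not in p.flags:
            initiator.setdefault(k, (p.src_ip, p.src_port))
    result = {}
    for k in seen:
        label = endpoint_label(k)
        if k not in initiator:
            # Connection was already established when capture started.
            result[label] = "unknown (no handshake observed)"
            continue
        ip, _port = initiator[k]
        result[label] = "outgoing" if ip_address(ip) in LOCAL_NET else "incoming"
    return result


def port_heuristic(packets):
    """The netstat-era guess: a well-known (<1024) port marks the server side.

    Shown for contrast; it cannot decide when both ports are ephemeral.
    """
    result = {}
    for p in packets:
        k = flow_key(p)
        (ip_a, port_a), (ip_b, port_b) = k
        if ip_address(ip_b) in LOCAL_NET and ip_address(ip_a) not in LOCAL_NET:
            (ip_a, port_a), (ip_b, port_b) = (ip_b, port_b), (ip_a, port_a)
        local_port, remote_port = port_a, port_b
        if remote_port < 1024 <= local_port:
            guess = "outgoing"
        elif local_port < 1024 <= remote_port:
            guess = "incoming"
        else:
            guess = "ambiguous"
        result[endpoint_label(k)] = guess
    return result


# Constructed sample capture. 203.0.113.10 and 198.51.100.7 are documentation
# addresses; 71.4.5.2:1118 -> 192.168.0.2:2344 is the pair quoted in the post.
SAMPLE_PACKETS = [
    # Ordinary outbound web connection: LAN host sends the SYN.
    Packet("192.168.0.2", 3421, "203.0.113.10", 80, "S"),
    Packet("203.0.113.10", 80, "192.168.0.2", 3421, "SA"),
    Packet("192.168.0.2", 3421, "203.0.113.10", 80, "A"),
    # The post's puzzle: the remote peer sends the SYN to a high LAN port.
    Packet("71.4.5.2", 1118, "192.168.0.2", 2344, "S"),
    Packet("192.168.0.2", 2344, "71.4.5.2", 1118, "SA"),
    Packet("71.4.5.2", 1118, "192.168.0.2", 2344, "A"),
    # Flow that was already up when capture began: no SYN ever seen.
    Packet("198.51.100.7", 443, "192.168.0.2", 3500, "PA"),
    Packet("192.168.0.2", 3500, "198.51.100.7", 443, "A"),
]

if __name__ == "__main__":
    for label, direction in classify_flows(SAMPLE_PACKETS).items():
        print(f"{label}: {direction}")
```

Running it classifies the first flow as outgoing, the 2344 flow as incoming (a bare SYN from 71.4.5.2 reached the LAN host, which is exactly the thing a NAT router with no forwarding rule should not have let through, and so is the fact worth checking against the router's forwarding table or any protocol helper it runs), and the third as unknown because capture started mid-stream. The port heuristic, by contrast, can only say "ambiguous" for the 2344 flow because both ports are above 1023, which is why the handshake-based method is the one to trust.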

Sebastian, Interesting... I'm about to buy a NAT firewall, any ideas on what manufacturers, models or features I should look for? Thanks!

Reply to
Nando

Do you want a Firewall that does NAT or a NAT Router that says it's a Firewall - there is a very big difference?

What are you doing from behind your internet connection?

Do you have a website that you allow the public access too?

Do you share files?

Do you have a FTP site?

How much do you want to spend?

Reply to
Leythos

Oops!.. Sorry for the missing info. I like the fact of having a NAT router as a first line of defense. Then I would like a software firewall so I control what my program connects to (like that nasty svchost.exe that I always blocked). After a year I had to uninstall the Sunbelt-Kerio firewall, because I had so many issues with it after upgrading to new releases.

Not much, just the usual: a desktop PC with XP SP2 and Web browsing, email client, rss client, IM, news client, antivirus, and P2P.

Nope. I was told I needed to pay a static IP address. So I abandoned the idea long ago.

Nope. I was advised that if my PC was the only one on a network I needed to turn Microsoft Print and File Sharing off. I may get a laptop later though.

Nope.

Hmm... I didn't think it could cost 2$$, but I don't have an unlimited budget. I'll have to think about it more after I see the range.

Reply to
Nando

Forget the soft firewall as being effective and being any real means of protection - in most cases it's going to get compromised at some point and the soft firewall isn't going to protect you. On the flip side I've seen ZAP protect a home user for years with a direct connection (no NAT) to the internet...

I like the D-Link DFL-700 because it has real blocking methods, real DMZ and LAN networks, acts as a PPTP server and can provide port forwarding inbound based on you authenticating with the device first....

Reply to
Leythos

LOL, I have a fan. :)

However, until today, I have not noticed you before this post. I don't see you helping anyone anywhere. I wonder why? And "SG is more technical" is a joke too. The boy couldn't technique his way out of a paper sack, and neither can you.

that's a soft logical and go crawl back into your hole, with SG. :)

Reply to
Mr. Arnold

OH MY GOD, you're actually being civil. What came over you? Is this a new you?

I am proud of you, keep up the good work and hang in there.

Reply to
Mr. Arnold

Thanks a lot Leythos!

Reply to
Nando

If you need something more, there are a LOT of firewalls in the $300 to $500 range that can do even more.

Reply to
Leythos

My problem is that I'm not completely sure on the features I need. I do not trust a flat and cheap router ($30). A hardware router & firewall sounds like it will protect me better. I have learned a lot about NAT, and the importance of SPI features. Also I do know that some manufacturers are really bad or irresponsible and have released so many firmwares and patches. I'm not sure about the feature details in the administration of the firewall, but my learning is in process. I do not place limits on my learning as long as the gain is to know how to protect myself. Budget is limited though, but it will be great to know what I'm missing for not paying beyond $400.

For what I have been researching, the difference I see beyond your recommended solution is in the number of VPN connections (moving it to the corporate way). I'm just looking to administer 1 PC, 1 laptop, and a testing server. If I ever VPN, it will be just 1 connection (me); I'm quite paranoid ;) I'm going to have a wireless laptop, so I'm also looking for a WiFi feature of the hardware (as long as I can properly secure it just for my laptop's use). I appreciate your assistance.

Reply to
Nando

Many of the low end appliances, like the DFL-700, will do what you want and provide a level of protection as long as you implement ALL of the other security measures; a firewall won't protect you from most exploits or from yourself.

The higher end units have additional protection features, can detect attacks of specific types, can filter content out of inbound SMTP (if you have your own email server), can filter content out of HTTP sessions (the DFL-700 does this too) so that you can block things like active-x, JS, exe, bat, scr, etc... downloads..... You also get good logging in most cases.

I've got a lot of friends that have simple BEFSR41 units, practice safe-hex and don't need anything more than the cheap NAT router, and they've not been compromised either. The difference is that they follow the standards for safe internet/network/device access.

Reply to
Leythos
