D-Link 604 port-forwarding router opinions?

I am currently running Windows XP SP2 (fully patched) and use a Bitdefender, Spywareblaster, and Ad-Aware for antivirus/antispyware. My single XP box at home is connected to my broadband internet connection via a D-Link 604 (latest firmware) router. I use OpenSSH to tunnel home from work and use Windows Remote Desktop tunneled through SSH to remote-control my machine from work.

I have had my little D-Link router for about 2 years now and I have never had a problem. The only open port I allow access to is the one through which I use SSH, and even that I have only allow to trigger when accessed via the IP I use from work. My router does not reply to any pings, block Port 113 by default, and allows shows up as fully stealthed by every scanner with which I ever test it.

No... I don't run any software firewall and I have disabled Windows SP2's built-in "firewall."

I don't use IE or Outlook Express and I am not random "click on this banner" kind of person.

In mid-2006, I now ask, am I protected enough? I think I am and the proof is I've never had any problems. Discussion?

Thank you.

Reply to
Loading thread data ...

Doesn't matter. They're as good as MS Paint in terms of security.

Nice, but be aware that IPs can be spoofed. Anyway, as long as your work place is stable in terms of network configuration, it shouldn't create any problems.


Very bad.

Bad, but usually can't be helped.

Well, but about presenting your security concept? I can see at least two lame applications above that point out a certain lack of concept.

None. You're providing false arguments in first place. Or do you really think that my Curry Of Life[tm] is super-tasty because noone ever complained?

Reply to
Sebastian Gottschalk

Spywareblaster, and Ad-Aware for antivirus/antispyware.

Why all this snake oil?

Yours, VB.

Reply to
Volker Birk

Wrong, this is an opinion. Many of us do not allow our firewalls to respond to pings or even ICMP.

Very good, it's not necessary for anything most people use.

Doesn't matter, it just shows that you don't have open ports, which is good, but stealth doesn't mean much.

You are as well protected as any home user, you only have one inbound connection from a specific source, and no matter what SG says, you're not a target enough for anyone to spend the time trying to crack your setup.

Reply to

Because of the extra 46%!

formatting link
| They take the x number from OBJ_STREAM (ie. the real object/entries | count in the definition file) and MULTIPLY it with number 1.46 and | this value is then showed to the user as REAL number of definitions in | the file.

Reply to
Sebastian Gottschalk

*nod* These are both of (as far as I know) predominant schools of thought. Most home users and even some small offices can get away with this configuration. However, it does not take much at all to out grow this. What options does the OP have to test his connection from afar is his internal system is not responding because the power is out or the system has BSODed? Usually when you start doing remote things it is good to at least have a way to test the connection between your ISPs router and your house / office. However this is based on individual personal opinions. If you ever get to a point where you are supporting other users remote connecting in to an office, it is VERY helpful to be able to have them try to ping the external IP of the router at the office they are trying to connect in to.

I have found that this can cause some mail servers to hang for a few seconds if they try to issue an IDENT / AUTH query to the sending system. My solution to this was to set up a recent history (last few seconds) of connection destined to a mail server. If there was a connection to the mail server and said server sends an IDENT / AUTH request, send back a REJECT rather than DROPping the request. This will cause the mail server to immediately stop trying to IDENT / AUTH the sender and go straight in to the SMTP phase of the connection. Again, this is based on personal experience, your mileage may vary.

If you are wanting to go for stealth mode, it is better to know the people that control the upstream router and have them issue "ICMP Host Unreachable" messages if any traffic is destined to any port that you do not want to explicitly allow in addition to state full traffic.

It is relatively trivial to find ""Stealthy hosts based on the fact that they will not provoke the router to issue "ICMP Host Unreachable" messages seeing as how the router DOES know how to get to the host in question. Verses if the router DOES NOT know how to get to the system and as such it will issuing the "ICMP Host Unreachable" message.

For the average Small Office / Home Office (a.k.a. SOHO), most likely.

I think Leythos touched on a VERY good point. That being, the OP is quite likely not a juicy enough target for any one to bother getting in to. You only have to secure beyond what would be attackers are motivated enough to go after.

Something else to keep in mind is that basic NATing is often enough for most SOHOs to be protected from the internet at large. What you need to be more concerned about is internally initiated outbound attacks, i.e. bots / worms / viri / etc. Any and all of these attacks will overcome the firewall that is in place. In fact, this is where other technologies come in to play, namely egress filtering, IDS and IPS and the likes.

Grant. . . .

Reply to
Taylor, Grant

What about eBay, MySpace or other big websites using a loadbalancer? What you typically get is when first connecting to the server with the loadbalancer is that various servers from all over the web are pining you (ICMP pings and/or TCP pings) and based on the result you'll be forwarded to the nearest/fastest servers.

Denying a reply just lets you get thrown on the default, heavy-loaded server where all the other "oh, ICMP pings are bad"-fools are gambling around, too (which effectively is the reason why it's much more loaded).

Or timeout after 30 seconds.

Absolutely right. Again, most home router I've seen already have a special exemption doing exactly that.

You really don't know if the host behind the router has open ports, and as soon as the router is circumvented (which is a rather easy issue), you've got the big problem.

Again, the point is with loadbalancers and unnecessary repeated traffic.

Today's malware is not clever enough to recognize that you're not interesting. It will simply blindly fire all kinds of exploits, including those designed to trigger port forwardings.

Java, Flash...

What about explicitly blocking all useless ports so that a triggered port forwarding won't affect it either?

Reply to
Sebastian Gottschalk

It's never presented a problem for anyone I know, and there doesn't "Appear" to be any difference between systems blocking ICMP and those not when testing from the user side.

Load balancing doesn't have to know where I am or how many hops, it can just round-robin a connection or base the connection on how many current connections.

If the router isn't letting unsolicited inbound traffic pass, which is not a simple feat to break, at least not on any quality device that most all user have access too, then you don't have to care what ports are open on any host behind the router.

Wrong, it still gets load balanced, just not the way you describe.

And none of them will work on quality devices. Sure, if you have port triggering enabled, but it's not enabled by default on any of those cheap NAT devices that I've seen, and certainly not on any of the firewalls.... So, we're talking about things that are not impacting users again.

If your device doesn't handle port triggering properly then there would be a cert or other alert about it that could be pointed to. As port Triggering is NOT enabled by default it's really a bogus point to bring up.

Reply to

*ROTFL*. We all ever knew, but it is very funny to read this ;-)

Yours, VB.

Reply to
Volker Birk

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.