Leythos wrote in news: snipped-for-privacy@adfree.Usenet.com: ...snip more of Leythos' whinging...
Still hard at the weaselling, eh Leythos? Your stupidity is exceeded only by your tenacity.
Regards,
I see you're still trolling - since you can't be smart enough to understand that my view/opinion/expereinces were not claimed to be world encompassing, even though you took them that way....
Leythos wrote in news: snipped-for-privacy@adfree.Usenet.com: ...snip yet more of Leyhtos' whining...
Still hard at the weaselling, eh Leythos?
C'mon, don't stop now, just when you're on a roll, Leythos.
C'mon, say something else really stupid, Leythos, and then defend it to the death with you pathetic weaselling. C'mon, Leythos!
Regards,
So might an incompetent firewall. A competently implimented NAT does work as a firewall IF set to not forward any unsolicited packetc. Of course you have to decide if your particular NAT is a competent implimentation. HOwever if you punch holes ( have it forward ports) all bets are off.
No, you don't have to decide, there are quality groups, CERT for one, that can test and tell us if they pass the proper test to be qualified as a firewall. NAT is not a firewall function, it is often included in firewalls, but it is not a firewall function.
Wrong.
- A completely correct NAT implementation might also do a full forwarding in a 1:1 setup.
- As well as it might forward every unsolicited packet to a specified host on a 1:many setup (the DMZ host)...
- Reading layer 7 protocols and associate states isn't wrong either.
What about punching holes from the inside? With a Java applet, you can create a connection back to a server with a freely chosen port > 1023. With Flash applets, you can even get < 1024 with some nifty (documented) tricks. Now just create a connection from $local_ip:53 to $your_server:12345, drop the connection from the client side, and if the victim fires up his local DNS server within the timeout period... without a real firewall explicitly denying any outside access to port 53, even for session-related packets, you won't get any further. And with NAT alone, you can't solve this dilemma at all.
The question was not whether NAT was a firewall function but whether NAT with no port holes punched through was effectively a firewall allowing no unsolicited incoming traffic.
Is there a way in which a NAT router, with no holes punched through, is more insecure than a firewall which rejects all unsolicited incoming traffic? If you claim it is more insecure, please tell us why.
It is, for three reasons:
And you're all wet because a firewall protects in both directions.
Not at all sure what you mean. I initiate a http connection. The response better get through both on a firewall and on a NAT.
?? Not clear what you mean. This sounds like a bad implimentation.
Protects what in both directions? We are talking about and outsider attacking a machine behind the NAT/firewall. What is the relevance of "both directions" to the issue at hand?
Actually, it depends, when using a firewall, on the HTTP rule as to you getting through or not.
In many cases you might allow HTTP from certain users or certain internal IP or IP ranges and not allow HTTP from all other ranges - your NAT Router can't do that, but a firewall can.
You don't appear to know about "both directions" and in many cases you don't allow ALL OUTBOUND, in fact, there is little reason to allow all outbound and it's a bad rule to use ALLOW ANY > EXTERNAL.
I never allow TCP 1433 or TCP 1434 or TCP 135-139 or TCP 445 outbound on networks. I might only allow SMTP outbound from 1 IP in the LAN and I might want to block outbound connections except from a small range of IP in the LAN but not in the DMZ - a firewall can do that, your home NAT ROUTER can't.
What about the DMZ network? Most NAT Routers have the option - but most of them don't actually setup/use a DMZ network, it's just an IP on the LAN that gets ALL traffic not forwarded to some other area - which means it's NOT a DMZ and it's not protected from/to the LAN - A firewall doesn't make that mistake.
little question, just for the sake of education a router splits up broadcast domains iirc and doesn't forward broadcasts unless specified so netbios broadcasts (eg who is master browser ... ) are NOT forwarded and well netbios requests as default should never define a destination ip that needs to be gatewayed eg if your lan is 192.168.1.* then it should never send packets to
192.168.1.0. well i think that's the way it works with win xp sp2 + and Unix SAMBA because i have sniffed and sniffed but never saw a netbios packet with a destination that required the router to forward it to the wan sidei do however outbound filter my SMB servers (2 x slackware mahcines) since i can't be certain 100 %. the question is: is this somehow correct and/or if not please elaborate i just want to learn and spread what i've learned in no way i mean to start flamewars or belittle people.
true most DMZ's on home routers are not real DMZ's
Watch your logs, it will open your eyes as to what is leaving your network.
what logs ? everything syslog records ? i'll guess i'll probably have to increase samba logging as well since atm smbd prints only start time of the process
A Firewall is packet and port filter. That's all. NAT routers have a similar effect of a firewall. It is possible you have something lurking in your computer that is advertising your computer on the internet. Something like a BotNet type program.
Yes, agreed. But that is irrelevant. The question is not whether or not a firewall is more flexible than a NAT router, it is. The question is whether there is a difference in security against unsolicited outside attacks between a firewall which blocks all unsolicited outside connections, and a NAT router with no port holes punched through (Ie no ports forwarded).
Yes, there is a difference.
All quality firewalls have certifications from independent authorities that will state how they work and that they are actually providing xyz.
NAT Routers have no certification (at least in the class we're talking about) and have been shown, many times, to have exploits that allow Unsolicited inbound traffic to pass through - even with no rules set by the owner.
Not it is not Routing. Routing can be done with or without NAT.
A basic book like Computer Networking first step by Wendell Odom published by Cisco Press would explain Routing.
Anyhow, saying that NAT is not a firewall does not explain how this happened.
NAT Blocks incoming, unless port forwarding. He says he didn`t have port forwarding set up to port 5900, where his VNC server got the connection. Let`s assume that he checked afterwards to make sure the port was not forwarded.
So, how did it happen?
Aside from Sebastian G`s cryptic explanation, I don`t see you offerring an explanation.
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.