How does a firewall work?

I have built myself a SOHO network with two firewalls. I have a cable modem feeding WAN1 of a HotBrick 800/2, my outer firewall.

From there, I have a CAT-5 cable going from LAN1 of that 800/2 going to WAN1 of a HotBrick LB-2, my inner firewall. My computers are plugged into the 4 LAN ports of the second firewall, the LB-2. For clarity, there are no computers connected to the 800/2 firewall (the first one in the chain), just the second firewall, the LB-2.

I have configured both firewalls to filter out 130.126.0.0-130.126.255.255. I have even filtered ports 1:65535 (all of them) on the outer (800/2) firewall!

Here is my concern. I have downloaded and installed Analog-X's packet monitor on a computer to see what is going on and this is what I see.

TTL  Protocol  Checksum  SourceIP         SourcePort  TargetIP       TargetPort
113  6         9B94      130.126.138.240  56193       192.168.0.101  1074
113  6         9C07      130.126.138.240  56193       192.168.0.101  1074
113  6         950C      130.126.138.240  56193       192.168.0.101  1074
113  6         9507      130.126.138.240  56193       192.168.0.101  1074

How is this possible? As I understand it, with the packet monitor running on a local computer, it monitors the IP address of the NIC card on that computer, and it sits behind two firewalls! Why does it see packets coming from an IP address that I am specifically blocking? Am I doing something wrong? How can I fix this?

Thanx


On Sun, 02 Jan 2005 15:43:03 GMT, spoketh

Looks to me like what you are seeing are reply packets to outbound requests made from your computer. I realize that the program says it's the other way around, but it's merely telling you where the packets are coming from, and if they are responses to packets that your computer has initiated, then the external address would indeed be the source address for these packets.

There's usually nothing running on port 1074, so it's more likely that's a source port, and that something on your computer has made an outbound request to 130.126.138.240.

I don't know what you mean by "filtering". Are you blocking inbound or outbound connections to/from those IP addresses? Are you sure you got the rules set up correctly for this block rule?

Lars M. Hansen

Remove "bad" from my e-mail address to contact me. "If you try to fail, and succeed, which have you done?"
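
An added example, not part of the original thread: a toy connection tracker showing the behaviour the reply above describes, where a block rule that applies only to inbound connections still lets replies through once a LAN host has opened the flow. The `StatefulFilter` class, its two rule flags and the assumption that 192.168.0.101 initiated the connection are illustrative; NAT is ignored and this is not a model of the HotBrick firmware.

```python
import ipaddress

# Range the original poster says is filtered on both firewalls.
BLOCKED = ipaddress.ip_network("130.126.0.0/16")

class StatefulFilter:
    """Toy connection tracker (hypothetical model, not HotBrick firmware)."""

    def __init__(self, block_inbound=True, block_outbound=False):
        self.block_inbound = block_inbound
        self.block_outbound = block_outbound
        self.state = set()  # flows opened from the LAN side

    def outbound(self, lan_ip, lan_port, wan_ip, wan_port):
        """Packet from LAN to WAN; returns True if forwarded."""
        if self.block_outbound and ipaddress.ip_address(wan_ip) in BLOCKED:
            return False  # dropped before any state is created
        self.state.add((lan_ip, lan_port, wan_ip, wan_port))
        return True

    def inbound(self, wan_ip, wan_port, lan_ip, lan_port):
        """Packet from WAN to LAN; returns the verdict as a string."""
        # Established flows are matched before the inbound block rule.
        if (lan_ip, lan_port, wan_ip, wan_port) in self.state:
            return "pass: reply to LAN-initiated flow"
        if self.block_inbound and ipaddress.ip_address(wan_ip) in BLOCKED:
            return "drop: blocked source, no matching flow"
        return "drop: unsolicited"

def replay(block_outbound):
    """Replay the flow from the capture, assuming the LAN host opened it."""
    fw = StatefulFilter(block_inbound=True, block_outbound=block_outbound)
    sent = fw.outbound("192.168.0.101", 1074, "130.126.138.240", 56193)
    verdict = fw.inbound("130.126.138.240", 56193, "192.168.0.101", 1074)
    return sent, verdict

if __name__ == "__main__":
    print("inbound-only block:", replay(block_outbound=False))
    print("outbound block too:", replay(block_outbound=True))
```

With only the inbound rule active, the packets in the capture are passed as replies; once the range is also blocked outbound, the request never leaves and the same inbound packets have no flow to match.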
