Just want to keep the crap out!!

But then it's not a NAT router. It's an SPI firewall. Stay on subject.

Sure. So how do you get on my wire to see my packets? It depends on how you are connecting of course. With cable systems it's possible. But then all you end up doing is corrupting my incoming FTP stream. If you (the hacker) are really lucky there's a buffer overflow vulnerability to exploit. Otherwise all you do is f*ck up my download.

More protection is always better. But the only packets hitting your computer through a NAT router are going to ports that correspond to connections that you initiate. The source port designation is a function of the TCP stack so it doesn't really matter whether that filtering is via the Windows firewall or a NAT router.

Right. And that's a function of user intelligence more than anything else. Decent AV and anti-spyware SW will help; no guarantee. But SPI isn't going to do a damn thing against these threats that NAT won't also handle. Ultimately, they all depend on a connection initiated from the inside.

Probably because it's not as easy as you think. Banks have substantial assets to protect and substantial resources to spend on security. If you're going to spend $1,000,000 on a bank vault does it make any sense to cheap out on network security?

Perhaps, also the

More filtering is always better than less. But you're shifting the goalpost again. I'm not saying that a NAT router is as good as SPI or more advanced solutions. Merely that it's a hell of a lot better than nothing, and sufficient to keep most home users out of trouble.

Reply to
Rod Engelsman

Actually this is true to some point. The very-low-cost cheap implementations don't have any connection tracking modules, or only a pretty stupid one. But most low- and mid-cost consumer products are trimmed for ease of use and therefore contain a lot of such heuristics.

No, I've read such stupid advice way too often.

Only if necessary!

Put in some stupid heuristics and see how it breaks. E.g. most implementations will forward TCP-based DNS replies from any server if a DNS request appeared recently.

Seatbelts usually aren't damaged. But common NAT implementations...

A good host-based packet filter is free of cost. Try Wipfw. If you like to create a discussion about good defaults for clueless home users, a set of scripts and maybe a nice GUI, this could actually turn into a serious alternative to all those bullshit personal network discos.

I'm not going to pay anything for protecting a simple home user's computer. A router is only needed if two or more have to share the same line.

Better, but not much, and definitely not worth the money.

Sure, that's why you're usually putting exploits in an advertisement propagated through DoubleClick or alike to a lot of usually harmless websites. Why not pay $1000 to target 10s of millions of computers? :-D

You have bandwidth, calculation power and storage space. And especially you're usually clueless about your system.

Reply to
Sebastian Gottschalk

Most devices which are sold as "SOHO Routers" can do routing, NAT and filtering today.

I'm not talking about sniffing packets, but inserting packets.

I'm not talking about FTP.

Unfortunately no - with the trick I tried to explain.

A simple packet filter is doing more than a usual NAT implementation. It can filter away packets which obviously have spoofed addresses.

I don't see a problem to implement this myself. How to do it, I explained in a speech some years ago:

formatting link

What we did here in Bad Waldsee, Germany, for example:

formatting link
My favorite, the German headline means "our service offers":
formatting link
;-)

What I lately saw at the UBS, Zurich, was even worse.

I wish you were right here.

Again, I'm not talking about SPI. I'm just suggesting a simple packet filter for filtering out spoofed packets. That's it. And most of the common devices already have one.

Yours, VB.

Reply to
Volker Birk

That didn't occur to me. Of course I have heard of using an older PC as a firewall. I do have an old Compaq 333 or something w/nic. But, it's been so long since I read about it and it wasn't a completely in-depth article by X-something or something X, how would I turn this old PC into a Firewall/Router. BTW, you guys can really drag out an argument to its bitter end, huh? :)

Reply to
dawg


Check out

formatting link
Your Compaq 333 should be more than adequate. It will need two NICs though. Just get a cheap $15 10/100 NIC if it only has one. It even supports three NICs, if you want to have a "DMZ area".

Haven't set it up yet, but it is on my "to do" list. Got enough parts here to throw something together for it. Once I get motivated, I'm wanting to get the parts all together and stuff them into a box I'm currently using as a wireless captive portal (running "ZoneCD"). Basically "two computers" stuffed into one box, one will run Smoothwall and the other ZoneCD.

Give it a shot and have fun...

Reply to
Eric

Like Eric said, Smoothwall is a good choice. IPCop is slightly better depending on your needs (one project is a fork of the other, I forget which came first). I'm currently using Endian (which is a fork off of IPCop) on an older Toshiba laptop using two cheap PCMCIA NICs. Works like a charm; even has integral battery backup. :)

Why I let myself get dragged into this I'll never know...

Reply to
Rod Engelsman

We weren't talking about "SOHO Routers". The OP asked about keeping crap off of one home computer. As Sebastian pointed out a couple of days ago, SOHO is distinct from "home use". I'm talking about units like this little Linksys WRK54G wireless router/switch thing I got at Wal-Mart for $100 with a card for a laptop included.

I fail to see how you could insert packets without being in a position to sniff packets. You're going to have to either physically tap into a line somewhere, compromise an ISP router/switch, or possibly hack a cable modem.

Uhh... read your own post. It's about the fourth paragraph above this one.

I have no idea what you're talking about here. I sure wasn't in this thread.

Unless you compromise my wire somehow and stage a man-in-the-middle attack--an attack scenario that 99.999% of home users will never face--the source address is irrelevant, spoofed or not. If it doesn't correspond to an existing connection in the NAT table it is simply dropped into the bit bucket.

Totally irrelevant; completely different attack scenario. Firewalls by their very nature are useless against a clueless user who unwittingly allows malware onto their box by clicking the wrong link or opening an email attachment.

All this proves is that Internet security is a layered affair.

My setup: Since I have more than one machine in the house and we want to be able to share files between them...

First line: Home-built linux firewall

formatting link
to...

Second line: the aforementioned Linksys wireless router running NAT, not for security, but whatever it provides, it provides. This is all actually double NAT; 192.x.x.x to 10.x.x.x to public IP.

Third line: Windows firewall configured to only allow the file-sharing traffic between the statically configured IP addresses on my LAN. And outgoing Internet of course.

Fourth: AVG anti-virus, daily update, daily scan, resident shield.

Fifth: Microsoft Anti-Spyware, daily update, daily scan, real-time protection turned on.

Sixth: Periodic scan with Lavasoft Adaware and Spybot S&D.

Seventh: Firefox rather than IE. Thunderbird rather than OE or Outlook. OpenOffice.org rather than MSO.

Eighth: Most important. My brain preventing my fingers from doing stupid things.

Reply to
Rod Engelsman

Yes. And for a SOHO router, I'm paying i.e. 34,- EUR for an Asus RX3041.

I don't think so.

Yes, why not.

Just send packets with spoofed sender's addresses.

No. Nothing like this is needed.

An example for dynamic NAT:

To insert packets into the internal network behind NAT, you're just sending packets to the ports on the external interface of a NAT router which seem to belong to connections NATed by the router. Usually, this is a fixed range of ports you have to try out.

An example for static NAT:

To insert a packet which seems to come from inside, just spoof an IP address like 192.168.0.1 as the sender's IP address. Then you can insert packets which seem to come from inside.

Both are very dangerous for UDP based protocols, of course. They are dangerous, too, for weak TCP implementations like the one from older Windows versions.

Of course, you're not sending just one single packet but many, starting with packets which will most likely work. Usually, one will work.

This is another topic, which has nothing to do with the topic I'm writing above. Weak FTP implementations for NAT are a second attack vector.

Yes. This is most important.

Yours, VB.

Reply to
Volker Birk

I think IPCop came out of Smoothwall. Read a little on it once. Thanks, never heard of Endian, but will check that one out too.

formatting link

All these "turn-key" Linux-based projects are great. Pretty much everyone has a relatively old computer sitting around to do something with.

I was kinda playing with the idea of running BlackIce on an old computer too, filtering stuff from the cable modem before it hits any of my routers. Currently running BlackIce on a working desktop, side-by-side with Sygate (works fine), but right at the entry point might be a better home for IDS.

Cheers, Eric

Reply to
Eric

On what device have you found this to be true?

Most modern implementations are smart enough to prevent this type of spoofing from occurring because they maintain a state of knowing that the IPs specified on the protected side will never be allowed from the unprotected side.

Reply to
Don Kelloway
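The two things argued over in the posts above (whether a NAT table alone drops a packet to a mapped port that does not come from the real remote endpoint, and whether a router refuses private source addresses arriving on its WAN side) can be made concrete with a small model. The following is an added illustration written for this thread, not code from any of the posters or from any router or firewall product named here; the addresses, the port range starting at 40000 and the names NatRouter, Packet and demo are all constructed for the example. It compares a strict NAT lookup (packet must match the full remote endpoint of the mapping) with a lax one (any packet to a mapped port is forwarded, the "stupid heuristic" behaviour described earlier), and puts the anti-spoof ingress check that Volker and Don both refer to in front of both:

```python
"""Toy model of a consumer NAT router's inbound handling: an anti-spoof
ingress check followed by a NAT-table lookup, in a strict (full endpoint)
and a lax (external port only) variant.  Added illustration for the
thread; not code from any product or poster mentioned in it."""
import ipaddress
from dataclasses import dataclass

# Ranges that must never appear as a *source* address on the WAN interface.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatEntry:
    inside_ip: str
    inside_port: int
    remote_ip: str
    remote_port: int


class NatRouter:
    """strict=True : an inbound packet must come from the remote endpoint the
                    mapping was created for (address and port).
       strict=False: any packet addressed to a mapped external port is
                    forwarded, the lax behaviour criticised in the thread."""

    def __init__(self, wan_ip: str, strict: bool = True, first_port: int = 40000):
        self.wan_ip = wan_ip
        self.strict = strict
        self.table: dict[tuple[str, int], NatEntry] = {}
        self.next_port = first_port   # constructed: sequential port allocation

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: allocate an external port, record the mapping, and
        return the packet as it leaves the WAN interface."""
        key = (pkt.proto, self.next_port)
        self.table[key] = NatEntry(pkt.src, pkt.sport, pkt.dst, pkt.dport)
        self.next_port += 1
        return Packet(pkt.proto, self.wan_ip, key[1], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> tuple[str, str]:
        """WAN -> LAN: returns (verdict, reason)."""
        src = ipaddress.ip_address(pkt.src)
        # Ingress filter: a private/internal source cannot legitimately arrive
        # from the outside, whatever the NAT table says.
        if any(src in net for net in BOGON_SOURCES):
            return ("DROP", "private source address on WAN interface")
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry is None:
            return ("DROP", "no NAT entry for external port")
        if self.strict and (pkt.src, pkt.sport) != (entry.remote_ip, entry.remote_port):
            return ("DROP", "remote endpoint does not match NAT entry")
        return ("FORWARD", f"{entry.inside_ip}:{entry.inside_port}")


def demo(strict: bool) -> dict[str, str]:
    """Run four constructed inbound cases against one router; return the verdicts."""
    r = NatRouter("203.0.113.7", strict=strict)   # documentation-range WAN address
    # An internal host sends a UDP DNS query; the router creates the mapping.
    out = r.outbound(Packet("udp", "192.168.0.10", 53000, "198.51.100.53", 53))
    mapped = out.sport
    cases = {
        "genuine reply": Packet("udp", "198.51.100.53", 53, r.wan_ip, mapped),
        "other host to mapped port": Packet("udp", "198.51.100.99", 53, r.wan_ip, mapped),
        "spoofed private source": Packet("udp", "192.168.0.1", 53, r.wan_ip, mapped),
        "unmapped port": Packet("udp", "198.51.100.53", 53, r.wan_ip, mapped + 1),
    }
    return {name: r.inbound(p)[0] for name, p in cases.items()}


if __name__ == "__main__":
    for mode in (True, False):
        print("strict" if mode else "lax", demo(mode))
```

Running it shows the difference the thread is about: both variants drop the packet with a 192.168.0.1 source and the packet to an unmapped port, but only the strict lookup drops the packet that a third host sends to the mapped port; the lax router forwards it to the internal host exactly as the "TCP-based DNS replies from any server" remark describes. The ingress check is what a "simple packet filter" adds on top of NAT, and it is independent of how good the NAT table is.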

On every one I saw up to today.

Nice to hear. What I'm missing is an implementation I can see. With some little filtering there is no problem anyways.

Yours, VB.

Reply to
Volker Birk
