NAT is not a mechanism for securing a network.. but.. HELP!

What did you do to educate them?

This is blacklisting, not whitelisting.

This depends on how the working atmosphere is in your company, I think.

Yours, VB.

Volker Birk

What is a "real firewall"?

Oh, yes, it does. It's impossible to deny tunneling without cutting the cable, i.e. with whitelist filtering.

Yours, VB.

Volker Birk

Sorry, you're wrong. Of course that works.

SOAP messages are all proper Internet mail messages. It's just sending email for transporting RPC or messages, you know.

But SOAP only is an example. You don't need to use SOAP for that. You can do your own protocol as well.

If you can send mail to and receive mail from other users in the Internet, you can tunnel information as content of Internet mail, OK?

And of course, you can find an encoding/decoding to transport what you want, clear?

So, for example, what Alex does here with his wwwsh (link not preserved) can be done also with SMTP, not only with HTTP.

Yours, VB.

Volker Birk

Oh, nice, then free network is very easy to achieve for everyone. Just use a proxy server outside, and have the right meta tags inserted into every page which is proxied ;-)

Yours, VB.

Volker Birk

NAT means "network address translation". Usually, it's a term used for masquerading (changing insideIP/port to singleIP/otherport dynamically for giving Internet access to many hosts with one single IP address in the Internet, also called dynamic NAT) and what is called static NAT (mapping IP/port to otherIP/otherPort).

What do you mean with "1:1" here?

Yours, VB.

Volker Birk

Too technical; perhaps someone might put it in simpler words or by giving an example.

Nicky

All the normal things and then more - were you looking for something specific?

We took away sites that were not needed, meaning ALL of them and then white listed the ones we needed - so, maybe you should not be so petty in your assumptions - we did both, deny all, white list many.

Statement means nothing, as it is prevalent in every company that permits unrestricted and full open access to all of its employees - human nature is the same everywhere.

Leythos

I'm growing very tired of your short one-liners without any benefit to the discussion - this definition has been provided in many threads - please search google for the answer.

Come on, get off it, tunneling to a place that has no benefit to the person tunneling isn't really doing anything. Heck, tell me how allowing HTTP outbound to partnercompany.com is going to help you tunnel into your home PC.

Leythos

You don't appear to understand NAT if you think it's just for 1:MANY. There are many examples of 1:1 NAT, and most firewalls have that option.

What don't you understand about 1:1?

Take a PUBLIC IP RANGE, map it 1:1 to another RANGE; that's 1:1.

Look it up

Leythos
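The two NAT flavours argued over in the posts above (VB's "masquerading" / dynamic NAT versus Leythos' static 1:1 NAT) as a small translation-table model. This is an added illustration, not code from the thread or from any router; all addresses are constructed (RFC 1918 inside, documentation ranges outside). It shows why an unsolicited inbound packet has nowhere to go behind dynamic NAT, while static 1:1 NAT forwards everything to the mapped host.

```python
"""Toy model of dynamic NAT (masquerading) and static 1:1 NAT.
Added illustration for the thread; addresses are constructed examples."""
from __future__ import annotations

from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class MasqueradingNat:
    """Dynamic NAT: rewrite (insideIP, port) -> (publicIP, otherPort) on the
    way out and remember the mapping so that replies can be undone."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = count(first_port)            # next free public port
        self._out: dict[tuple[str, int], int] = {}  # (inside ip, port) -> public port
        self._in: dict[int, tuple[str, int]] = {}   # public port -> (inside ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self._out:
            port = next(self._ports)
            self._out[key] = port
            self._in[port] = key
        return Packet(self.public_ip, self._out[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Packet | None:
        """Return the translated packet, or None when no inside host opened
        this flow. That accidental drop is the 'protection' the thread
        argues about: it is a side effect of the table, not a policy."""
        inside = self._in.get(pkt.dst_port)
        if inside is None or pkt.dst_ip != self.public_ip:
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


class StaticNat:
    """Static 1:1 NAT: each public address is permanently mapped to one
    inside address; ports are untouched and every inbound packet for a
    mapped address is forwarded, so nothing is filtered at all."""

    def __init__(self, public_to_inside: dict[str, str]):
        self._pub_to_in = dict(public_to_inside)
        self._in_to_pub = {v: k for k, v in public_to_inside.items()}

    def outbound(self, pkt: Packet) -> Packet:
        return Packet(self._in_to_pub[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Packet | None:
        inside = self._pub_to_in.get(pkt.dst_ip)
        if inside is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside, pkt.dst_port)


if __name__ == "__main__":
    nat = MasqueradingNat("203.0.113.1")
    out = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.5", 80))
    print("outbound becomes", out)
    print("reply maps back to", nat.inbound(Packet("198.51.100.5", 80, "203.0.113.1", out.src_port)))
    print("unsolicited inbound:", nat.inbound(Packet("198.51.100.5", 80, "203.0.113.1", 40001)))
    s = StaticNat({"203.0.113.20": "192.168.1.20"})
    print("static 1:1 inbound:", s.inbound(Packet("198.51.100.5", 4444, "203.0.113.20", 445)))
```

The masquerading table only ever has entries that an inside host created, which is why the thread's "a NAT router is pretty good protection" line holds for the dynamic case and not at all for the static 1:1 case.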

So it has nothing to do with proxying?

A(me)-> proxy A-> proxy B-> B(dest)

Nicky

The proxy idea is clear to me, but I am still having difficulty understanding the tunneling idea.

Nicky

Usually, security can be greatly improved by educating users. This is why I'm asking.

Yours, VB.

Volker Birk

I think, to talk about "real firewalls" (and maybe "wrong" ones) only is window-dressing, so I had the hope, that you mean something sensible with it. But with that I stand corrected.

If you have no access into the Internet, then tunneling through the Internet is not possible, but if someone at partnercompany.com helps you with a gateway.

But we're talking here about security if you do have a network, I think. Why are you insisting on scenarios where no network communication to the Internet exists?

Yours, VB.

Volker Birk

I don't think so. And I think, that I have understood NAT, thank you. I feel secure enough to implement my own NAT code.

Ah, you mean static NAT with just translating one IP address into another. Thank you for explaining what you mean.

Yours, VB.

Volker Birk

I thought so. That is what I meant by a properly configured router. So, back to what I was saying... a properly configured NAT router *is* pretty good protection.

Not perfect. But certainly better than setting up and leaving your PC on a card table in the middle of Times Square.

BTW, since you are obviously at a very high level on this stuff... Say on a Linksys BEFSR41, what kind of settings would you consider the minimum for the Filtered Private Port Range?

DCE-Net: 135-139
SMB: 445
Spooler: 515
MS-SQL: 1433-1434
pcAnywhere: 5631-5632

Those are the ports I typically add to Port Range Forwarding, dumping them to the bit bucket. I use the remainder to setup things I actually use such as BitTorrent, FTP, FTP-PASV, and HTTP.

CyberDroog
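VB's earlier remark that this is "blacklisting, not whitelisting" can be made concrete by running both policies over the same traffic. The code below is an added example, not code from the thread or from any Linksys firmware: it parses the port list quoted in the post above into ranges and then compares a blacklist ("drop the listed ports, forward the rest") with a deny-all-then-permit whitelist. The whitelist, the sample destination ports and the "RDP" label are constructed for the illustration.

```python
"""Blacklist versus whitelist inbound port filtering over sample packets.
Added example for the thread; the FILTERED string is the port list quoted
in the post, everything else is constructed."""
import re

# The "Filtered Private Port Range" list from the post, verbatim.
FILTERED = "DCE-Net: 135-139 SMB: 445 Spooler: 515 MS-SQL: 1433-1434 pcAnywhere: 5631-5632"

# A whitelist a home user might keep instead (constructed): only the
# services actually in use are reachable from outside.
ALLOWED = {"HTTP": (80, 80), "BitTorrent": (6881, 6889)}

# Constructed sample inbound destination ports: SMB, MS-SQL, BitTorrent,
# and RDP (3389), which the blacklist above never mentions.
SAMPLE_PORTS = [445, 1434, 6881, 3389]


def parse_port_list(text: str) -> dict[str, tuple[int, int]]:
    """Turn 'Name: lo-hi Name: port ...' into {name: (lo, hi)}."""
    ranges = {}
    for name, lo, hi in re.findall(r"(\S+):\s*(\d+)(?:-(\d+))?", text):
        low = int(lo)
        ranges[name] = (low, int(hi) if hi else low)
    return ranges


def in_ranges(port: int, ranges: dict[str, tuple[int, int]]) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges.values())


def blacklist_decision(dst_port: int, blocked: dict) -> str:
    """Blacklist: drop the listed ports, forward everything else."""
    return "drop" if in_ranges(dst_port, blocked) else "forward"


def whitelist_decision(dst_port: int, allowed: dict) -> str:
    """Whitelist: deny all, then permit only the listed ports."""
    return "forward" if in_ranges(dst_port, allowed) else "drop"


def compare(ports, blocked, allowed) -> list[tuple[int, str, str]]:
    """(port, blacklist verdict, whitelist verdict) for each sample port."""
    return [(p, blacklist_decision(p, blocked), whitelist_decision(p, allowed)) for p in ports]


if __name__ == "__main__":
    blocked = parse_port_list(FILTERED)
    print("parsed blacklist:", blocked)
    for port, bl, wl in compare(SAMPLE_PORTS, blocked, ALLOWED):
        print(f"port {port:5d}: blacklist={bl:8s} whitelist={wl}")
```

The RDP line is the point: a blacklist only ever covers what its author thought of, so the unlisted port sails through, while the whitelist drops it without anyone having to anticipate it.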

Sure, but again it is semantics. One can use only a NAT router in the process of firewalling their system. Firewalling being defined as an attempt to prevent completely unrestricted access.

CyberDroog

It can have it, if you spoof the address.

Yes. The operating system usually creates the IP packets. The operating system's implementation of the TCP/IP protocol family inserts a correct source address automatically.

But you also can use a so-called raw socket. This is a technique with which you can build your own packets and have influence on anything they consist of. So you can build your own packets with a spoofed IP address as the source address.

You can do this using the network API of your operating system - usually an implementation of the BSD socket API (or XTI, if you have UNIX).

Or you can use packet generator software, which already can do this for you, so you don't need to program. An example of such software is hping.

Oh yes, we have. We have it from the router before then.

Yours, VB.

Volker Birk

Well, that is my point... Spitting your coffee all over the keyboard and choking every time you see someone call their NAT router a firewall is much ado about nothing.

You know very well what they mean. That placing the box between their cable and their PC is an attempt at preventing unrestricted access into their system. It is a process of firewalling their system. That a cheap NAT router is unable to prevent *all* forms of access is just a matter of capabilities.

Contrary to your penchant for winking, I think you are flying off the handle here. Keep in mind I am poking you in the ribs every time that I tell you a NAT router is a firewall. As Tony Soprano would put it "I'm busting your balls." Don't be so touchy.

Yes, I believe that a simple NAT router is a basic attempt at firewalling a system. About as much as the average home user will ever do. It's *their* firewall, whether you like it or not. Together with a basic software firewall (a packet filter, which also makes you apoplectic when people call it a firewall), it's not a bad firewall. Not for a home user.

Don't be so intense. We're not talking about protecting Citicorp in this case. It's a home user. Let them have their firewall. You could just smile and nod when they tell you about it instead of jumping over the table and throttling them.

BTW, I'd like to just ignore the silly charge based on your poor memory... But you're a nice guy generally, so here you go.

The poster you are speaking of is: Kenny Koala. The following is a response I made to him. It's from my own database, but you can follow the message-id back to his original posts.

===============================
From: CyberDroog
To:
Newsgroups: comp.security.firewalls
Subject: Re: Us>

  1. You're a dupe for believing some random chick in a chat room is some hot, high paid person at a major news network. In all likelihood it isn't even a woman.
  2. You don't need a T1 line to set up a proxy. A per month cable connection will do just fine. Not to mention that there are free, or low cost, proxy services out there. You don't need to set up your own.
  3. You're a dupe for believing it can't be discovered. It might have escaped you that the content of packets can be examined to see what somebody using a proxy is doing.

Do you really believe that network admins have never heard of a proxy before? ANYTHING that you send or receive over a network can be viewed by the admins. There are programs that will reconstruct the traffic and allow the admin to see exactly what the user is seeing.

If the middle aged pervert you are chatting with types "yada yada yada", that data has to pass through the local network to get to the proxy. And whatever you type to your boyfriend has to pass through that local network to get to him. It's an open book for any admin who cares to pay attention.
===============================

CyberDroog

I'm beginning to question your ability to decipher sarcasm.

I'll add a ;) here so you don't know if I'm being serious or not.

CyberDroog

Sometimes a bug is just bad programming. For instance a program expects you to enter a number; if you enter a letter and the program crashes, that's a bug. Well, actually it doesn't have to be a bug since the program may be WAD (Working As Designed). If they coded no bounds checking, then it's a design flaw. But most people call it a bug.

In the case of the Linksys exploit I mentioned, it was a programming error. The device was properly refusing remote administration on the default port, but a bug in the code was causing it to allow remote administration on other ports.

I believe Linksys had a similar bug with the password settings. The device was allowing the password to be changed without verifying the current password. So in effect, there was no password.

CyberDroog
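The two Linksys defects described in the post above, a remote-administration check that only covered the default port and a password change that never verified the current password, are the kind of logic bugs that are easiest to see as a flawed handler next to its corrected form. The code below is an added example, not Linksys firmware and not code from the thread: the `AdminConfig` class, the interface names, the default port 8080 and the hashing scheme are all constructed for the illustration.

```python
"""Flawed versus corrected admin-interface checks modelled on the two bugs
described in the post. Added example; nothing here is Linksys code."""
import hashlib
import hmac
import os

WAN, LAN = "wan", "lan"
DEFAULT_ADMIN_PORT = 8080  # constructed value for the illustration


def admin_allowed_flawed(iface: str, port: int, remote_admin_enabled: bool) -> bool:
    """Mirrors the first bug: remote administration is refused only on the
    default port, so any other port on the WAN side slips through."""
    if iface == WAN and port == DEFAULT_ADMIN_PORT and not remote_admin_enabled:
        return False
    return True


def admin_allowed(iface: str, port: int, remote_admin_enabled: bool) -> bool:
    """Corrected: the decision depends on the interface the request arrived
    on, never on which port happened to be used."""
    if iface == WAN:
        return remote_admin_enabled
    return iface == LAN


class AdminConfig:
    """Stores one salted PBKDF2 hash of the admin password (constructed
    scheme; the point is the change-password logic, not the hashing)."""

    def __init__(self, password: str):
        self._salt = os.urandom(16)
        self._hash = self._digest(password)

    def _digest(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def verify(self, password: str) -> bool:
        # Constant-time comparison so the check itself leaks nothing.
        return hmac.compare_digest(self._digest(password), self._hash)

    def change_password_flawed(self, new_password: str) -> bool:
        """Mirrors the second bug: the caller supplies only the new password,
        so whoever can reach the form owns the device. 'In effect, no password.'"""
        self._hash = self._digest(new_password)
        return True

    def change_password(self, current_password: str, new_password: str) -> bool:
        """Corrected: prove knowledge of the current password first, and
        refuse trivially short replacements."""
        if not self.verify(current_password):
            return False
        if len(new_password) < 8:
            return False
        self._hash = self._digest(new_password)
        return True


if __name__ == "__main__":
    print("flawed, WAN port 8081:", admin_allowed_flawed(WAN, 8081, False))
    print("fixed,  WAN port 8081:", admin_allowed(WAN, 8081, False))
    cfg = AdminConfig("admin123")
    print("flawed change without current pw:", cfg.change_password_flawed("owned"))
    cfg = AdminConfig("admin123")
    print("fixed change with wrong current pw:", cfg.change_password("guess", "newpass99"))
```

Both fixes share one shape: the decision is made on the property that matters (which interface, whether the caller knows the secret) rather than on an incidental detail (which port, whether a form was submitted).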
