Dead Men Walking

dMw Chit Chat => The Beer Bar => Technology Section => Topic started by: smilodon on November 13, 2004, 12:09:58 AM

Title: For the network geeks
Post by: smilodon on November 13, 2004, 12:09:58 AM
If you're not a network geek don't waste precious life reading this. If you are a geek then I could do with some advice.

I've recently bought a Westell 6100 dsl modem router. It's got a NAT firewall plus a regular hardware firewall built in.

I've set it up with the DHCP server active, so that my ISP assigned IP (which is dynamic) goes to the router, which has an IP of 192.168.1.1 on my LAN. The DHCP server is set to assign LAN IPs in the range 192.168.1.15 to 192.168.1.47. I have one PC on the LAN which has an IP of 192.168.1.47. All pretty routine  :)

The firewall, which is a bit like IP Chains, is set to allow everything in and is preconfigured by the manufacturer. As I understand it the idea is that inbound connections are passed by the firewall and blocked by the NAT firewall. The inbound firewall rules are:

Quote:
title    [ Security Level 1 IN rules ]

begin
Rules
pass all
AddresDrop
drop from addr 0.0.0.0 >> done, alert 4 [ 0.0.0.0 Source IP Address]
pass protocol udp, to port 53 >> done
pass protocol udp, from port 53 >> done
drop protocol icmp >> alert 4 [ICMP Message To WAN IP]
end

I have set NAT up so that no services are offered. I'm assuming that this means no incoming connections are accepted. PC Flanks shows me stealthed for all their tests.

The outbound firewall rules simply open the ports I need to surf the web, do e-mail and play CS. However the router just opens the ports. Obviously it can't tell what applications are using those ports. Therefore I have installed Kerio 2.15 (rules based packet level software firewall).

Kerio is designed to control which programs are allowed to access which ports outbound and I've set up rules accordingly.

Now here's the problem...as soon as I try to connect to Steam I get several outbound connection attempts which I set Kerio to allow. The connections then pass out through similar outbound rules in my router firewall and I connect to Steam. But oddly I then get incoming UDP connections from the Deadmen servers? They don't appear to be coming from the router IP as they show the Deadmen IP addresses and ports.

Now I assume that these inbound packets from the Counter-Strike servers would pass through my router inbound firewall rules and run smack bang into the NAT firewall, which is set to drop all incoming connection attempts. So how does Kerio software firewall on my PC see these packets if the router is supposed to be blocking them?

I get the idea of port triggering, but I've not activated any trigger rules on the NAT firewall so that shouldn't work. Basically the NAT firewall is set to block everything. Now Counter-Strike might not work without these inbound packets but that's not the point. I'm mainly concerned about why they get through at all, and by association what else might be coming in.

This may not be enough information or I may well have missed something obvious (I'm rubbish at this stuff) but any help as to why these Deadmen packets are getting through the router and triggering my software firewall would be bonus  :)
Title: For the network geeks
Post by: Doorman on November 13, 2004, 12:25:34 AM
That's so easy I sha'n't bother replying. (yes I'm four sheets to the wind and yes I have my doubts about the apostrophes in shant)
Title: For the network geeks
Post by: Anonymous on November 13, 2004, 09:36:18 AM
Have you thought about the fact that Steam may be requesting them? If you have the deadmen servers in your favourites list then they may be getting polled by steam for server status. The outbound request will be on a certain port, the inbound info may well be on a different port but will be classed as legitimate responses to outbound requests.
Title: For the network geeks
Post by: smilodon on November 13, 2004, 09:47:49 AM
Yep I understand the idea. The inbound requests come when I refresh my server list on the favorite tab, although oddly not on the internet tab.

My issue is why I'm seeing these inbound connections at all. I thought (possibly wrongly) that NAT would allow return responses to outbound connections like web surfing and e-mail checks but not unsolicited inbounds, which these Steam connections appear to be?

My software firewall doesn't flag up anything else as incoming when I surf etc. only Steam. Maybe Steam packets are special and the NAT firewall sees them as inbound responses to outbound connections and passes them but the software firewall sees them as just inbound and not a response to anything and so flags them? Also maybe it's because the response from Steam is from or to a different port and therefore gets a pass from NAT but an alert from the software firewall? I'm just confused.

At the end of the day I'm not fussed unless these Steam connections are an indication that I've left a gaping hole in my router?
Title: For the network geeks
Post by: tugs on November 13, 2004, 10:14:22 AM
gimme your ip some time and i'll happily perform a full portscan :-)
Title: For the network geeks
Post by: Anonymous on November 13, 2004, 03:50:15 PM
Quote: Originally posted by smilodon@Nov 13 2004, 10:47 AM
Yep I understand the idea. The inbound requests come when I refresh my server list on the favorite tab, although oddly not on the internet tab.
I guess Steam is automatically requesting status info from the servers in your server list.

Quote: My issue is why I'm seeing these inbound connections at all. I thought (possibly wrongly) that NAT would allow return responses to outbound connections like web surfing and e-mail checks but not unsolicited inbounds, which these Steam connections appear to be?
I don't think that is NAT. Does your firewall support SPI (Stateful Packet Inspection)? That is what is probably allowing responses to Steam's request for info from fav server list. This is a good thing BTW :)

Quote: At the end of the day I'm not fussed unless these Steam connections are an indication that I've left a gaping hole in my router?
Go to grc.com (https://www.grc.com/x/ne.dll?bh0bkyd2) and do a free portscan then tell us what it says.
Title: For the network geeks
Post by: Anonymous on November 13, 2004, 07:49:28 PM
Steam Ports listed here (http://steampowered.custhelp.com/cgi-bin/steampowered.cfg/php/enduser/std_adp.php?p_faqid=160&p_created=1093381261&p_sid=-WSLBqqh&p_lva=&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9MTcmcF9zZWFyY2hfdHlwZT1zZWFyY2hfbmwmcF9wcm9kX2x2bDE9MyZwX2NhdF9sdmwxPSZwX2NhdF9sdmwyPSZwX3BhZ2U9MSZwX3NlYXJjaF90ZXh0PWZyaWVuZHM*&p_li=) although they list more than you really need and if you have SPI you don't really need any open.

Useful website here (http://www.portforward.com/) with support for many different routers.
Title: For the network geeks
Post by: smilodon on November 14, 2004, 10:33:53 PM
Cheers all. Tugs, I'm away for a few days and have a dynamic IP. I'll let you know what it is when I get back on Thursday.

To be honest I'm sure these inbounds are not showing a hole in my system. I pass grc and PC Flank with flying colours. I guess I'm more interested in why they're there at all. And I understand why meathook is sending them but not why they get past my router? I'm sure it's me being clueless but to summarise: my HW firewall is set to allow them through. My NAT is set to allow no port forwarding or port triggering. So why does my software firewall see the packets at all, if NAT blocked them?

Also I'm annoyed that so called expert Benny hasn't chipped in. Obviously all mouth and no trousers eh!
Title: For the network geeks
Post by: Benny on November 15, 2004, 11:59:39 AM
Buttocks.

PM me when you get back. I can prolly give you a remote to a server you can run your own port scan from.

I'll re-read this in a minute, but bear in mind, I'm rubbish.
Title: For the network geeks
Post by: Anonymous on November 15, 2004, 01:43:10 PM
I have just had a look at the specs on Westell's website. Your router DOES have SPI. Consequently, it doesn't matter whether you have Port Forwarding or Port Triggering enabled, SPI is permitting packets into your LAN that are legitimate responses to requests from your LAN. That is exactly how SPI should behave.

In short, you're OK and SPI is doing its job (loads of info on SPI here (http://www.google.co.uk/search?hl=en&q=stateful+packet+inspection))
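The stateful behaviour described in this reply and in the earlier SPI reply can be shown with a toy connection tracker. The example below is added here and is not part of the thread, nor Westell's or Kerio's code. It models the router's WAN interface: an outbound UDP packet from the LAN PC opens a flow entry, and an inbound packet is admitted only if it is the exact reverse of a live flow. The game server address 203.0.113.10, the stranger 198.51.100.7, the query port 27015, the client port 49152 and the 30 second UDP idle timeout are all constructed or assumed for the example; the LAN address 192.168.1.47 is the one from the original post.

```python
"""Toy stateful packet inspection (SPI) for a NAT router's WAN interface.

Added illustration for the forum thread above; not Westell or Kerio code.
Addresses, ports and timeouts below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class FakeClock:
    """Deterministic clock so the expiry case can be shown without sleeping."""
    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


class StatefulFilter:
    """Outbound packets from the LAN create a flow entry. An inbound packet is
    accepted only when it is the exact reverse of a live flow (same protocol,
    remote ip:port -> LAN ip:port). Unsolicited inbound traffic is dropped even
    though no port forwarding or port triggering is configured."""

    def __init__(self, clock, udp_timeout=30.0, tcp_timeout=3600.0):
        self.clock = clock
        self.timeouts = {"udp": udp_timeout, "tcp": tcp_timeout}
        self.flows = {}   # (proto, lan_ip, lan_port, wan_ip, wan_port) -> last seen

    def outbound(self, pkt):
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        self.flows[key] = self.clock()
        return "pass"

    def inbound(self, pkt):
        # Look the packet up as the reply direction of a flow we opened.
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        last_seen = self.flows.get(key)
        if last_seen is None:
            return "drop (no matching outbound flow)"
        if self.clock() - last_seen > self.timeouts[pkt.proto]:
            del self.flows[key]
            return "drop (flow expired)"
        self.flows[key] = self.clock()    # refresh on reply traffic
        return "pass (reply to outbound flow)"


LAN_PC = "192.168.1.47"           # the PC from the original post
GAME_SERVER = "203.0.113.10"      # constructed game server address
STRANGER = "198.51.100.7"         # constructed unrelated host
QUERY_PORT = 27015                # assumed server query port for the example
CLIENT_PORT = 49152               # constructed ephemeral source port


def simulate_server_refresh():
    """Walk through the packets seen when the favourites list is refreshed.
    Returns the router's decision for each packet, in order."""
    clock = FakeClock()
    spi = StatefulFilter(clock)
    decisions = []

    # 1. Steam on the LAN PC sends a status query to the favourite server.
    decisions.append(spi.outbound(
        Packet("udp", LAN_PC, CLIENT_PORT, GAME_SERVER, QUERY_PORT)))

    # 2. The server answers: same remote ip:port, back to the same LAN port.
    #    The router sees this as a reply and lets it through to the PC, where
    #    a host firewall with no flow table simply logs "inbound UDP".
    decisions.append(spi.inbound(
        Packet("udp", GAME_SERVER, QUERY_PORT, LAN_PC, CLIENT_PORT)))

    # 3. Same server, different source port: not the reverse of any flow.
    decisions.append(spi.inbound(
        Packet("udp", GAME_SERVER, QUERY_PORT + 1, LAN_PC, CLIENT_PORT)))

    # 4. A host the PC never spoke to probes the query port directly.
    decisions.append(spi.inbound(
        Packet("udp", STRANGER, QUERY_PORT, LAN_PC, QUERY_PORT)))

    # 5. After the UDP idle timeout the old flow no longer admits replies.
    clock.advance(60)
    decisions.append(spi.inbound(
        Packet("udp", GAME_SERVER, QUERY_PORT, LAN_PC, CLIENT_PORT)))

    return decisions


if __name__ == "__main__":
    for step, verdict in enumerate(simulate_server_refresh(), 1):
        print(step, verdict)
```

Step 2 is the case from the thread: the router's state table admits the server's answer because the PC asked for it, and a host firewall that keeps no UDP state then reports it as a plain inbound packet. Steps 3 and 4 show why that is not a hole: anything that is not the reverse of a flow the LAN opened, including the same server talking from a different port, is dropped. This toy uses strict reverse-tuple matching only; a reply arriving on a different port, as the earlier reply suggested might happen, would need an application-layer helper in the router, which is not modelled here.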