Dead Men Walking

dMw Chit Chat => The Beer Bar => Technology Section => Topic started by: smilodon on December 05, 2004, 02:11:50 AM

Title: Firewall Question
Post by: smilodon on December 05, 2004, 02:11:50 AM
I've touched on this question in a previous post but didn't explain the problem very well. I've done some more research but still have an issue I can't get to grips with. So this is for any UberGeeks who might have a brain the size of a planet.

I run a Westell 6100 NAT modem/router with built-in inbound/outbound firewall. On the single PC attached to this router is Windows XP Home and a copy of Kerio 2.15, which is a rules-based SPI software firewall.

My question is why my router allows some inbound packets to pass through NAT but my software firewall flags them as inbound connection attempts?

The router firewall allows outbound connections to everything except NetBIOS. Inbound, everything is also allowed. However NAT has no ports open, so all unsolicited inbound packets are dropped by the router.

The software firewall has strict inbound and outbound rules and is set to flag an alert when anything not covered by one of these rules tries to get in or out.

As I understand it my router receives outbound packets from my PC and sends them off onto the Internet after entering them into its data table. The packet reaches its destination, which for example is a web server. The web server then sends back the packets that make up the requested web page. They hit my router, which looks the packets up in its data table, sees that they are a response to my PC's web page request and passes the packets to my PC, which in turn sends them to my browser. Any packets that do not appear in the data table are considered unsolicited and are dropped silently. No problem there.

My SPI firewall (Kerio) works in a similar manner. It also logs outgoing connections to a data table and only allows the corresponding return packets to pass back to my PC. Any unsolicited packets are checked against its rules and are dropped, as I have no rules allowing inbound connections.

And so to the point. When I refresh my game server list in Steam or try to connect to any of them I get an inbound connection attempt warning from Kerio. This suggests these packets from the Deadmen servers are unsolicited, as a response to a query from my Steam client should be treated as such and passed by the firewall?

However my NAT router doesn't pick them up. It must assume they are indeed responses to my outbound packets from Steam. Otherwise the NAT router would drop them and I would get a 'no response' server warning in Steam, and my attempts to connect to a game server should fail.

So while I understand that these inbound packets are totally legitimate I can't understand why my NAT router accepts them as return packets but Kerio doesn't and flags an inbound connection attempt.

Steam Client -> Kerio (logged & passed)  -> NAT Router (logged & passed) -> Steam Server

Steam Server -> NAT Router (checked & passed) -> Kerio -| (checked & Blocked) ???

I also get this on my AV updates and a few other applications. I don't think I have a security problem here but would be fascinated to understand why this happens.

Ta.  :D
Title: Firewall Question
Post by: TeaLeaf on December 05, 2004, 08:19:14 AM
Quote (originally posted by smilodon@Dec 5 2004, 03:11 AM):
I run a Westell 6100 NAT modem/router with built in inbound/outbound firewall. On the single PC attached to this router is Windows XP home and a copy of Kerio 2.15, which is a rules bases SPI software firewall.
Whilst I do not know what level SPI is implemented to in either your router or in Kerio, the Westell website does at least appear to say it has SPI. However, according to Kerio's release history they did not introduce any SPI for UDP and other IP protocols until version 4.1.0 of the firewall (14th September 04). Prior to that they had some version of limited packet filtering only. Current version is 4.1.2 (4th November 04) and according to a number of Kerio users it is still quite buggy and has flagged a number of connections as an intrusion where there was none. If you really have v2.15 then it may be even buggier and hence catching false positives. Alternatively packets may get through the SPI if deemed to be a response to a legitimate session but then picked up by Kerio?

I'm not a firewall geek though, so this is just my uneducated guess which is usually worth about 2 cents........but in this case given for free ;)

TL.
Title: Firewall Question
Post by: Anonymous on December 05, 2004, 10:33:47 AM
:withstupid:

Looks like Kerio is reporting false positives. Get an update?
Title: Firewall Question
Post by: smilodon on December 05, 2004, 11:18:18 AM
Thanks for the advice

However Kerio 4 isn't a natural descendant of Kerio 2.15. Kerio 2.15 was software developed by Tiny Software and given to Kerio. Tiny went on to develop Tiny Firewall and some of its employees went their own way with a new company called Kerio and created the mess that is Kerio 4.

But thanks for reading my drivel anyway and suggesting some solutions  :D
Title: Firewall Question
Post by: Anonymous on December 05, 2004, 01:47:15 PM
Question:

Do you really need a software firewall?

Discuss in no more than 200 words.
Title: Firewall Question
Post by: albert on December 05, 2004, 02:30:54 PM
Quote (originally posted by BlueBall@Dec 5 2004, 02:47 PM):
Question:

Do you really need a software firewall?

Discuss in no more than 200 words.


I always find users (that term is used here because I look after the Network and Firewall Infrastructure for my Company) go from one extreme to another.

By that I mean having no firewall to adding a hardware broadband router with integrated firewall and also having a software firewall on the PCs on their local LAN.

Where in business circles perhaps some extra sensitive servers may merit adding the extra local layer of security, for the rest of us, laptops, desktops, etc., if you have a hardware device blocking everything coming in, but allowing everything out, you'll normally be safe. In fact the software firewall ends up making your configuration rather painful to keep current.

When I mention no inbound connections, I refer to external Internet devices initiating a connection to your LAN devices. All outbound connections allowed will normally allow replies to come back to the originating host on the LAN. This means the firewall records "states", i.e. opens a channel when you connect out, allowing the device you connect to to reply, and no return traffic is blocked.

Is your firewall NAT only or is it a port filter? If it is NAT only then you will benefit from the software firewall and only need to allow your LAN pc to talk to the firewall IP address itself, on the ports you want it to use.

Sorry for the garbled long winded reply.


If you want to open other services into your LAN
Title: Firewall Question
Post by: Anonymous on December 05, 2004, 04:25:29 PM
I use a hardware firewall but no software firewall; I keep my anti virus up to date; I don't trust suspicious emails and I am careful about the web sites I visit.

My router provides NAT as well as having an SPI filter. Additionally I can enable a true firewall mode but most people who own my model of router don't do this as NAT and SPI is fine for home users.

My 2 cents ;)
Title: Firewall Question
Post by: smilodon on December 05, 2004, 04:36:24 PM
Quote (originally posted by Albert):
Question:

Do you really need a software firewall?

Discuss in no more than 200 words.


With NAT only I lose all control of outbound connections from my LAN. Should I get a nasty on my PC (trojan, spyware, keylogger etc.) it would be able to connect out without any problem at all. With a firewall I can control each packet from each application down to local and remote ports, protocol and even destination IP.

Security is a layered thing. The more layers the greater the security. Kerio is free and I understand how to write tight rules that control access to and from my PC. So it's a low cost, low effort process that greatly increases my level of security. Coupled with good AV & AT protection and I'm hopefully as safe as can be reasonably expected.
Title: Firewall Question
Post by: smilodon on December 05, 2004, 04:47:29 PM
BlueBall your question is discussed to death HERE (http://www.dslreports.com/forum/remark,12010843~mode=flat)

And for anyone interested I might have sussed the original question I asked.

NAT and Kerio hold entries in their respective data tables for differing amounts of time when dealing with UDP packets. Kerio is timing out before the router, so the router still has the channel open and passes the return packets, and Kerio has closed the channel and so flags the packet as an unsolicited inbound packet. I think?

Finally, am I 'beyond sad'? Because I find all this stuff fascinating.

Thought so  :(  :(
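The behaviour worked out in this post and described in the opening post (both tables log the outbound query, only the router still has a live entry when a late reply arrives) can be reproduced with two stateful tables that differ only in their UDP idle timeout. This is an added example, not code from the thread, from Westell or from Kerio: the 60 s and 30 s timeouts are assumed values chosen to show the mismatch, the addresses are constructed from documentation ranges, and address translation is left out so both tables key on the PC's private address.

```python
from dataclasses import dataclass

# Assumed timeouts (seconds). The real Westell and Kerio values are not given in
# the thread; these are illustrative constants chosen to show the mismatch.
ROUTER_UDP_TIMEOUT = 60
HOST_UDP_TIMEOUT = 30
TCP_TIMEOUT = 3600


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src: tuple      # (ip, port)
    dst: tuple      # (ip, port)
    t: float        # seconds since the original outbound query


class StateTable:
    """Minimal stateful filter: an outbound packet records a flow, and an inbound
    packet passes only if the reverse flow exists and has not idled past its timeout."""

    def __init__(self, name, udp_timeout):
        self.name = name
        self.timeouts = {"udp": udp_timeout, "tcp": TCP_TIMEOUT}
        self.flows = {}   # (proto, src, dst) -> time last seen

    def outbound(self, pkt):
        self.flows[(pkt.proto, pkt.src, pkt.dst)] = pkt.t

    def inbound(self, pkt):
        key = (pkt.proto, pkt.dst, pkt.src)   # look up the flow in the reverse direction
        last = self.flows.get(key)
        if last is None:
            return "unsolicited"              # no matching outbound flow at all
        if pkt.t - last > self.timeouts[pkt.proto]:
            del self.flows[key]
            return "expired"                  # flow existed but idled past the timeout
        self.flows[key] = pkt.t               # a matching packet refreshes the entry
        return "pass"


PC = ("192.168.1.2", 27015)          # private LAN address (constructed)
SERVER = ("203.0.113.10", 27011)     # game server, documentation range (constructed)


def simulate(reply_delays):
    """One UDP query leaves the PC at t=0; replies arrive at the given delays.
    Returns (delay, router verdict, host firewall verdict) for each reply."""
    router = StateTable("Westell NAT/SPI", ROUTER_UDP_TIMEOUT)
    host = StateTable("Kerio", HOST_UDP_TIMEOUT)
    query = Packet("udp", PC, SERVER, 0.0)
    host.outbound(query)      # Kerio logs the query first, then the router
    router.outbound(query)
    results = []
    for delay in reply_delays:
        reply = Packet("udp", SERVER, PC, float(delay))
        rv = router.inbound(reply)
        # Kerio only sees what the router forwards
        hv = host.inbound(reply) if rv == "pass" else "not reached"
        results.append((delay, rv, hv))
    return results


def probe():
    """A packet from a host the PC never spoke to never gets past the router."""
    router = StateTable("Westell NAT/SPI", ROUTER_UDP_TIMEOUT)
    router.outbound(Packet("udp", PC, SERVER, 0.0))
    scan = Packet("udp", ("198.51.100.7", 1234), PC, 10.0)   # constructed scanner
    return router.inbound(scan)


if __name__ == "__main__":
    for delay, rv, hv in simulate([5, 45, 90]):
        print(f"t={delay:>3}s  router={rv:<12} kerio={hv}")
    print("scan from unknown host:", probe())
```

The second reply (45 s after the last packet Kerio saw) is exactly the case in the thread: the router's entry is still within its 60 s window and is refreshed, while Kerio's 30 s entry has expired, so the same legitimate packet is "return traffic" at the router and "unsolicited inbound" at the host. Once the entry has been dropped no later reply can revive it, which is why the alerts keep coming until the client sends another query. A genuinely unsolicited probe from a third host is dropped at the router regardless of timeouts.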
Title: Firewall Question
Post by: Barley on December 06, 2004, 08:09:02 AM
I don't even know what NAT is!  :blink:

Long long ago in a galaxy far far away I used to use NIS to protect my system.

Things have moved on though, including my internet connection, which for the last year or so has been broadband. I've got myself a nice Belkin modem/router/WAP, with a firewall built in.

I haven't tweaked it in any way, I just enabled it and leave it alone.  I have AVG on as up to date as you can possibly get it, and everything seems to work fine for me.

If I run a software firewall in conjunction with the hardware firewall I never get any warnings, so I don't bother with software firewalls any more, just a waste of computer resources.
Title: Firewall Question
Post by: Benny on December 06, 2004, 08:58:01 AM
I'm intrigued as to how the firewall deals with UDP. There shouldn't be entries in the state table, unless you tell it that given udp port xyz leaving, allow port zyx back in, which doesn't sound right.

I assume you've allowed your specific udp's back in, or am I missing something in this thread.
Title: Firewall Question
Post by: smilodon on December 06, 2004, 09:57:16 AM
There are two firewalls in this saga. One sits on the modem and is set to allow all outgoing connections, bar NetBIOS. It also allows all incoming connections and passes them to NAT. I don't use it mainly because it isn't application specific. It just opens a port to all traffic or it blocks it completely. Not very satisfactory.

The software firewall sees the UDP packets from Steam as unsolicited and I have to set up inbound rules in the software firewall to account for them.

Out through port xyz and back in through port zyx is called 'trigger ports' in my modem configuration. It says "Forward a range of ports to an IP address on the LAN only after specific outbound traffic". But I don't use that either  :)

NAT obviously is seeing the UDP packets from Steam as return packets in the state table and forwards them to my PC. I don't have IP passthrough or DMZ or any of that stuff active...just simple NAT.
Title: Firewall Question
Post by: A Twig on December 06, 2004, 12:49:49 PM
In order to sustain my beleaguered PC I am looking into getting rid of my software firewall and getting a hardware one. Will it make much difference? Please bear in mind that my knowledge of networks consists of putting a cable from one net card to another and running a wizard...  :D

Oh Sorry for the thread hi-jack...
Title: Firewall Question
Post by: smilodon on December 06, 2004, 03:06:55 PM
No problem.
OK here goes with me trying not to get over complicated.

1. Hardware NAT. One feature of NAT (which should be built into your modem/router) is that it ignores any inbound connection attempts from the outside. So your PC cannot be attacked from the Internet. However it doesn't stop anything from inside your computer from dialing out. So if you download a piece of software from the Internet and it's infected with a trojan, then the trojan can connect out to its owner and your PC is in deep trouble. So NAT protects you from what's outside.

2. Hardware firewall. This isn't a feature of all modem/routers so check your intended purchase has one. Hardware firewalls can protect both inbound and outbound, so they stop hacking attempts from the Internet as well as preventing trojans etc. from 'phoning home' from your PC out onto the Internet. However they only open and close 'ports'. So for example - You want to look at the Deadmen home page. Your web browser connects out from your PC to the web server on the Internet that hosts the Deadmen web site (Hi-Velocity). It connects to port 80 of the web server. So to allow that connection you have to set your router firewall to allow outbound connections to port 80. So now your web browser can connect to port 80 on any web server including the Deadmen one. However now that outbound connections to port 80 are allowed ANYTHING can now connect out onto port 80, including spyware applications, trojans, keyloggers and the like. You've opened a hole that anything can get out through. So basic hardware firewalls offer only reasonable protection from outside and inside.

3. Software firewalls. Good software firewalls that live on your PC can be much more exact. You can make far more precise rules that make sure no program is allowed to do anything it wasn't supposed to do. You can lock your PC down tighter than a tight thing. So software firewalls offer good protection from outside and inside.

So it's about levels of protection. The more effort you put in the more protection you get out. All you have to do is balance the threats against the effort required to protect your PC.

For me that's a NAT router and a software firewall combined.
Title: Firewall Question
Post by: TeaLeaf on December 06, 2004, 03:17:21 PM
Stateful Packet Inspection.

TL.
Title: Firewall Question
Post by: Benny on December 06, 2004, 03:24:22 PM
Quote (originally posted by smilodon@Dec 6 2004, 10:57 AM):
There are two firewalls in this saga. It also allows all incoming connection and passes them to NAT.
The software firewall sees the UDP packets from Steam as unsolicited and I have to set up inbound rules in the software firewall to account for them.

Out through port xyz and back in through port zyx is called 'trigger ports' in my modem configuration. It says "Forward a range of ports to an IP address on the LAN only after specific outbound traffic". But I don't use that either :)

Ok, sorry, slowly getting my head round what you're saying.
You have a router doing NAT. Forwarding all ports inbound to x address. The bit I'm struggling with is
Quote: "NAT obviously is seeing the UDP packets from Steam as return packets in the state table and forwards them to my PC. I don't have IP passthrough or DMZ or any of that stuff active...just simple NAT."
Simple NAT doesn't do that. Simple NAT translates IP addresses, and that is all, it doesn't rely on state tables or the like, unless it's for TCP.

I think, and feel free to kick me in the nuts, you have a router doing NAT

your private address to your public ISP assigned address and vice versa, no restrictions.

And you also have your software firewall - port filtering on your PC.

Quote: "I don't use it mainly because it isn't application specific."
Each to their own and I'm certainly not criticising/belittling, but I know what's installed on my PC and I don't feel the need to be application specific. Source/destination/port is good enough for most hosting organisations, and is certainly good enough for me. Just keep an eye on what you download/install and make sure your AV is up to date, and run spyware things now and then.

As a side note, Giant antispyware looks good on my limited trial.


Personally I use a hardware router with a firewall on it. It does the NAT and the port based security.  Netgear 824g
Title: Firewall Question
Post by: smilodon on December 06, 2004, 04:41:52 PM
Well that's another way of putting it, but I thought my explanation was simpler  :)
Title: Firewall Question
Post by: Wordan on December 06, 2004, 05:19:11 PM
I have a question about NAT. I always thought NAT worked by mapping connections to ports, i.e. when the web server sends back the data to a particular port the NAT router knows which internal IP address it needs to go to. You only have one external IP address.

I always wondered what IP Masquerading did. I recently read that IP Masquerading does what I have described above, and that NAT actually maps many external IP addresses to many private addresses.  :huh:   Am I understanding that right?

http://en.tldp.org/HOWTO/IP-Masquerade-HOWTO/what-is-masq.html

OK, I've just noticed them referring to it as 1:Many NAT, which defeats the purpose of this post, but whatever  :rolleyes:  I thought shouldn't what most people call NAT be called IP masquerading?

Sorry, I don't know much else. I can't help with the first post, and this post is kinda off-topic.
Title: Firewall Question
Post by: albert on December 06, 2004, 06:33:35 PM
Following on from Smilo's main 3 points.

The important thing is that you have a firewall, be it on your pc in the form of software or on another pc or router or router/modem that perhaps does the dial up to ADSL or Cable.

On the topic of ports and opening ports. If you have a good firewall like the Stateful Inspection Firewall Benny and TL mention, then it can track conversations between your PC and Internet destinations. If you go a step further the firewall may inspect each packet to ensure that port is actually HTTP traffic so using another protocol over a well known widely used port like port 80 is detected and dropped.

If you have the time and really want to (nerd) learn this type of stuff, get yourself a cheap old PC with two or three NICs on it and install Linux and one of the many free Linux firewalls. Gentoo is a pretty secure distribution.

Edit: NAT is address to address translation, PAT (not the posty) is PORT Address Translation, i.e. many internal LAN addresses to one IP address but distinguished by the firewall by giving each mapping a different port so return traffic goes back to the correct internet IP address.
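The protocol check described two paragraphs up (confirming that a connection to port 80 is actually carrying HTTP, and dropping anything else riding the well-known port) can be written as a test on the first client payload of each new flow. This is an added example and not code from the thread or from any firewall product: the sample payloads are constructed, and the check is deliberately limited to an HTTP/1.x request line, so it will not recognise the old HTTP/0.9 "GET /" form and it treats TLS bytes on port 80 as not-HTTP.

```python
import re

# HTTP/1.x request line: METHOD SP request-target SP HTTP/<major>.<minor> CRLF
_REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/1\.[01]\r\n")
_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"CONNECT"}


def looks_like_http_request(payload: bytes) -> bool:
    """True if the first bytes of a client payload form a plausible HTTP/1.x request line."""
    m = _REQUEST_LINE.match(payload)
    if not m:
        return False
    method, target = m.group(1), m.group(2)
    if method not in _METHODS:
        return False
    # origin-form ("/path"), absolute-form ("http://host/..."), asterisk-form ("*"),
    # or authority-form ("host:port"), which is only valid with CONNECT
    return target.startswith((b"/", b"http://", b"*")) or method == b"CONNECT"


def filter_port80(flows):
    """Apply the protocol check to the first client payload of each new flow.
    `flows` is a list of (label, dst_port, first_payload); returns {label: verdict}.
    Only port 80 is inspected; later packets of a passed flow are not re-checked,
    because request bodies and responses do not start with a request line."""
    verdicts = {}
    for label, dst_port, payload in flows:
        if dst_port != 80:
            verdicts[label] = "not inspected"
        elif looks_like_http_request(payload):
            verdicts[label] = "pass"
        else:
            verdicts[label] = "drop: not HTTP on port 80"
    return verdicts


# Constructed sample flows: the first client payload of each connection.
SAMPLE_FLOWS = [
    ("browser",   80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("ssh-on-80", 80, b"SSH-2.0-OpenSSH_3.9p1\r\n"),                        # SSH banner on port 80
    ("tunnel",    80, b"\x16\x03\x01\x00\xc6\x01\x00\x00\xc2\x03\x01"),     # TLS ClientHello bytes
    ("smtp",      25, b"EHLO mail.example.com\r\n"),                        # not a port-80 flow
]

if __name__ == "__main__":
    for label, verdict in filter_port80(SAMPLE_FLOWS).items():
        print(f"{label:<10} {verdict}")
```

The caveat a practitioner would add: this catches a foreign protocol dropped straight onto port 80 (an SSH daemon moved there, a raw tunnel), but not software that wraps its traffic in well-formed HTTP requests, which is exactly what most "phone home" code does. It is a useful layer on top of port filtering, not a replacement for controlling which applications may connect out.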
Title: Firewall Question
Post by: smilodon on December 06, 2004, 06:35:23 PM
IP masquerading and NAT are two ways to achieve the same effect, to allow several PCs on a LAN to share a single IP address on the Internet.

IP Masquerading is used in a Linux setup where one Linux box sits as a bridge between the LAN and the Internet.

NAT does something similar but is found within a router rather than on a PC.

AFAIK
Title: Firewall Question
Post by: Benny on December 06, 2004, 06:52:25 PM
NAT is Network Address Translation.

Converts one or many addresses to another. 1 to 1, 1 private address becomes 1 public and vice versa. Hit google up for RFC 1918 if you are interested in public and private addressing.

Or you can have many to one. Multiple PCs, as Smilo says, hidden behind one real address.

You can use port forwarding in conjunction with NAT. For example, I have three PCs, all of which can browse the internet using a simple many to one. Inbound connections are port forwarded based on the port. So, a port 80 request comes into my public address and is re-routed to my private web server address as it is port 80.

Port 21 goes to a different PC.
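The many-to-one translation Benny describes here (and albert's "PAT" edit above, where each LAN host is told apart by the public source port the box assigns) plus the two static port forwards can be shown in a few dozen lines. This is an added example, not Benny's Netgear configuration or any vendor's code: the public and private addresses are constructed from the documentation and RFC 1918 ranges, and the public ports are handed out from an assumed pool starting at 49152.

```python
class Pat:
    """Many-to-one NAT (PAT): every LAN host shares one public IP and is told apart
    by the public source port assigned to its flow. Inbound packets that match no
    binding are delivered only if a static port-forward rule covers the port."""

    def __init__(self, public_ip, forwards=None, first_port=49152):
        self.public_ip = public_ip
        self.forwards = forwards or {}   # public dst port -> (private ip, private port)
        self.next_port = first_port      # assumed pool of public source ports
        self.out = {}    # (priv ip, priv port, remote ip, remote port) -> public port
        self.back = {}   # public port -> (priv ip, priv port, remote ip, remote port)

    def translate_outbound(self, pkt):
        """pkt = (src_ip, src_port, dst_ip, dst_port) from a LAN host.
        Returns the packet as sent to the Internet, source rewritten to the public address."""
        src_ip, src_port, dst_ip, dst_port = pkt
        key = (src_ip, src_port, dst_ip, dst_port)
        pub = self.out.get(key)
        if pub is None:                      # first packet of this flow: allocate a binding
            pub = self.next_port
            self.next_port += 1
            self.out[key] = pub
            self.back[pub] = key
        return (self.public_ip, pub, dst_ip, dst_port)

    def translate_inbound(self, pkt):
        """Reverse translation for a packet arriving at the public address.
        Returns the packet as delivered on the LAN, or None if it is dropped."""
        src_ip, src_port, dst_ip, dst_port = pkt
        if dst_ip != self.public_ip:
            return None
        binding = self.back.get(dst_port)
        # A binding only counts as a reply when it comes from the host and port
        # the LAN machine actually spoke to; anything else on that port is unsolicited.
        if binding and binding[2:] == (src_ip, src_port):
            priv_ip, priv_port = binding[:2]
            return (src_ip, src_port, priv_ip, priv_port)
        fwd = self.forwards.get(dst_port)     # static rules: port 80 -> web box, 21 -> FTP box
        if fwd:
            return (src_ip, src_port, fwd[0], fwd[1])
        return None                           # no binding, no forward: dropped


def demo():
    """Three LAN PCs browsing, plus inbound web, FTP and an unsolicited SSH attempt."""
    pat = Pat("198.51.100.1", {80: ("192.168.1.10", 80), 21: ("192.168.1.11", 21)})
    web = ("203.0.113.5", 80)
    # all three PCs even reuse the same source port; the public ports still differ
    outs = [pat.translate_outbound((f"192.168.1.{n}", 3001, *web)) for n in (2, 3, 4)]
    replies = [pat.translate_inbound((*web, "198.51.100.1", o[1])) for o in outs]
    return {
        "public_ports": [o[1] for o in outs],
        "replies": replies,
        "web_in": pat.translate_inbound(("192.0.2.9", 40000, "198.51.100.1", 80)),
        "ftp_in": pat.translate_inbound(("192.0.2.9", 40001, "198.51.100.1", 21)),
        "ssh_in": pat.translate_inbound(("192.0.2.9", 40002, "198.51.100.1", 22)),
        # a third party guessing an allocated port is not a reply and is dropped
        "spoof_in": pat.translate_inbound(("192.0.2.9", 40003, "198.51.100.1", outs[0][1])),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:<13} {v}")
```

This is the mechanism that lets several PCs share one address: the public port, not the address, is what identifies the LAN host, which is why the router "knows which internal IP it needs to go to" without any per-port rules. The two forward rules are the only way an unsolicited packet reaches the LAN, and a packet to any other port, or to an allocated port from the wrong peer, is silently dropped.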