Kerio vs. Router NAT - blocking spyware
no13
September 28th, 2004, 06:15 AM
I use Kerio v4, and I have a NAT firewall in my Router cum ADSL modem.
If I configure the Router (which I should, because all traffic is routed through the LAN), not only am I saving bandwidth, but also performance overheads. But it's a pain to configure, because I need to configure it one rule at a time. I basically need to block some 150 or so ad servers whose IPs I've collected. Right now, the bandwidth penalty is very high (because my rule list is HUGE)... One failure and wham, I'll need to reconfigure all 200 of them (incl. the 50 rules for ICMP/ping etc.)
Do I have any options? Can anyone tell me how I can download Router NAT Firewall's rule list...
I use a router by SMC.
CrazyM
September 29th, 2004, 01:56 AM
-{ Quote: "I basically need to block some 150 or so adservers whose ip's I've collected. Right now, the bandwidth penalty is very high (because my rule list is HUGE)... One failure and wham, I'll need to reconfigure all 200 of them" }-
If it is denying outbound connections to ad servers have you considered using a hosts file: Blocking Unwanted Parasites with a Hosts File (http://www.mvps.org/winhelp2002/hosts.htm).
-{ Quote: "(incl. the 50 rules for ICMP/ping etc.)" }-
That is a lot of rules for just ICMP :o
-{ Quote: "Do I have any options? Can anyone tell me how I can download Router NAT Firewall's rule list...
I use a router by SMC." }-
I am not familiar with that router or its rules capabilities. Most firewalls will work on an implicit deny model (anything not permitted is denied). Keep this in mind when creating rule sets and focus on what you want to allow to keep the number of rules manageable. If you can provide a few more details on the router's capabilities and your current rule set, we might be able to offer some suggestions. Also keep in mind things like ads are probably dealt with more easily on the PCs themselves with browser options, a hosts file or a proxy than on the router.
Regards,
CrazyM
no13
September 29th, 2004, 01:59 AM
Thanks about the hosts file - Does it have a large performance penalty too?
I used to have the customized hosts file on WinMe but I forgot all about it when I upgraded to XP.
CrazyM
September 29th, 2004, 02:39 AM
Using a hosts file should not impact performance. There are different ones available, varying in size and sites covered. You can easily edit them yourself if you want. The MVPs hosts file in the link above is one of the smaller ones.
Regards,
CrazyM
no13
September 29th, 2004, 04:35 AM
Hey... got a larger hosts file? (171 KB feels huge enough, but is there more??)
Edit: Should I use Proxomitron or something? I think the performance penalty is higher there, but I'm not sure... Also, I'm using Kerio, and it doesn't have component control... I used Thermite (link on PC Flank) - if I let the program start, it defeats the firewall. Is there any generic rule for such activity?
dvk01
September 29th, 2004, 04:53 AM
It's pointless blocking ad servers by IP number as they change IP numbers very frequently to try to stop people doing that.
It's much better to use the hosts file to block by name, as that rarely changes and new ones can be easily added.
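As an added example (not from the thread or from any of the posters), here is a small Python script that builds and reads back a hosts file of the kind CrazyM links to above, applying dvk01's point that entries should be names rather than IPs. The domain list is constructed for illustration; using `0.0.0.0` as the sink address and the validation rules applied are this example's own choices, not the mvps.org file's.

```python
import ipaddress
import re
from typing import List, Optional

# Hostname labels: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Names that must never be blackholed, or the machine itself breaks.
PROTECTED = {"localhost", "localhost.localdomain"}


def normalize_host(name: str) -> Optional[str]:
    """Return a canonical hostname, or None if the entry is unusable.

    IP literals are rejected on purpose: ad networks rotate addresses
    (dvk01's point above), so only names go into the file.
    """
    name = name.strip().lower().rstrip(".")
    if not name or name in PROTECTED or len(name) > 253:
        return None
    try:
        ipaddress.ip_address(name)
        return None  # it is an IP literal, not a name
    except ValueError:
        pass
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(lbl) for lbl in labels):
        return None
    return name


def build_hosts(entries, sink: str = "0.0.0.0") -> List[str]:
    """Produce hosts-file lines: sorted, deduplicated, one host per line.
    The loopback entry for localhost stays first so it is never shadowed."""
    names = {n for n in (normalize_host(e) for e in entries) if n}
    header = ["# ad/tracker blackhole list (generated example)",
              "127.0.0.1 localhost"]
    return header + [f"{sink} {n}" for n in sorted(names)]


def parse_hosts(lines) -> dict:
    """Parse hosts-file lines into {hostname: address}. The first mapping
    for a name wins, which is how the resolver applies the file."""
    table = {}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *hosts = line.split()
        for h in hosts:
            table.setdefault(h.lower(), addr)
    return table


def resolve(table: dict, name: str) -> Optional[str]:
    """Mimic the hosts-file step of name resolution: exact-name match only.
    A hosts file has no wildcards, so 'sub.ads.example.test' is NOT covered
    by an 'ads.example.test' entry; each hostname must be listed."""
    return table.get(name.strip().lower().rstrip("."))


# Constructed sample input, deliberately messy: duplicates, mixed case,
# a trailing dot, an IP literal, an invalid label and a protected name.
SAMPLE = [
    "ads.example.test", "ADS.example.test", "tracker.example.test.",
    "192.0.2.10", "bad_host.example.test", "localhost",
    "-leading.example.test", "cdn.ads.example.test",
]

if __name__ == "__main__":
    for line in build_hosts(SAMPLE):
        print(line)
```

On Windows XP the file the resolver reads is `%SystemRoot%\system32\drivers\etc\hosts`; the generated lines would be appended there. The lookup in `resolve` is exact-match only, which is why the real blocklists are long: every ad hostname has to appear explicitly.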
no13
September 29th, 2004, 05:01 AM
Good point about adserver names...but my original question is...
Is there any util that can get me my ruleset backed up from *hardware NAT Firewall*?
I fear that this may be an extremely stupid question, but I must know.
Just out of sheer pig-mindedness, I'm going into network programming from next semester onwards(side hobby in college)...So if the util. doesn't exist I'll try to make it.
Infinity
September 29th, 2004, 05:38 AM
you can try blocklist manager by B.I.S.S
You find a whole internet community there specialized in merging blocked IPs, names that should be blocked, and firewalls/tools for blocking the things you want. A lot of firewalls are covered and they now also use the Snort import (intrusion prevention). The link:
http://www.bluetack.co.uk/modules.php?name=Content&pa=showpage&pid=1
no13
September 29th, 2004, 08:58 AM
Got something else in same category? Proxomitron - how is it?
Infinity
September 29th, 2004, 11:25 AM
Proxomitron is perfect. I use it with Kye-U filters and you find it here in the privacy area.
no13
September 29th, 2004, 12:15 PM
Will do. I'll report back 24 hrs after I install it. Okies?
Infinity
September 29th, 2004, 01:19 PM
You should post it in the privacy area if you want to go further with the Proxomitron app.
bye
no13
September 29th, 2004, 01:48 PM
Ok
But what happened to NAT rules? I think you can back up Cisco's ACLs... what about other router manufacturers? Is it possible?
CrazyM
September 30th, 2004, 01:41 AM
-{ Quote: "Ok
But what happened to NAT rules? I think you can back up Cisco's ACLs... what about other router manufacturers? Is it possible?" }-
The documentation for your router should tell you if it has an option to back up the configuration. As for other routers, configuration options will vary a great deal from basic NAT routers to ones that also provide firewalling, ACLs and more. So to answer your question, yes it is possible, but it will depend on the router.
Regards,
CrazyM
no13
September 30th, 2004, 01:44 AM
Thanks. I guess this thread can be closed now, unless someone can show me a util/source code for backing up SMC routers' ruleset.
Thread should be considered closed if no reply in 24hrs., I guess.
CrazyM
September 30th, 2004, 01:54 AM
You could take a look at SMC Networks Forum (http://www.broadbandreports.com/forum/smc) and post there if a search does not turn up anything.
Regards,
CrazyM
no13
September 30th, 2004, 02:02 AM
I have 'nother question
The Shields Up! test at grc.com shows many ports as closed. When I stealth them (using router configs - I apply "ignore" to all TCP packets on all ports in the incoming direction from the Public/Internet interface), then I can't use Yahoo Messenger, nor can I use ping/traceroute etc. Got any solutions?
still_longhorn
October 3rd, 2004, 08:26 AM
Your router blocks outgoing packets? Just asking....
still_longhorn
October 3rd, 2004, 08:34 AM
How many machines are hiding behind your NAT router? I'm really curious about your configuration...
no13
October 3rd, 2004, 09:07 AM
My router blocks what it likes, and just 1 pc is behind router.
still_longhorn
October 3rd, 2004, 09:29 AM
A Network Address Translator that blocks outgoing packets... Uhh, OK...
I was just curious...
no13
October 3rd, 2004, 09:36 AM
The router has an inbuilt firewall, my dear dear greenhorn (surely, you jest!)
still_longhorn
October 3rd, 2004, 09:49 AM
Yes. I guess you're right... You should know better since it's your configuration and you made the rules, right? I really don't know anything about a single PC VPN behind a NAT router that blocks outbound packets; that's why I'm here at WSF to ask you and the more knowledgeable members questions. I wish I did so I could contribute something to the discussion. I'm sorry...
no13
October 3rd, 2004, 09:57 AM
Just poking fun man... don't be offended (you saw them throwing tacos at each other... the MODS do that!!!)
Anyways... I DON'T HAVE A CLUE WHAT'S VPN (virtual private network... yes... err... after that - total blank)... be slow to judge people... I'm not knowledgeable, I don't even know WHY I have a router when only a DSL modem would have done... we're all here to learn...
<read my sig. - comments??>
still_longhorn
October 3rd, 2004, 10:29 AM
You just don't have a router. You have a NAT router! A computer that can hide more than just a subnet or an entire class C.
NAT's basic operation is as follows. The addresses inside a stub domain can be reused by any other stub domain. For instance, a single Class A address could be used by many stub domains. Regardless of configuration (static, dynamic, overloading or overlapping) communication is initiated from addresses from within the stub domain thus it would be illogical to configure a NAT to block outbound packets.
NAT only allows connections that originate inside the stub domain. Essentially, this means that a computer on an external network cannot connect to your computer unless your computer has initiated the contact. You can browse the Internet and connect to a site, and even download a file; but somebody else cannot latch onto your IP address and use it to connect to a port on your computer.
I don't throw tacos 'cause I'm not a mod. Now who's the greenhorn?
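As an added example (not from the thread or from any of the posters), the following Python models the one NAT property the post above gets right and that the rest of the thread turns on: an outbound packet creates a translation entry, the reply is mapped back through that entry, and an unsolicited inbound packet with no entry has nowhere to go and is dropped. It is a port-overloading NAT (one public IP shared by all inside hosts), the mode a single-address ADSL router uses. All addresses, ports and the `forward` helper are this example's own constructed values, not SMC's configuration.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    """Port-overloading NAT: every inside host shares one public IP and is
    told apart by the public port the router hands out per connection."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self._next_port = first_port
        # (proto, private ip, private port) -> public port
        self._out: Dict[Tuple[str, str, int], int] = {}
        # (proto, public port) -> (private ip, private port)
        self._in: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def forward(self, proto: str, public_port: int, priv_ip: str, priv_port: int):
        """Static port forward: the only way an outsider gets in unasked."""
        self._in[(proto, public_port)] = (priv_ip, priv_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: create (or reuse) a translation, rewrite source."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self._out:
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._in[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self._out[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: deliver only if a translation exists."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self._in.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None  # unsolicited: nobody inside asked for this
        priv_ip, priv_port = entry
        return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)


def demo() -> dict:
    """Two inside PCs using the same source port, replies to both, a probe at
    an unforwarded port, and a probe at a forwarded one. Constructed data."""
    nat = PatRouter("198.51.100.7")
    pc1 = Packet("tcp", "192.168.1.2", 50000, "203.0.113.5", 80)
    pc2 = Packet("tcp", "192.168.1.3", 50000, "203.0.113.5", 80)
    out1, out2 = nat.outbound(pc1), nat.outbound(pc2)
    reply1 = Packet("tcp", "203.0.113.5", 80, out1.src_ip, out1.src_port)
    reply2 = Packet("tcp", "203.0.113.5", 80, out2.src_ip, out2.src_port)
    probe = Packet("tcp", "203.0.113.9", 40000, "198.51.100.7", 135)
    nat.forward("tcp", 5050, "192.168.1.2", 5050)
    forwarded = Packet("tcp", "203.0.113.9", 40001, "198.51.100.7", 5050)
    return {
        "out1": out1, "out2": out2,
        "back1": nat.inbound(reply1), "back2": nat.inbound(reply2),
        "probe": nat.inbound(probe), "forwarded": nat.inbound(forwarded),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The `probe` case is what a port scan from outside sees with no rules at all: the packet never reaches the PC. The `forwarded` case is the exception CrazyM notes later in the thread ("unless you have forwarded anything through").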
no13
October 3rd, 2004, 10:40 AM
Mein gott....
no13
\gets dizzy due to techtalk (way too much tech talk)
\wakes up to find David Blaine turning a porcupine into a Windows XP, P4 piece o' crap.
Great Scotty...You haven't answered my question mon ami....
QUOTE "The Shields Up! test at grc.com shows many ports as closed. When I stealth them (using router configs - I apply "ignore" to all TCP packets on all ports in the "incoming direction" from the "Public/Internet interface"), then I can't use Yahoo Messenger, nor can I use ping/traceroute etc. Got any solutions?" UNQUOTE
So...anyone?
still_longhorn
October 3rd, 2004, 11:59 AM
Why in this world should one wanna stealth his machine with a router when he can do that with his soft firewall? Just turn it on and even with just defaults, all your ports are stealthed. At least mine are with a ZA free or the sygate personal I used prior to ZA. Hard firewalls blocking outbound packets? Not from where I come from but then , its really just a shanty town in Asia. So not in my lifetime! Your router couldn't filter outbound IM even if your life depended on it. It was never intended to do that so I seriously doubt you could set the rules to do otherwise. Of course I could be wrong coming from that po' shanty town in Asia...
CrazyM
October 3rd, 2004, 04:48 PM
-{ Quote: "Regardless of configuration (static, dynamic, overloading or overlapping) communication is initiated from addresses from within the stub domain thus it would be illogical to configure a NAT to block outbound packets." }-
Are you suggesting that filtering outbound traffic on a network at the router/firewall is not required or good security practice? Does security stop with blocking unsolicited inbound packets?
Granted a lot of routers in use by home users provide only basic NAT, which will deny unsolicited inbound and permit all outbound. Entry level routers are becoming more sophisticated and offering more configuration options in addition to the more advanced router/firewalls that have been around for awhile. For those that have the option to filter traffic inbound and outbound (in addition to basic NAT), a security policy should be applied to both.
Regards,
CrazyM
CrazyM
October 3rd, 2004, 04:51 PM
-{ Quote: "Great Scotty...You haven't answered my question mon ami....
QUOTE "The Shields Up! test at grc.com shows many ports as closed. When I stealth them (using router configs - I apply "ignore" to all TCP packets on all ports in the "incoming direction" from the "Public/Internet interface"), then I can't use Yahoo Messenger, nor can I use ping/traceroute etc. Got any solutions?" UNQUOTE
So...anyone?" }-
Remember logs are your friend when troubleshooting firewalls.
Anything in your logs that indicate what is being blocked and may require adding to your rules?
Regards,
CrazyM
still_longhorn
October 4th, 2004, 04:58 AM
Hi Crazy M,
No, I am not suggesting that it is not good security practice to filter outbound packets. However, a NAT router cannot be expected to do what it was not designed to do. Simply put, machines in the stub domain do not have IP addresses until after they initiate contact with an outside machine. It is the job of the router to assign the IP address under any of the following configurations: Static, dynamic, overloading or overlapping. As such, it would be far better to simply let a soft firewall "filter" outbound packets and leave the NAT router do its primary task of translating/routing packets to the stub domain machines.
Note that the two most compelling problems facing the IP Internet are IP address depletion and scaling in routing and NAT routers were part of the solution since it allowed for IP address duplication as long as the "duplicate" was within the stub domain of a NAT.
I wouldn't consider a home use basic router in the same category of NAT routers that are capable of translating a whole class C or even class A net addresses.
I think this is where the misunderstanding is.
Regards,
Still Longhorn
no13
October 4th, 2004, 08:37 AM
Let me make a few things clear Still Longhorn...
1. The tone of your posts is getting really aggressive; I don't know if you mean it, but people have a tendency to *ignore* aggressive posts (I do - I never even spam people... you want to fight? find someone else - that's my usual thinking).
2. I have a NAT firewall built in along with the router... details in the manual for the SMC7401BRA ADSL Barricade by SMC.
3. I am NOT blocking OUTBOUND traffic... I am blocking INBOUND CONNECTION REQUESTS at SELECT PORTS.
please stop misconstruing me. PLEASE.
no13
October 4th, 2004, 08:42 AM
Crazy M
I tried to block all inbound connection requests, but that denies requests to the IM too. I use the router as a LAN server, so even if I block unsolicited attempts using the software firewall, it comes out as slow and everyone can see I'm online... no ports will be open, but there are a lot closed.
I set the rules to "ignore" for "inbound traffic" on the "public interface", i.e. the Internet, to "stealth" a port... the terminology is that of SMC and grc.com...
So my router's firewall protects the LAN entry point (the router itself... which actually has the public Internet IP and the LAN entry point IP <192.168.1.1>), while Kerio controls traffic in and out of the PC, which has only the LAN IP assigned to it. That's all I've understood.
any solutions?
still_longhorn
October 4th, 2004, 08:53 AM
-{ Quote: "The router has an inbuilt firewall, my dear dear greenhorn " }-
Yah sure!
still_longhorn
October 4th, 2004, 09:21 AM
-{ Quote: "3. I am NOT blocking OUTBOUND traffice... I am blocking INBOUND CONNECTION REQUESTS at SELECT PORTS.
please stop misconstruing me. PLEASE." }-
QUOTE "The Shields Up! test at grc.com shows many ports as closed. When I stealth them (using router configs - I apply "ignore" to all TCP packets on all ports in the "incoming direction" from the "Public/Internet interface"), then I can't use Yahoo Messenger, nor can I use ping/traceroute etc. Got any solutions?" UNQUOTE
I don't think I misconstrued you! Since when has using YIM, Pinging & Tracerouting been an incoming situation?
I really was sincere in asking questions. It's you who's got an attitude!
I don't wanna argue with you 'cause i don't believe in attacking unarmed people...
no13
October 4th, 2004, 09:25 AM
With reference to reply #33... even Cisco routers have firewalls/packet filters that run on ACLs... also you can check out the SMC7401BRA ADSL Barricade product manual... I don't get to name it a firewall, they do.
Regards.
no13
still_longhorn
October 4th, 2004, 09:36 AM
I was referring to the greenhorn part...
no13
October 4th, 2004, 09:47 AM
with respect to #34
I disabled Ping and traceroute IN by changing ICMP settings. This is a powerful safety valve which even hackers recommend.
Regards.
no13
still_longhorn
October 4th, 2004, 10:32 AM
-{ Quote: "with respect to #34
I disabled Ping and traceroute IN by changing ICMP settings. This is a powerful safety valve which even hackers recommend.
Regards.
no13" }-
Huh?!
Try this instead: DOS prompt > ping -l 65510 [Targethost i.e. your girl's IP]
Chat with your girl and impress her by pinging her IP address...
I'm out of here! LOL!
Jeesiz....!
no13
October 4th, 2004, 10:49 AM
Ya... right... sure...
NOTE for all users: post #38 is not endorsed by me. i'm not responsible for its after effects.
still_longhorn
October 4th, 2004, 10:52 AM
I'm curious again.... How does one disable the ping port (9595) or the traceroute port (33434) by changing ICMP settings? It must be child's play to you but I could never do that...!
no13
October 4th, 2004, 11:01 AM
One disables replies to ICMP echoes and such stuff by disabling certain ICMP codes.
--
The mods.
They're watching.
Infinity
October 4th, 2004, 02:05 PM
let us all get civil here folks.
Pinging and tracert are outgoing packets, as far as I understand this ;)
-{ Quote: "I disabled Ping and traceroute IN by changing ICMP settings" }-
Not possible, and certainly not possible with your Kerio firewall, no13, no problems.
Peace.
still_longhorn
October 4th, 2004, 04:56 PM
-{ Quote: "One disables replies to ICMP echoes and such stuff by disabling certain ICMP codes.
" }-
Wow! You are such a genius! Thanks. I could never have figured that out!
Regards,
Still Longhorn
LowWaterMark
October 4th, 2004, 05:50 PM
Tone it down guys. Discuss the topic and the technology, not the other posters.
still_longhorn
October 4th, 2004, 06:47 PM
To WSF,
I apologize for my behaviour.
I come here to browse over discussions and try to analyze bits of information even if just remotely related to "my real workplace situation." I have learned a lot but I do get peeved when the discussion degenerates into
"Look what I read about in school! Ain't I an expert?" sort of thing. There are modules in this forum for that. I may find it amusing but it'll take much more to be impressed.
I don't want to be side-tracked by seemingly official statements of experience by forum participants only to find out that it is not so. You see, every mention of model numbers, processes, exploits, OS, etc. gets picked up by search engines and displayed on the other side of the world in the monitor of someone looking for a solution to a problem related to what is being discussed here. Now, if I stated something as gospel truth (even if in reality it's not so), I unknowingly mislead someone, somewhere.
The puns and tacos are okay...
This may not be the time, nor place for this post.
Again, my apologies.
Still Longhorn
still_longhorn
October 4th, 2004, 07:06 PM
The ADSL Barricade™ (SMC7401BRA V.2) is an external USB/Ethernet standards based ADSL modem and Router that provides high-speed Internet access to both the residential and the small and home office (SoHo) user. This new Modem/Router provides unrivaled asymmetric high-speed data transport over a single copper pair linking branch offices, home offices and individual subscribers to their network service providers, including Internet service providers.
This new high-performance ADSL Gateway has an easy-to-use web-based management user interface that can be used to configure and manage your network via a local or remote computer. For added control, this modem can also be managed via the Command Line Interface (CLI), which can be initialized through a Telnet session, or through a Windows-based configuration tool.
It is not a NAT router. Calling it one doesn't make it so. Here lies the confusion...
no13
October 4th, 2004, 09:24 PM
Reading the manual helps. And I never said V.2...whassat??
CrazyM
October 5th, 2004, 12:55 AM
-{ Quote: "I tried to block all inbound connection requests, but that denies requests to the IM too." }-
First your router will automatically block all unsolicited inbound packets by virtue of how NAT works (unless you have forwarded anything through). If it is just inbounds you are concerned about, you should not have to use the packet filtering/firewalling feature to stop these.
-{ Quote: "I use the router as a LAN server, so even if I block unsolicited attempts using the software firewall, it comes out as slow and everyone can see I'm online... no ports will be open, but there are a lot closed." }-
The system running a software firewall behind the router should not see anything showing up in its logs inbound. Any scans will be probing the router (your public/WAN IP) and the results will reflect how it responds or does not respond to these. If your ports are all showing as closed, you are still secure.
-{ Quote: "I set the rules to "ignore" for "inbound traffic" in "public interface" i.e. internet to "Stealth" a port... terminology isis that of SMC and grc.com...
So my router's firewall protects the LAN entry point (the router itself...which actually has the public internet ip and the LAN entry point ip <192.168.1.1>...while kerio controls traffic in and out of PC which has only the LAN ip assigned to it.. That's all I've understood.
any solutions?" }-
If setting just inbound deny rules is causing problems, does restoring to the default config (no rules) resolve your issues? Try getting back to a working default base line before exploring the packet filtering any further.
You will need to have a clear understanding of how the firewall processes rules as this can vary. Can you have just inbound rules without affecting outbound traffic? Or just outbound without affecting inbound? You may need both if there are any implicit denies that come into play. Do you need to, or can you, apply rules to the different interfaces of the router?
Next you could define your security policy. Just what do you need the packet filtering to do or accomplish for you over and above what basic NAT provides, if anything? Then you can start defining your rules/ACLs and then apply them.
Did I mention you will be digging into and reading your user guide ;)
Regards,
CrazyM
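As an added example (not from the thread, not SMC's firewall, and not any poster's configuration), the Python below is a toy packet filter that does what CrazyM's two posts describe: it walks an ordered rule list per interface and direction, falls through to an implicit deny, and keeps a log of what it blocked. It is run twice, stateless and stateful, over the scenario no13 reports: allow everything out on the public interface, "ignore" (silently drop) every inbound TCP packet and every inbound echo request. The stateless run reproduces the symptom (the IM server's reply and the echo replies to the PC's own pings are inbound packets and get eaten); the stateful run passes return traffic of flows the PC started, while the traceroute responses still need an explicit rule that the log points at. Rule syntax, interface names, the treatment of "reject" as closed versus "drop" as stealth, and all addresses are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Pkt:
    iface: str             # "public" (WAN) or "lan"; names assumed
    direction: str         # "in" or "out", relative to the router
    proto: str             # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1    # 8 echo request, 0 echo reply, 11 time exceeded
    syn_only: bool = False  # TCP connection request (SYN without ACK)


@dataclass(frozen=True)
class Rule:
    iface: str
    direction: str
    proto: str = "any"
    dport: Optional[int] = None       # None = any port
    icmp_type: Optional[int] = None   # None = any ICMP type
    action: str = "drop"  # "allow"; "reject" (shows closed); "drop" (stealth / "ignore")

    def matches(self, p: Pkt) -> bool:
        return (self.iface == p.iface and self.direction == p.direction
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.icmp_type is None or self.icmp_type == p.icmp_type))


class Filter:
    def __init__(self, rules: List[Rule], stateful: bool):
        self.rules, self.stateful = rules, stateful
        self.flows: Set[Tuple] = set()   # flows an inside host initiated
        self.log: List[str] = []         # what was blocked (logs are your friend)

    @staticmethod
    def _flow_key(p: Pkt) -> Tuple:
        if p.proto == "icmp":
            return ("icmp", p.src, p.dst, p.icmp_type)
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_key(p: Pkt) -> Optional[Tuple]:
        """Key of the outbound flow this inbound packet would be answering.
        Only echo reply is matched for ICMP; an ICMP error such as time
        exceeded comes from a third host and would need the embedded header
        inspected, which this toy does not do."""
        if p.proto == "icmp":
            return ("icmp", p.dst, p.src, 8) if p.icmp_type == 0 else None
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p: Pkt) -> str:
        if (self.stateful and p.direction == "in" and not p.syn_only
                and self._reply_key(p) in self.flows):
            return "allow"  # return traffic of a flow we started
        # first matching rule wins; no match means implicit deny
        verdict = next((r.action for r in self.rules if r.matches(p)), "drop")
        if verdict == "allow":
            if p.direction == "out":
                self.flows.add(self._flow_key(p))
        else:
            self.log.append(f"{verdict} {p.iface}/{p.direction} {p.proto} "
                            f"{p.src}->{p.dst} dport={p.dport} icmp={p.icmp_type}")
        return verdict


def simulate(stateful: bool, allow_ttl_exceeded: bool = False) -> dict:
    """Replay the thread's scenario with constructed addresses."""
    rules = [
        Rule("public", "out", action="allow"),
        Rule("public", "in", "tcp", action="drop"),               # "ignore" all inbound TCP
        Rule("public", "in", "icmp", icmp_type=8, action="drop"),  # no answering pings
    ]
    if allow_ttl_exceeded:  # the rule the log says to add so traceroute works
        rules.insert(0, Rule("public", "in", "icmp", icmp_type=11, action="allow"))
    f = Filter(rules, stateful)
    me, srv, hop, bad = "198.51.100.7", "203.0.113.5", "203.0.113.1", "203.0.113.9"
    v = {}
    f.decide(Pkt("public", "out", "tcp", me, srv, 50000, 5050, syn_only=True))  # IM login
    v["im_reply"] = f.decide(Pkt("public", "in", "tcp", srv, me, 5050, 50000))
    f.decide(Pkt("public", "out", "icmp", me, srv, icmp_type=8))               # ping out
    v["echo_reply"] = f.decide(Pkt("public", "in", "icmp", srv, me, icmp_type=0))
    f.decide(Pkt("public", "out", "udp", me, srv, 40000, 33434))               # traceroute probe
    v["ttl_exceeded"] = f.decide(Pkt("public", "in", "icmp", hop, me, icmp_type=11))
    v["probe"] = f.decide(Pkt("public", "in", "tcp", bad, me, 40000, 135, syn_only=True))
    v["ping_in"] = f.decide(Pkt("public", "in", "icmp", bad, me, icmp_type=8))
    v["log"] = f.log
    return v


if __name__ == "__main__":
    for mode in (False, True):
        print("stateful" if mode else "stateless", simulate(mode))
```

The point of the log is CrazyM's: the blocked-packet lines in the stateless run name exactly the packets (the IM server's reply, the echo reply, the hop's time exceeded) that the rules need to account for, and the outsider's probe and ping stay dropped in every run. Whether the SMC filter is stateful, and how it orders rules across interfaces, is what the user guide has to answer.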
no13
October 5th, 2004, 09:12 AM
Methinks 200 MB of plaintext manuals and firewall papers that us kids don't like to read will have to be read. :(
Anyway... I'll try some stuff ... (or I'll bribe the local nerd or I'll find a friend in a University campus networking team)
Thanks Crazy M
Copyright ©2002 - 2012, Wilders Security Forums