The value of a NAT firewall (router) vs. a software firewall

I checked the log of my software firewall, and I've noticed a large number of attempts (quite some time ago, early August) of 'unwanted attempts to establish a connection', apparently by my ISP (or so it seems) ! 'dns' was part of the name of the 'sender'.

UDP packets, different ports, different numbers. They went straight through the NAT filter in my router !

My router will stop a lot, but not everything.

I guess this proves the value of a software firewall. Cheap routers with SPI ? That SPI can't be much more than some basic packet filtering.

I wonder what that was all about

 

I have no idea.

I probably initiated some outbound connection.

The log indicated a variety of 'unsolicited attempts'.

I won't post a log.

But one, two or three years ago I had stuff passing my router, to be caught in my software firewall, some innocent, some malicious.

 

A router is only good if its configured well. Most NAT router have common ports open by default. So check your config.
Another thing is that older CPE had older network processor/chipset, which limits their packet processing and detail storage abilities.

 

I think the router is about 2 years old.

According to ShieldsUp at www.grc.com and another test, all ports are closed/blocked, a few stealth. (At least some ports mentioned in the log were not stealthed).

 

I agree with LowWaterMark, even using the cheapest of routers, nothing unsolicited should be getting thru inbound. Of course you may be seeing late returning packets from earlier DNS requests, I have seen that here years ago, and it was in fact pretty common for a while with my ISP. It's also possible for UDP packets to "sneak in" via an existing TCP connection via the browser, I have seen and "caught" that also, although it is fairly rare, and has no real payoff or reason for anyone doing it, yet I have seen it.

Unless the router is malfunctioning in some weird way, it may just be the software firewall giving you bogus logging info for some reason. If a router is failing, I don't even think it let's any traffic thru, so it's probably not that.

Anyhow, my vote and guess goes to late DNS packets returning and the software firewall sees them as inappropriate or unsolicited because they are so late. You can tell if this is the case by looking at the IP of the packet coming in and checking against your ISP's DNS server IP(s). Also the remote port would be 53.

 

'unsolicited'. What if I initiate a connection, but receive something else than I wanted ? A router can do only so much. And by the way, port 53 was not in the list, lots of different ports.

And what if I 'log in' (http, https or both) into, for example, Ebay ?
Then you have an established connection, maybe the router would let some things through that my software firewall would not.

 

I guess the question is what do you mean by this? Precisely what do you mean by "something else"?

Blue

 

This goes nowhere. Post the exact router type, settings used and attach the logs or don't ask if you are not willing to give out any information whatsoever.

 

Fly, if you're worried, just dump the router and buy a new one, even a brand new one for $40 or so will serve you well. In a nutshell, none of this should be happening, so if you suspect it is, then buy a new one, problem solved. I, and many many others, have used a router and no software firewall with no issues at all, for years...

 

Software firewalls will report "attacks" they are on the most part badly writtern and unable to tell the difference between an attack and network traffic.

 

That's the question, isn't it ? What was/is 'something else' ?

 

I just wanted to mention the issue, it wasn't a request for help.

And in a way, I 'don't ask'.

As I've been saying before, a router won't protect you from everything.
Not the cheap home routers.

Feel free to disagree.

 

Well...., everything encompasses a lot.

If you're talking about unsolicited inbound attacks, cheap home routers work absolutely fine. You can configure some to not protect you, but that requires active intervention on your part.

By the way, things just don't go through a NAT "filter" (the term used in the original post) since it is not a filter. It's an network address translation (hence the NAT) table. For things to "get through", there have to be table entries to direct it to the proper private (i.e. not Internet routable) IP address. If that entry doesn't exist, the packet is dropped.

Read the El Cheapo Router Challenge at DSLReports if you haven't as yet. Then examine First winner - El Cheapo Router Challenge. Are some things possible? Sure, but if these are the things that keep you awake at night, it's only because the tinfoil is scratchy.

Blue

 

I'm not worried.

And I agree that completely unsolicited inbound attacks would be stopped, but I'll stop here or wel'll be going in circles.

 

Fair enough.

Blue