Kerio vs. Router NAT - blocking spyware

Discussion in 'other firewalls' started by no13, Sep 28, 2004.

Thread Status:
Not open for further replies.
  1. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Mein gott....
    no13
    \gets dizzy due to techtalk (way too much tech talk)
    \wakes up to find David Blaine turning a porcupine into a Windows XP, P4 piece o' crap.

    Great Scotty...You haven't answered my question mon ami....
    QUOTE "the shields up! test at grc.com shows many ports as closed. When I stealth them (using router configs - i apply "ignore" to all tcp packets in all ports in "incoming direction" from "Public/internet interface"), then i can't use yahoo messenger, nor can I use ping/traceroute etc. got any solutions?" UNQUOTE
    So...anyone?
     
  2. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    Why in this world should one wanna stealth his machine with a router when he can do that with his soft firewall? Just turn it on and even with just defaults, all your ports are stealthed. At least mine are with a ZA free or the sygate personal I used prior to ZA. Hard firewalls blocking outbound packets? Not from where I come from but then, it's really just a shanty town in Asia. So not in my lifetime! Your router couldn't filter outbound IM even if your life depended on it. It was never intended to do that so I seriously doubt you could set the rules to do otherwise. Of course I could be wrong coming from that po' shanty town in Asia...
     
  3. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Are you suggesting that filtering outbound traffic on a network at the router/firewall is not required or good security practice? Does security stop with blocking unsolicited inbound packets?

    Granted, a lot of routers in use by home users provide only basic NAT, which will deny unsolicited inbound and permit all outbound. Entry level routers are becoming more sophisticated and offering more configuration options in addition to the more advanced router/firewalls that have been around for a while. For those that have the option to filter traffic inbound and outbound (in addition to basic NAT), a security policy should be applied to both.

    Regards,

    CrazyM
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Remember logs are your friend when troubleshooting firewalls.
    Anything in your logs that indicate what is being blocked and may require adding to your rules?

    Regards,

    CrazyM
     
  5. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    Hi Crazy M,

    No, I am not suggesting that it is not good security practice to filter outbound packets. However, a NAT router cannot be expected to do what it was not designed to do. Simply put, machines in the stub domain do not have IP addresses until after they initiate contact with an outside machine. It is the job of the router to assign the IP address under any of the following configurations: Static, dynamic, overloading or overlapping. As such, it would be far better to simply let a soft firewall "filter" outbound packets and leave the NAT router do its primary task of translating/routing packets to the stub domain machines.

    Note that the two most compelling problems facing the IP Internet are IP address depletion and scaling in routing, and NAT routers were part of the solution since they allowed for IP address duplication as long as the "duplicate" was within the stub domain of a NAT.

    I wouldn't consider a home use basic router in the same category of NAT routers that are capable of translating a whole class C or even class A net addresses.
    I think this is where the misunderstanding is.

    Regards,

    Still Longhorn
     
  6. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Let me make a few things clear Still Longhorn...
    1. the tone of your posts is getting really aggressive, dunno if u mean it, but people have a tendency to *ignore* aggressive posts (I do - I never even spam people... u wanna fight? find someone else - that's my usual thinking)
    2. I have a NAT firewall inbuilt along with the router... details in manual for SMC7401BRA ADSL BARRICADE by SMC.
    3. I am NOT blocking OUTBOUND traffic... I am blocking INBOUND CONNECTION REQUESTS at SELECT PORTS.
    please stop misconstruing me. PLEASE.
     
  7. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Crazy M
    I tried to block all inbound connection requests, but that denies requests to the IM too. I use the router as a LAN server, so even if I block unsolicited attempts using the software firewall, it comes out as slow and everyone can see I'm online... no ports will be open, but there are a lot closed.
    I set the rules to "ignore" for "inbound traffic" in "public interface" i.e. internet to "Stealth" a port... terminology is that of SMC and grc.com...
    So my router's firewall protects the LAN entry point (the router itself... which actually has the public internet ip and the LAN entry point ip <192.168.1.1>)... while Kerio controls traffic in and out of PC which has only the LAN ip assigned to it... That's all I've understood.
    any solutions?
     
  8. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    Yah sure!
     
  9. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    QUOTE "the shields up! test at grc.com shows many ports as closed. When I stealth them (using router configs - i apply "ignore" to all tcp packets in all ports in "incoming direction" from "Public/internet interface"), then i can't use yahoo messenger, nor can I use ping/traceroute etc. got any solutions?" UNQUOTE

    I don't think I misconstrued you! Since when has using YIM, Pinging & Tracerouting been an incoming situation?

    I really was sincere in asking questions. It's you who's got an attitude!

    I don't wanna argue with you 'cause i don't believe in attacking unarmed people...
     
  10. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    with reference to reply #33... even Cisco routers have firewalls/packet filters that run on ACL... also you can check out SMC7401BRA ADSL Barricade product manual... I don't get to name it a firewall, they do.
    Regards.
    no13
     
  11. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    I was referring to the greenhorn part...
     
  12. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    with respect to #34
    I disabled Ping and traceroute IN by changing ICMP settings. This is a powerful safety valve which even hackers recommend.
    Regards.
    no13
     
  13. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    Huh?!

    Try this instead: DOS prompt >ping -165510[Targethost i.e.your girl's IP]
    Chat with your girl and impress her by pinging her IP address...

    I'm out of here! LOL!
    Jeesiz....!
     
  14. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Ya... right... sure...
    NOTE for all users: post #38 is not endorsed by me. i'm not responsible for its after effects.
     
  15. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    I'm curious again.... How does one disable the ping port (9595) or the traceroute port (33434) by changing ICMP settings? It must be child's play to you but I could never do that...!
     
  16. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    One disables replies to ICMP echoes and such stuff by disabling certain ICMP codes.
    --
    The mods.
    They're watching.
     
  17. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    let us all get civil here folks.

    pinging and tracert is an outgoing packet as long as I understand this ;)

    peace.
    not possible, and certainly not possible with your kerio firewall, NO13, no problems.

    peace.
     
  18. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    Wow! You are such a genius! Thanks. I could never have figured that out!

    Regards,

    Still Longhorn
     
  19. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,278
    Location:
    New England
    Tone it down guys. Discuss the topic and the technology, not the other posters.
     
  20. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    To WSF,

    I apologize for my behaviour.

    I come here to browse over discussions and try to analyze bits of information even if just remotely related to "my real workplace situation." I have learned a lot but I do get peeved when the discussion degenerates into "Look what I read about in school! Ain't I an expert?" sort of thing. There are modules in this forum for that. I may find it amusing but it'll take much more to be impressed.

    I don't want to be side-tracked by seemingly official statements of experience by forum participants only to find out that it is not so. You see, every mention of model numbers, processes, exploits, OS, etc. gets picked up by search engines and displayed on the other side of the world in the monitor of someone looking for a solution to a problem related to what is being discussed here. Now, if I stated something as gospel truth (even if in reality it's not so), I unknowingly mislead someone, somewhere.

    The puns and tacos are okay...

    This may not be the time, nor place for this post.

    Again, my apologies.

    Still Longhorn
     
  21. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    The ADSL Barricade™ (SMC7401BRA V.2) is an external USB/Ethernet standards based ADSL modem and Router that provides high-speed Internet access to both the residential and the small and home office (SoHo) user. This new Modem/Router provides unrivaled asymmetric high-speed data transport over a single copper pair linking branch offices, home offices and individual subscribers to their network service providers, including Internet service providers.

    This new high-performance ADSL Gateway has an easy-to-use web-based management user interface that can be used to configure and manage your network via a local or remote computer. For added control, this modem can also be managed via the Command Line Interface (CLI), which can be initialized through a Telnet session, or through a Windows-based configuration tool.

    It is not a NAT router. Calling it one doesn't make it so. Here lies the confusion...
     
  22. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Reading the manual helps. And I never said V.2...whassat??
     
  23. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    First your router will automatically block all unsolicited inbound packets by virtue of how NAT works (unless you have forwarded anything through). If it is just inbounds you are concerned about, you should not have to use the packet filtering/firewalling feature to stop these.

    The system running a software firewall behind the router should not see anything showing up in its logs inbound. Any scans will be probing the router (your public/WAN IP) and the results will reflect how it responds or does not respond to these. If your ports are all showing as closed, you are still secure.

    If setting just inbound deny rules is causing problems, does restoring to the default config (no rules) resolve your issues? Try getting back to a working default base line before exploring the packet filtering any further.

    You will need to have a clear understanding how the firewall processes rules as this can vary. Can you have just inbound rules without affecting outbound traffic? Or just outbound without affecting inbound? You may need both if there are any implicit denies that come in to play. Do you need to, or can you, apply rules to the different interfaces of the router?

    Next you could define your security policy. Just what do you need the packet filtering to do or accomplish for you over and above what basic NAT provides if anything? Then you can start defining your rules/ACL's and then apply them.

    Did I mention you will be digging into and reading your user guide ;)

    Regards,

    CrazyM
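
Added example, not part of any post in this thread and not taken from the SMC manual: a small Python model of the two behaviours discussed above, NAT passing only replies that match a connection a LAN host opened, and a blanket "ignore all inbound TCP" filter on the public interface also discarding those replies. The addresses, ports, class and function names are constructed, and the order "packet filter first, NAT lookup second" is an assumption about rule processing, which is the point the user guide has to settle.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: tuple       # (ip, port)
    dst: tuple       # (ip, port)
    direction: str   # "out" = LAN to internet, "in" = arriving on public interface

class NatRouter:
    """Toy NAT router with an optional stateless inbound TCP filter."""
    def __init__(self, public_ip, ignore_all_inbound_tcp=False):
        self.public_ip = public_ip
        self.ignore_all_inbound_tcp = ignore_all_inbound_tcp
        self.table = {}          # (proto, public_port, remote) -> LAN (ip, port)
        self.next_port = 40000   # constructed starting port for translations

    def handle(self, pkt):
        if pkt.direction == "out":
            # Outbound traffic creates the translation entry replies will match.
            public_port = self.next_port
            self.next_port += 1
            self.table[(pkt.proto, public_port, pkt.dst)] = pkt.src
            return ("forward", (self.public_ip, public_port))
        # Assumed order: the packet filter sees the packet before the NAT lookup.
        if self.ignore_all_inbound_tcp and pkt.proto == "tcp":
            return ("ignore", None)
        lan_host = self.table.get((pkt.proto, pkt.dst[1], pkt.src))
        if lan_host is None:
            return ("blocked-no-mapping", None)   # unsolicited inbound
        return ("forward", lan_host)

def scenario(ignore_all_inbound_tcp):
    """Return (fate of the IM server's reply, fate of an unsolicited probe)."""
    router = NatRouter("203.0.113.10", ignore_all_inbound_tcp)
    pc = ("192.168.1.2", 1050)            # constructed LAN host
    im_server = ("198.51.100.7", 5050)    # constructed IM server address
    _, mapped = router.handle(Packet("tcp", pc, im_server, "out"))
    reply = router.handle(Packet("tcp", im_server, mapped, "in"))
    probe = router.handle(
        Packet("tcp", ("192.0.2.99", 4444), ("203.0.113.10", 139), "in"))
    return reply[0], probe[0]

if __name__ == "__main__":
    print("NAT only:          ", scenario(False))
    print("NAT + ignore rule: ", scenario(True))
```

With NAT alone the probe is already refused while the reply gets through; with the blanket rule both are ignored, which matches the messenger breakage reported earlier in the thread.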
     
  24. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Methinks it's going to take 200 mb of plaintext manuals and firewall papers that us kids don't like to read will have to be read. :(
    Anyway... I'll try some stuff ... (or I'll bribe the local nerd or I'll find a friend in a University campus networking team)
    Thanks Crazy M
     