The value of a NAT firewall (router) vs. a software firewall

Discussion in 'other firewalls' started by Fly, Aug 30, 2008.

Thread Status:
Not open for further replies.
  1. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    I checked the log of my software firewall, and I've noticed a large number of attempts (quite some time ago, early August) of 'unwanted attempts to establish a connection', apparently by my ISP (or so it seems)! 'dns' was part of the name of the 'sender'.

    UDP packets, different ports, different numbers. They went straight through the NAT filter in my router!

    My router will stop a lot, but not everything.

    I guess this proves the value of a software firewall. Cheap routers with SPI? That SPI can't be much more than some basic packet filtering.

    I wonder what that was all about o_O
     
    Last edited: Aug 30, 2008
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Even the cheapest of routers should not be letting any normal unsolicited packets in. Are you sure those were not related to activity that originally started on your system but were blocked because they were late? (A common occurrence is late replies from DNS lookups being rejected by a software firewall but not a router. A lot of people see that.)

    Without posting specific logs of these events, people can't do much more than speculate. If you post a log, the only field you need to block out is your public IP address. Leave all other fields visible so people can help you figure out what that traffic was.
     
  3. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    I have no idea.

    I probably initiated some outbound connection.

    The log indicated a variety of 'unsolicited attempts'.

    I won't post a log.

    But one, two or three years ago I had stuff passing my router, to be caught in my software firewall, some innocent, some malicious.
     
  4. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    A router is only good if it's configured well. Most NAT routers have common ports open by default. So check your config.
    Another thing is that older CPE had older network processor/chipset, which limits their packet processing and detail storage abilities.
     
  5. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    I think the router is about 2 years old.

    According to ShieldsUp at www.grc.com and another test, all ports are closed/blocked, a few stealth. (At least some ports mentioned in the log were not stealthed).
     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    I agree with LowWaterMark, even using the cheapest of routers, nothing unsolicited should be getting thru inbound. Of course you may be seeing late returning packets from earlier DNS requests, I have seen that here years ago, and it was in fact pretty common for a while with my ISP. It's also possible for UDP packets to "sneak in" via an existing TCP connection via the browser, I have seen and "caught" that also, although it is fairly rare, and has no real payoff or reason for anyone doing it, yet I have seen it.

    Unless the router is malfunctioning in some weird way, it may just be the software firewall giving you bogus logging info for some reason. If a router is failing, I don't even think it lets any traffic thru, so it's probably not that.

    Anyhow, my vote and guess goes to late DNS packets returning and the software firewall sees them as inappropriate or unsolicited because they are so late. You can tell if this is the case by looking at the IP of the packet coming in and checking against your ISP's DNS server IP(s). Also the remote port would be 53.
     
  7. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    'unsolicited'. What if I initiate a connection, but receive something else than I wanted? A router can do only so much. And by the way, port 53 was not in the list, lots of different ports.

    And what if I 'log in' (http, https or both) into, for example, eBay?
    Then you have an established connection, maybe the router would let some things through that my software firewall would not.
     
  8. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I guess the question is what do you mean by this? Precisely what do you mean by "something else"?

    Blue
     
  9. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    This goes nowhere. Post the exact router type, settings used and attach the logs or don't ask if you are not willing to give out any information whatsoever.
     
  10. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Fly, if you're worried, just dump the router and buy a new one, even a brand new one for $40 or so will serve you well. In a nutshell, none of this should be happening, so if you suspect it is, then buy a new one, problem solved. I, and many many others, have used a router and no software firewall with no issues at all, for years...
     
  11. Rapid Dr3am

    Rapid Dr3am Registered Member

    Joined:
    Jun 14, 2008
    Posts:
    60
    Software firewalls will report "attacks"; they are for the most part badly written and unable to tell the difference between an attack and normal network traffic.
     
  12. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    That's the question, isn't it ? What was/is 'something else' ?
     
  13. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    I just wanted to mention the issue, it wasn't a request for help. :)

    And in a way, I 'don't ask'.

    As I've been saying before, a router won't protect you from everything.
    Not the cheap home routers.

    Feel free to disagree. :)
     
  14. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Well...., everything encompasses a lot.

    If you're talking about unsolicited inbound attacks, cheap home routers work absolutely fine. You can configure some to not protect you, but that requires active intervention on your part.

    By the way, things just don't go through a NAT "filter" (the term used in the original post) since it is not a filter. It's a network address translation (hence the NAT) table. For things to "get through", there have to be table entries to direct it to the proper private (i.e. not Internet routable) IP address. If that entry doesn't exist, the packet is dropped.

    Read the El Cheapo Router Challenge at DSLReports if you haven't as yet. Then examine First winner - El Cheapo Router Challenge. Are some things possible? Sure, but if these are the things that keep you awake at night, it's only because the tinfoil is scratchy.

    Blue
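    The late-DNS-reply explanation in post #6 and the NAT-table point in post #14, modelled together as an added example (not code from any poster in this thread): both the router and the host firewall keep a UDP state entry created by the outbound query, but the router's assumed 120 s timeout still matches the reply arriving at 60 s, while the host firewall's assumed 30 s entry has expired, so it logs the same reply as unsolicited. Resolver and host addresses are constructed, and the model ignores the address rewriting a real NAT performs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float        # seconds since start of the constructed timeline
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulUdpTable:
    """Minimal model of the UDP state a NAT router or a host firewall keeps:
    an outbound packet creates an entry; an inbound packet is allowed only if
    the reversed 5-tuple matches an entry that has not timed out.
    Timeouts are assumed values, not a specific vendor's defaults."""

    def __init__(self, timeout_s):
        self.timeout_s = timeout_s
        self.entries = {}   # reversed 5-tuple -> time of last outbound packet

    def outbound(self, p):
        self.entries[(p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)] = p.t

    def inbound(self, p):
        last = self.entries.get((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))
        return last is not None and p.t - last <= self.timeout_s   # no entry: dropped


def looks_like_late_dns_reply(p, resolvers):
    """Post #6's check: source port 53 and a source IP among the ISP's resolvers."""
    return p.proto == "udp" and p.src_port == 53 and p.src_ip in resolvers


def simulate(router_timeout_s=120.0, host_timeout_s=30.0):
    router, host = StatefulUdpTable(router_timeout_s), StatefulUdpTable(host_timeout_s)
    resolvers = {"192.0.2.53"}                                      # constructed
    query = Packet(0.0, "udp", "10.0.0.2", 51234, "192.0.2.53", 53)  # constructed
    router.outbound(query)
    host.outbound(query)
    late_reply = Packet(60.0, "udp", "192.0.2.53", 53, "10.0.0.2", 51234)
    probe = Packet(61.0, "udp", "198.51.100.7", 4444, "10.0.0.2", 1434)  # no entry
    results = {}
    for name, p in (("late_reply", late_reply), ("unsolicited", probe)):
        results[name] = {"router_passes": router.inbound(p),
                         "host_passes": host.inbound(p),
                         "dns_heuristic": looks_like_late_dns_reply(p, resolvers)}
    return results
```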
     
  15. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    I'm not worried.

    And I agree that completely unsolicited inbound attacks would be stopped, but I'll stop here or we'll be going in circles.
     
  16. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Fair enough.

    Blue
     