Who got pinged -- me or Robocop?

Discussion in 'other firewalls' started by bellgamin, Jul 10, 2004.

Thread Status:
Not open for further replies.
  1. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    On advice of the estimable Blackcat, I am {since yesterday} using a router {I call it Robocop} between me & my DSL connection.

    Now then... I notice that Robocop uses the IP assigned to me by my ISP, whereas my Firewall {Outpost} reports that my computer is on a *different* IP -- the source of which, I knoweth not.

    Now then... I did a Shields Up test. The IP that Shields Up said it was testing was the IP of Robocop, as provided by my ISP. After the test, Shields Up reported that all is well except that it was able to ping me.

    I most definitely have Outpost set NOT to accept pings.

    Three questions, please...
    1) Who accepted the ping -- Outpost or Robocop?
    2) If it was Robocop who accepted the ping, does that constitute a potential vulnerability?
    3) Where did the IP now assigned to my computer come from? {It certainly didn't come from my ISP!}

    grace & peace to all... bellgamin
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Congrats! I believe a router is a good investment.

    1. Robocop actually handled the entire scan - provided it is set up like any normal NAT router. All unsolicited connection attempts are dealt with in a stealth manner, meaning dropped (not replied to out to the Internet, nor forwarded inward to your PC). You can confirm this by scanning your Outpost logs after a scan. There should be no sign of the scan in Outpost.

    2. Many such routers have configuration settings that would allow you to change their functionality related to such things as responding to pings. It seems that the default (if you didn't change it) was simply to respond to pings.

    The question of whether that is good or bad really comes down to the answer to the question: Is stealth a good or bad thing? Opinions will vary greatly on this question. My personal opinion is that stealth is not worth it and replying to pings is simply a normal networking function.

    3. You probably have an address in the range 192.168.x.y now on your PC, which is basically a common private network address in a standard address range. This was probably set via DHCP (when your PC boots it asks Robocop what IP address it wants the PC to use) or was set to a fixed value during the installation and configuration process at router setup time.

    Most ISPs only assign a single public IP address per connection, and your router is using it, so your PC must talk to the router from a different address. What you have now is a simple LAN configuration (local area network) inside your residence. Even if you only have a single PC, it still needs a unique address within the network that sits inside the perimeter of your router (with the rest of the Internet being outside). Using a private address is simply a standard convention.
     
  3. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Many many thanks LWM. A very clear explanation.

    I located Robocop's config panel. On it I see: "Discard PING from WAN side" with a check box for "Enable." I interpret this somewhat reversely worded option to mean that Default= Ping IS enabled, & if I want Robocop to NOT respond to pings then I should check "Enable." Sheesh! :p

    Per your counsel, I shall leave Ping enabled. {I assume that WAN = wide area network = the internet at large. Correct?}

    You are spot on!

    May God richly bless thee and thine... bellgamin
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Correct, if you do not want to respond to pings, enable that option.

    As LWM commented, you will get varying opinions on this (stealth), but no harm for most and normal to respond to pings.

    Right again, you are 2 for 2 :)

    Regards,

    CrazyM
     
  5. DCER

    DCER Guest

    Hi, I'm new here, just stumbled by :)

    Hum, as far as I know hackers and worms scan the internet for open ports. If they can ping a computer, they will scan various ports of it, if not - they'll consider the machine dead - not on the net. Which means less traffic with stealth. But if all ports are closed and ok, the scanning is not that much of an issue. The other thing is if you're not visible, then you'll probably not be vulnerable to some attacks. If you don't exist for the attacker, you won't be his/her target.

    So basically, use stealth if you don't want to be visible for everyone. You don't get much benefit from it, but then again one can never be too secure.

    Cheers
     
  6. The Gloomy Kestrel

    The Gloomy Kestrel Registered Member

    Joined:
    Jul 9, 2004
    Posts:
    15
    I just checked my firewall / router settings...
    By default the setting of my Netgear RP614v2 router is to "not" respond to ping requests.
    And it works perfectly like that :)
     
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Bellgamin,

    If you have not already done so, it would be worth scanning your PC as well as your router (like the name, does it uphold the law? :D) - you can do this either by using a dialup connection for the duration of the scan or by configuring your router (temporarily!) to pass all incoming data to your PC (this may be referred to as a DMZ).

    You may find the Outpost forum FAQ "Online Scans - What to do with Open and Closed Ports" a useful reference here.
     
  8. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Done! Outpost does the job for me! I'm fully stealthed.***

    Also, I learned a lot by reading the excellent FAQ that you linked. By the way, when I temporarily unchecked "Block Intruder's IP" {per the FAQ's guideline} I noticed below it the check block entitled "Also block intruder's subnet mask." It's a bit OT, but please explain what that means.

    Again, thanks to CrazyM, Paranoid, & LWM. I really appreciate your kindness and counsel.

    regards..... bellgamin
    ~~~~~~~~~~~~~~~~
    ***Last night somebody broke into my apartment & replaced everything with exact duplicates, including my computer's firewall. When I pointed this out to my wife, she said: "Do I know you?" Now THAT's what I call stealthed.:D
     
  9. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Good to hear you're sorted. :) The subnet mask option means that any IP addresses in the same network range (*.*.*.1 - *.*.*.255) will also be blocked. This does have the potential to cause problems for some people though.
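
An added example, not part of any post in this thread: it checks whether an address falls in the private LAN ranges that the 192.168.x.y answer above refers to, and lists which unrelated hosts get caught when a block is widened from one IP to its whole subnet. The 255.255.255.0 mask is an assumption matching the *.*.*.1 - *.*.*.255 range described above, the function names are hypothetical, and all addresses are constructed samples from documentation ranges.

```python
import ipaddress

# RFC 1918 private ranges; a NAT router hands out LAN addresses from one of these.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan_address(addr):
    """True if addr is a private (router-assigned) address, not an ISP-assigned one."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def blocked_network(intruder_ip, mask="255.255.255.0"):
    """Network covered when a block is widened from one IP to its subnet.

    The default mask is an assumption (a /24, i.e. 256 addresses).
    """
    return ipaddress.ip_network(f"{intruder_ip}/{mask}", strict=False)


def collateral_hosts(intruder_ip, peers, mask="255.255.255.0"):
    """Peers other than the intruder that the subnet-wide block also cuts off."""
    net = blocked_network(intruder_ip, mask)
    offender = ipaddress.ip_address(intruder_ip)
    return [p for p in peers
            if ipaddress.ip_address(p) in net
            and ipaddress.ip_address(p) != offender]


# Constructed sample data (documentation and private ranges only).
SCANNER = "203.0.113.77"
PEERS = ["203.0.113.10", "203.0.113.200", "198.51.100.5", "192.168.1.2"]

if __name__ == "__main__":
    for addr in ("192.168.1.2", SCANNER):
        kind = "private LAN" if is_lan_address(addr) else "public"
        print(f"{addr}: {kind}")
    net = blocked_network(SCANNER)
    print(f"Blocking {SCANNER} with its subnet covers {net} "
          f"({net.num_addresses} addresses)")
    print("Also blocked:", collateral_hosts(SCANNER, PEERS))
```

The two peers sharing the scanner's /24 are cut off along with it, which is the side effect the subnet option can have when unrelated users sit in the same provider range.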
     