Re: firewall test and NAT

John John - MVP wrote:
ToddAndMargo wrote:
John John - MVP wrote:
ToddAndMargo wrote:
Hi All,

I would like to test my firewall, but have a NAT box
between me and the various firewall tests I know
of. Anyone know of a firewall test that shoots
through NAT?

NAT would be pretty useless if anything could just "shoot" through it. Open (forward) a port in the box or temporarily disable/bypass the NAT box for your tests.

John

Hi John,

The bad guys know all about NAT. And it is indeed useless
as a firewall.

The bad guys start with 192.168.0.0/24 and work their way
up. Check your firewall logs, you will see SYN packet probes
on it all the time: about 1/100 if you did not use NAT, but
still enough to do damage. NAT is *not* a firewall -- it is
a common misconception.

I was hoping to way to test it without redoing anything
on my network.

I'm by no means any kind of expert on this but my understanding about NAT is that it will only allow traffic in if the request for the packets originated from within. You say that you have a "NAT box" I assume that to be a router of sorts, check the documentation for your router.

John

Hi John,

It is a router.

The trouble with NAT is that the bad guys just slap their
guess as to what your internal off Internet address on
to their probe. They find you very quickly if your internal
off Internet address is 192.168.0.xxx. (Recommendation:
pick an internal address other than 192.168.0.0/24 or
192.168.1.0/24.)

NAT does not stop incoming requests called SYN (TCP) or
state "New" (TCP or UDP). It only stops traffic not
properly addressed to your internal network. Enough
guessing and the bad guys will find you.

NAT is *NOT* a firewall. You take you rear end in your hands
if you rely on NAT to protect you from port probes.

-T

.

Relevant Pages

  • Re: firewall test and NAT
    ... off Internet address is 192.168.0.xxx. ... Port probes are looking for any open Port, and if they don't find one, they move on to the next possible victim without ever responding with an ACK to the Server. ... SRC is my NAT router on my 1st Ethernet port ... "John John" sends a message to "ToddAndMargo", NAT forwards the message and remembers this, it "waits" for a reply from ToddAndMargo and when the reply arrives from ToddAndMargo NAT sends it to John John. ...
    (microsoft.public.windowsxp.general)
  • Re: Using a Linksys router, should I also use Zonealarm? Internet Acceptable Use Policy
    ... my browser's access to the Internet is restricted. ... I thought it was the company's firewall extending a slap on my ... > public internet to access corporate network. ... > NAT is Network Address Translation. ...
    (microsoft.public.security)
  • Re: Whats the difference between NAT and a FIREWALL?
    ... NAT is network address translation: basically a router that routes between ... company/home users) get on the internet with just one public IP address from ... A firewall is any router that has rules on it that filter ... A proxy server is a server that acts as a router, but at a higher level on ...
    (comp.security.firewalls)
  • Re: Please Help me to block the hackers
    ... It's typical to use a firewall and NAT with private IP address ranges. ... NAT device in order to reach the internet. ...
    (microsoft.public.security)
  • Re: any suggestion for a good hardware firewall
    ... have had 4 or 5 computers on the public internet for quite some time.. ... I'm not clear on how to configurea firewall for this network situation. ... has a need for 5 IP or he would have already used a simple NAT device to ... want a cheap firewall appliance ...
    (comp.security.firewalls)
Loading