Re: firewall test and NAT

ToddAndMargo wrote:
> John John - MVP wrote:
>> ToddAndMargo wrote:
>>> John John - MVP wrote:
>>>> ToddAndMargo wrote:
>>>>> Hi All,
>>>>>
>>>>> I would like to test my firewall, but have a NAT box
>>>>> between me and the various firewall tests I know
>>>>> of. Anyone know of a firewall test that shoots
>>>>> through NAT?
>>>>
>>>> NAT would be pretty useless if anything could just "shoot" through
>>>> it. Open (forward) a port in the box or temporarily disable/bypass
>>>> the NAT box for your tests.
>>>>
>>>> John
>>>
>>> Hi John,
>>>
>>> The bad guys know all about NAT. And it is indeed useless
>>> as a firewall.
>>>
>>> The bad guys start with 192.168.0.0/24 and work their way
>>> up. Check your firewall logs, you will see SYN packet probes
>>> on it all the time: about 1/100 if you did not use NAT, but
>>> still enough to do damage. NAT is *not* a firewall -- it is
>>> a common misconception.
>>>
>>> I was hoping for a way to test it without redoing anything
>>> on my network.
>>
>> I'm by no means any kind of expert on this, but my understanding about
>> NAT is that it will only allow traffic in if the request for the
>> packets originated from within. You say that you have a "NAT box"; I
>> assume that to be a router of sorts. Check the documentation for your
>> router.
>>
>> John
>
> Hi John,
>
> It is a router.
>
> The trouble with NAT is that the bad guys just slap their
> guess as to what your internal off-Internet address is on
> to their probe. They find you very quickly if your internal
> off-Internet address is 192.168.0.xxx. (Recommendation:
> pick an internal address other than 192.168.0.0/24 or
> 192.168.1.0/24.)
>
> NAT does not stop incoming requests called SYN (TCP) or
> state "New" (TCP or UDP). It only stops traffic not
> properly addressed to your internal network. Enough
> guessing and the bad guys will find you.
I don't think that is how it works. My router stops SYN floods and
operates in stealth mode, you could be "knocking" all you want but you
ain't gonna come in!
John
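The thread argues about what a NAT router does with an unsolicited inbound SYN. The model below is an added example, not code from any poster or router vendor: it simulates a minimal stateful port-address-translation table (dynamic mappings created by outbound connections plus static port forwards) and runs the cases discussed above through it. All addresses are constructed sample values, and real routers add mapping timeouts and separate firewall rules that are not modelled here.

```python
from dataclasses import dataclass, field

# Constructed sample addresses (not from the thread): the router's public
# side is 203.0.113.5; its LAN uses 192.168.0.0/24.
PUBLIC_IP = "203.0.113.5"

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class Pat:
    """Minimal port-address-translation table of the kind a home router keeps."""
    public_ip: str
    forwards: dict = field(default_factory=dict)  # static forwards: public port -> (lan ip, port)
    table: dict = field(default_factory=dict)     # dynamic mappings created by outbound traffic
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        # A LAN host starts a connection: allocate a public port, remember who owns it.
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> "Packet | None":
        # Only packets addressed to the public IP reach the WAN side; a LAN address
        # written into a probe is not routable from the Internet, so it never matches.
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.forwards.get(pkt.dst_port) or self.table.get(pkt.dst_port)
        if target is None:
            return None  # no mapping and no forward: the unsolicited SYN is dropped
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1])

def demo() -> dict:
    nat = Pat(PUBLIC_IP)
    # 1. LAN host connects out; the server's reply matches the mapping and is delivered.
    out = nat.outbound(Packet("192.168.0.10", 51000, "198.51.100.7", 443))
    reply = nat.inbound(Packet("198.51.100.7", 443, PUBLIC_IP, out.src_port))
    # 2. Unsolicited SYN to the public IP: no entry, dropped.
    probe = nat.inbound(Packet("198.51.100.99", 4444, PUBLIC_IP, 22))
    # 3. Probe addressed to a guessed LAN IP never matches the public side at all.
    guessed = nat.inbound(Packet("198.51.100.99", 4444, "192.168.0.10", 22))
    # 4. Once the owner forwards port 22, the same probe reaches the LAN host:
    #    a forwarded port is what an external firewall test can actually exercise.
    nat.forwards[22] = ("192.168.0.10", 22)
    forwarded = nat.inbound(Packet("198.51.100.99", 4444, PUBLIC_IP, 22))
    return {"reply": reply, "probe": probe, "guessed": guessed, "forwarded": forwarded}
```

Running `demo()` shows why the earlier advice to forward a port (or bypass the box) is the practical way to point an external test at a host behind NAT.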