#1
firewall test and NAT

Hi All,

I would like to test my firewall, but have a NAT box
between me and the various firewall tests I know
of. Anyone know of a firewall test that shoots
through NAT?

Many thanks,
-T

#2
Re: firewall test and NAT

ToddAndMargo wrote:
> Hi All,
>
> I would like to test my firewall, but have a NAT box
> between me and the various firewall tests I know
> of. Anyone know of a firewall test that shoots
> through NAT?

NAT would be pretty useless if anything could just "shoot" through it.
Open (forward) a port in the box or temporarily disable/bypass the NAT
box for your tests.

John

#3
Re: firewall test and NAT

John John - MVP wrote:
> ToddAndMargo wrote:
>> Hi All,
>>
>> I would like to test my firewall, but have a NAT box
>> between me and the various firewall tests I know
>> of. Anyone know of a firewall test that shoots
>> through NAT?
>
> NAT would be pretty useless if anything could just "shoot" through it.
> Open (forward) a port in the box or temporarily disable/bypass the NAT
> box for your tests.
>
> John

Hi John,

The bad guys know all about NAT. And it is indeed useless
as a firewall.

The bad guys start with 192.168.0.0/24 and work their way
up. Check your firewall logs, you will see SYN packet probes
on it all the time: about 1/100 if you did not use NAT, but
still enough to do damage. NAT is *not* a firewall -- it is
a common misconception.

I was hoping for a way to test it without redoing anything
on my network.

-T

#4
Re: firewall test and NAT

ToddAndMargo wrote:
> John John - MVP wrote:
>> ToddAndMargo wrote:
>>> Hi All,
>>>
>>> I would like to test my firewall, but have a NAT box
>>> between me and the various firewall tests I know
>>> of. Anyone know of a firewall test that shoots
>>> through NAT?
>>
>> NAT would be pretty useless if anything could just "shoot" through it.
>> Open (forward) a port in the box or temporarily disable/bypass the NAT
>> box for your tests.
>>
>> John
>
> Hi John,
>
> The bad guys know all about NAT. And it is indeed useless
> as a firewall.
>
> The bad guys start with 192.168.0.0/24 and work their way
> up. Check your firewall logs, you will see SYN packet probes
> on it all the time: about 1/100 if you did not use NAT, but
> still enough to do damage. NAT is *not* a firewall -- it is
> a common misconception.
>
> I was hoping for a way to test it without redoing anything
> on my network.

I'm by no means any kind of expert on this but my understanding about
NAT is that it will only allow traffic in if the request for the packets
originated from within. You say that you have a "NAT box" I assume that
to be a router of sorts, check the documentation for your router.

John

#5
Re: firewall test and NAT

John John - MVP wrote:
> ToddAndMargo wrote:
>> John John - MVP wrote:
>>> ToddAndMargo wrote:
>>>> Hi All,
>>>>
>>>> I would like to test my firewall, but have a NAT box
>>>> between me and the various firewall tests I know
>>>> of. Anyone know of a firewall test that shoots
>>>> through NAT?
>>>
>>> NAT would be pretty useless if anything could just "shoot" through
>>> it. Open (forward) a port in the box or temporarily disable/bypass
>>> the NAT box for your tests.
>>>
>>> John
>>
>> Hi John,
>>
>> The bad guys know all about NAT. And it is indeed useless
>> as a firewall.
>>
>> The bad guys start with 192.168.0.0/24 and work their way
>> up. Check your firewall logs, you will see SYN packet probes
>> on it all the time: about 1/100 if you did not use NAT, but
>> still enough to do damage. NAT is *not* a firewall -- it is
>> a common misconception.
>>
>> I was hoping for a way to test it without redoing anything
>> on my network.
>
> I'm by no means any kind of expert on this but my understanding about
> NAT is that it will only allow traffic in if the request for the packets
> originated from within. You say that you have a "NAT box" I assume that
> to be a router of sorts, check the documentation for your router.
>
> John

Hi John,

It is a router.

The trouble with NAT is that the bad guys just slap their
guess as to what your internal off Internet address is on
to their probe. They find you very quickly if your internal
off Internet address is 192.168.0.xxx. (Recommendation:
pick an internal address other than 192.168.0.0/24 or
192.168.1.0/24.)

NAT does not stop incoming requests called SYN (TCP) or
state "New" (TCP or UDP). It only stops traffic not
properly addressed to your internal network. Enough
guessing and the bad guys will find you.

NAT is *NOT* a firewall. You take your rear end in your hands
if you rely on NAT to protect you from port probes.

-T

#6
Re: firewall test and NAT

ToddAndMargo wrote:
> John John - MVP wrote:
>> ToddAndMargo wrote:
>>> John John - MVP wrote:
>>>> ToddAndMargo wrote:
>>>>> Hi All,
>>>>>
>>>>> I would like to test my firewall, but have a NAT box
>>>>> between me and the various firewall tests I know
>>>>> of. Anyone know of a firewall test that shoots
>>>>> through NAT?
>>>>
>>>> NAT would be pretty useless if anything could just "shoot" through
>>>> it. Open (forward) a port in the box or temporarily disable/bypass
>>>> the NAT box for your tests.
>>>>
>>>> John
>>>
>>> Hi John,
>>>
>>> The bad guys know all about NAT. And it is indeed useless
>>> as a firewall.
>>>
>>> The bad guys start with 192.168.0.0/24 and work their way
>>> up. Check your firewall logs, you will see SYN packet probes
>>> on it all the time: about 1/100 if you did not use NAT, but
>>> still enough to do damage. NAT is *not* a firewall -- it is
>>> a common misconception.
>>>
>>> I was hoping for a way to test it without redoing anything
>>> on my network.
>>
>> I'm by no means any kind of expert on this but my understanding about
>> NAT is that it will only allow traffic in if the request for the
>> packets originated from within. You say that you have a "NAT box" I
>> assume that to be a router of sorts, check the documentation for your
>> router.
>>
>> John
>
> Hi John,
>
> It is a router.
>
> The trouble with NAT is that the bad guys just slap their
> guess as to what your internal off Internet address is on
> to their probe. They find you very quickly if your internal
> off Internet address is 192.168.0.xxx. (Recommendation:
> pick an internal address other than 192.168.0.0/24 or
> 192.168.1.0/24.)
>
> NAT does not stop incoming requests called SYN (TCP) or
> state "New" (TCP or UDP). It only stops traffic not
> properly addressed to your internal network. Enough
> guessing and the bad guys will find you.

I don't think that is how it works. My router stops SYN floods and
operates in stealth mode, you could be "knocking" all you want but you
ain't gonna come in!

John

#7
Re: firewall test and NAT

John John - MVP wrote:
> I don't think that is how it works. My router stops SYN floods and
> operates in stealth mode, you could be "knocking" all you want but you
> ain't gonna come in!
>
> John

Hi John,

That is a good feature to have. But it is not NAT. It is an
additional feature. I was specifically referring only to NAT.

What scares me is people with $15.00 routers with NAT thinking
it is a real firewall.

-T

#8
Re: firewall test and NAT

ToddAndMargo wrote:
> John John - MVP wrote:
>
>> I don't think that is how it works. My router stops SYN floods and
>> operates in stealth mode, you could be "knocking" all you want but you
>> ain't gonna come in!
>>
>> John
>
> Hi John,
>
> That is a good feature to have. But it is not NAT. It is an
> additional feature. I was specifically referring only to NAT.
>
> What scares me is people with $15.00 routers with NAT thinking
> it is a real firewall.

I think that your assessment of how easily NAT can be broken is
overblown, consider this, if your firewall tests can't make it through
your NAT box it isn't as flimsy as you make it out to be! If anyone is
that worried they can put their private IP address in the Class A range
and give the hackers a "few" more doors to knock on. But I do have to
agree with you that you get what you pay for and that a $15 router may
not be the best thing to have between your network and the internet!

John

#9
Re: firewall test and NAT

John John - MVP wrote:
> I think that your assessment of how easily NAT can be broken is
> overblown, consider this, if your firewall tests can't make it through
> your NAT box it isn't as flimsy as you make it out to be!

You are missing the point. The firewall test sites that don't shoot
through NAT do not tag the secondary off internet address on to
their attack packets. In those tests, everything comes back perfect
because they are being rejected by the router.

Now if the test site took your secondary off Internet address from
your initial SYN packet to log into their site and probed you, the
router would pass their probes right through.

> If anyone is
> that worried they can put their private IP address in the Class A range
> and give the hackers a "few" more doors to knock on. But I do have to
> agree with you that you get what you pay for and that a $15 router may
> not be the best thing to have between your network and the internet!
>
> John

Best Buy is ready and waiting for the $15.00 crowd: their Geek Squid
will happily wipe your hard drive clean and reinstall windows for you!

#10
Re: firewall test and NAT

ToddAndMargo wrote:
> John John - MVP wrote:
>> I think that your assessment of how easily NAT can be broken is
>> overblown, consider this, if your firewall tests can't make it through
>> your NAT box it isn't as flimsy as you make it out to be!
>
> You are missing the point. The firewall test sites that don't shoot
> through NAT do not tag the secondary off internet address on to
> their attack packets. In those tests, everything comes back perfect
> because they are being rejected by the router.
>
> Now if the test site took your secondary off Internet address from
> your initial SYN packet to log into their site and probed you, the
> router would pass their probes right through.
>
>
>> If anyone is that worried they can put their private IP address in the
>> Class A range and give the hackers a "few" more doors to knock on.
>> But I do have to agree with you that you get what you pay for and that
>> a $15 router may not be the best thing to have between your network
>> and the internet!
>>
>> John
>
> Best Buy is ready and waiting for the $15.00 crowd: their Geek Squid
> will happily wipe your hard drive clean and reinstall windows for you!

Squid was a typo. :-)

He who pays the least, pays the most

#11
Re: firewall test and NAT

In article <#2gS5#zzJHA.4116@TK2MSFTNGP04.phx.gbl>,
ToddAndMargo@invalid.com says...
>
> Hi All,
>
> I would like to test my firewall, but have a NAT box
> between me and the various firewall tests I know
> of. Anyone know of a firewall test that shoots
> through NAT?

LOL, NAT doesn't have things "Shoot Through" it, that would break NAT.

If you want to test, most of those cheap, crappy, NAT routers have a
fake DMZ IP address, just map the DMZ to the same IP as your computer.
The DMZ IP gets all traffic that you have not created rules for, in most
NAT routers.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

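The three inbound paths mentioned in this thread (replies to connections opened from inside, a forwarded port, and the DMZ host that receives everything no rule matches) can be seen side by side in a simplified model of a consumer NAPT router's lookup order. This is an added example, not code from any poster or router vendor; the class, its field names, the addresses and the strict reply matching are assumptions, real devices vary, and only packets addressed to the router's public IP are modelled.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class NatRouter:
    """Hypothetical simplified NAPT router: only the inbound lookup order is modelled."""
    public_ip: str
    port_forwards: dict = field(default_factory=dict)  # public port -> (lan_ip, lan_port)
    dmz_host: Optional[str] = None                      # LAN IP that gets unmatched traffic
    sessions: dict = field(default_factory=dict)        # public port -> outbound flow
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection: allocate a public port and remember the flow."""
        public_port = self.next_port
        self.next_port += 1
        self.sessions[public_port] = (lan_ip, lan_port, remote_ip, remote_port)
        return public_port

    def inbound(self, src_ip, src_port, dst_port):
        """Packet arrives at public_ip:dst_port. Returns (verdict, lan_target)."""
        flow = self.sessions.get(dst_port)
        # Assumed filtering: only the exact remote endpoint of the flow may reply.
        if flow and flow[2:] == (src_ip, src_port):
            return "reply", flow[:2]
        if dst_port in self.port_forwards:
            return "port-forward", self.port_forwards[dst_port]
        if self.dmz_host:
            return "dmz", (self.dmz_host, dst_port)
        return "drop", None

def demo():
    # Constructed sample data: RFC 5737 documentation addresses and a made-up LAN host.
    router = NatRouter("203.0.113.10")
    lan, site, other = "192.168.0.5", "198.51.100.7", "198.51.100.99"
    verdicts = []
    port = router.outbound(lan, 51000, site, 443)              # browser visits a test site
    verdicts.append(router.inbound(site, 443, port)[0])        # the site's answer
    verdicts.append(router.inbound(site, 50000, 3389)[0])      # the site's unsolicited probe
    verdicts.append(router.inbound(other, 443, port)[0])       # third party hits the mapped port
    router.port_forwards[3389] = (lan, 3389)                   # "open (forward) a port"
    verdicts.append(router.inbound(other, 50000, 3389)[0])
    router.dmz_host = lan                                      # "map the DMZ to your computer"
    verdicts.append(router.inbound(other, 50000, 445)[0])
    return verdicts

if __name__ == "__main__":
    print(demo())
```

Once a DMZ host is set, every port without its own rule reaches that machine, so the host firewall becomes the only filter in front of it for the duration of the test.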
#12
Re: firewall test and NAT

Forget my last post I was wrong, you need to format your hd and reinstall
windows.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam9999fre@rohio.com (remove 999 for proper email address)

"Leythos" <spam999free@rrohio.com> wrote in message news:004bdcc4$0$14705$c3e8da3@news.astraweb.com...
> In article <#2gS5#zzJHA.4116@TK2MSFTNGP04.phx.gbl>,
> ToddAndMargo@invalid.com says...
>>
>> Hi All,
>>
>> I would like to test my firewall, but have a NAT box
>> between me and the various firewall tests I know
>> of. Anyone know of a firewall test that shoots
>> through NAT?
>
> LOL, NAT doesn't have things "Shoot Through" it, that would break NAT.
>
> If you want to test, most of those cheap, crappy, NAT routers have a
> fake DMZ IP address, just map the DMZ to the same IP as your computer.
> The DMZ IP gets all traffic that you have not created rules for, in most
> NAT routers.
>
> --
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a
> drug dealer an "unlicensed pharmacist"
> spam999free@rrohio.com (remove 999 for proper email address)

#13
Re: firewall test and NAT- Another Impersonation by Butts

In article <7gJMl.25461$BZ3.21524@newsfe12.iad>, spam9999free@rrohio.com says...
>
> Forget my last post I was wrong, you need to format your hd and reinstall
> windows.

The above post was not by Leythos, it was a faked post and shows the lack of ethics and lack of Honesty of Butts and his sock TrollBuster.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

#14
Re: firewall test and NAT- Another Impersonation by Butts

In article <7gJMl.25461$BZ3.21524@newsfe12.iad>, spam9999free@rrohio.com says...
>
> Forget my last post I was wrong, you need to format your hd and reinstall
> windows.

The above post was not by Leythos, it was a faked post and shows the lack of ethics and lack of Honesty of Butts and his sock TrollBuster.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam9999fre@rohio.com (remove 999 for proper email address)

#15
Re: firewall test and NAT- Another Impersonation by Butts

In article <7gJMl.25461$BZ3.21524@newsfe12.iad>, spam9999free@rrohio.com says...
>
> Forget my last post I was wrong, you need to format your hd and reinstall
> windows.

The above post was not by Leythos, it was a faked post and shows the lack of ethics and lack of Honesty of Butts and his sock TrollBuster.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam9999fre@rohio.com (remove 999 for proper email address)