inbound firewalling provided by router/NAT

I am very confused about just how much inbound protection I get from being behind a NAT/router. I was under the understanding that, if I’m behind a NAT, I should not be seeing port scans on my machine if it is not in the DMZ, and no port forwarding is set. Yet, at my previous run-in with a trojan, I spotted a large bunch of port access attempts in my previous firewall logs (McAfee)! Can someone tell me just how much inbound protection I get from a router?

Of course this is never to replace CPF-- this laptop does connect to other, more suspect networks on the go --but I would like to know just how much additional protection I get.

Hardware firewalls, that are found in routers, are usually rock solid in rejecting any unsolicited inbound communication. Some routers, by default, have certain ports open (for various reasons, like Telnet for its own control/update).

Web based scans would normally bounce off the hardware firewall if they are deemed to be unsolicited (something that you didn’t specifically request). There can be a few open ports (as described above), that reach the software firewall. Normally any ports in the router can be closed/stealthed by using the router’s own interface/controls.

With a hardware firewall covering the front door (the Net) & software firewall covering the back door (all the programs on your PC), you should be very safe.

Thx for the reply kail; forgive me if I try to get an even clearer picture… ;D

I don’t know of any specific additional firewall capability in my router, so I’m referring to the “firewall” protection inherent to the NAT mechanism, as found in any router HW. I’m concerned about how this NAT-inherent protection holds up in the face of an attack from within. In particular, if I ended up with a trojan on my laptop (has happened in past), will the trojan be able to somehow swing wide open the proverbial “city gates” on the NAT protection and allow (trojan coordinated) inbound attacks? That is, can a malicious agent on the inside of the NAT mechanism subvert its protection?

What’s the make & type of your router?


(Of course the wireless side is tightly nailed down: strong password on router, hide ESSID, 128-bit WEP [alas, have one Win9x machine, so no WPA/WPA2], only allow connections from specified-by-me MAC addresses)

Yes, your router does have a firewall… according to the manufacturer (got this from Amazon)…

has a powerful SPI firewall to protect your PCs against intruders and most known Internet attacks, and supports VPN pass-through

Also in the user reviews, they like it. But most mention that it is difficult to set up.

Heh, I just dug around the settings for the router and indeed there is a firewall setup. I didn’t know about it. It’s disabled by default. By the sound of it, I don’t think I’ll be turning it on; sounds like more headache than benefit. I guess good I have CPF up. :slight_smile:

If you go to the Linksys web site, they have some pre-set firewall rule sets that you can download/print which could help. Such as Max, Med, and Low settings.
It ‘IS’ a good idea to use the internal SPI firewall. Another layer of protection at no cost is always a good idea. ;D

(B) Lee

That sounds interesting, I have a Linksys WRT54GL with the SPI firewall enabled, and use Comodo for additional security, mainly for outbound control. I couldn’t find the pre-set firewall rules on Linksys’s website, could you maybe point me in the correct direction?

You don’t need that. The Linksys router has a pretty good setup per default. I have one too, and I did nothing. I never see any portscans in my firewall log, and any other unsolicited traffic gets da big boot. You can however turn this function off by logging into the router using a browser of your choice and unchecking the function.

To answer the NAT related question:
NAT by design is not a defensive function. Nor does it provide any firewall functions or is to be considered a “firewall”. NAT (Network Address Translation) was designed to help the ever decreasing available IP addresses. Every device that is to communicate with the Internet must have a unique IP address (same thing with NetBIOS names, MAC addresses etc.). By using NAT, IP addresses can be used more effectively.
(E.g.: You can have one public IP address on the “outside” which is seen by the Internet (this will typically be on the interface connected to the Internet), and several private IP addresses on the inside (all the PCs connected to built-in HUB/Switch). Pretty much like your typical ADSL household setup.) I used to see this type of misconception a few years ago (no offence intended). Most sales reps have gotten their act together by now :slight_smile:

Hope this helps

Do you mean “I did nothing” after turning on the SPI firewall on the router? Because this option is off by default for me. Or “pretty good setup” refers to something else? If you mean you’re running with the SPI firewall, is your Net operation still fairly transparent then?

Ah, it’s just as I thought. I was being confused by these outdated opinions that Google was bringing up on the subject; I guess a lot of the Google hits were from “a few years ago”. :slight_smile:

I apologize for being unclear. I meant the default Linksys setup when you take it out of the box. This one only needs minor tweaks if you’re interested in that sort. I know I am :slight_smile:
My Linksys WRT54G router has been running flawlessly for 2 years now. I might just be lucky, or it might be that this router actually does what it’s designed to do. I can’t say that I remember if I enabled the SPI or not as it is over 2 years since I last configured it. I think it was enabled, but I suspect you’ll tweak the settings anyway. As for transparency, not very likely. I forward the ports I need to forward. The rest is up to the router to figure out :slight_smile:

Thanks for the clearing up, Triplejolt.

I must say I’ve been terribly happy with the router too, and I think I’ve been running it for nearly 3/4 of a year, after getting it because of a huge rebate. It’s been running here flawlessly during that time too.

I’ll give the SPI firewall a spin. I am just worried I’ll keep forgetting to forward ports in CFP and router… :slight_smile: Mind you, I guess I can start using the UPnP functionality in various apps for automatic port forwarding at the router…

Wingnut, I just tried the link I had in my favorites but nothing showed. I guess they most likely have changed something in their support listing and now my link is just a memory. ;D I haven’t used my Linksys in quite a while as I changed to a Speedstream router.

Have a great week.

(B) Lee

Then why doesn’t someone make a small program just for monitoring outgoing programs (to allow in/out access) without all the other firewall stuff (as the router takes care of that). There must be a market?

I don’t need another firewall, I have my router. But I like to monitor my applications anyway :slight_smile:

I would be careful about using UPNP with the firewall, as any program can open ports. This is not desirable.

cheers, rotty
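
The behaviour discussed in this thread (unsolicited inbound traffic dropped, replies to outbound connections passed, and UPnP letting any LAN program open a port), as an added Python sketch that is not from any poster or from router firmware. The `Router` class, addresses and ports are constructed for illustration, and the model assumes strict per-flow matching and an unauthenticated port-mapping request.

```python
# Added illustration: toy model of a home router's NAT/SPI state table.
# Addresses, ports and the Router class are constructed for this example.
from dataclasses import dataclass, field

@dataclass
class Router:
    flows: dict = field(default_factory=dict)     # public_port -> (lan_host, remote)
    forwards: dict = field(default_factory=dict)  # public_port -> lan_host
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection; the router records the flow."""
        port, self.next_port = self.next_port, self.next_port + 1
        self.flows[port] = ((lan_ip, lan_port), (remote_ip, remote_port))
        return port

    def upnp_add_mapping(self, lan_ip, lan_port, public_port):
        """Port-mapping request from the LAN; assumed unauthenticated here."""
        self.forwards[public_port] = (lan_ip, lan_port)

    def inbound(self, src_ip, src_port, public_port):
        """Return the LAN destination of an Internet packet, or None if dropped."""
        if public_port in self.forwards:            # static or UPnP forward
            return self.forwards[public_port]
        flow = self.flows.get(public_port)
        if flow and flow[1] == (src_ip, src_port):  # reply to a tracked flow
            return flow[0]
        return None                                 # unsolicited: dropped

    def exposed(self):
        """Audit view: public ports reachable without a prior outbound flow."""
        return sorted(self.forwards)

def demo():
    r = Router()
    laptop, server, scanner = "192.168.1.20", "198.51.100.80", "203.0.113.7"
    out = {"unsolicited": r.inbound(scanner, 55555, 8080)}
    p = r.outbound(laptop, 51000, server, 443)
    out["reply"] = r.inbound(server, 443, p)
    out["third_party_on_flow_port"] = r.inbound(scanner, 55555, p)
    r.upnp_add_mapping(laptop, 8080, 8080)
    out["after_upnp"] = r.inbound(scanner, 55555, 8080)
    out["exposed"] = r.exposed()
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `exposed()` view corresponds to reviewing the port-forwarding and UPnP mapping tables in the router's admin interface, which is the check to repeat after enabling UPnP.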

Don’t know if anybody is interested but I just made a little test with ShieldsUp. I first did it with cpf loaded, and the results were just perfect…nothing failed…all ports stealth and impossible to ping my pc. Then I unloaded cpf, loaded xp sp2 firewall, and guess what: SAME RESULTS!!! and I finally unloaded windows firewall and then again: perfect results!!! After that I reduced the strength of my router firewall (with no software firewall on) and I got a failed test because it was possible to ping my pc. Which means that after all, concerning inbound attacks through ports, the only thing in this world that can protect your pc is a router firewall. I also tried the test with Router firewall off and cpf on, and the test failed again (no open ports, but the ability for a remote machine to ping my pc and get an answer).

Hi, apache255!

First of all, with COMODO’s default packet rules enabled you should be perfectly stealth.

Second, I do have objections against your conclusion: I have been on the Internet WITHOUT a firewall and WITHOUT a router for maaaaany years and nothing happened. Of course, you can only do this if you have closed ALL ports by shutting down several Windows services.

There is a misunderstanding about ‘Ping’. ‘Stealth’ as such is a utopia. If there were nobody at your address, your ISP’s server would send a ‘Host Unreachable’ message to the hacker. So, now that your firewall or your router doesn’t answer anything, and neither does your ISP’s server, the hacker is 100% sure that there’s somebody there ‘protected’ by a firewall and might be even more tempted to attack you than if your ports were just ‘closed’, because behind that firewall some ports may be open…

Paul Wynant
Moscow, Russia

hi p2u, that’s a very interesting answer. But since all ports are stealth, even if it gives a hacker a way to know that there’s someone there, cause otherwise as you said my isp would send him a “host unreachable” answer, how could this hacker do anything if he cannot scan my ports, and does not know which one is open? last question, if you know, cause I really am not a specialist: could u give an example of how a hacker can get through an open port, and what he can do with that. Don’t worry I’m not looking for precise info about hacking, but I just have no idea at all of how someone can use ports to hack a system. And that would be good if sometimes people knew against what exactly they want to protect their machine.

Somebody scanning some of your ports is the least of your worries… I will get back to you through PM to answer your question. This is not exactly a hacker forum.
Until then: Google is king…

Paul Wynant
Moscow, Russia