FW NAT and Keep State

Re WiFi set up with three computer access (MAC access enabled).

I know a little about Firewalls in relation to Packet Filtering, I
know enough to confuse myself rather than, like many, live in blissful
ignorance.

I recently installed broadband, as I enjoy a 'fiddle' I bought a
slightly more user definable router than the norm, I got a Vigor 2600.

It uses NAT by default, this shows Stealth on Steve Gibson's site and
I have been told that with NAT there is no real need to have any
inbound protection as NAT takes care of it.

When I used my Linux machine as a server I had 'mangle' enabled (I
think this is NAT) and then there was a rule for any inbound packets
to be associated or related otherwise they would be dropped.

My router has an option on the 'rules' set up to tick 'keep state' and
I am wondering if this is an option only to be used for other
functions such as DMZ or open ports (I am guessing here).

Geoff Lane

Geoff Lane <(E-Mail Removed)> writes:

> I know a little about Firewalls in relation to Packet Filtering, I know
> enough to confuse myself rather than, like many, live in blissful
> ignorance.

I see what you mean ;8)

> It uses NAT by default, this shows Stealth on Steve Gibson's site and
> I have been told that with NAT there is no real need to have any
> inbound protection as NAT takes care of it.

Find whoever told you that and give 'em a swift kick in the whassits.

NAT is simply `network-address translation' - the router takes a packet
going from A to B, and adjusts either the source or destination IP# so it
appears to come from Y (SNAT) or be going to Z (DNAT).

SNAT/masquerading:
It means that you can have an IP# allocated by your ISP terminate on the
router, yet still hide your boxes behind it, and outgoing connections will
have their source IP#s changed from your private LAN's addresses to that of
the router (and the source-port changed as well, so it knows to undo the
damage later).

DNAT:
Or, you can enable services (web, mail, sshd, etc) on machines behind the
router with their private addresses internally, having incoming connections
to specific ports being DNATted -the destination IP# changed- to specific
boxes inside.

Hence NAT is not in any way a form of filtering. It is not a substitute for
filtering. To say `the box does NAT therefore you need not filter' is
tripe. NAT facilitates; it's best in conjunction with a restrictive
filtering firewall; arguably there's more requirement for a firewall as
well so you can e.g. block INVALID packets before you DNAT them to an
internal private box (eek).

> When I used my Linux machine as a server I had 'mangle' enabled (I think
> this is NAT)

Nope, NAT takes place in the `nat' table in iptables. The `mangle' table is
mostly used for things like ToS-mangling.

> and then there was a rule for any inbound packets to be associated or
> related otherwise they would be dropped.

This is wise

> My router has an option on the 'rules' set up to tick 'keep state' and I
> am wondering if this is an option only to be used for other functions
> such as DMZ or open ports (I am guessing here).

It'll be the same kind of state that you get by using the state module in
iptables, yes. I'm not sure what the significance in this case is, whether
it merely means "make a note of everything new going out" or both that and
"only allow established/related stuff back in", but that's for you to find
out from your favourite manual :8)

~Tim
--
Cries of mercy rise like rockets |(E-Mail Removed)
Through the paths of the redeemed |http://spodzone.org.uk/

On Fri, 05 Dec 2003 11:16:57 +0000, Tim Haynes
<usenet-(E-Mail Removed)> wrote:

>Geoff Lane <(E-Mail Removed)> writes:
>
>> I know a little about Firewalls in relation to Packet Filtering, I know
>> enough to confuse myself rather than, like many, live in blissful
>> ignorance.
>
>I see what you mean ;8)

>> My router has an option on the 'rules' set up to tick 'keep state' and I
>> am wondering if this is an option only to be used for other functions
>> such as DMZ or open ports (I am guessing here).
>
>It'll be the same kind of state that you get by using the state module in
>iptables, yes. I'm not sure what the significance in this case is, whether
>it merely means "make a note of everything new going out" or both that and
>"only allow established/related stuff back in", but that's for you to find
>out from your favourite manual :8)

Manual - set up pamphlet more like it.

The CD based manual does not appear to go in to the tecnicalities or
ecxplanations or how it works.

Thanks for an in depth reply.

The router's NAT facility appears to show me in stealth mode and I
still run ZoneAlarm on the two main computers.

A handheld with pocketpc2003 will have to rely, until I learn a bit
more, on the router's NAT for protection.

Geoff Lane

In message <(E-Mail Removed)>, Tim Haynes wrote:

> Geoff Lane <(E-Mail Removed)> writes:
>
>
>> It uses NAT by default, this shows Stealth on Steve Gibson's site and
>> I have been told that with NAT there is no real need to have any
>> inbound protection as NAT takes care of it.
>
> Find whoever told you that and give 'em a swift kick in the whassits.
>
> NAT is simply `network-address translation' - the router takes a packet
> going from A to B, and adjusts either the source or destination IP# so it
> appears to come from Y (SNAT) or be going to Z (DNAT).
>
It can provide crude filtering of inbound stuff in that unless you tell it
where to forward incoming traffic, it will just eat it because it has
nothing better to do with it. However, it offers no defence to
locally-originated stuff opening links to dodgy external places so it's
only a one-way firewall at best.

Dave
--
mail: da (E-Mail Removed) (without the space)
http://www.llondel.org/
So many gadgets, so little time...

On Fri, 05 Dec 2003 11:16:57 +0000, Tim Haynes
<usenet-(E-Mail Removed)> wrote:


>> I know a little about Firewalls in relation to Packet Filtering, I know
>> enough to confuse myself rather than, like many, live in blissful
>> ignorance.
>
>I see what you mean ;8)
>
>> It uses NAT by default, this shows Stealth on Steve Gibson's site and
>> I have been told that with NAT there is no real need to have any
>> inbound protection as NAT takes care of it.
>
>Find whoever told you that and give 'em a swift kick in the whassits.
>
>NAT is simply `network-address translation' - the router takes a packet
>going from A to B, and adjusts either the source or destination IP# so it
>appears to come from Y (SNAT) or be going to Z (DNAT).

To his credit I think he was referring to incoming protection rather
than referring to problems with outgoing packets.

What he generally was saying was that as all private IP addresses are
hidden to the outside world then nothing uninvited can really get in.
I appreciate that does depend on the common sence of the users within
the local network.

Geoff Lane
Welwyn Hatfield Computer Club - Hertfordshire, UK
www.whcc.co.uk - Online facilities for non locals