RE: OT -ADSL router capable of multiple VPN connections to same s erve r?
David said:

> ...So long as you allow _any_ data (even de-encapsulated over say a userspace TCP relay) to pass between the Internet and your PC, there is a way it can be used to compromise you. Dropping ports makes it marginally harder, but not hard enough for the truly motivated. A common example of this folly is to limit people to say 80/443, which prevents people from doing anything they like. It does _no_ _such_ _thing_, it's trivial to set up a tunnel over 443 or 80 and get any access you want. It does require some knowledge, but it's easy to implement...

Agreed. So, we take one step further along this restrictive path... As Nick said: "...why let any machine other than the mailserver get out on port 25?..." - but it's also possible to extend this logic and restrict outward 80/443 to a proxy server - and set various policies etc. on that. With this in place, and access to the proxy server restricted, the cute tricks with 'nc' and similar shouldn't work.

- steve = http://www.commarc.co.nz
RE: OT -ADSL router capable of multiple VPN connections to same s erve r?
On Thu, 25 Sep 2003, Steve Brorens wrote:

> David said:
>
> > A common example of this folly is to limit people to say 80/443, which prevents people from doing anything they like. It does _no_ _such_ _thing_, it's trivial to set up a tunnel over 443 or 80 and get any access you want. It does require some knowledge, but it's easy to implement...
>
> Agreed. So, we take one step further along this restrictive path... As Nick said: "...why let any machine other than the mailserver get out on port 25?..." - but it's also possible to extend this logic and restrict outward 80/443 to a proxy server - and set various policies etc. on that. With this in place, and access to the proxy server restricted, the cute tricks with 'nc' and similar shouldn't work.

Doesn't help. The point I was making was that you are allowing, by some means, data to flow between the Internet and internal machines. That proxies are involved does not help in any way.

Let's say you wish to allow your users access to HTTP over SSL services. This can be proxied, as you've noted, but how the proxy implements this is by providing a simple TCP relay, using an HTTP method called CONNECT. CONNECT will, unless configured explicitly or filtered, allow you to connect to any arbitrary port. It has to implement it this way because the SSL exchange must terminate in the browser, so the proxy cannot do anything other than relay the connection.

So, we've restricted what port it can connect to, but nonetheless if you have a willing external endpoint, you can still connect without any interference from the proxy to 443. So you build a tunnel over that: a simple tool to have a listening port on your local machine, and connections to it result in a connection to the proxy, a CONNECT request, and then just relay the traffic back and forth.

It's even simpler than that if you're only looking for SSH. Add Port 443 to your sshd_config and grab yourself a copy of PuTTY for win32. Tick the proxy options for HTTP proxies, and you're away laughing.

Alright, you say, I'll just set up application-level inspection to ensure you're not hijacking 443 for other purposes. Such inspection will look for an SSL exchange, but beyond that it can't do anything else since the payload will all be encrypted. No problem, run stunnel, which does tunneling over SSL for arbitrary ports.

Security is _always_ a balance, between effort/cost and actual improvement in security. Simple things, like just reducing how many ports Joe Random PC can talk on, are simple and work well against most of the people wanting to do something they shouldn't. But you suffer very serious diminishing returns for expending more and more effort, and you _still_ won't be perfect. You can go pretty far in this stuff, locked down PCs, 802.1x, and it's not cheap. But someone will work a way around it. It just takes time.

-- 
David Zanetti
http://hairy.geek.nz/
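The "simple tool" described in the post above, as an added example that is not code from the original thread or from David: a local listener that turns each accepted connection into an HTTP CONNECT relay through a proxy. Everything beyond the CONNECT request itself is assumed for the demo: the proxy (`fake_proxy`, a CONNECT-only stand-in for something like Squid) and the "willing external endpoint" (`echo_target`) are constructed in-process on loopback, so `demo_roundtrip()` runs offline. The point it demonstrates is the one made above: once the proxy has answered 200, it sees only opaque bytes, so whatever is listening on the far end (ssh on 443, say) is reachable.

```python
"""Added example, not code from the original posts: the "simple tool" described
above, a local listener that turns each accepted connection into an HTTP CONNECT
relay through a proxy.  The proxy and echo target used by demo_roundtrip() are
constructed in-process on loopback so the whole thing runs offline."""
import socket
import threading

def build_connect_request(host, port):
    """What a browser (or PuTTY's HTTP-proxy option) sends to the proxy."""
    return ("CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n" % (host, port, host, port)).encode()

def parse_connect_response(data):
    """Numeric status of the proxy's reply; 200 means the relay is open."""
    parts = data.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % data[:40])
    return int(parts[1])

def read_headers(sock):
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf

def open_tunnel(proxy, dest):
    """Ask proxy=(host, port) to CONNECT to dest=(host, port).  After a 200 the
    socket is an opaque byte pipe: the proxy saw only the CONNECT line, so a
    proxy that permits CONNECT to 443 alone still carries an sshd bound to 443."""
    s = socket.create_connection(proxy)
    s.sendall(build_connect_request(*dest))
    status = parse_connect_response(read_headers(s))
    if status != 200:
        s.close()
        raise ConnectionError("proxy refused CONNECT: %d" % status)
    return s

def pump(src, dst):
    """Copy bytes one way until EOF, then shut both sockets down."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass

def relay(a, b):
    t = threading.Thread(target=pump, args=(a, b), daemon=True)
    t.start()
    pump(b, a)
    t.join()

def listen_local():
    ls = socket.socket()
    ls.bind(("127.0.0.1", 0))      # port 0: the kernel picks a free port
    ls.listen(5)
    return ls, ls.getsockname()[1]

def serve_one(ls, handler):
    """Accept a single client in a background thread and hand it to handler."""
    def run():
        conn, _ = ls.accept()
        ls.close()
        handler(conn)
    threading.Thread(target=run, daemon=True).start()

def tunnel_handler(proxy, dest):
    """Per-client work of the local listener: open the tunnel, then relay."""
    return lambda client: relay(client, open_tunnel(proxy, dest))

def fake_proxy(conn):
    """Constructed CONNECT-only proxy for the demo; a real one would also
    restrict which destination ports CONNECT may reach, typically to 443."""
    host, port = read_headers(conn).split(b" ", 2)[1].decode().rsplit(":", 1)
    upstream = socket.create_connection((host, int(port)))
    conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    relay(conn, upstream)

def echo_target(conn):
    """Constructed stand-in for the 'willing external endpoint'."""
    conn.sendall(conn.recv(4096))
    conn.close()

def demo_roundtrip(payload):
    """client -> local listener -> proxy CONNECT -> echo target, and back."""
    echo_ls, echo_port = listen_local()
    proxy_ls, proxy_port = listen_local()
    local_ls, local_port = listen_local()
    serve_one(echo_ls, echo_target)
    serve_one(proxy_ls, fake_proxy)
    serve_one(local_ls, tunnel_handler(("127.0.0.1", proxy_port), ("127.0.0.1", echo_port)))
    c = socket.create_connection(("127.0.0.1", local_port))
    c.settimeout(5)
    c.sendall(payload)
    out = c.recv(4096)
    c.close()
    return out
```

To use it against a real proxy, call `serve_one(listen_local()[0], tunnel_handler((proxy_host, proxy_port), (endpoint, 443)))` in a loop and point ssh (or anything else) at the local port; the proxy's log will show nothing but a CONNECT to port 443.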
RE: OT -ADSL router capable of multiple VPN connections to same s erve r?
Hi again,

> So is each workstation making a separate PPTP connection to the router?

No, the PPTP tunnel is from the client's PC through to the server on the internet, the router has to do network address (and port?) translation.

> Or are they making a PPTP connection to the remote VPN server on the net?

Yes.

> If it's the second choice then any DSL router should do the job.

Not so... can only establish one VPN session at a time to the same server. (Dynalink and D-Link expressly say their ADSL routers can't handle more than one connection to the same VPN server at the same time - don't quite know why they are so limited).

Thanks,
Bryce Stenberg.

-----Original Message-----
From: CF [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 24 September 2003 11:08 a.m.
To: Linux Users Group
Subject: Re: OT -ADSL router capable of multiple VPN connections to same serve r?

On Wed, 2003-09-24 at 10:13, Bryce Stenberg wrote:
> This is quite off topic but as a number of people reading this list seem to have wide experience I thought I'd give it a go

Always worth a try.

> I need to find a multiport ADSL router (for connecting to phone line) that has the ability to allow multiple simultaneous VPN sessions (using PPTP) through to the same VPN server on the internet. There used to be a model from Nokia (the M1122) that sold for around $500 to $600 and did this but that is no longer available in New Zealand. I have tried various Dynalink and D-Link models but they are limited to only one session connecting to the same internet VPN server.

So is each workstation making a separate PPTP connection to the router? Or are they making a PPTP connection to the remote VPN server on the net? If it's the second choice then any DSL router should do the job.

> I need a multiport model as this is for tiny networks of typically two to four computers (each computer needs to be able to establish their own VPN session to the server out on the internet).
>
> Or, does anyone know what Telecom did with all the Nokia M1122 routers that they used to rent to people in the early Jetstream(?) days, and then took them back as people purchased their own routers? (maybe there is a warehouse somewhere full of them?). They appear to have disappeared.

Try www.graysonline.co.nz who sometimes have M1122 listed.

DISCLAIMER: http://www.hrnz.co.nz/eDisclaimer.htm
RE: OT -ADSL router capable of multiple VPN connections to same s erve r?
On Wed, 2003-09-24 at 12:06, Bryce Stenberg wrote:
> > So is each workstation making a separate PPTP connection to the router?
>
> No, the PPTP tunnel is from the client's PC through to the server on the internet, the router has to do network address (and port?) translation.
>
> > Or are they making a PPTP connection to the remote VPN server on the net?
>
> Yes.

Very odd - it's as though the implementation of NAT isn't stateful (not sure if that's the right word?)

> > If it's the second choice then any DSL router should do the job.
>
> Not so... can only establish one VPN session at a time to the same server. (Dynalink and D-Link expressly say their ADSL routers can't handle more than one connection to the same VPN server at the same time - don't quite know why they are so limited).

http://www.trademe.co.nz/structure/listings/listings_search_results.asp?searchtype=GENERALsearchstring=m1122

There's two there at the moment, and none on grays.co.nz

Does IPCop do anything to help in this instance?

http://www.ipcop.org/1.3.0/en/admin/html/vpnaw.html

That says VPNs are possible, terminated from the IPCop box.
Re: OT -ADSL router capable of multiple VPN connections to same s erve r?
This appears to be the technical reason:

> Q. I cannot connect from more than one computer at the same time.
>
> A. PPTP uses protocol GRE (47) for its tunnel. When two clients behind a single NAT firewall connect to the same PPTP server, their source IP address will be rewritten by their firewall. In this case, the GRE sockets in two pptpctrl processes will be reading GRE packets from both clients. The only way to distinguish between those two clients is to filter them by destination call ID number found in the GRE header.
>
> In order for the client NAT firewall to correctly rewrite the PPTP server's replies, please check Philip Craig's netfilter pptp helper module available from the Netfilter CVS server:
>
>     cvs -d :pserver:[EMAIL PROTECTED]:/cvspublic login
>
> When it asks you for a password type `cvs'
>
>     cvs -d :pserver:[EMAIL PROTECTED]:/cvspublic co netfilter-extensions/helpers/pptp
>
> It will be integrated in KernelMod, but until then, you'll have to build it yourself.

from http://poptop.sourceforge.net/dox/qna.html

Do you have alternatives like:

1. using a linux firewall instead of a dumb NAT router/modem?
2. use a better VPN like IPsec?

On Wed, 24 Sep 2003 12:06:47 +1200 Bryce Stenberg [EMAIL PROTECTED] wrote:

> Hi again,
>
> > So is each workstation making a separate PPTP connection to the router?
>
> No, the PPTP tunnel is from the client's PC through to the server on the internet, the router has to do network address (and port?) translation.
>
> > Or are they making a PPTP connection to the remote VPN server on the net?
>
> Yes.
>
> > If it's the second choice then any DSL router should do the job.
>
> Not so... can only establish one VPN session at a time to the same server. (Dynalink and D-Link expressly say their ADSL routers can't handle more than one connection to the same VPN server at the same time - don't quite know why they are so limited).
>
> Thanks,
> Bryce Stenberg.
>
> [...]

-- 
Nick Rout [EMAIL PROTECTED]
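The FAQ answer Nick quotes above, worked through in code. This is an added example, not code from the thread, from poptop, or from the netfilter helper it mentions: it parses the enhanced GRE header PPTP uses (RFC 2637 section 4.1, Protocol Type 0x880B, Call ID in bytes 6-7) and puts two toy NAT models side by side. `ServerKeyedNat` assumes what the limited routers in the thread appear to do, keying GRE on the server address alone since GRE has no ports; `CallIdNat` is a simplified model of what a PPTP-aware NAT helper must do, learning each inside host's call ID and demultiplexing server-to-client packets on the Call ID field (which, for packets from the server, carries the client's own call ID). The addresses, the LCP payload bytes and the choice of call ID 1 by both clients are constructed for the demo.

```python
"""Added example (not from the original posts, poptop or the netfilter helper):
parse the enhanced GRE header PPTP uses (RFC 2637 section 4.1) and model why a
NAT box that tracks GRE only by server address cannot serve two inside clients,
while one that demultiplexes on the Call ID field can.  Addresses, payload
bytes and call IDs below are constructed for the demo."""
import struct
from collections import namedtuple

GRE_PROTO_PPP = 0x880B          # Protocol Type for PPTP-carried PPP frames
GreHeader = namedtuple("GreHeader", "call_id seq ack payload_len")

def build_pptp_gre(call_id, seq=None, ack=None, payload=b""):
    """Enhanced GRE: K bit always set, S if a sequence number follows, A if an
    acknowledgment number follows, version 1.  Call ID is the *peer's* call ID."""
    b0 = 0x20 | (0x10 if seq is not None else 0)     # C R K S s Recur
    b1 = 0x01 | (0x80 if ack is not None else 0)     # A Flags Ver
    hdr = struct.pack("!BBHHH", b0, b1, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload

def parse_pptp_gre(pkt):
    if len(pkt) < 8:
        raise ValueError("short GRE header")
    b0, b1, proto, length, call_id = struct.unpack("!BBHHH", pkt[:8])
    if proto != GRE_PROTO_PPP or (b1 & 0x07) != 1 or not (b0 & 0x20):
        raise ValueError("not a PPTP enhanced-GRE packet")
    off, seq, ack = 8, None, None
    if b0 & 0x10:
        seq = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if b1 & 0x80:
        ack = struct.unpack("!I", pkt[off:off + 4])[0]
    return GreHeader(call_id, seq, ack, length)

class ServerKeyedNat:
    """Assumed model of the limited routers in the thread: GRE has no ports, so
    the only key available is the server address.  The second client's mapping
    replaces the first, and every reply from the server goes to one host."""
    def __init__(self):
        self.by_server = {}

    def outbound(self, inside_ip, server_ip):
        self.by_server[server_ip] = inside_ip

    def inbound(self, server_ip, pkt):
        return self.by_server.get(server_ip)

class CallIdNat:
    """Simplified model of a PPTP-aware NAT helper: learn each inside host's
    call ID (from its Outgoing-Call-Request on TCP 1723, passed in directly
    here), substitute a free one if two inside hosts chose the same value, and
    route server->client GRE by the Call ID field, rewriting it back."""
    def __init__(self):
        self.calls = {}   # (server_ip, call ID the server sees) -> (inside_ip, inside call ID)

    def register_call(self, inside_ip, server_ip, inside_cid):
        outside_cid = inside_cid
        while (server_ip, outside_cid) in self.calls:
            outside_cid = (outside_cid + 1) & 0xFFFF    # simplest substitute allocation
        self.calls[(server_ip, outside_cid)] = (inside_ip, inside_cid)
        return outside_cid   # what the control channel must now carry to the server

    def inbound(self, server_ip, pkt):
        hdr = parse_pptp_gre(pkt)
        entry = self.calls.get((server_ip, hdr.call_id))
        if entry is None:
            return None, None       # unknown call: drop rather than guess
        inside_ip, inside_cid = entry
        return inside_ip, pkt[:6] + struct.pack("!H", inside_cid) + pkt[8:]

def demo():
    """Two inside PCs, both choosing call ID 1, talking to the same PPTP server."""
    server, pc_a, pc_b = "203.0.113.5", "192.168.1.10", "192.168.1.11"
    lcp = b"\xff\x03\xc0\x21"   # constructed PPP/LCP payload bytes

    dumb = ServerKeyedNat()
    dumb.outbound(pc_a, server)
    dumb.outbound(pc_b, server)
    dumb_delivery = (dumb.inbound(server, build_pptp_gre(1, seq=7, payload=lcp)),
                     dumb.inbound(server, build_pptp_gre(1, seq=3, payload=lcp)))

    smart = CallIdNat()
    cid_a = smart.register_call(pc_a, server, 1)
    cid_b = smart.register_call(pc_b, server, 1)     # collides with pc_a's choice
    to_a = smart.inbound(server, build_pptp_gre(cid_a, seq=7, payload=lcp))
    to_b = smart.inbound(server, build_pptp_gre(cid_b, seq=3, payload=lcp))
    return {"dumb": dumb_delivery, "cids": (cid_a, cid_b),
            "to_a": (to_a[0], parse_pptp_gre(to_a[1]).call_id),
            "to_b": (to_b[0], parse_pptp_gre(to_b[1]).call_id)}
```

`demo()["dumb"]` shows both server replies landing on the last PC to connect, which is the "only one session to the same server" symptom; `demo()["to_a"]` and `["to_b"]` show the call-ID-keyed NAT delivering each reply to the right PC with its original call ID restored. The collision handling is the part a real helper cannot skip: without it, a client whose call ID is already in use by another inside host would silently hijack the other's tunnel.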
Re: OT -ADSL router capable of multiple VPN connections to same s erve r?
On Wed, 24 Sep 2003 12:41:16 +1200 CF [EMAIL PROTECTED] wrote:

> Does IPCop do anything to help in this instance?
>
> http://www.ipcop.org/1.3.0/en/admin/html/vpnaw.html
>
> That says VPNs are possible, terminated from the IPCop box.

That's an IPsec VPN, quite different to PPTP. It creates a tunnel from router to router (although it may work router to single computer too). He'd need to change the setup at the server end.

If he could put an IPCop box at each end, and set up IPsec, all the boxes at the client end would be like on the same LAN as the server at the server end, through an encrypted tunnel. I do it from time to time from home to work as I have an IPCop box at each end. It can be a hassle if you don't have well known fixed IP addresses at each end.

I tend these days to set up an ssh tunnel if I have a specific need to get at something at the other end.

I wish I was better at ascii art...

-- 
Nick Rout
Barrister & Solicitor
Christchurch, NZ
Ph +64 3 3798966
Fax +64 3 3798853
http://www.rout.co.nz
[EMAIL PROTECTED]
RE: OT -ADSL router capable of multiple VPN connections to same s erve r?
Hi Nick,

Good to actually see the technical reasons for it - I wonder why only the Nokia bothered making their router work for it.

I'm very constrained in what can be used - and that is a router at most clients' sites - the users have no expertise, but can manage to plug their network cables here and that other one over there and turn it on. They don't want yet another computer just to get a connection.

However, we have now purchased one of the Nokia M1122's from Trademe.

Thank you.
Bryce Stenberg.

-----Original Message-----
From: Nick Rout [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 24 September 2003 12:48 p.m.
To: [EMAIL PROTECTED]
Subject: Re: OT -ADSL router capable of multiple VPN connections to same s erve r?

> This appears to be the technical reason:
>
> [...]
>
> Do you have alternatives like:
>
> 1. using a linux firewall instead of a dumb NAT router/modem?
> 2. use a better VPN like IPsec?
Re: OT -ADSL router capable of multiple VPN connections to same s erve r?
On Wed, 24 Sep 2003 14:03, you wrote:
> They don't want yet another computer just to get a connection.

Indeed! But they _do_ want another computer to protect them from all the evil-doers out there. You should see my log files with all the cracking attempts.

-- 
Sincerely etc.,
Christopher Sawtell
Re: OT -ADSL router capable of multiple VPN connections to same s erve r?
And with a NAT router/modem they do get that protection to a large degree. Nothing gets in without a pinhole set by the user (same as IPCop) or a flaw in the router (possible, also possible with IPCop). You don't get to control what goes out (same on IPCop, although a rewrite of the iptables stuff would control that), and you don't get much logging. Nevertheless most people are quite safe from outside connections behind a NAT router/modem.

On Wed, 24 Sep 2003 14:53:33 +1200 Christopher Sawtell [EMAIL PROTECTED] wrote:

> On Wed, 24 Sep 2003 14:03, you wrote:
> > They don't want yet another computer just to get a connection.
>
> Indeed! But they _do_ want another computer to protect them from all the evil-doers out there. You should see my log files with all the cracking attempts.

-- 
Nick Rout [EMAIL PROTECTED]
Re: OT -ADSL router capable of multiple VPN connections to same s erve r?
On Wed, Sep 24, 2003 at 03:09:01PM +1200, Nick Rout wrote:
> and with a NAT router/modem they do get that protection to a large degree. Nothing gets in without a pinhole set by the user (same as IPCop) or a flaw in the router (possible, also possible with IPCop). Nevertheless most people are quite safe from outside connections behind a NAT router/modem.

You seem pretty sure about this.

-mjg

-- 
Matthew Gregan [EMAIL PROTECTED]
RE: OT -ADSL router capable of multiple VPN connections to same s erve r?
..and I found some on Trademe.

-----Original Message-----
From: Nick Rout [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 24 September 2003 3:09 p.m.
To: [EMAIL PROTECTED]
Subject: Re: OT -ADSL router capable of multiple VPN connections to sames erve r?

> And with a NAT router/modem they do get that protection to a large degree. Nothing gets in without a pinhole set by the user (same as IPCop) or a flaw in the router (possible, also possible with IPCop).
>
> [...]
RE: OT -ADSL router capable of multiple VPN connections to same s erve r?
I am with Nick on this one. After using IPCop for a while I realised that my ADSL router with NAT did everything which I used IPCop for, so I retired the IPCop box.

Robert

Never test the depth of the water with both feet.

-----Original Message-----
From: Matthew Gregan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 24 September 2003 3:29 p.m.
To: [EMAIL PROTECTED]
Subject: Re: OT -ADSL router capable of multiple VPN connections to sames erve r?

> On Wed, Sep 24, 2003 at 03:09:01PM +1200, Nick Rout wrote:
> > and with a NAT router/modem they do get that protection to a large degree. Nothing gets in without a pinhole set by the user (same as IPCop) or a flaw in the router (possible, also possible with IPCop). Nevertheless most people are quite safe from outside connections behind a NAT router/modem.
>
> You seem pretty sure about this.
>
> -mjg
Re: OT -ADSL router capable of multiple VPN connections to same s erve r?
On Wed, Sep 24, 2003 at 03:53:02PM +1200, wrote:
> I am with Nick on this one. After using IPCop for a while I realised that my ADSL router with NAT did everything which I used IPCop for, so I retired the IPCop box.

How does your ADSL router handle source routed packets?

-mjg

-- 
Matthew Gregan [EMAIL PROTECTED]
RE: OT -ADSL router capable of multiple VPN connections to same s erve r?
Perhaps I should have worded it "...everything which I deliberately used IPCop for."

-----Original Message-----
From: Matthew Gregan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 24 September 2003 3:56 p.m.
To: [EMAIL PROTECTED]
Subject: Re: OT -ADSL router capable of multiple VPN connections to sames erve r?

> On Wed, Sep 24, 2003 at 03:53:02PM +1200, wrote:
> > I am with Nick on this one. After using IPCop for a while I realised that my ADSL router with NAT did everything which I used IPCop for, so I retired the IPCop box.
>
> How does your ADSL router handle source routed packets?
>
> -mjg
Re: OT -ADSL router capable of multiple VPN connections to same s erve r?
On Wed, 24 Sep 2003 15:29:10 +1200 Matthew Gregan [EMAIL PROTECTED] wrote:

> On Wed, Sep 24, 2003 at 03:09:01PM +1200, Nick Rout wrote:
> > and with a NAT router/modem they do get that protection to a large degree. Nothing gets in without a pinhole set by the user (same as IPCop) or a flaw in the router (possible, also possible with IPCop). Nevertheless most people are quite safe from outside connections behind a NAT router/modem.
>
> You seem pretty sure about this.

It depends on your degree of paranoia. If people on the inside are running stuff like Kazaa, ICQ, MSN, spyware, etc. then there are security risks. I do know that NAT is not state of the art firewalling.

However, behind a NAT box you cannot have Code Red or similar attack your box. By similar I mean an attack that connects to a port on your box and compromises via a vulnerability.

There is still a possibility of compromising the NAT box, and it's not as easily upgraded as, e.g., an IPCop box.

There is still the possibility of someone pinging the crap out of your NAT box and eating your bandwidth.

There is still the possibility of someone compromising a wireless device on your LAN and eating your bandwidth/launching nasty attacks/spams from your LAN.

Many corporate style firewalls prevent outwards packets on a port by port and even machine by machine basis (why let your staff use any port other than 80, 443?? why let any machine other than the mailserver get out on port 25?). Your average NAT router won't do that (linux can, but IPCop doesn't).

Since I started writing this Matthew commented on source routed packets - I had to try and work out what that meant! I guess it depends on the TCP/IP stack in the router. Pass.

I didn't say NAT boxes were perfect, I said they offer a reasonable level of protection. I look forward to Matthew expanding on this, for the education of us all.

> -mjg

-- 
Nick Rout
Barrister & Solicitor
Christchurch, NZ
Ph +64 3 3798966
Fax +64 3 3798853
http://www.rout.co.nz
[EMAIL PROTECTED]
Re: OT -ADSL router capable of multiple VPN connections to same s erve r?
On Wed, Sep 24, 2003 at 04:05:36PM +1200, wrote:
> Perhaps I should have worded it "...everything which I deliberately used IPCop for."

You weren't using IPCop as a firewall? NAT does not provide the same protection as a packet filter or firewall. I tried to hint at this with my question about source routed packets, but you didn't seem to get it.

-mjg

-- 
Matthew Gregan [EMAIL PROTECTED]
RE: OT -ADSL router capable of multiple VPN connections to same s erve r?
I cannot remember the details now but I used the fairly standard IPCop settings with a couple of pinholes enabled.

Robert

Never test the depth of the water with both feet.

-----Original Message-----
From: Matthew Gregan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 24 September 2003 4:11 p.m.
To: [EMAIL PROTECTED]
Subject: Re: OT -ADSL router capable of multiple VPN connections to sames erve r?

> On Wed, Sep 24, 2003 at 04:05:36PM +1200, wrote:
> > Perhaps I should have worded it "...everything which I deliberately used IPCop for."
>
> You weren't using IPCop as a firewall? NAT does not provide the same protection as a packet filter or firewall. I tried to hint at this with my question about source routed packets, but you didn't seem to get it.
>
> -mjg
RE: OT -ADSL router capable of multiple VPN connections to same s erve r?
On Wed, 24 Sep 2003, Matthew Gregan wrote:
> NAT does not provide the same protection as a packet filter or firewall.

That depends on a lot of factors and exactly what you define as a packet filter or a firewall. There's a few misunderstandings I've seen on this subject in the list, so some clarity with the correct terms is probably a good idea.

A stateless packet filter will provide very little protection against inbound data, due to its lack of state awareness. In order for a stateless filter to work, you have to allow all ephemeral ports (that's ports 1024-65535) as a destination port to your address because those are the ports used for the local end of the connection. Remember: TCP has _two_ ports, a remote destination port and a local source port. Thus, to allow _any_ outbound connection, even if you are limiting such connections to only specific destination ports, you must allow a very large swath of incoming ports, or nothing will go. You can mitigate some of this by dropping packets which only have SYN set, since these will invariably be initiating a connection. However, this hack only works for TCP; for UDP you have to allow everything regardless.

A stateful packet filter will record what packets initiated a connection in a given direction, and use those records to decide when to allow reverse traffic (commonly called connection tracking). As such, a stateful firewall does not need to open all ephemeral ports; it simply looks at the incoming packet and only passes it on if it already has an existing connection listed. This works with all IP protocols, including UDP. Stateful packet filters are therefore inherently less risky than stateless filters.

NAT is typically implemented as a side effect of crossing some boundary. NAT requires a similar idea of connection state as a stateful filter because there needs to be some way to untranslate the incoming packets. As a result, you end up with more or less the same results using NAT as a stateful filter. Neither NAT, nor plain stateful filtering, will provide any more or less security than each other, simply because they are the same thing. What matters is how you configure what is allowed to initiate a connection.

On that point, most people are generally correct, in that you still do have some risk if you allow all out, but denying all but specific ports outwards is not the magic bullet people may think it is. So long as you allow _any_ data (even de-encapsulated over say a userspace TCP relay) to pass between the Internet and your PC, there is a way it can be used to compromise you. Dropping ports makes it marginally harder, but not hard enough for the truly motivated. A common example of this folly is to limit people to say 80/443, which prevents people from doing anything they like. It does _no_ _such_ _thing_, it's trivial to set up a tunnel over 443 or 80 and get any access you want. It does require some knowledge, but it's easy to implement.

-- 
David Zanetti
http://hairy.geek.nz/
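The stateless-versus-stateful distinction in the post above, run over a constructed packet sequence so the difference is visible rather than argued. This is an added example, not code from the thread or from David: a toy stateless filter (rules only, no memory, with the "drop SYN-only" hack as an option) and a toy connection-tracking filter are fed the same packets. The inside network, the outside addresses, the ports and the packet sequence are all constructed for the demo; the 1024-65535 "ephemeral" range is the one the post uses.

```python
"""Added example (not from the original posts): a toy stateless packet filter
and a toy connection-tracking filter fed the same constructed packets, showing
why the stateless one must admit unsolicited inbound traffic to the whole
ephemeral range (and all of UDP) while the stateful one need not.  Addresses,
ports and the packet sequence are constructed for the demo."""
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport flags")

def is_inside(ip):
    """Constructed inside network for the demo: 192.168.1.0/24."""
    return ip.startswith("192.168.1.")

class StatelessFilter:
    """Rules only, no memory.  Outbound: destination port must be on the allow
    list.  Inbound: must target a port in the ephemeral range used by the local
    end of connections, optionally dropping TCP whose only flag is SYN."""
    def __init__(self, allowed_out, drop_syn_only=False):
        self.allowed_out = set(allowed_out)
        self.drop_syn_only = drop_syn_only

    def check(self, p):
        if is_inside(p.src):                                  # outbound
            return p.dport in self.allowed_out
        if not 1024 <= p.dport <= 65535:                      # inbound to a service port
            return False
        if self.drop_syn_only and p.proto == "tcp" and p.flags == {"SYN"}:
            return False                                      # the SYN-only hack
        return True               # anything else could be a reply, so it must pass

class StatefulFilter:
    """Connection tracking: remember outbound flows, admit inbound only when it
    is the reverse of a remembered flow.  No flag inspection needed, and UDP
    gets exactly the same treatment as TCP."""
    def __init__(self, allowed_out):
        self.allowed_out = set(allowed_out)
        self.flows = set()

    def check(self, p):
        if is_inside(p.src):
            if p.dport not in self.allowed_out:
                return False
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return True
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows

# Constructed traffic: a legitimate HTTPS and DNS exchange from an inside PC,
# followed by four unsolicited inbound packets a scanner or attacker might send.
TRAFFIC = [
    ("https_syn",    Packet("tcp", "192.168.1.10", 40000, "198.51.100.7", 443, {"SYN"})),
    ("https_synack", Packet("tcp", "198.51.100.7", 443, "192.168.1.10", 40000, {"SYN", "ACK"})),
    ("dns_query",    Packet("udp", "192.168.1.10", 51000, "198.51.100.53", 53, set())),
    ("dns_reply",    Packet("udp", "198.51.100.53", 53, "192.168.1.10", 51000, set())),
    ("scan_syn",     Packet("tcp", "198.51.100.9", 6667, "192.168.1.10", 40001, {"SYN"})),
    ("scan_ack",     Packet("tcp", "198.51.100.9", 80, "192.168.1.10", 40002, {"ACK"})),
    ("udp_probe",    Packet("udp", "198.51.100.200", 9999, "192.168.1.10", 1434, set())),
    ("smtp_probe",   Packet("tcp", "198.51.100.9", 4444, "192.168.1.10", 25, {"SYN"})),
]

def run(filter_):
    """Feed TRAFFIC in order; return {name: accepted} for this filter."""
    return {name: filter_.check(p) for name, p in TRAFFIC}

def compare():
    allowed = (80, 443, 53)
    return {
        "stateless": run(StatelessFilter(allowed)),
        "stateless_syn_hack": run(StatelessFilter(allowed, drop_syn_only=True)),
        "stateful": run(StatefulFilter(allowed)),
    }
```

`compare()` shows the three cases the post walks through: the plain stateless filter admits every inbound packet aimed above 1023, the SYN-only hack stops `scan_syn` but not an ACK-only scan (`scan_ack`) or the UDP probe, and the stateful filter admits only `https_synack` and `dns_reply`, the two packets that are reverses of flows it recorded. The one thing all three agree on is `smtp_probe`, since an inbound SYN to port 25 falls outside the ephemeral range.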
Re: OT -ADSL router capable of multiple VPN connections to same s erve r?
Post of the month, thanks for the explanation.

On Wed, 24 Sep 2003 16:41:21 +1200 (NZST) David Zanetti [EMAIL PROTECTED] wrote:

> On Wed, 24 Sep 2003, Matthew Gregan wrote:
> > NAT does not provide the same protection as a packet filter or firewall.
>
> That depends on a lot of factors and exactly what you define as a packet filter or a firewall. There's a few misunderstandings I've seen on this subject in the list, so some clarity with the correct terms is probably a good idea.
>
> [...]

-- 
Nick Rout
Barrister & Solicitor
Christchurch, NZ
Ph +64 3 3798966
Fax +64 3 3798853
http://www.rout.co.nz
[EMAIL PROTECTED]