Netgear portscanning me?

Subject Author Date
Netgear portscanning me? Tam 09-03-2007
Posted by Moe Trin on September 5, 2007, 4:01 pm
On Tue, 04 Sep 2007, in the Usenet newsgroup comp.security.firewalls, in article

>Moe Trin wrote:

>> Tam wrote:

>>> In that case the firewall should 'remember' that the request was sent
>>> and handle the reply when it comes. It is stored in the state table
>>> huh?
>>
>> Yes, but only for a limited time. Whoever configured the firewall
>> set the time too short.
>
>Though I regard Norton as complete and useless crap I do admit that finding
>acceptable timeout values for UDP answer packets is a bit of a
>problem for any stateful packet filter implementation because UDP is a
>stateless protocol.

The timeout IF YOU FEEL THAT YOU NEED THIS should be based on the way
DNS works, not the way UDP works. A sane resolver setup will try to
query a name server and wait a few seconds for a reply of some kind. It
is possible, that the server queried MIGHT be down at the moment. In *nix,
this query is allowed to wait five seconds before the resolver tries a
second query to a different server. If the second (and possibly third)
query fails, the resolver again tries the "first" name server, and
this time waits twice as long - ten seconds. Is that a realistic
timeout for a firewall? Probably not, but it's a hint from people who
know how the Domain Name Service works.

Except in special circumstances, ALL DNS traffic uses UDP, which is a
connectionless protocol. At the protocol level, there is no indication
that a remote system has replied to you, and no indication to the remote
system that you received OR DID NOT RECEIVE a packet it sent. Thus, all
timeouts are handled by the _application_ and not the UDP network.

The other problem users never think about is that no name server knows
about all hosts. When your resolver "asks a question", the name server
you ask will look to see if it knows the answer (is the data cached).
If not, it has to ask from the root domain on down in a multi-step
process. The question "what is the address of FOO.BAR.BAZ.QUX.COM"
starts by asking one of the root servers - the reply comes back
".COM - ask the .com nameservers at [3 to 12 possible IP addresses]".
Your name server asks one of those, and gets told ".QUX.COM - ask the
qux.com name servers at [2 or more addresses]". Your name server asks
one of them, and is told to ask the .baz.qux.com nameservers at another
set of addresses - and when you finally find the addresses of the
.bar.baz.qux.com nameservers, THEY will tell you the IP address you have
been searching for. In this case, that's five UDP packet exchanges
that have to work. (In fact, most name servers have cached at least
many of the addresses of the top level name servers, so you can probably
skip that first query.)

Those users who are in domains like demon.co.uk, t-ipnet.de, tiscali.fr
and similar may realize that not all of the world is a .com or .net or
similar. In fact, there are 8 top-level domains with four letters (such
as .info or .arpa), 12 top-level domains with three letters (such as
.com or .edu), and 253 top-level domains of two letters. There are also
two (rarely used) top-level domains of SIX letters (.museum and .travel)
for a total of 275 top level domains in official Internet namespace.

>TCP connections are easier to handle for a filter because of flags and
>sequence numbers.

See RFC1035 - the header of a DNS query and response have a sequence
number in the first two octets of the query and response. These
so-called firewalls _could_ inspect those numbers if they wanted to,
but that's too much work. Likewise, this crap software screams about
attacks, and they _could_ do something to protect the user from
further attacks by simply blocking the "attacking" host for an hour or
two - wonder why the brane-ded a$$holes who create these programs didn't
implement that. Maybe they know they are lying when they report this
stuff as an attack. Too bad the users don't understand the joke.

Old guy
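
Added example, not part of the post above or of any product discussed in this thread: a minimal state table that matches a UDP port 53 reply to its query by address/port pair plus the RFC 1035 ID in the first two octets, so a reply that outlives a short timeout is classified as late rather than as unsolicited traffic. The class and function names, the 2-second timeout and the packet bytes are constructed for illustration; the addresses and ports are the ones from the log quoted in this thread.

```python
import struct

DNS_PORT = 53
HEADER_LEN = 12  # fixed DNS header size (RFC 1035, section 4.1.1)

def parse_header(payload):
    """Return (id, is_response) from a DNS header, or None if truncated."""
    if len(payload) < HEADER_LEN:
        return None
    ident, flags = struct.unpack("!HH", payload[:4])
    return ident, bool(flags & 0x8000)  # QR is the top bit of the flags word

def make_header(ident, response):
    """Constructed sample header: one question, RD set, RA set on responses."""
    return struct.pack("!HHHHHH", ident, 0x8180 if response else 0x0100, 1, 0, 0, 0)

class DnsStateTable:  # hypothetical name, for illustration only
    def __init__(self, timeout, retain=30.0):
        self.timeout = timeout  # seconds a query counts as "open"
        self.retain = retain    # seconds before an unanswered entry is purged
        self.pending = {}       # (client, cport, server, sport, id) -> send time

    def outbound(self, now, src, sport, dst, dport, payload):
        # Purge stale entries, then record the query if this is one.
        self.pending = {k: t for k, t in self.pending.items() if now - t <= self.retain}
        hdr = parse_header(payload)
        if dport == DNS_PORT and hdr and not hdr[1]:
            self.pending[(src, sport, dst, dport, hdr[0])] = now

    def inbound(self, now, src, sport, dst, dport, payload):
        """Classify an arriving packet: accept, late-reply or unsolicited."""
        hdr = parse_header(payload)
        if sport != DNS_PORT or not hdr or not hdr[1]:
            return "unsolicited"
        sent = self.pending.pop((dst, dport, src, sport, hdr[0]), None)
        if sent is None:
            return "unsolicited"
        return "accept" if now - sent <= self.timeout else "late-reply"

def demo():
    # Constructed traffic between the PC and router addresses from the log.
    pc, router = "192.168.0.2", "192.168.0.1"
    table = DnsStateTable(timeout=2.0)
    table.outbound(0.0, pc, 55841, router, 53, make_header(0x1A2B, False))
    on_time = table.inbound(0.4, router, 53, pc, 55841, make_header(0x1A2B, True))
    table.outbound(10.0, pc, 55841, router, 53, make_header(0x1A2C, False))
    late = table.inbound(14.0, router, 53, pc, 55841, make_header(0x1A2C, True))
    stray = table.inbound(15.0, router, 53, pc, 55841, make_header(0x9999, True))
    return on_time, late, stray

if __name__ == "__main__":
    print(demo())
```

The second reply arrives 4 seconds after its query, inside the five-second resolver wait described above but past the table's 2-second timeout, which is the case a too-short firewall timeout reports as an attack.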

Posted by Chuck on September 4, 2007, 5:22 pm
Kris wrote:
> Tam writes:
>> My question is why would my local norton firewall report that the
>> router portscanned me? The report says that network traffic from the
>> netgear matches the signature of a known attack.
>>
>> Attacking Computer : 192.168.0.1, 53
>> Action Taken : Block
>> Destination Address : 192.168.0.2, 55841
>> Traffic Description : UDP, 53
>>
>> Am I right in guessing that the, e.g. 53, is a port? And isn't port 53
>> used for DNS? What is the netgear doing and should I be worried?
>>
>> Thanks for any light shed on this.
>
> Your PC sent a DNS request to the router. The router sent back a reply.
> It is normal.
>
> PS. Norton often - specifically, stuff designed for home users - often
> causes problems. For 99% of people who don't need/want to monitor or
> block outgoing data, the in-built Windows (XP SP2/Vista) firewall works
> fine. A firewall isn't usually necessary if you are behind a NAT router,
> as it likely has its own firewall.


Having a 2nd firewall secures your PC and limits the spread of any
malware should it ever get behind the NAT firewall. If you don't have
wireless and never allow a laptop on your network it's probably not an
issue. But imagine a laptop that gets infected while somewhere else,
then connects to your network. If you're relying solely on the NAT
firewall, your whole network just got compromised.

Or imagine all those poor saps who thought WEP would secure their
wireless LAN. Anyone driving by with the right software could get
behind the NAT firewall in minutes.

IMO every computer on the network should have its own firewall in
addition to the NAT firewall.

Posted by Volker Birk on September 5, 2007, 12:53 am
> Having a 2nd firewall secures your PC and limits the spread of any
> malware should it ever get behind the NAT firewall.

Unfortunately no.

> IMO every computer on the network should have its own firewall in
> addition to the NAT firewall.

Better configure your systems correctly.

Yours,
VB.
--
"Care must be taken that the Basic Law is not protected by methods
that run counter to its aim and its spirit."

Gustav Heinemann, "Freimütige Kritik und demokratischer Rechtsstaat"

Posted by Chuck on September 5, 2007, 10:02 am
Volker Birk wrote:
>> Having a 2nd firewall secures your PC and limits the spread of any
>> malware should it ever get behind the NAT firewall.
>
> Unfortunately no.
>
>> IMO every computer on the network should have its own firewall in
>> addition to the NAT firewall.
>
> Better configure your systems correctly.
>
> Yours,
> VB.

Double firewalling is standard industry practice. Do you disagree? If so
I hope you are not working as a network administrator.

Posted by Volker Birk on September 5, 2007, 10:51 am
> Double firewalling is standard industry practice. Do you disagree?

Yes.

Especially the "Personal Firewall" nonsense is counter-productive. I
don't have any problems with the Windows-Firewall, though, if it's
configured correctly.

> If so
> I hope you are not working as a network administrator.

I do not. I'm CTO ;-)

Yours,
VB.
--
"Care must be taken that the Basic Law is not protected by methods
that run counter to its aim and its spirit."

Gustav Heinemann, "Freimütige Kritik und demokratischer Rechtsstaat"
