[TriLUG] OT: Router vs Firewall, Was: OT: strange happenings - self booting server?

Ryan Leathers ryan.leathers at globalknowledge.com
Fri Apr 14 12:41:37 EDT 2006


Sorry, not much time, but the best way to understand it is to try an
example.

netcat is the easiest way to get started since it is readily had with
any distro.

man nc
google "shell shoveling"

set one up and play with it some.

then learn about "stateful packet filtering"
you'll discover how a "stateful firewall" prevents your nc shovel
again, google is your friend



On Fri, 2006-04-14 at 12:23 -0400, William Sutton wrote:
> For those of us interested in learning more but who had no clue what you 
> just said (>me<)...could you kindly translate? :)
> 
> -- 
> William Sutton
> 
> 
> On Fri, 14 Apr 2006, Ryan Leathers wrote:
> 
> > Brian,
> > 
> > NAT does not give you stateful inspection.  Imagine the example of shell
> > shoveling.  Through some exploit, an outbound connection is made from
> > your network, through the NAT, to some destination.  Said exploit
> > permits a shell to be tossed at the destination so the remote attacker
> > now has an interactive connection right through your NAT.  (People
> > sometimes use netcat to do this, thwarting the office security policy)
> > Obviously, preventing the exploit in the first place is desirable, but
> > if you are using a stateful firewall there is an excellent chance you'll
> > be protected from this kind of exploit.
> > 
> > Ryan
> > 
> > On Fri, 2006-04-14 at 10:48 -0400, Brian Henning wrote:
> > > Okay, since there's still a lot I have to learn, I'll ask the question:
> > > 
> > > What do you gain from having a firewall behind a NAT router with no port 
> > > forwards?  Speaking only in terms of inbound protection, of course. 
> > > Obviously a firewall can filter traffic in both directions.  Can one not 
> > > depend on a forwardless NAT router to simply drop all incoming 
> > > connection attempts?  Are there packets, or methods of connecting, that 
> > > can somehow sneak through such a NAT setup and reach machines on the inside?
> > > 
> > > In all the networks I administer, firewall + router is the standard 
> > > operating procedure, so I'm just interested in more of the reasons why 
> > > it's a good idea (that is, I don't need any convincing to start doing it).
> > > 
> > > As always, both lengthy explanations and links to reading material are 
> > > appreciated equally. :-)
> > > 
> > > Cheers,
> > > ~B
> > > 
> > > P.S. A linux box with iptables configured on the "reject everything but 
> > > _____" principle counts as "good," right? :-)
> > > 
> > > 
> > > 
> > > Cristobal Palmer wrote:
> > > > So the backstory is that we (Brian + Cerient) ate lunch, and I told
> > > > Brian about this... *ahem* ...friend of mine who insisted to me that a
> > > > router is always a firewall. When I say insisted, I mean he followed
> > > > me after I'd gotten up and left the room. I mean he emailed me the
> > > > next morning to follow up on his insistence.
> > > > 
> > > > I... uhh... have some weird friends. Seriously though, get a good
> > > > firewall everybody. The internets are dangerous.
> > > > 
> > > > Vice-chair-ily yours,
> > > > CMP
> > > > 
> > 
> > 
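To make Ryan's distinction concrete, here is a small Python model added here (it is not part of the thread): a forwardless NAT router and a default-deny stateful firewall with an egress policy both remember outbound flows, but only the firewall decides which new outbound connections may be made, so an outbound shovel to an arbitrary port is dropped before the remote end ever sees it. The two classes, the egress port list and the sample addresses are assumptions constructed for the illustration, and the NAT model is simplified (it records flows rather than rewriting addresses).

```python
from collections import namedtuple

# direction: "out" = LAN host to Internet, "in" = Internet to LAN host;
# syn: True marks a TCP connection attempt (a NEW flow). Constructed example.
Packet = namedtuple("Packet", "direction proto src sport dst dport syn", defaults=(False,))

def _key(p):
    # Orient the 5-tuple LAN-side first so a reply matches its originating flow.
    if p.direction == "out":
        return (p.proto, p.src, p.sport, p.dst, p.dport)
    return (p.proto, p.dst, p.dport, p.src, p.sport)

class NatOnlyRouter:
    """Forwardless consumer NAT, simplified: every outbound flow is translated and
    remembered; an inbound packet passes only if it matches a remembered flow."""
    def __init__(self):
        self.table = set()
    def handle(self, p):
        if p.direction == "out":
            self.table.add(_key(p))  # no policy on what may leave the LAN
            return "ACCEPT"
        return "ACCEPT" if _key(p) in self.table else "DROP"

class StatefulFirewall:
    """Default deny both ways: inbound needs ESTABLISHED state; outbound NEW is
    accepted only to the listed destination ports (an egress policy)."""
    def __init__(self, egress_ports):
        self.egress_ports = set(egress_ports)
        self.conntrack = set()
    def handle(self, p):
        k = _key(p)
        if k in self.conntrack:  # ESTABLISHED, either direction
            return "ACCEPT"
        if p.direction == "out" and p.syn and p.dport in self.egress_ports:
            self.conntrack.add(k)  # NEW and permitted by the egress list
            return "ACCEPT"
        return "DROP"  # unsolicited inbound, or NEW outbound to an unlisted port

def verdicts(device, packets):
    return [device.handle(p) for p in packets]

# Constructed sample traffic: a web fetch and its reply, an unsolicited inbound
# probe, then an outbound connection to an arbitrary high port and its reply.
TRAFFIC = [
    Packet("out", "tcp", "10.0.0.5", 40000, "203.0.113.10", 80, syn=True),
    Packet("in", "tcp", "203.0.113.10", 80, "10.0.0.5", 40000),
    Packet("in", "tcp", "198.51.100.7", 55555, "10.0.0.5", 22, syn=True),
    Packet("out", "tcp", "10.0.0.5", 40001, "198.51.100.7", 4444, syn=True),
    Packet("in", "tcp", "198.51.100.7", 4444, "10.0.0.5", 40001),
]
```

Both devices drop the unsolicited inbound probe, but `verdicts(NatOnlyRouter(), TRAFFIC)` accepts the last two packets while `verdicts(StatefulFirewall({53, 80, 443}), TRAFFIC)` drops them, which is the difference between "no port forwards" and "reject everything but ____".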