Posted on January 1, 2006, 12:59 am
| I have a DI-704up router in front of 2 boxes. Was wondering if I
| should/can trust the built-in firewall? Can they be breached? Finding
| useful docs (that a layman can understand) about this router is difficult.
| TIA peter
*IF* it was reachable you are not a Bank or source of highly data/information
effort. Therefore such a task would not be undertaken.
On the Router...
Block WAN access
Block Remote Upgrades
As always, I suggest blocking both TCP and UDP ports 135 ~ 139 and 445 on *any*
| David H. Lipman wrote:
| Dave, can you explain that a bit more? Are you talking about port
| forwarding those to a non-existent IP address?
No. Specifically blocking inbound and outbound communication in both TCP and
UDP in the range of 135 ~ 139 and the port 445. If NAT is like a door that is
closed but opened by the right protocol sequence, specifically blocking those
ports locks that door and nothing will cause that door to be opened.
Happy New Year
On Sun, 01 Jan 2006, in the Usenet newsgroup alt.computer.security, in article
It is not. NAT or Port Forwarding is a technique to forward the packet to
another computer. It _MAY_ change the error message sent back to the remote
host from an ICMP Type 3 Code 3 (Port Unreachable) to an ICMP Type 3 Code 1
(Host Unreachable). The fallacy of this is that your ISP has given you
_one_ IP address, and the "bad guy" is attempting to connect to that one
address. Now, think for a moment who sends back the error message. Why of
course, it's the computer the "bad guy" is attempting to connect to. So the
bad guy sees

    Message: 18.104.22.168 does not exist.

which is exactly the same thing that the NAT does - or the same thing as
if you had configured your computer correctly in the first place, and were
not offering services to everyone who connects.
The real difference is that the ICMP Type 3 Code 1 (Host Unreachable)
message from the computer that doesn't exist has the same effect as sending
no reply at all - it shows that the computer exists, and was configured by
someone who doesn't know what they were doing. Maybe it's worth looking at
more stuff on this computer, to see what other configuration errors exist.
| I would block everything inbound below 1024 unless you require a
| specific server service. If you do, ensure you only open the specific
| server service and only to the box required. Most users do not require
| any ports below 1024 exposed.
SOHO Routers often don't differentiate between inbound and outbound. Such a
mean no Internet access.
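The two rules argued for in this thread, Dave's "block TCP and UDP 135 ~ 139 and 445 in both directions" and the later "block everything inbound below 1024 unless a specific server service on a specific box needs it", can be checked against a connection log before they are typed into a router. The script below is an added example written for this page, not code from the thread, from D-Link or from the DI-704up firmware. The LAN range, the `proto src:sport -> dst:dport` log format, the sample flows and the `exposed` whitelist are all constructed for illustration; a verdict of `pass` only means neither rule blocks the flow, it does not mean the router's NAT would forward it.

```python
"""Evaluate WAN-edge flows against the two rules discussed in the thread.
Added example; the log format, LAN range and sample flows are constructed."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed LAN side of the router (constructed; not taken from the DI-704up defaults).
LAN = ip_network("192.168.0.0/24")
# Ports named in the thread: TCP and UDP 135-139 and 445 (NetBIOS/SMB).
NETBIOS_SMB_PORTS = frozenset(range(135, 140)) | frozenset({445})

# Constructed log format: "<proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)$")


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_flow(line):
    """Parse one constructed log line into a Flow, rejecting anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised flow line: {line!r}")
    proto, src, sport, dst, dport = m.groups()
    return Flow(proto, src, int(sport), dst, int(dport))


def direction(flow):
    """Classify a flow relative to the LAN: inbound, outbound or local."""
    src_lan = ip_address(flow.src) in LAN
    dst_lan = ip_address(flow.dst) in LAN
    if src_lan and not dst_lan:
        return "outbound"
    if dst_lan and not src_lan:
        return "inbound"
    return "local"  # LAN-to-LAN traffic never crosses the WAN filter


def decide(flow, exposed=frozenset()):
    """Return (verdict, reason). `exposed` holds (proto, port, lan_host) tuples
    naming the only server services deliberately opened to the WAN."""
    d = direction(flow)
    if d == "local":
        return ("pass", "LAN-to-LAN, not filtered at the WAN edge")
    # Rule 1: 135-139 and 445 are blocked in BOTH directions, TCP and UDP alike.
    if flow.dport in NETBIOS_SMB_PORTS:
        return ("block", f"{d} {flow.proto}/{flow.dport}: 135-139/445 blocked both ways")
    # Rule 2: nothing inbound below 1024 unless explicitly exposed to one box.
    if d == "inbound" and flow.dport < 1024:
        if (flow.proto, flow.dport, flow.dst) in exposed:
            return ("pass", f"inbound {flow.proto}/{flow.dport} to {flow.dst} explicitly exposed")
        return ("block", f"inbound {flow.proto}/{flow.dport} below 1024 and not exposed")
    return ("pass", f"{d} {flow.proto}/{flow.dport} not matched by either rule")


def audit(lines, exposed=frozenset()):
    """Apply decide() to every log line; returns (line, verdict, reason) triples."""
    return [(line, *decide(parse_flow(line), exposed)) for line in lines]


# Constructed sample log: one SSH server on 192.168.0.20 is the only exposed service.
EXPOSED = frozenset({("tcp", 22, "192.168.0.20")})
SAMPLE_LOG = [
    "tcp 203.0.113.5:51234 -> 192.168.0.10:445",   # inbound SMB probe
    "tcp 192.168.0.10:49152 -> 198.51.100.7:139",  # outbound NetBIOS session
    "udp 192.168.0.10:137 -> 198.51.100.7:137",    # outbound NetBIOS name query
    "tcp 203.0.113.5:40000 -> 192.168.0.20:22",    # inbound to the exposed box
    "tcp 203.0.113.5:40001 -> 192.168.0.10:22",    # inbound to a box that is not exposed
    "tcp 192.168.0.10:49153 -> 198.51.100.7:80",   # ordinary outbound web traffic
    "tcp 192.168.0.10:49154 -> 192.168.0.20:445",  # SMB between the two LAN boxes
]

if __name__ == "__main__":
    for line, verdict, reason in audit(SAMPLE_LOG, EXPOSED):
        print(f"{verdict:5} {line:45} {reason}")
```

Running it prints four `block` and three `pass` verdicts. The last line matters for the comparison Dave drew: file sharing between the two LAN boxes keeps working because the 135-139/445 rule only applies at the WAN edge, while every attempt to carry those protocols across the WAN is refused regardless of which side started it.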