[KLUG Members] Re: Broadband firewalls -- [continued] flawed logic and analysis ...

Jamie McCarthy members@kalamazoolinux.org
Sun, 8 Dec 2002 14:37:44 -0500


Bryan J. Smith writes:

> You are exploitable by the things that your box does not bother
> to address.

I don't have time to get into this.  I don't think you know
as much as you think you know.

Some of what you say is valid, some of it isn't.  For example,
you write:

> NAT is an ultra-simple mechanism for mapping a transport layer
> port to a private address.  If an external system addresses the
> mapped port on your NAT device, you _can_ route _directly_ to
> an internal/private IP!  By means of the so-called "firewall"
> that is supposed to protect you!

This isn't an issue, and I don't have time to educate you as to
why.  Basically, this attack method you describe is only possible
if you've compromised a machine I have contacted or a router
between us (and that has nothing to do with a firewall).

Let's cut to the chase.

My home network's IP number is 24.247.221.123.  Go ahead and tell
me what's insecure about my network.  Everyone reading this is
welcome to portscan me and try to exploit something on my LAN,
just please tell me in email if you succeed.

I'll save you some time:  you'll get no responses to ICMP ping or
any TCP port.  And I have no proprietary IP protocols running.

nmap -sU may or may not show you many allegedly open UDP ports.
Good luck trying to exploit those.

Your only complaint which might be valid is that I can't configure
the MR314 to block outgoing connections from spyware and trojans.
I don't see this as significant in my case.  I don't install
spyware or trojans;  I practice safe downloads.  If I run
untrustworthy code on my machine, I'm in deep trouble already.
A firewall might tip me off if I run a particularly dumb trojan
that initiates connections to a unique port somewhere, but I would
expect that if it's going to contact the black-hat's server to
open up its root shell or send my private data, it's going to do
it on port 80 -- and no firewall will stop outgoing connections on
port 80.
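As an added illustration of the last paragraph's point (this is not part of the original post), here is a small log-review script that flags outbound connection attempts to ports outside an allowlist; the netfilter LOG lines, hosts, and allowlist are constructed assumptions. The attempt to port 80 is not flagged, which is exactly the limitation the post describes.

```python
import re
from collections import Counter

# Constructed sample of netfilter LOG-target lines for outbound connection
# attempts from LAN hosts.  These are made-up lines, not real logs.
SAMPLE_LOG = """\
Dec  8 14:01:02 gw kernel: EGRESS: IN=eth1 OUT=eth0 SRC=192.168.0.10 DST=203.0.113.5 PROTO=TCP SPT=40211 DPT=80 SYN
Dec  8 14:01:03 gw kernel: EGRESS: IN=eth1 OUT=eth0 SRC=192.168.0.10 DST=203.0.113.5 PROTO=TCP SPT=40212 DPT=443 SYN
Dec  8 14:01:09 gw kernel: EGRESS: IN=eth1 OUT=eth0 SRC=192.168.0.10 DST=198.51.100.7 PROTO=TCP SPT=40213 DPT=6667 SYN
Dec  8 14:01:15 gw kernel: EGRESS: IN=eth1 OUT=eth0 SRC=192.168.0.10 DST=198.51.100.7 PROTO=TCP SPT=40214 DPT=31337 SYN
Dec  8 14:01:20 gw kernel: EGRESS: IN=eth1 OUT=eth0 SRC=192.168.0.12 DST=203.0.113.9 PROTO=UDP SPT=5353 DPT=53
"""

# (proto, port) pairs a home LAN is normally allowed to reach (assumed allowlist).
ALLOWED_PORTS = {("TCP", 80), ("TCP", 443), ("UDP", 53), ("TCP", 25), ("TCP", 110)}

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>TCP|UDP) "
    r"SPT=\d+ DPT=(?P<dpt>\d+)"
)

def parse_line(line):
    """Return (src, dst, proto, dport) for a netfilter LOG line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], m["proto"], int(m["dpt"])

def suspicious_egress(log_text, allowed=ALLOWED_PORTS):
    """List outbound attempts whose (proto, port) is not on the allowlist."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (rec[2], rec[3]) not in allowed:
            hits.append(rec)
    return hits

def per_host_counts(hits):
    """Count flagged attempts per internal source host."""
    return Counter(src for src, _, _, _ in hits)

if __name__ == "__main__":
    flagged = suspicious_egress(SAMPLE_LOG)
    for src, dst, proto, dport in flagged:
        print(f"{src} -> {dst} {proto}/{dport}")
    print(per_host_counts(flagged))
```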