CZ said:
Francis:
> Most end user firewalls are stateless (or primarily so)
not these days, ime, most modern 'end-user' firewalls are stateful,
otherwise it's just a glorified packet filter with a set of rules. the XP
built-in firewall, ZoneAlarm (free and Pro), among others all do stateful
packet inspection
> Generally, neither a NAT nor a router are referred to as packet filters.
not true, NAT routers are considered a type of packet filter as they are
designed to Allow, Reject or Drop inbound/outbound *packets* based on IP
address and/or Port number. thus, a NAT router IS, technically speaking, a
type of packet filter. a Router, on the other hand, does not typically
perform packet filtering, its job is simply to route packets.
> A NAT does address translation and port matching per a port table, a
> router routes packets between two interfaces per a routing table, and a
> packet filter makes a forward/discard decision based on info in the packet
> headers.
a Router, when referring to the devices used to connect together public and
private networks, is a device that is designed to efficiently route
(forward) packets b/w the disparate networks, and they do this by 'talking'
(using ICMP protocols) to other routers to determine the best route, thus
they are constantly updating their routing tables. the key difference here
is that an internet Router dynamically adjusts its routing tables based on
complex rules and the state of the other networks (routers) that it's
connected to. its job is fairly straightforward, but also complex in that
it must make complex decisions on the fly on how to most efficiently route
traffic in all directions, and then dynamically adjust itself if network
conditions change. a NAT router for broadband internet does not do this,
its routing tables are static.
a NAT router is, by definition, a router because it not only performs
address translation b/w the LAN-WAN interfaces, but it also forwards/routes
packets b/w the two interfaces according to rules configured in the NAT
router's *routing* table. the NAT router's routing table is not nearly as
complex as an internet router's would be, but still, it can be manually
configured to add new routes, although most people don't have a need to do
this, the NAT router auto-configures its routing table based on the IP
addresses assigned to the WAN and LAN interfaces. one could, for example,
add new static routes to the NAT's routing table that would enable the
router to route traffic b/w two or more private networks and the internet.
> Not exactly.
> Private IP addresses are routable, as I do it frequently in test
> scenarios. It depends upon the router's routing table.
the private IP address range, 10.x.x.x/8, 172.16.x.x/12, 192.168.x.x/16 are
examples of private IP netblocks, they are intended to be used internally on
private networks (intranets), these addresses are NOT routable on public
networks, packets headered with a destination from the private address range
will be DROPPED by the internet gateway (router) the moment it leaves the
host on the internal network. the router is misconfigured if this does not
happen, but it would still have a difficult time for a packet destined for a
private network to traverse the internet since NO router on the internet
would route the packet.
> IMO, re: a NAT-router, a router port accepts the packet, passes it to the
> NAT (which makes an address change), then the packet is compared to the
> router's routing table and is sent to the designated router port.
you mean the NAT router's port forwarding table (not routing table, that's
something different). the NAT router statefully inspects outgoing packets,
that is, it examines the packet headers of outgoing traffic, retains a log
of what host (port) solicited the outbound connection and then in-turn, maps
inbound connections to the correct LAN ports.
> A key issue here is that outside initiated inbound packets with the WAN
> port address are dropped by the NAT (as they do not have a match in the
> NAT's port table), not by the router.
> And, an outside initiated inbound packet with a private IP address would
> not be picked up by the router.
*unsolicited* inbound connections are dropped by the router, solicited
connections are forwarded to the appropriate port. private IPs, as
previously stated, are non-routable on the internet, so it's not something
the NAT router would have to deal with. however, there is nothing to
prevent the WAN interface on the NAT router from obtaining and using a
private IP address from the ISP. the NAT router doesn't care if the address
on the WAN interface is from private or public netblock. so, it is possible
to have private IPs on both sides (interfaces) of the router, but then
packets destined for the internet will not get routed over the WAN interface
because the converse is also true, public IPs are not routable in the
private address space. this scenario can occur with some ISPs when the
ADSL/Cable modem is not able to obtain a valid external address from the
DHCP server (usually an authentication issue) b/w the subscriber's broadband
modem and the ISP. even more interesting is that the external address
assigned by the ISP has usually been NAT'd too, but that's beyond the scope
of this discussion.
> Agreed, except that I would want more than just an application gate type
> of firewall (eg. ZA free) which does not also do packet filtering for
> outbound packets (Sygate does both, ZA free does not). Actually, I find
> using ZA free (an application gate f/w) together with BlackIce (an ID) to
> be a fairly good end user f/w setup.
when you refer to 'packet filtering on outbound packets', you are speaking
about an application-level firewall, right? ZAF is a stateful firewall, but
does not block outbound traffic based on source or content. the Pro version
does. however, ZoneAlarm (free edition) does perform outbound packet
inspection based on protocol, that's how it's able to block outbound traffic
on the NetBIOS ports, etc. i'm not familiar with BlackIce, aside from its
ominous sounding name. XP SP2's firewall is stateful and monitors outbound
traffic at the application and protocol level.
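The behaviour the thread argues over (a NAT router's stateful port table mapping solicited replies back to the LAN host, dropping unsolicited inbound packets, and refusing to forward packets addressed to private netblocks over the WAN) as an added toy simulation; this is example code written for this page, not from any poster or product, and the addresses, class and field names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 private netblocks named in the thread (constructed list for this example).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    """True if addr falls in a private netblock, i.e. not routable on the internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatRouter:
    """Toy NAT router: keeps a port table of flows that LAN hosts solicited."""
    def __init__(self, wan_ip, first_port=40000):
        self.wan_ip = wan_ip
        self.next_port = first_port
        # wan_port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.table = {}

    def outbound(self, pkt):
        # A private destination never leaves the WAN interface (dropped, returns None).
        if is_private(pkt.dst_ip):
            return None
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        wan_port = next((p for p, v in self.table.items() if v == key), None)
        if wan_port is None:                      # new flow: allocate a WAN port
            wan_port = self.next_port
            self.next_port += 1
            self.table[wan_port] = key
        # Rewrite source to the WAN address so replies come back to us.
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        # Unsolicited inbound: no matching entry in the port table -> dropped.
        entry = self.table.get(pkt.dst_port)
        if entry is None or (entry[2], entry[3]) != (pkt.src_ip, pkt.src_port):
            return None
        lan_ip, lan_port, _, _ = entry
        # Solicited reply: translate destination back to the LAN host and port.
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
```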