Re: SKY USERS



dennis@home wrote:
"kraftee" <kraftee@b&e-cottee.me.uk> wrote in message
news:etohlq$vth$1@xxxxxxxxxxxxxxxxxx
dennis@home wrote:
Thread info.


Sky don't appear to use transparent proxies.

When you set the default DMZ to a non-existent IP on the LAN the
ports register as being stealthed, and open if you don't.

UPnP has no effect.


Conclusion:- it looks like the Sky firmware has a bug in it that
leaves the ports open.
It probably doesn't matter.


I haven't got time to trace the packets to see if they actually
cross between the WAN and LAN, so I will leave that as an exercise
for the reader.
For now I will leave the DMZ set to a non-existent address.

DMZ set to an existing IP (it has to be, to enable the use of a hardware
firewall), & I get the anomalous results from all sites mentioned in
the thread (that is, the 90.x.x.x IP address which doesn't show up on
a tracert etc.)

That just means you have to fix the problem using rules in your
firewall. Most users don't have a hardware firewall and a router.

True, but the sites in question aren't even seeing the ports which have been
opened in my hardware firewall (5004-65535 for WIM alone; as I said, a hell
of a lot just for one program to work).

What it does show is that requests arriving on those ports get sent to
somewhere on the LAN side by the router.
They are then going to be refused, so the remote end knows something
responded.
It's not really a security risk unless someone can slip a trojan onto
the machine first.

Once again true...

Setting the DMZ just ensures that they are dumped by the router and
not closed by the receiving machine.
Hence they appear to be stealthed.

Which is why at least one poster has placed a dummy IP in the DMZ; I myself
resorted to that at one stage, a long time ago on another ISP.

Stealth isn't all it's cracked up to be anyway.
Very few bits of malicious software arrive in that way; it tends to
be stuff installed by the user for whatever odd reason they do it.

That's the rub, isn't it: a lot of noise is being made about inbound port
probes, and I wonder if as much care is being taken about what is trying to
get out.
Router firewalls at best are very basic, which is why I chose to use another
box to do the job for me, as this one controls both incoming & outgoing, & I
still feel the need to run a soft firewall on all machines as well (belt,
braces & a piece of string approach: if one fails there is another hurdle to
get over, etc.).
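An added example, not part of the thread above: a small Python TCP probe that classifies a port the way the scanning sites the posters are using do, so the three results being argued over can be reproduced and reasoned about. A completed handshake is "open"; a RST (connection refused) is "closed", which is what happens when the router's DMZ forwards the probe to a real LAN machine that answers; no reply before the timeout is "stealth", which is what happens when the DMZ points at a non-existent LAN address and the forwarded SYN is never answered. The demo runs offline against loopback with a throwaway listener and a deliberately unused port (constructed setup, not a real Sky router); to see what the outside world sees, the probe has to be run from outside your WAN address.

```python
import socket

# Classification used by the "is my port stealthed?" sites discussed in the
# thread, as seen from a plain TCP connect() probe:
#   open    - handshake completed, something accepted the SYN
#   closed  - a RST came back: a host is there but nothing listens on the port
#             (DMZ pointed at a real LAN machine, whose stack refuses the request)
#   stealth - no answer before the timeout: the packet was dropped, or forwarded
#             to an address that never replies (DMZ set to a non-existent LAN IP)


def probe_port(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'stealth' for one TCP port on host."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "stealth"
    finally:
        s.close()


def scan(host, ports, timeout=1.0):
    """Probe several ports and return {port: state}."""
    return {p: probe_port(host, p, timeout) for p in ports}


def summarize(results):
    """Count states. Any 'closed' result proves a host behind the router answered,
    which is exactly what the DMZ-to-dummy-IP trick is meant to hide."""
    counts = {"open": 0, "closed": 0, "stealth": 0}
    for state in results.values():
        counts[state] += 1
    return counts


# Demo helpers so the example runs offline against loopback (constructed
# test setup, assumed here; not a real router or scanning site).
def listening_port():
    """Open a throwaway listener on 127.0.0.1 and return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def unused_port():
    """Ask the kernel for a free port and release it; probing it yields 'closed'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, open_p = listening_port()
    closed_p = unused_port()
    results = scan("127.0.0.1", [open_p, closed_p])
    for port, state in sorted(results.items()):
        print(f"{port:5d}  {state}")
    print(summarize(results))
    srv.close()
```

Note that a "stealth" result cannot distinguish a router that dropped the probe from one that forwarded it to an address nobody owns, which is the packet trace the poster left as an exercise; only a capture on the LAN side settles that.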
