Bruce,
I think if anyone here knows exactly how for instance ZoneAlarm works, they
wouldn’t be able to tell you because they would be bound by non-disclosure
agreements etc.
But I can expand a bit on the comment from Benson:
If you have a router that supports NAT, the packet will be re-addressed by
the router so that it looks like an internal one from your network. So a
packet is sent from the outside by 146.192.32.11:4612 to your 160.9.9.3:80
via the 160.9.9.1 router. The packet will then be given a unique port
number and an internal IP address to match the local network: so the sender
will look like 160.9.9.42:36721. There’s obviously no way you can tell that
this packet came from anywhere outside your local network, unless your
software is inside the router.
So, as others stated, the easy solution for making a firewall is to have
separate network connections (internal network and outside network), where
the connection to the outside is viewed with high suspicion, and the
internal one has a less strict rule about what's allowed and what's not. You
probably still want to check for suspicious activity on the internal network
(unusually large packets sent to identified ports, for instance), just in
case someone decides to run "Bombs'r'us" software on their machine...
You don't necessarily have to have two network cards as such; you may well
have a situation where the external port is a USB ADSL or cable modem, and
the internal network is 100 Mb/s Ethernet.
Mats
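The two rules this thread arrives at (Benson's "a private source address arriving on the outside link is spoofed" and Bruce's "135/445 closed to the Internet, open to the LAN"), together with Mats' caveat that behind a NAT router the internal link cannot distinguish forwarded from local traffic, can be shown as a small classifier. This is an added, user-mode C example written for this page; it is not NDIS code and not anything from the posters. It assumes the firewall itself knows which link a packet came in on (the `iface_t` argument, an assumption of the example), parses raw IPv4/TCP bytes it constructs itself, and uses the addresses quoted in the thread as sample values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

typedef enum { IFACE_INTERNAL, IFACE_EXTERNAL } iface_t;
typedef enum { V_ALLOW, V_DROP_BAD_HEADER, V_DROP_SPOOFED_SOURCE, V_DROP_BLOCKED_PORT } verdict_t;

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* RFC 1918 private space plus loopback: sources that must never arrive from the Internet. */
static bool is_private_v4(uint32_t ip) {
    return (ip & 0xFF000000u) == ip4(10, 0, 0, 0)      /* 10.0.0.0/8      */
        || (ip & 0xFFF00000u) == ip4(172, 16, 0, 0)    /* 172.16.0.0/12   */
        || (ip & 0xFFFF0000u) == ip4(192, 168, 0, 0)   /* 192.168.0.0/16  */
        || (ip & 0xFF000000u) == ip4(127, 0, 0, 0);    /* 127.0.0.0/8     */
}

struct pkt_info { uint32_t src, dst; uint8_t proto; uint16_t dport; };

/* Minimal IPv4 + TCP/UDP header parse over raw network-order bytes. Every length is checked
   before the corresponding byte is read, so a truncated packet is rejected, not over-read. */
static bool parse_v4(const uint8_t *p, size_t len, struct pkt_info *out) {
    if (len < 20 || (p[0] >> 4) != 4) return false;
    size_t ihl = (size_t)(p[0] & 0x0F) * 4;
    if (ihl < 20 || len < ihl) return false;
    size_t total = ((size_t)p[2] << 8) | p[3];
    if (total < ihl || total > len) return false;
    out->src = ip4(p[12], p[13], p[14], p[15]);
    out->dst = ip4(p[16], p[17], p[18], p[19]);
    out->proto = p[9];
    out->dport = 0;
    if (out->proto == 6 || out->proto == 17) {          /* TCP or UDP: dst port at +2 */
        if (total < ihl + 4) return false;
        out->dport = (uint16_t)(((uint16_t)p[ihl + 2] << 8) | p[ihl + 3]);
    }
    return true;
}

/* Policy from the thread. On the external link a private source is spoofed and 135/445 are
   closed. On the internal link a NAT-forwarded packet looks exactly like a local one (Mats'
   point), so this side is trusted; only the interface split gives the firewall any signal. */
static verdict_t classify(iface_t iface, const uint8_t *p, size_t len) {
    struct pkt_info pi;
    if (!parse_v4(p, len, &pi)) return V_DROP_BAD_HEADER;
    if (iface == IFACE_INTERNAL) return V_ALLOW;
    if (is_private_v4(pi.src)) return V_DROP_SPOOFED_SOURCE;
    if (pi.proto == 6 && (pi.dport == 135 || pi.dport == 445)) return V_DROP_BLOCKED_PORT;
    return V_ALLOW;
}

/* Constructed IPv4/TCP packet: 20-byte IP header + 20-byte TCP header, no payload. */
static size_t build_tcp(uint8_t *buf, uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport) {
    memset(buf, 0, 40);
    buf[0] = 0x45;                                  /* version 4, IHL 5 */
    buf[2] = 0; buf[3] = 40;                        /* total length     */
    buf[8] = 64;                                    /* TTL              */
    buf[9] = 6;                                     /* protocol TCP     */
    buf[12] = (uint8_t)(src >> 24); buf[13] = (uint8_t)(src >> 16);
    buf[14] = (uint8_t)(src >> 8);  buf[15] = (uint8_t)src;
    buf[16] = (uint8_t)(dst >> 24); buf[17] = (uint8_t)(dst >> 16);
    buf[18] = (uint8_t)(dst >> 8);  buf[19] = (uint8_t)dst;
    buf[20] = (uint8_t)(sport >> 8); buf[21] = (uint8_t)sport;
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    buf[32] = 5 << 4;                               /* TCP data offset 5 */
    return 40;
}

/* Scenarios built from the thread's own addresses; each returns the verdict for one case. */
static verdict_t scenario(int which) {
    uint8_t buf[40];
    uint32_t lan_host = ip4(172, 16, 2, 4), me = ip4(160, 9, 9, 3), outsider = ip4(146, 192, 32, 11);
    size_t n;
    memset(buf, 0, sizeof buf);
    switch (which) {
    case 0: n = build_tcp(buf, lan_host, me, 4612, 445); return classify(IFACE_EXTERNAL, buf, n);
    case 1: n = build_tcp(buf, outsider, me, 4612, 445); return classify(IFACE_EXTERNAL, buf, n);
    case 2: n = build_tcp(buf, outsider, me, 4612, 80);  return classify(IFACE_EXTERNAL, buf, n);
    case 3: n = build_tcp(buf, lan_host, me, 4612, 445); return classify(IFACE_INTERNAL, buf, n);
    default: return classify(IFACE_EXTERNAL, buf, 5);   /* truncated packet */
    }
}

int main(void) {
    static const char *names[] = { "ALLOW", "DROP_BAD_HEADER", "DROP_SPOOFED_SOURCE", "DROP_BLOCKED_PORT" };
    for (int i = 0; i < 5; i++) printf("scenario %d: %s\n", i, names[scenario(i)]);
    return 0;
}
```

Scenario 3 is the one Mats warns about: a 172.16.2.4 source on the internal link is allowed to reach port 445 whether it really is a LAN peer or an outside packet the DSL router has forwarded, because nothing in the packet distinguishes the two once the router has rewritten it. The interface split only helps when the host's own firewall sits on the outside link.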
xxxxx@lists.osr.com wrote on 11/19/2004 03:07:43 PM:
One scenario is when I block all incoming packets
from the Internet to protect ports 135 and 445. Local packets
are allowed. If an arbitrary attacker spoofs the IP source
as a local IP, he can send exploits to these ports.
So at first I had a solution: block packets on
Medium = NdisWan. So if I had a DSL router, the
Internet packets come from the local Ethernet. Does
anybody have a solution to detect Internet packets?
Or is there no need to filter when I have a DSL
router?
What do other firewalls do?
— Benson Margulies wrote:
>
> > You need to look at the From address. Once a packet
> > travels onto your
> > net, you have no way of identifying whether it came
> > through your router
> > or was locally generated. However, it’s worse. If
> > your router is doing
> > NAT, it will have translated the from address to its
> > own address on the
> > local net.
> >
> > If your router is not doing NAT, and your machine
> > has two IP addresses:
> > one on the local net and one on the outside net,
> > then you can detect a
> > spoofed packet because it will have a routable from
> > address and a
> > non-routable to address.
> >
> > -----Original Message-----
> > From: xxxxx@lists.osr.com
> > [mailto:xxxxx@lists.osr.com] On Behalf
> > Of Bruce Raynold
> > Sent: Friday, November 19, 2004 2:38 AM
> > To: Windows System Software Devs Interest List
> > Subject: [ntdev] NDIS - Is it an Internet Packet?
> >
> >
> > Hi all,
> >
> > I have developed an NDIS IM driver for my firewall.
> > When I got a
> > packet, I want to know if it is from internet or
> > from local networks.
> > (connect via DSL-Router included). How can I solve
> > this problem? I need
> > this to protect from hijacking. Example: We receive
> > an packet from
> > 172.16.2.4. This is an RFC private IP. I want to
> > block it when it's from
> > Internet.
> >
> > Plz help me, snippets are welcome
> >
> > Regards,
> > Bruce Raynold
> >
> > —
> > Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256
> > You are currently subscribed to ntdev as: xxxxx@dchbk.us
> > To unsubscribe send a blank email to xxxxx@lists.osr.com