Understanding NAT, Firewalls, TCP/IP


Alan Krueger

Roedy said:
Some online voting schemes give one vote per IP. This discriminates
against people behind NAT, but to the outside world everyone behind
the NAT looks like one person.

This is unfair anyway, since multi-user systems have existed for
decades. Not everything is a PC. A Unix server doesn't necessarily
have more than one IP address per user, but could serve multiple desktop
sessions on terminals.
 

Dimitri Maziuk

Alan Krueger sez:
....
I really wish Microsoft had taken an outbound connection blocking
approach as well in Windows Firewall, or at least made it configurable. It
only blocks inbound connections. I'm not as concerned about some server
on my laptop being vulnerable, I'm more concerned about malware
infecting IE and silently phoning home, though it would (in theory)
block malware from listening at a port for controller probes.

Bwahahahaha. The sole reason for having egress filtering is
because Microsoft software works well only as an infection
vector. They haven't done anything to change that in 20 years,
what makes you think they're gonna start now?

Especially now that they reserve the right to collect any
information they like from your computer and quietly send
it to their business affiliates as they see fit. You really
think they'd give you a tool to stop them?

Dima
 

Nigel Wade

Alan said:
I really wish Microsoft had taken an outbound connection blocking
approach as well in Windows Firewall, or at least made it configurable. It
only blocks inbound connections. I'm not as concerned about some server
on my laptop being vulnerable, I'm more concerned about malware
infecting IE and silently phoning home, though it would (in theory)
block malware from listening at a port for controller probes.

The problem with personal firewalls' outbound blocking is that it makes you feel
warm and cosy, whilst providing little in the way of real protection.

If your machine has become infected because you are logged in with
administrative rights (and how many Windows users don't have admin rights?),
then the malware also has administrative rights. Code which executes with
administrative rights can tunnel straight through your "firewall" without you
even noticing. The "firewall" only warns you about well behaved applications,
and you don't really need protecting from these.

So, what you end up with is a piece of software which annoys you and interferes
with normal operations, whilst providing little real protection. If you really
want outbound protection it should be done on a router, where malware on the
client can't affect, or control, it (unless you've been lured into enabling
UPnP on the router firewall).

Inbound protection is the really important thing you need, and the Windows
firewall does provide some protection there.
 

Nigel Wade

Chris said:
> Both of the home NATers that I've had have included firewalls. The first (a
> cheap thing) had only simple firewalling, but it was there and was turned on by
> default. IIRC it blocked "random" outgoing connections by default (but that
> was some time ago and I could be wrong). My current NATing router features a
> decidedly more elaborate firewall, and that certainly shipped in a default
> configuration disallowing outbound connections on arbitrary ports.

I was basing the statement on my limited knowledge of home NAT routers. The only
ones I've used had the firewall disabled by default. They had very basic input
port blocking on 137,139,443 set up by default, but the real firewall was not
set up.

> Oh, and it doesn't and won't -- as a matter of manufacturer's security
> policy -- support UPnP.

It's an abomination. After all, what's the point in spending good money on a
firewall to protect your network, and then allowing software to poke holes in
it?

> I /could/ allow outgoing connections on any ports I liked, but I see no good
> reason to do so for any except a very small number of protocols. I
> /definitely/ wouldn't open up a port in order to take part in a BitTorrent-like
> distribution scheme.

We are not allowed to, by local networking policy. P2P of any kind is outlawed,
including BitTorrent carrying legitimate content.
 

Dimitri Maziuk

Nigel Wade sez:
The problem with personal firewalls' outbound blocking is that it makes you feel
warm and cosy, whilst providing little in the way of real protection.

It's a problem with any reactive security scheme. E.g. an antivirus
program makes you feel warm and cosy while a brand new virus is
free to infect your box -- until the AV vendor updates their VDF and
you download and install it. Nonetheless, it's better than nothing.

Dima
 

Steve Horsley

Roedy said:
That's what I was worried about. I think I will have to organise this
around traditional HTTP.

Note that you have the option of running some other home-brew
protocol over port 80. This will get you out of many places that
do egress filtering by port (protocol) number.

But I think that there may be a number of places where outgoing
connections to port 80 are blocked because everyone is expected
to go through a company-run proxy server that does content
filtering.

Steve
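Editor's note: the two checkpoints Steve describes (an egress filter that only knows port numbers, and a company proxy that inspects content), together with Nigel's earlier point that outbound filtering belongs on the router rather than the client, in one added example. This is my code, not anything posted in the thread. The allowed-port set, the proxy policy (a Host header is required; CONNECT tunnels are permitted only to port 443) and the sample connections are all assumptions made up for the demo.

```python
"""Port-based egress filter versus an HTTP-aware proxy.

Added example, not code from the thread. It models the two checkpoints
an outbound connection from a desktop might hit:
  1. a router-style egress filter that looks only at the destination port;
  2. a company proxy that forwards only what parses as an HTTP request.
The allowed-port set, the proxy policy and the sample connections are all
assumptions made up for this demo.
"""
import re

# Assumed router policy: default deny outbound, allow a few well-known ports.
ALLOWED_PORTS = {53, 80, 443}

# Assumed proxy policy: plain requests need a Host header; CONNECT tunnels
# (what browsers use for HTTPS via a proxy) are only permitted to port 443.
REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|PATCH) [^ \r\n]+ HTTP/1\.[01]\r\n"
)
CONNECT_LINE = re.compile(rb"^CONNECT ([^ :\r\n]+):(\d+) HTTP/1\.[01]\r\n")
TUNNEL_PORTS = {443}

# Constructed samples: (destination port, first bytes the client sends).
SAMPLES = [
    (80,   b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),      # ordinary browsing
    (80,   b"\x01\x02HELLO-HOMEBREW\x00"),                         # home-brew protocol on 80
    (6667, b"NICK bot123\r\n"),                                    # IRC-style phone-home
    (80,   b"CONNECT c2.example.net:4444 HTTP/1.1\r\n\r\n"),      # HTTP syntax, arbitrary tunnel
    (443,  b"CONNECT example.com:443 HTTP/1.1\r\n\r\n"),          # normal HTTPS via proxy
]


def port_filter_allows(port: int) -> bool:
    """Router egress filter: decides on the port number alone, so anything
    speaking anything on port 80 passes."""
    return port in ALLOWED_PORTS


def proxy_allows(data: bytes) -> bool:
    """Content-filtering proxy: the bytes must be a well-formed HTTP request.
    A home-brew protocol on port 80 fails the syntax check; a CONNECT to an
    unusual port fails the tunnel policy."""
    m = CONNECT_LINE.match(data)
    if m:
        return int(m.group(2)) in TUNNEL_PORTS
    m = REQUEST_LINE.match(data)
    if not m:
        return False
    headers = data[m.end():].split(b"\r\n\r\n", 1)[0]
    return any(line.lower().startswith(b"host:") for line in headers.split(b"\r\n"))


def evaluate(samples):
    """(port, allowed by port filter, allowed by proxy) for each sample."""
    return [(port, port_filter_allows(port), proxy_allows(data)) for port, data in samples]


if __name__ == "__main__":
    for port, by_filter, by_proxy in evaluate(SAMPLES):
        print(f"port {port:>5}: port filter={'pass' if by_filter else 'drop'}, "
              f"proxy={'pass' if by_proxy else 'drop'}")
```

The home-brew protocol on port 80 gets through the port filter and is dropped by the proxy, which is exactly the trade-off in the post. The caveat is that a tunnelling tool which wraps its traffic in well-formed HTTP (data inside POST bodies, a valid Host header) passes this check too; a content-filtering proxy raises the bar for phoning home, it doesn't close the door.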
 

Alan Krueger

Nigel said:
If your machine has become infected because you are logged in with
administrative rights (and how many Windows users don't have admin rights?),
then the malware also has administrative rights. Code which executes with
administrative rights can tunnel straight through your "firewall" without you
even noticing. The "firewall" only warns you about well behaved applications,
and you don't really need protecting from these.

Worse, IIRC, they provide some mechanism for software to automatically
add exceptions to blocks on listening sockets anyway, to ensure that
"legitimate" software won't inconvenience the users. This would be the
first target of something trying to circumvent Windows Firewall, as it
could silence all warnings before trying to do anything.
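Editor's note: Alan's concern above is that software can register its own Windows Firewall exceptions, so a check a practitioner would actually want is an audit of the rule list for exceptions that look self-added. The following is an added example of mine, not code from the thread. It parses text in the shape of `netsh advfirewall firewall show rule name=all verbose` output (the key/value layout is approximated, and the `Program:` line only appears with `verbose`) and flags enabled inbound Allow rules that bind no program at all, or bind a program in a user-writable location. The rule text, the rule names and the path list are constructed for the demo.

```python
"""Audit Windows Firewall rules for exceptions that look self-added.

Added example, not from the thread. Parses text shaped like
`netsh advfirewall firewall show rule name=all verbose` (layout approximated)
and flags enabled inbound Allow rules that either bind no program, or bind a
program sitting in a user-writable directory, which is where a dropper that
registered its own exception would usually live. Sample rules are constructed.
"""
import re

SAMPLE_RULES = """\
Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Protocol:                             UDP
LocalPort:                            Any
RemotePort:                           53
Program:                              C:\\Windows\\system32\\svchost.exe
Action:                               Allow

Rule Name:                            Remote Desktop - User Mode (TCP-In)
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Profiles:                             Domain,Private,Public
Protocol:                             TCP
LocalPort:                            3389
RemotePort:                           Any
Program:                              C:\\Windows\\system32\\svchost.exe
Action:                               Allow

Rule Name:                            Windows Update Helper
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Private,Public
Protocol:                             TCP
LocalPort:                            Any
RemotePort:                           Any
Program:                              C:\\Users\\alice\\AppData\\Local\\Temp\\wuhelper.exe
Action:                               Allow

Rule Name:                            Allow all inbound
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Public
Protocol:                             Any
LocalPort:                            Any
RemotePort:                           Any
Program:                              Any
Action:                               Allow
"""

# Assumed list of locations an unprivileged user can write to.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|ProgramData|Temp)\\", re.IGNORECASE
)


def parse_rules(text):
    """Return one dict of 'Key' -> 'value' per 'Rule Name:' block."""
    rules = []
    for block in re.split(r"(?m)^Rule Name:", text)[1:]:
        lines = block.splitlines()
        rule = {"Rule Name": lines[0].strip()}
        for line in lines[1:]:
            m = re.match(r"^([A-Za-z ]+):\s+(.*)$", line)
            if m:
                rule[m.group(1).strip()] = m.group(2).strip()
        rules.append(rule)
    return rules


def suspicious(rule):
    """Reason string if an enabled inbound Allow rule looks self-added, else None.
    Rule names are not trusted: malware can call its rule anything it likes."""
    if (rule.get("Enabled") != "Yes" or rule.get("Direction") != "In"
            or rule.get("Action") != "Allow"):
        return None
    prog = rule.get("Program", "Any")
    if prog == "Any":
        if rule.get("LocalPort", "Any") == "Any":
            return "inbound allow for any program on any port"
        return None
    if USER_WRITABLE.search(prog):
        return f"inbound allow bound to user-writable path {prog}"
    return None


def audit(text):
    """List of (rule name, reason) for every rule worth a second look."""
    return [(r["Rule Name"], why) for r in parse_rules(text) if (why := suspicious(r))]


if __name__ == "__main__":
    for name, why in audit(SAMPLE_RULES):
        print(f"{name}: {why}")
```

On a real box you would feed it the saved output of the `netsh` command, or build the same dicts from `Get-NetFirewallRule` joined with `Get-NetFirewallApplicationFilter` in PowerShell. It does not catch the case Nigel raises, where code with administrative rights simply disables the firewall service or talks directly to the network stack; for that you need the filtering to live on a device the client cannot administer.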
 
