It was open by default! The owner just didn't know to close it.
It doesn't matter what it was by default. It is the owner's responsibility to know how to operate their equipment and configure it to say "this is public" if that's what they want or "this is private" if that is what they want. If due to their own ignorance they set up an AP that told the world "this is public" then noone but the owner can be faulted when the AP gets used by the public.
A store owner who puts up an 'OPEN' sign does intend to make their store publically accessible.
And what about a store owner who puts up an open sign but did NOT intend to make their store open to the public? Because that's exactly what this AP owner did.
And no, they do not deserve it for failing to secure their network. That's like saying I deserve to have my car stolen because I left the keys in it; it's stupid of me, but I did not intend to give anyone license to steal it.
Leaving your keys in your car does not send a message to anyone with common sense that you intend your car to be open to the public. This AP owner was sending such a message.
Ok, you have a point with the prearranged agreement. Bad analogy on my part. That is different from an open AP.
Howver, the point was that you would consider an "access granted" message from a machine acceptable. I don't see how the lack of a prearranged agreement with an AP owner means an access granted message from their equipment is not acceptable
Let me clarify my point. The device does this by default. There is no way to stop it doing so except by setting it up, then logging in and changing the settings to stop it from doing so. As I have no choice but to run an open network for the time it takes to do so, the fact that I have done so cannot be considered as me having given any random passer-by permission to do so.
By extension...........
None of this changes the fact that it is the responsibility of the owner to know what their device is doing at all times and how to securely set it up. If the device cannot be set up and used securely then it is the owners responsbility to not use that device and find one that can be. When buying an AP, it is the responsbility of the purchaser to be aware that it actively advertises its presence and usability to everyone within range on publicly usable frequencies.
If the owner chooses to remain ignorant (for at least three months in this case) then the ignorant owner must live with the consequences, not the random person who completely follows standard protocols, uses public frequencies, and does not in any way circumvent any access control mechanisms.
An entirely automatic function of a network cannot be taken as indicative of its owner's intentions.A person must act to grant permission for another to use some of their resources, inaction is not enough.
There's no such thing as an entirely automatic function of a piece of network equipment. All such function is triggered by a human in some way (right back up to the programmer who wrote the firmware). Knowing that, it is possible to understand the behavior of such a device and control it accordingly (or hire someone who can). There is no inaction. The action taken was to set up a device which advertises its openness by default. The owner's ignorance of that fact is unrelated.
In the case of a shop, we can safely assume that the owner wants us to enter. In the case of a wireless network, we can't, because that isn't what most people operating them want.
It doesn't matter if the majority of people operating open wireless networks want them open or not. They *are* open, and they are the responsbility of the owner.The user simply receives an advertisement for service on a public frequency and accepts the offer. Wether they're open out of ignorance or intent is not the concern of a user. As long as they did not voilate any access control measures then they did their part. Anything else is ignorance on the part of the owner and that is their own responsibility.
Hmmm. When I first installed my AP, it was open.; that was the way the manufacturer supplied it. I had to secure it afterwards. But I certainly never gave it permission to let just anyone come along and use my network. It was entirely automatic -- and permission cannot be granted entirely automatically. There must be some process of informing a person that they are granting permission, and then some action that confirms that they want to do so. This is the simple basic fact of what consent is.
The owner of the AP is responbile for knowing what the AP is doing. The AP comes with documentation telling you how to set up the way you really intend to. If due to your ignorance/incompetence you completely miscommunicate your intentions and inadvertently advertise that permission to connect is granted to some other person, that's not other person's fault. As far as the other person is concerned, it doesn't really matter what was in your mind if a device you are fully responsible for is going around telling everyone that it is OK to connect.
Here's a scenario which is based on a true story of my own: I walk up to a store on the street in the middle of the afternoon. The door is unlocked, I walk inside and start looking around. Then, the alarm goes off. The shop's new employee left out the back door, set the alarm, and forgot to lock the front door. Should I be booked for attempted burglarly or something? The shop keeper intended for the store to be closed, but they made a mistake and left the store in such a state that says "We're open".
Irrelevant, in my mind. All the SSID broadcast told the wardriver was that the AP itself was open. It didn't tell him if the AP's owner knowingly and explicitly intended for the AP to be open -- an automatic connection does not imply consent, IMHO.
In 802.11 there are a few ways to communicate your intent. In this case, every possible means of this communication was saying "I'm open". How else, in your opinion, is an AP owner supposed to communicate an intent of openness to clients?
Since the wardriver in this case took advantage of this situation for three months, it stands to reason that he (the wardriver) intentionally took knowing advantage of the AP owner's ignorance, and thus is at fault.
What does the time duration have to do with it? Do people who knowingly and explicitly intend to run open APs always keep them up for less than 3 months?
His computer said to the AP, "Hi, can I connect?" and the AP said "Sure, hook right on up.".
1. I don't believe that's how unsecured wireless networks work: basically, you just start using them. You might want to use DHCP to get config information, but that's not the same thing at all.
That is how they work. Before the client can do anything (that involves the AP anyway) a process known in the 802.11 spec as "association" must happen which involves the cooperation of the AP. And before that, the client must find out about the AP by receiving a beacon frame. The AP usually sends out beacon frames every so often, or that information can be actively requested by the client through a Probe Request and Probe Response.
2. Who gave the AP permission to grant that permission?
The owner - the only person with legitimate authority to control that permission. I suppose an AP could be hacked by someone to become open, but this guy didn't do that. The open AP was put there in the open state by the owner.
He did not ask them. If he believed they'd be ok with it he probably would have asked and probably gotten permission.
To borrow an analogy from somewhere else in this topic:
Do you call the cell phone company on a pay phone and ask their explicit permission every time you're in the vicinity of a new cell tower and would like to make a cell call? Or do you assume that you have their permission because their equipment is using every available technical means to advertise its availability to you, just as this AP was?
For some reason he chose not to ask. Why?
Perhaps because he had no way of knowing who the owners were or where they were?
Regarding if I have access to someone's wireless network, I like to do a mental test: Would this person let me hook my computer up to their router/switch/hub if I knocked on their door, laptop and network cord in hand?
If the answer's a no, then I don't connect to their wireless either, because that's effectively what I'm doing (minus the courtesy knock).
Actually, this guy effectively did a courtesy knock. He followed all the protocols for establishing a legitimate connection to an access point. His computer did a courtesy knock asking his AP if he could have access. The AP said yes. Now if he sat there and cracked a WEP key or spoofed a legitimate MAC address to gain access, then sure I'd agree and say what he did was closer to sneaking into the house and plugging in without a courtesy knock.
And anyway, it is not unreasonable to think that someone actually intends to run an open AP. Many people do, intentionally. Physically knocking on someone's door, asking to come in and connect to their switch I would never expect to be accepted. Not only that, how I am I suppose to know how to contact the owner? How am I supposed to know that the open AP I've found belongs to a residence rather than the coffee shop across the street which provides an open AP by intention?
Perhaps it was not the owner's intention to run an open AP. Perhaps they didn't know what they were doing. However I don't see why this guy should be fined 500 pounds because the AP owner didn't know what they were doing. If the owners had made the *slightest* effort to communicate the private nature of their AP and the "hacker" had ignored or circumvented that then sure, then sure they might have a case for prosecution.
Was the victim knowingly and intentionally offering his Internet access by having his AP "open"? Most likely, he wasn't, at least knowingly -- given the way wireless internet devices are marketed nowadays (like "plug-and-play" devices), more often than not securing the AP/router is probably the last thing end users have in mind -- if it's on their mind at all.
If the "victim" did not intend for his AP to be open then you cannot possibly fault the guy who connected to it when *every* relevant standard of communicating such an intention had indicated that this was an open AP: The SSID broadcast, the accepted association request, the DHCP response giving him an IP address and telling him to send all his internet bound traffic to that particular router..
This isn't really the same thing. A store that has an open sign is actively inviting people into the store. It's the accepted purpose of the sign to begin with. The same thing with your bus example. A bus is a public form of transportation, so when the door is open, it's common knowledge that it's okay to walk onto the bus.
A better analogy would be if I left my front door unlocked. If I did, is it okay for someone to come in off the street and walk into my house? Hopefully you answer no. If not, then I don't think anything is going to convince you that what this guy did was wrong.
As for your front door being unlocked, no, I agree, that's not OK. A house with an open door is not an accepted standard of indication that it is public.
However every relevant standard indicated to this guy that this AP is public: the SSID broadcast, the accepted association request, the DHCP response giving him an IP address and telling him to send all his internet bound traffic to that particular router... According to every relevant standard, the accepted purpose of every one the mechanisms used by this "hacker" to connect to this AP was to allow for anonymous, public clients to connect.
The 802.11 and other standards provide plenty of ways of indicating a private access point. This AP used none of them, and this guy did not circumvent any of them.
Of course there is. He did not merely "look" at wireless network. He connected to it and was using it. That's hijacking.
This is more like getting into an unlocked car and driving it around just because the owner left the keys in the ignition. Hardly fair or legal.
People leave their cars/houses unlocked. This doesn't mean it's perfectly acceptable to steal/rob them!
If I see a store with a sign labeled 'open' on the front of it, would you consider me a burglar if I walked into it without asking the shopkeeper first? If there's a bus sitting on the curb and the door is open, am I hijacking the bus if I just walk into it? If there's a house with a sign labeled "garage sale" out front am I tresspassing if I start wandering around the front yard looking at things sitting out?
The AP this guy connected to had a big giant sign *actively* saying "OPEN" on it. 802.11 provides many ways to make that sign say CLOSED instead. This AP used none of them. The guy's laptop sent a message to the AP saying "hi, is it ok if I connect" and the AP said back "sure, here's an association for you and an IP address you can use.".
That is because the Bible, unlike science, is inerrant and a constant. Science changes over time. Witness the dozens of scientific theories of creation in the last few decades. Yet Christians have known the true story of Creation for over two thousand years.
First, you're comparing apples and oranges. You could compare the bible with one particular scientific theory, or you could compare religion in general with science in general.
Anyway, the bible is inerrant and a constant only if you disregard evidence of its errors. However by that logic the geocentric model of the solar system is also inerrant and a constant.
Computer Science as an industry is following that of the TV and VCR repair men.
No it isn't. Entire companies don't grind to a halt when their TVs and VCRs break or aren't properly maintained.
Maybe the "PC repair" segment of this industry that involves scrubbing spyware and reinstalling windows 98 on some famly PC is going the way of the TV repair industry... but good riddance I say. Who the hell wants to do that for a living.
If you started studying CS right after the dot-com bubble burst (around 2000, "worst" time to get into IT), you will be very popular right about now.
Not really. I have friends who went in around then and still can't find a job. Yes, hiring is up, but this isn't 1998 again. People who know their shit and have experience are definitely in demand right now. People who have nothing significant to their name other than a newly minted bachelor's degree are not in demand.
Nice feature, but my point was if your systems are protected against known exploits, what's the point of the firewall detecting them? After all, they have to be KNOWN for the firewall to detect them, right?
No, not neccessarily. It can look for the patterns of known, specific attacks, or it can look for general issues. For instance, as I mentioned it can look for shellcode for various platforms occurring in connections, enforce conformance to protocol standards, look for telltale signs of directory traversal and SQL injection in web apps, etc.
If you're going to advocate defenses in depth, relying on the firewall does not support that practice. And if you're already defended against known exploits by other means, the fact that a firewall can detect them is no longer relevant.
I'm not advocating relying on the firewall for all your security... not at all. But it can be a nice addition to help catch your mistakes. Maybe you forgot to fully verify the input of some particular field. Maybe you accidentally hit the wrong option while installing something and it started a network-listening service which shouldn't have been. Maybe you didn't get something patched quickly enough...
And why? So you know there are exploits being run against you? And this helps how? Your goal is to prevent exploits from being SUCCESSFUL, not from being run against you, since they will be run anyway. Check your firewall logs long enough for a big enough company, you'll see every exploit there is. So what?
I think that's what he meant. There are firewalls (checkpoint for example) that look at the application layer traffic and will make sure it conforms to a certain protocol (HTTP, SMTP etc) and can look for suspicious activity like a bunch of '../'-es appearing in query parameters (possible directory traversal) or look for SQL commands, shellcode, etc... it can/will break off the connection or just report it like an IDS.
Why do you care if they speed or not as long as they're driving safely? You're just jealous, but you shoudn't be.
Why do they care if I speed as long as I'm driving safely? Oh, I know, because when I speed it generates revenue for the city and police dept. Am I jealous? Well, I don't know about jealous, but annoyed by the fact that the law doesn't apply nearly as much to them.
You are assuming that the device performing the NAT'ing also has routes from the public IP to the private network and will pass that traffic untranslated.That is a big assumption, especially on a device that is incapable of performing such routing. If the only function of the device is to NAT then you can not pass traffic to the internal side of the network in any manner without matching one of the NAT rules first.
What?! The router HAS to have a route to the lan machines in order for anything to work. That is just a characteristic of any router.
And I don't know what you mean by a route 'from the public IP'. Routes have no such characteristic possibly unless we're talking about policy routing or something like that.
I just tested your theory. I placed a box on the public side of my connection giving it an IP in the same subnet as the public interface. It was directly attached to the same switch and placed in the same VLAN. I made the IP of the NAT device's public interface the second machine's default route. I then tried to pass traffic to any host on the private side network of the NAT device. Snooping both networks on a span port on each switch showed no traffic passing through the NAT device..(ignore) Allow WAN,* LAN,10.0.0.1 TCP,25.(because) Allow WAN,* LAN,10.0.0.31 TCP,4000-23.(slashcode) Allow WAN,* LAN,10.0.0.31 TCP,4000.(sucks) Allow WAN,* LAN,10.0.0.1 TCP,22.(big hairy) Allow WAN,* WAN ICMP,8.(donkey) Allow WAN,* LAN,10.0.0.1 *,53.(gonads) Allow WAN,* LAN,10.0.0.17 *,6112.(often) Allow WAN,*:6881-6889 LAN,*:6881-6889
There are 2 routes on this device, one for the 10/8 network on the private interface and the default route on the public interface. IP forwarding is not enabled. Oh, and the public interface uses PPPoE, so compromise anything else on this same segment and try to pass traffic to it without hitting a device that will apply its own routing rules overriding your static route.
What kind of firewall is this? What is it running?
Was the public interface of the router using PPPoE in your test or configured a different way?
Was the outside host using PPPoE or just plain ethernet?
How exactly is the pppoe interface configured? As a point-to-point interface, or does it have a/32 netmask?
If you don't believe NAT has any security benefits, then you must believe that stateful inspection has no security benefits either. (And if you believe that, then you don't know anything about network security.)
'stateful inspection' is usually a term used to describe firewalls, not NAT. NAT does maintain state of course for its own uses... so disregarding the nitpicking, what stateful inspection are you referring to? That as used by nat, or as used by a firewall?
Ok, then you've proven that not only do you know nothing about network security, but you don't know anything about networks at all.
Why don't you just read the rest of this thread where I've already demonstrated this. Better yet, why don't you *actually try* setting up a machine that does NAT ONLY and see what happens to packets that get sent in to machines on the inside from one on the outside.
By necessity NAT implementations must include a state table;
Yes, that state table is used by NAT for TRANSLATING, not FILTERING...
Inbound packets are destined for the *NAT DEVICE*, not for your internal network.
No, they don't have to be. You have no guarantee that packets coming in to your outside interface HAVE to have a destination address of your routers outside IP. Read the rest of this thread, I explained how elsewhere.
Because the router offers no services by default to the WAN interface.
The router doesn't need to if it is forwarding packets to something that is (which is waht a router does by definition, forwards packets).
You said "A NAT router will accept all inward connections by default". I refuted this. Windows XP SP2 is a NAT router that does not accept all inward connections by default.
Windows XP SP2 is not just a "NAT router". It is a router performing NAT *as well as* filtering. My statement may have been a little ambiguous I admit, but that's what I meant. router+NAT alone, strictly defined, won't filter.
No, no, no! Do you know what you're talking about? Do you correctly understand how NAT works? A NAT router has an internal IP address and an external IP address. Incoming connection attempts on the external IP address are not magically forwarded to clients on the internal network.
Yes, 100% correct. Connections to the public IP on your router won't be forwarded in unless port forwarding (another form of NAT) is set up to send them in. However... to attack your internal machines through this vulnerability I won't be sending packets to your external IP, I'll be sending them to your internal ones. See this post for info on how that might be possible with RFC1918 addresses. If your router is doing basic routing + nat proper only, they'll go straight in.
Slashdot Mirror
It doesn't matter what it was by default. It is the owner's responsibility to know how to operate their equipment and configure it to say "this is public" if that's what they want or "this is private" if that is what they want. If due to their own ignorance they set up an AP that told the world "this is public" then noone but the owner can be faulted when the AP gets used by the public.
And what about a store owner who puts up an open sign but did NOT intend to make their store open to the public? Because that's exactly what this AP owner did.
Leaving your keys in your car does not send a message to anyone with common sense that you intend your car to be open to the public. This AP owner was sending such a message.
Ok, you have a point with the prearranged agreement. Bad analogy on my part. That is different from an open AP.
Howver, the point was that you would consider an "access granted" message from a machine acceptable. I don't see how the lack of a prearranged agreement with an AP owner means an access granted message from their equipment is not acceptable
None of this changes the fact that it is the responsibility of the owner to know what their device is doing at all times and how to securely set it up. If the device cannot be set up and used securely then it is the owners responsbility to not use that device and find one that can be. When buying an AP, it is the responsbility of the purchaser to be aware that it actively advertises its presence and usability to everyone within range on publicly usable frequencies.
If the owner chooses to remain ignorant (for at least three months in this case) then the ignorant owner must live with the consequences, not the random person who completely follows standard protocols, uses public frequencies, and does not in any way circumvent any access control mechanisms.
There's no such thing as an entirely automatic function of a piece of network equipment. All such function is triggered by a human in some way (right back up to the programmer who wrote the firmware). Knowing that, it is possible to understand the behavior of such a device and control it accordingly (or hire someone who can). There is no inaction. The action taken was to set up a device which advertises its openness by default. The owner's ignorance of that fact is unrelated.
It doesn't matter if the majority of people operating open wireless networks want them open or not. They *are* open, and they are the responsbility of the owner.The user simply receives an advertisement for service on a public frequency and accepts the offer. Wether they're open out of ignorance or intent is not the concern of a user. As long as they did not voilate any access control measures then they did their part. Anything else is ignorance on the part of the owner and that is their own responsibility.
The owner of the AP is responbile for knowing what the AP is doing. The AP comes with documentation telling you how to set up the way you really intend to. If due to your ignorance/incompetence you completely miscommunicate your intentions and inadvertently advertise that permission to connect is granted to some other person, that's not other person's fault. As far as the other person is concerned, it doesn't really matter what was in your mind if a device you are fully responsible for is going around telling everyone that it is OK to connect.
Here's a scenario which is based on a true story of my own: I walk up to a store on the street in the middle of the afternoon. The door is unlocked, I walk inside and start looking around. Then, the alarm goes off. The shop's new employee left out the back door, set the alarm, and forgot to lock the front door. Should I be booked for attempted burglarly or something? The shop keeper intended for the store to be closed, but they made a mistake and left the store in such a state that says "We're open".
In 802.11 there are a few ways to communicate your intent. In this case, every possible means of this communication was saying "I'm open". How else, in your opinion, is an AP owner supposed to communicate an intent of openness to clients?
What does the time duration have to do with it? Do people who knowingly and explicitly intend to run open APs always keep them up for less than 3 months?
That is how they work. Before the client can do anything (that involves the AP anyway) a process known in the 802.11 spec as "association" must happen which involves the cooperation of the AP. And before that, the client must find out about the AP by receiving a beacon frame. The AP usually sends out beacon frames every so often, or that information can be actively requested by the client through a Probe Request and Probe Response.
The owner - the only person with legitimate authority to control that permission. I suppose an AP could be hacked by someone to become open, but this guy didn't do that. The open AP was put there in the open state by the owner.
To borrow an analogy from somewhere else in this topic:
Do you call the cell phone company on a pay phone and ask their explicit permission every time you're in the vicinity of a new cell tower and would like to make a cell call? Or do you assume that you have their permission because their equipment is using every available technical means to advertise its availability to you, just as this AP was?
Perhaps because he had no way of knowing who the owners were or where they were?
Actually, this guy effectively did a courtesy knock. He followed all the protocols for establishing a legitimate connection to an access point. His computer did a courtesy knock asking his AP if he could have access. The AP said yes. Now if he sat there and cracked a WEP key or spoofed a legitimate MAC address to gain access, then sure I'd agree and say what he did was closer to sneaking into the house and plugging in without a courtesy knock.
And anyway, it is not unreasonable to think that someone actually intends to run an open AP. Many people do, intentionally. Physically knocking on someone's door, asking to come in and connect to their switch I would never expect to be accepted. Not only that, how I am I suppose to know how to contact the owner? How am I supposed to know that the open AP I've found belongs to a residence rather than the coffee shop across the street which provides an open AP by intention?
Perhaps it was not the owner's intention to run an open AP. Perhaps they didn't know what they were doing. However I don't see why this guy should be fined 500 pounds because the AP owner didn't know what they were doing. If the owners had made the *slightest* effort to communicate the private nature of their AP and the "hacker" had ignored or circumvented that then sure, then sure they might have a case for prosecution.
If the "victim" did not intend for his AP to be open then you cannot possibly fault the guy who connected to it when *every* relevant standard of communicating such an intention had indicated that this was an open AP: The SSID broadcast, the accepted association request, the DHCP response giving him an IP address and telling him to send all his internet bound traffic to that particular router..
As for your front door being unlocked, no, I agree, that's not OK. A house with an open door is not an accepted standard of indication that it is public.
However every relevant standard indicated to this guy that this AP is public: the SSID broadcast, the accepted association request, the DHCP response giving him an IP address and telling him to send all his internet bound traffic to that particular router... According to every relevant standard, the accepted purpose of every one the mechanisms used by this "hacker" to connect to this AP was to allow for anonymous, public clients to connect.
The 802.11 and other standards provide plenty of ways of indicating a private access point. This AP used none of them, and this guy did not circumvent any of them.
If I see a store with a sign labeled 'open' on the front of it, would you consider me a burglar if I walked into it without asking the shopkeeper first? If there's a bus sitting on the curb and the door is open, am I hijacking the bus if I just walk into it? If there's a house with a sign labeled "garage sale" out front am I tresspassing if I start wandering around the front yard looking at things sitting out?
The AP this guy connected to had a big giant sign *actively* saying "OPEN" on it. 802.11 provides many ways to make that sign say CLOSED instead. This AP used none of them. The guy's laptop sent a message to the AP saying "hi, is it ok if I connect" and the AP said back "sure, here's an association for you and an IP address you can use.".
He did. His computer said to the AP, "Hi, can I connect?" and the AP said "Sure, hook right on up.".
As mentioned several posts up, he did. His computer said "hi, can I connect", and the AP said "sure, here you go".
If that wasn't the intention of network operator due to their own incompetence, then that is their fault not the fault of the guy who connected.
First, you're comparing apples and oranges. You could compare the bible with one particular scientific theory, or you could compare religion in general with science in general.
Anyway, the bible is inerrant and a constant only if you disregard evidence of its errors. However by that logic the geocentric model of the solar system is also inerrant and a constant.
No it isn't. Entire companies don't grind to a halt when their TVs and VCRs break or aren't properly maintained.
Maybe the "PC repair" segment of this industry that involves scrubbing spyware and reinstalling windows 98 on some famly PC is going the way of the TV repair industry... but good riddance I say. Who the hell wants to do that for a living.
Not really. I have friends who went in around then and still can't find a job. Yes, hiring is up, but this isn't 1998 again. People who know their shit and have experience are definitely in demand right now. People who have nothing significant to their name other than a newly minted bachelor's degree are not in demand.
No, not neccessarily. It can look for the patterns of known, specific attacks, or it can look for general issues. For instance, as I mentioned it can look for shellcode for various platforms occurring in connections, enforce conformance to protocol standards, look for telltale signs of directory traversal and SQL injection in web apps, etc.
I'm not advocating relying on the firewall for all your security... not at all. But it can be a nice addition to help catch your mistakes. Maybe you forgot to fully verify the input of some particular field. Maybe you accidentally hit the wrong option while installing something and it started a network-listening service which shouldn't have been. Maybe you didn't get something patched quickly enough...
I think that's what he meant. There are firewalls (checkpoint for example) that look at the application layer traffic and will make sure it conforms to a certain protocol (HTTP, SMTP etc) and can look for suspicious activity like a bunch of '../'-es appearing in query parameters (possible directory traversal) or look for SQL commands, shellcode, etc... it can/will break off the connection or just report it like an IDS.
how all your sentences
end with a linefeed
sort of like prose
perhaps your intention
or not i suppose
Why do they care if I speed as long as I'm driving safely? Oh, I know, because when I speed it generates revenue for the city and police dept. Am I jealous? Well, I don't know about jealous, but annoyed by the fact that the law doesn't apply nearly as much to them.
What?! The router HAS to have a route to the lan machines in order for anything to work. That is just a characteristic of any router.
And I don't know what you mean by a route 'from the public IP'. Routes have no such characteristic possibly unless we're talking about policy routing or something like that.
What kind of firewall is this? What is it running?
Was the public interface of the router using PPPoE in your test or configured a different way?
Was the outside host using PPPoE or just plain ethernet?
How exactly is the pppoe interface configured? As a point-to-point interface, or does it have a
'stateful inspection' is usually a term used to describe firewalls, not NAT. NAT does maintain state of course for its own uses... so disregarding the nitpicking, what stateful inspection are you referring to? That as used by nat, or as used by a firewall?
Why don't you just read the rest of this thread where I've already demonstrated this. Better yet, why don't you *actually try* setting up a machine that does NAT ONLY and see what happens to packets that get sent in to machines on the inside from one on the outside.
Yes, that state table is used by NAT for TRANSLATING, not FILTERING...
No, they don't have to be. You have no guarantee that packets coming in to your outside interface HAVE to have a destination address of your routers outside IP. Read the rest of this thread, I explained how elsewhere.
The router doesn't need to if it is forwarding packets to something that is (which is waht a router does by definition, forwards packets).
Windows XP SP2 is not just a "NAT router". It is a router performing NAT *as well as* filtering. My statement may have been a little ambiguous I admit, but that's what I meant. router+NAT alone, strictly defined, won't filter.
Yes, 100% correct. Connections to the public IP on your router won't be forwarded in unless port forwarding (another form of NAT) is set up to send them in. However... to attack your internal machines through this vulnerability I won't be sending packets to your external IP, I'll be sending them to your internal ones. See this post for info on how that might be possible with RFC1918 addresses. If your router is doing basic routing + nat proper only, they'll go straight in.
Great, so now I have to set up NAT to translate all of my peer's addresses to some other unuused RFC1918 addresses.
That is so much simpler and better than just having enough routable space for everyone, isn't it.