Recently switched firewalls....now I'm informed of port scans?

Thread: Recently switched firewalls....now I'm informed of port scans?

  1. #1
    Junior Member
    Join Date
    May 2004
    Posts
    6

    Recently switched firewalls....now I'm informed of port scans?

    Went from ZA to Sygate on one of my machines. I am behind a router with NAT capability.
    So my question is how can someone target one of my machines when I am behind a router?
    How can Sygate pick up the port scan when the public IP address someone uses for a port scan points to my router?

    Any help appreciated.

  2. #2
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421

    Re: Recently switched firewalls....now I'm informed of port scans?

    Originally posted here by jim29
    How can Sygate pick up the port scan when the public IP address someone uses for a port scan points to my router?

    If a port scan is hitting the external interface, it won't hit your Sygate unless you are passing unfiltered traffic back to your machine using sygate.

    A decent "edge" firewall will detect the scan 1st regardless of how you pass traffic back to internal
    nodes.

    Make sense?

  3. #3
    Junior Member
    Join Date
    May 2004
    Posts
    6
    "it won't hit your Sygate unless you are passing unfiltered traffic back to your machine using sygate."

    How can I be passing unfiltered traffic back to my machine using Sygate? Why would my router even be passing the port scan requests to any of the machines behind it?



    "A decent "edge" firewall will detect the scan 1st regardless of how you pass traffic back to internal nodes."

    Are you saying my router should have detected the scans and not even forwarded them to any of the machines behind it?

    Please elaborate....anyone, thanks.

  4. #4
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    Originally posted here by jim29

    How can I be passing unfiltered traffic back to my machine using Sygate? Why would my router even be passing the port scan requests to any of the machines behind it?


    Primarily misconfiguration...
    As I was saying, a properly configured "edge" device would prevent your internal node from seeing port scans from an external source... All spoofing aside...

    Are you saying my router should have detected the scans and not even forwarded them to any of the machines behind it?

    Please elaborate....anyone, thanks.
    Can't really say "should" since I don't know your configuration.

    If it were my setup, I would like my "edge" device to detect port scans before traffic gets to my internal LAN.

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    I want to know what you're calling a "portscan"?
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  6. #6
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Routers don't detect port scans, firewalls do. If your router isn't doing any more than NAT'ing then it's doing its job, and doing it correctly. Let's not get things confused, ss2chef.

    Jim29, let's take this one step at a time, shall we? What router are you using? Does it have firewall capability, and if so, is it turned on? Answering the first question will tell me what type of firewall it is, and thus whether or not it will detect and block a port scan.

    As it stands it sounds like Sygate is doing its job correctly by alerting you to a "possible" port scan. That's not to say it is a port scan, 'cause there is a lot of noise on the internet that can be interpreted as a scan, so don't worry so much right away, okay?
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  7. #7
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    Originally posted here by KorpDeath
    If your router isn't doing any more than NAT'ing then it's doing its job, and doing it correctly. Let's not get things confused, ss2chef.
    How do you mean?

    A router can in fact have "firewall" capabilities.
    For example, the Cisco router IOS. You can license feature sets with firewall & VPN options.
    It's still a router.

    Generally speaking of course..

  8. #8
    Senior Member
    Join Date
    Jul 2002
    Location
    Texas
    Posts
    168
    A cheapo home router may or may not have a firewall. Cisco on the other hand is not going to be found in a house... (typical house). Now to answer your question: if the router has no firewall and is using NAT, all it's doing is forwarding traffic to the internal network. Scans, hack attempts, etc. It's not a hard concept to understand. You seem to think that a router is supposed to do something that it was not made to do, or should have that capability. It just isn't true.
    <chsh> I've read more interesting technical discussion on the wall of a public bathroom than I have at AO at times

  9. #9
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    Originally posted here by Darksnake
    A cheapo home router may or may not have a firewall. Cisco on the other hand is not going to be found in a house... (typical house). Now to answer your question: if the router has no firewall and is using NAT, all it's doing is forwarding traffic to the internal network. Scans, hack attempts, etc. It's not a hard concept to understand. You seem to think that a router is supposed to do something that it was not made to do, or should have that capability. It just isn't true.
    I didn't see a house or home mentioned...
    Could be a small office...??
    I see many 1700 series Ciscos in small and home offices.
    They can and often do have "that" capability!!

  10. #10
    Junior Member
    Join Date
    May 2004
    Posts
    6
    KorpDeath...and anyone else interested:

    I have a Dlink DI-604 router and it DOES have firewall capability.
    As far as the firewall rules list on the router, anything configured on my virtual server list is "allowed" while everything else is denied because of the following default entry:

    Action   Name      Source   Destination   Protocol
    Deny     Default   *,*      LAN,*         IP (0), *



    But before I start mass hysteria and confusion among everyone, I must admit that I realized after reviewing my firewall rules list that I had recently disconnected a Playstation 2 from my router which was configured to be in the DMZ. The particular machine that has Sygate took my Playstation's place and therefore has been in the DMZ. So I guess the firewall rules do not apply to this machine, which explains why I was notified of port scans from the Sygate machine and not by the other machines (which have ZA and are not in the DMZ).

    So I guess in the end both my router and Sygate were doing their jobs respectively and I inadvertently started trouble all because I was once addicted to playing Madden football online via my Playstation and forgot to disable the DMZ setting!
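The following is an added example, not code from the thread or from any router vendor. It models the two mechanisms the posters argue about: a consumer NAT router with a virtual-server list, a DMZ host, and the default "Deny *,* -> LAN,*" rule from post #10, and a host firewall's "possible port scan" heuristic from post #6 (a source touching many distinct ports, as opposed to a single stray packet of internet noise). The addresses, the port list and the alert threshold are constructed for the illustration; the router model is a deliberately simplified approximation and not the DI-604's actual rule engine.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """An unsolicited inbound packet arriving on the router's WAN side."""
    src_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class NatRouter:
    """Constructed model of a consumer NAT router (simplified, hypothetical).

    virtual_servers maps (proto, external port) -> (LAN host, LAN port).
    dmz_host, if set, receives every unsolicited packet that no virtual
    server claims. With no DMZ host the default rule applies:
        Deny  Default  *,*  LAN,*  IP (0), *
    i.e. unsolicited inbound traffic is dropped at the edge.
    """
    virtual_servers: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    dmz_host: Optional[str] = None
    log: List[Tuple[str, str, Packet, Optional[str]]] = field(default_factory=list)

    def forward(self, pkt: Packet) -> Optional[Tuple[str, int]]:
        """Return the (host, port) a packet is delivered to, or None if dropped."""
        key = (pkt.proto, pkt.dst_port)
        if key in self.virtual_servers:
            host, port = self.virtual_servers[key]
            self.log.append(("allow", "virtual-server", pkt, host))
            return host, port
        if self.dmz_host is not None:
            # A DMZ host is exempt from the default deny: everything reaches it.
            self.log.append(("allow", "dmz", pkt, self.dmz_host))
            return self.dmz_host, pkt.dst_port
        self.log.append(("deny", "default", pkt, None))
        return None


def deliver_scan(router: NatRouter, src_ip: str, ports: List[int]) -> Dict[str, List[Tuple[str, int]]]:
    """Replay a sweep of unsolicited SYNs through the router.

    Returns, per LAN host, the (source, port) pairs that actually reached it,
    which is all a host firewall such as Sygate can ever observe.
    """
    seen: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    for port in ports:
        result = router.forward(Packet(src_ip, port))
        if result is not None:
            host, lan_port = result
            seen[host].append((src_ip, lan_port))
    return dict(seen)


def host_firewall_alert(delivered: List[Tuple[str, int]], threshold: int = 5) -> Dict[str, int]:
    """Host-firewall heuristic: flag a source that probes >= threshold distinct ports.

    A source that touches one or two ports is treated as background noise and
    not reported; the threshold value is constructed, not Sygate's real setting.
    """
    ports_by_src: Dict[str, set] = defaultdict(set)
    for src, port in delivered:
        ports_by_src[src].add(port)
    return {src: len(ports) for src, ports in ports_by_src.items() if len(ports) >= threshold}


def demo():
    """Compare the two configurations discussed in the thread (constructed addresses)."""
    scan_ports = [21, 22, 23, 25, 80, 135, 139, 443, 445, 3389]
    web_server = {("tcp", 80): ("192.168.0.10", 80)}   # one virtual-server entry
    # Case 1: DMZ still points at the PC that replaced the Playstation.
    with_dmz = NatRouter(virtual_servers=dict(web_server), dmz_host="192.168.0.20")
    reached_with_dmz = deliver_scan(with_dmz, "203.0.113.5", scan_ports)
    # Case 2: DMZ disabled; only the virtual-server port crosses into the LAN.
    no_dmz = NatRouter(virtual_servers=dict(web_server), dmz_host=None)
    reached_no_dmz = deliver_scan(no_dmz, "203.0.113.5", scan_ports)
    return reached_with_dmz, reached_no_dmz


if __name__ == "__main__":
    with_dmz, no_dmz = demo()
    for label, reached in (("DMZ enabled", with_dmz), ("DMZ disabled", no_dmz)):
        print(label)
        for host, pkts in reached.items():
            print(f"  {host}: {len(pkts)} packet(s), alerts={host_firewall_alert(pkts)}")
```

With the DMZ host set, nine of the ten probes reach 192.168.0.20 and its host firewall reports a scan from 203.0.113.5, while the web server sees only the single port-80 packet and stays quiet; with the DMZ disabled, the default deny drops the same nine packets at the router and no LAN host sees anything to alert on. That is the behaviour jim29 described once he found the stale DMZ entry, and the reason the other posters insisted an "edge" device should drop such traffic before it reaches an internal node.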
