[UFO Chicago] NAT and port filtering

Robert B. Moses robert.moses@helioslogic.com
Tue, 28 Jan 2003 11:39:21 -0600

Jesse Becker wrote:
> --- "Robert B. Moses" <robert.moses@helioslogic.com> wrote:
>>I need 3 boxes connected to a Netgear router doing NAT
>>and filtering.
>>None of these boxes run any servers/services...they are
>>simply client 
>>machies that want to browse the WWW and POP off their
>>email. Easy.
> This is straight-forward masquerading.  Nothing fancy here.

:) That is why I started 2nd guessing myself....like in the movies when 
the hero says, "That was easy...a little too easy!"

> Both halves are half right.  ;-)  You don't need to allow
> incoming connections, but you do need to allow return
> traffic for connections that you have established.

Heh heh...maybe my corpus callosum may having some issues...

>>Would blocking/dropping inbound connections 0-1024 be
> Well, the default policy should be a default DROP, except
> where you make holes for valid traffic.

Right, so when all other rules don't "match" for specified action, DROP.
Which brings me to another question, does DROP send the packed to 
/dev/null or does is repsond with a connection refused type of thing.

Thank for refreshing the principle of this issue. I think I'll have to 
experiment a litte. If anyone is interested the culprit in question is 
Netgear's RT314 Internet Gateway Router w/4 port switch.
 From what I can tell it has some nice features: filtering of TCP/UDP as 
well as generic filters based on byte patterns of the packet (hmm that 
sounds closer to SPI...)

well back to work for me...

Robert B. Moses
1300 W. Eddy St., Unit 2
Chicago, IL  60657