Concerning SOHO routers and Port forwarding -- Is this cor..

Jbob

Archived from groups: comp.security.firewalls

I was reading some posts over on the DSLReports forums. The discussion was
about firmware and the Port 113 issues. You know stealth vs closed, blah,
blah, blah. One guy responded with something that seemed curious to me so I
thought I'd post it here to see if this was correct. Seems to defeat the
purpose of forwarding to a non-existent address in the first place.
****************************************************************************
I'm using 1.45.7 on the "41" without any issues -- when I forward port 113,
I forward it to an active address [WinPC] that does not have the port bound
to any service. I use a PC because using a non-existent address causes two
issues that I want to avoid...

First, a packet forwarded to a non-existent [inactive] address will cause
the switch part of the LinkSys to forward the frame to ALL ports -- this
will effectively send the data [which, could very well be malicious] to all
PCs on my LAN -- the malformed or malicious packet will be received by all
PCs on the LAN -- this, in my opinion, is a security hole, if for no other
reason than it leaves your LAN open to flooding. On a switch, any IP address
that does not have a corresponding MAC address in the switch table will be
flooded to all ports -- you may as well use the LAN broadcast address -- a
bad thing, so make sure you know what you're doing.
****************************************************************************

Guest

On Tue, 4 May 2004 08:20:16 -0500, Jbob spoketh

>I was reading some posts over on the DSLReports forums. The discussion was
>about firmware and the Port 113 issues. You know stealth vs closed, blah,
>blah, blah. One guy responded with something that seemed curious to me so I
>thought I'd post it here to see if this was correct. Seems to defeat the
>purpose of forwarding to a non-existent address in the first place.
>****************************************************************************
>I'm using 1.45.7 on the "41" without any issues -- when I forward port 113,
>I forward it to an active address [WinPC] that does not have the port bound
>to any service. I use a PC because using a non-existent address causes two
>issues that I want to avoid...
>
>First, a packet forwarded to a non-existent [inactive] address will cause
>the switch part of the LinkSys to forward the frame to ALL ports -- this
>will effectively send the data [which, could very well be malicious] to all
>PCs on my LAN -- the malformed or malicious packet will be received by all
>PCs on the LAN -- this, in my opinion, is a security hole, if for no other
>reason than it leaves your LAN open to flooding. On a switch, any IP address
>that does not have a corresponding MAC address in the switch table will be
>flooded to all ports -- you may as well use the LAN broadcast address -- a
>bad thing, so make sure you know what you're doing.
>****************************************************************************
>

Well, since my Linksys router has been retired (at least from routing,
it's now merely another switch), I cannot test this, but that sounds
very wrong.

Whenever you are forwarding anything to any IP address, the router will
send out an ARP request on all interfaces to find the MAC address that
matches the given IP address in the forwarding table. If none is found,
then the router drops the packet, and nothing other than the ARP request
was sent out on the LAN.

In the event that there is a match, the SYN request will be forwarded to
the MAC address it found, and in the above scenario, an RST will be sent
back to the originator of the SYN request.


Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
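As an added illustration (not code from any poster in this thread), here is a small Python model of the sequence Lars describes: a learning switch floods only frames whose destination MAC it has not learned, but the router never emits such a frame, because it first resolves the forwarding target with a broadcast ARP request and drops the SYN when nobody answers. The LAN hosts, MACs and addresses are constructed.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed LAN behind the router: name -> (MAC, IP, TCP ports with a listener)
LAN = {
    "winpc":  ("00:aa:00:00:00:01", "192.168.1.10", set()),   # live host, nothing on 113
    "laptop": ("00:aa:00:00:00:02", "192.168.1.11", {445}),
}


def deliver(seen, mac_table, dst_mac, frame):
    """Learning switch: unicast to a learned MAC, flood broadcast or unknown MACs.

    `seen` collects the frames each host actually receives."""
    if dst_mac == BROADCAST or dst_mac not in mac_table:
        targets = list(LAN)            # flooded out of every port
    else:
        targets = [mac_table[dst_mac]]
    for name in targets:
        seen[name].append(frame)


def forward_syn(dst_ip, dport=113):
    """Router forwards an inbound SYN for dport to dst_ip; returns (outcome, seen)."""
    seen = {name: [] for name in LAN}
    mac_table = {}                     # cold switch: nothing learned yet
    # The router cannot build a unicast frame until it knows the MAC for dst_ip,
    # so the first (and possibly only) thing on the LAN is a broadcast ARP request.
    deliver(seen, mac_table, BROADCAST, ("ARP who-has", dst_ip))
    owner = next((n for n, (_, ip, _) in LAN.items() if ip == dst_ip), None)
    if owner is None:
        # No ARP reply: the router drops the SYN. The payload never hits the wire,
        # so there is no unknown-MAC frame for the switch to flood.
        return "dropped: no ARP reply", seen
    mac, _, listeners = LAN[owner]
    mac_table[mac] = owner             # switch learned the port from the ARP reply
    deliver(seen, mac_table, mac, ("TCP SYN", dport))
    # Closed port: the host's stack answers RST, which a scanner reports as "closed";
    # the dropped case above shows up as a timeout ("stealth").
    reply = "SYN-ACK" if dport in listeners else "RST"
    return f"forwarded to {owner}, host answered {reply}", seen


if __name__ == "__main__":
    for ip in ("192.168.1.10", "192.168.1.99"):
        outcome, seen = forward_syn(ip)
        print(ip, "->", outcome)
        for name, frames in seen.items():
            print("  ", name, "received", frames)
```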

Guest

"Jbob" <nobody@SpamCox.net> wrote in
news:QLWdnZX3i5MJBQrdRVn-gQ@comcast.com:

> I was reading some posts over on the DSLReports forums. The
> discussion was about firmware and the Port 113 issues. You know
> stealth vs closed, blah, blah, blah. One guy responded with something
> that seemed curious to me so I thought I'd post it here to see if this
> was correct. Seems to defeat the purpose of forwarding to a non
> existent address in the first place.
> ****************************************************************************
> I'm using 1.45.7 on the "41" without any issues -- when I
> forward port 113, I forward it to an active address [WinPC] that does
> not have the port bound to any service. I use a PC because using a
> non-existent address causes two issues that I want to avoid...
>
> First, a packet forwarded to a non-existent [inactive] address will
> cause the switch part of the LinkSys to forward the frame to ALL ports
> -- this will effectively send the data [which, could very well be
> malicious] to all PCs on my LAN -- the malformed or malicious packet
> will be received by all PCs on the LAN -- this, in my opinion, is a
> security hole, if for no other reason than it leaves your LAN open to
> flooding. On a switch, any IP address that does not have a
> corresponding MAC address in the switch table will be flooded to all
> ports -- you may as well use the LAN broadcast address -- a bad thing,
> so make sure you know what you're doing.
> ****************************************************************************
>
>

I port forward port 113 to a dummy IP in the DMZ on a Linksys 11S4 router
and have never had a problem in doing so. A couple of scans reported back
that 113 was open and now it is not open. I have been running the router
that way for a couple of years.

Duane :)