Discussion:
zone alarm and FC2 iptable software firewall bypassed when using ADSL modem
Mark Farnell
2005-03-04 19:56:59 UTC
I used to have a dial-up connection for my dual-boot (Win98 and Fedora Core
2) computer, and both Zone Alarm and iptables functioned correctly and passed
all the stealth-mode tests from ShieldsUP at
http://www.grc.com
However, when I recently switched to ADSL using the DSE D-Link DSL-302G modem
supplied by my ISP (for free), both Zone Alarm and iptables failed the
ShieldsUP tests, as my computer changed its behaviour: it started responding to
TCP packets and ICMP echo requests. Also, the ports are not "stealthed".
No matter how I change the rules in /etc/sysconfig/iptables, for example
blocking ICMP echo replies:

-A OUTPUT -p icmp --icmp-type echo-reply -j DROP

the computer still does not change its behaviour and still replies to ICMP
echo requests.

I think it is because the firewall in the modem is not as secure as the
rules in my computer, and since my computer connects to the modem by an
ethernet cable, data from the modem is considered intranet
rather than internet, and therefore this data from the modem could bypass
the firewall. Am I correct?

Now, how can I make data that comes through the modem pass through the software
firewall in my computer (as with the dial-up connection) again?

Thanks!

Mark

_________________________________________________________________
Need more speed? Get Xtra JetStream @ http://xtra.co.nz/jetstream
--
This message is part of the NZ ADSL mailing list.
see http://unixathome.org/adsl/ for archives, FAQ,
and various documents.
To unsubscribe: send mail to ***@lists.unixathome.org
with "unsubscribe adsl" in the body of the message
Mark Foster
2005-03-04 20:15:41 UTC
The reason the behaviour changed is that the DSL-302G is a NAT device, so
your router is now dropping all packets (not your firewall).

See if the router has a DMZ configuration option, and set that up.

Your ISP will be able to provide some help with doing this.

Note the router does not have a 'firewall'; it simply has a state where
traffic that is not forwarded through it by a ruleset in the router is
dropped in a given fashion. Note also the difference between 'rejecting' a
packet and 'dropping' a packet. Finally, note that ICMP ping is returned
by default by many DSL devices; you need to turn this off manually (or
forward ICMP to an internal machine which then drops it) if you don't wish
this behaviour to continue.

Mark.
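The packet flow described in the reply above, as an added model that is not code from either poster or from D-Link. It simulates a NAT router (with an optional DMZ host) in front of a host running an iptables-style filter, then fires the two kinds of unsolicited probe ShieldsUP sends (an ICMP echo-request and a TCP SYN) and reports which device answers. The router's behaviour is an assumption: it answers ping itself and either silently drops or actively rejects unsolicited TCP, which is enough to show why the poster's OUTPUT echo-reply rule never fires behind NAT, what changes once the host is the DMZ target, and how DROP and REJECT look different from the outside. The class, function and probe names are made up for this illustration.

```python
"""Constructed model of NAT-router-versus-host-firewall behaviour (assumption-based)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                        # "icmp" or "tcp"
    dst_port: Optional[int] = None    # TCP only
    icmp_type: Optional[str] = None   # "echo-request" / "echo-reply"


@dataclass
class Rule:
    """One iptables-style match: protocol plus optional port or ICMP type."""
    proto: str
    target: str                       # "ACCEPT", "DROP" or "REJECT"
    dst_port: Optional[int] = None
    icmp_type: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto
                and (self.dst_port is None or self.dst_port == pkt.dst_port)
                and (self.icmp_type is None or self.icmp_type == pkt.icmp_type))


@dataclass
class HostFirewall:
    """Host filter: first matching rule wins, otherwise the chain policy applies."""
    input_rules: list = field(default_factory=list)
    output_rules: list = field(default_factory=list)
    input_policy: str = "ACCEPT"
    output_policy: str = "ACCEPT"

    def _verdict(self, rules, policy, pkt):
        for r in rules:
            if r.matches(pkt):
                return r.target
        return policy

    def receive(self, pkt: Packet):
        """Return what the host sends back for an unsolicited packet, or None."""
        verdict = self._verdict(self.input_rules, self.input_policy, pkt)
        if verdict == "DROP":
            return None                       # silent: the probe sees "stealth"
        if verdict == "REJECT":
            return "icmp port-unreachable"    # visible: the probe sees "closed"
        # ACCEPTed, so the stack answers; only now does the OUTPUT chain matter.
        if pkt.proto == "icmp" and pkt.icmp_type == "echo-request":
            reply = Packet("icmp", icmp_type="echo-reply")
        else:
            reply = Packet("tcp", dst_port=pkt.dst_port)   # SYN/ACK or RST
        if self._verdict(self.output_rules, self.output_policy, reply) != "ACCEPT":
            return None
        return "echo-reply" if reply.proto == "icmp" else "tcp response"


@dataclass
class NatRouter:
    """Assumed DSL router: answers ping itself, drops or rejects unsolicited TCP,
    and forwards everything unsolicited to the DMZ host when one is configured."""
    dmz_host: Optional[HostFirewall] = None
    answer_ping: bool = True
    unsolicited_tcp: str = "DROP"     # or "REJECT" (router sends a RST)

    def inbound(self, pkt: Packet):
        """Return (responder, reply) for a probe arriving from the Internet side."""
        if self.dmz_host is not None:
            return ("host", self.dmz_host.receive(pkt))
        if pkt.proto == "icmp" and pkt.icmp_type == "echo-request":
            return ("router", "echo-reply" if self.answer_ping else None)
        if pkt.proto == "tcp" and self.unsolicited_tcp == "REJECT":
            return ("router", "tcp rst")
        return ("router", None)            # no NAT state, no forward rule: dropped


# Constructed ShieldsUP-style probes: a ping and a SYN to a well-known port.
PROBES = [Packet("icmp", icmp_type="echo-request"), Packet("tcp", dst_port=135)]


def probe(router: NatRouter) -> dict:
    """Map each probe name to (who answered, what they sent)."""
    return {("ping" if p.proto == "icmp" else f"tcp/{p.dst_port}"): router.inbound(p)
            for p in PROBES}


def original_host() -> HostFirewall:
    # The poster's rule: drop echo-reply on OUTPUT. It only matters once the
    # echo-request actually reaches the host, i.e. once the host is the DMZ target.
    return HostFirewall(output_rules=[Rule("icmp", "DROP", icmp_type="echo-reply")])


def hardened_host() -> HostFirewall:
    # What the DMZ'd host should do instead: drop unsolicited INPUT outright.
    # A real ruleset also needs an ESTABLISHED,RELATED accept ahead of this policy.
    return HostFirewall(input_policy="DROP")


if __name__ == "__main__":
    print("behind NAT, no DMZ   :", probe(NatRouter()))
    print("DMZ, poster's rules  :", probe(NatRouter(dmz_host=original_host())))
    print("DMZ, INPUT policy DROP:", probe(NatRouter(dmz_host=hardened_host())))
```

Without a DMZ every probe is answered or swallowed by the router, so nothing the host's OUTPUT chain says is ever consulted; with the host as DMZ target the poster's rule does silence ping but leaves TCP answering, while an INPUT policy of DROP silences both. Switching the host or router to REJECT returns an ICMP unreachable or a RST, which is exactly what a port scanner reports as "closed" rather than "stealth".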