Bill_MI (Bill In Michigan), Royal Oak, MI:
INFO: PING, TCP, UDP and LinkSys Replies
...or Why A Dummy DMZ is Used By Some
Here is how I found the LinkSys replies to inbound packets. These *all* refer to incoming packets not involved in a known connection, and I just verified this on a BEFSR41, firmware 1.39.

BWR = the option "Block WAN Request"
SPI = the option "Stateful Packet Inspection"
DMZ = De-Militarized Zone
ON = ENABLED, OFF = DISABLED

ICMP
(1) The LinkSys will reply to ICMP echo request (ping) only when both SPI and BWR are OFF. This is the only condition under which you will be "pingable". If either SPI or BWR is ON there will be no reply ("stealth"). ICMP cannot be forwarded or sent to the DMZ.

TCP
(1) If the TCP port is forwarded or a DMZ is set, the LAN PC involved will determine the reply. OTHERWISE...
(2) The LinkSys will reply "closed" only when both SPI and BWR are OFF.
(3) If either SPI or BWR is ON there will be no reply (aka "stealth").

UDP
(1) If the UDP port is forwarded or a DMZ is set, the LAN PC involved will determine the reply. OTHERWISE...
(2) SPI and BWR do not affect the LinkSys reply, which is always an ICMP message "port closed". In earlier firmware UDP behaved like TCP above.

Whether this is desirable is disputed, and some security sites call this the normal response. Also, no-response can be called "open" or "stealth" depending on who you ask. For more info, see Link Logger's thread on this dispute: "UDP Port scans and you".

What the "Dummy DMZ" does
Now comes the Dummy DMZ. Note that in TCP(1) and UDP(1) the DMZ LAN PC determines the reply. If the DMZ is set to a dummy address, a "no-reply" will be forced. In the case of UDP, this is the only way to achieve such "stealth". This is what a dummy DMZ can be used for, but it also brings such packets into the LAN so they can be detected or logged, too.
All comments welcomed.
[text was edited by author 2001-07-10 01:04:50]
SYNACK (Just Firewall It), Venice, CA:
So... what is the difference between SPI and BWR, and based on what criteria and under exactly what conditions would one choose one over the other? Can you show a scenario where they differ?
Bill_MI (Bill In Michigan), Royal Oak, MI:
How about that...
You noticed!
SPI turns off Port Forwarding and makes DMZ ineffective, BWR does not.
From what I've found "SPI" may as well be called: "Ignore Forwarding, DMZ and BWR settings" ... a global safety switch?
The only port forwarding unaffected by SPI I've found is that done with Port Triggering.
bbarrera, Sacramento, CA:
other packets?
Bill, what about:
- IGMP
- source routing
- source subnet = LAN subnet (e.g. from modem mgmt interface)
- private IP addresses (e.g. from modem mgmt interface)
Testing this should be easy if you are injecting packets on the WAN port of Linky from a PC. How did you test?
Bill_MI (Bill In Michigan), Royal Oak, MI:
Nope, no packet injection. Just a sniffer and remote ping (ICMP), telnet (TCP) and DNS/NTP (UDP). I have no easy way of testing PPTP, IPSec.
Do you think modem mgmt would be on the ISP's WAN interface? Like RIP? And the closest I've been to multicasting (IGMP stuff) is the attack tests from security sites.
Link Logger, Calgary, AB (reply to Bill_MI, Re: How about that...):
That is pretty well exactly what I've been using SPI for. Excellent testing Bill, as it puts the meat on the table.
Blake

bbarrera, Sacramento, CA (reply to Bill_MI, Re: other packets?):
My ADSL modem has a mgmt interface at 192.168.157.100, but it cannot be accessed when the modem is actively bridging connections to the ISP. Cable modem users that have a Motorola Surfboard SB4100 can access the modem at 192.168.100.1; for example see this recent post: "neubie surfboard/router question".
I've done some testing by unhooking the router from the modem and connecting to a Linux box running nmap. That will test the router in Ethernet mode (cable modem users), but not in PPPoE mode (most ADSL users). Under Win98 I've used a trial version of eEye's Iris packet sniffer to inject packets and watch the response. Too expensive for me, but Iris is an outstanding tool for analyzing network traffic.
Bill_MI (Bill In Michigan), Royal Oak, MI:
Just scanned that thread. I worked with someone online that had an SB3100 on cable and found her 192.168.100.1 (I think it was) interface was sensitive to source IP (like .50 or something). Anyone try that? How do you access it normally? When you're bridging, you cannot access it direct connected? Is it http?
bbarrera, Sacramento, CA:
Sorry, I didn't want to sidetrack this thread onto a modem mgmt discussion. I just pointed it out to partly answer your question ("Do you think modem mgmt would be on the ISP's WAN interface?").
I'm still interested in understanding how Linksys responds to unsolicited inbound packets:
- IGMP
- source routing
- source subnet = LAN subnet (e.g. from modem mgmt interface)
- private IP addresses (e.g. from modem mgmt interface)
Thanks for the great info. Now if only Linksys would explain SPI. At this point SPI sounds like marketing is abusing buzzwords so they can nervously put a check in the competitive matrix. Where's Dilbert when you need him?