[Help] Router and IP Address


Hey,

I'm a complete moron when it comes to this and I was wondering how I can set up an IP or at least a way for me to allow others to connect to me when I'm using a router. I also have the XP firewall on if it makes a difference. I can't seem to get it to work. I keep getting 192.168.0.157 as my ip.

Thanks


Hey,

I'm a complete moron when it comes to this and I was wondering how I can set up an IP or at least a way for me to allow others to connect to me when I'm using a router. I also have the XP firewall on if it makes a difference. I can't seem to get it to work. I keep getting 192.168.0.157 as my ip.

Thanks

585087512[/snapback]

First turn off the XP firewall because that will just complicate matters, it's not needed if you're behind a router.

If you're wanting people that are on the other side of your router to connect to you, i.e. people on the Internet, then you need to forward the port of whatever application they will be connecting to to your machine. You should be able to do this with the web interface on the router, consult its manual as you didn't say which router you have. Then if you want someone to connect to you you'll need to give them the external IP address of the router, go to the following page to get that.

http://www.whatismyip.com/


What program are you wanting incoming connections into? Web server, BitTorrent, FTP, SMTP, etc. And just to make sure, you aren't talking about how you can't go onto the internet, right?


First turn off the XP firewall because that will just complicate matters, it's not needed if you're behind a router.

585087535[/snapback]

Really, what if my router does not have a firewall?


^ If your router does NAT, which I would assume it does - or why are you running a router in the first place? Then all INBOUND traffic is blocked, unless you have requested it or forwarded it. So there really is no need for a firewall on the inside of a NAT router - unless you have to treat your local private network as hostile. Are you worried about the machine next to you on your lan? If not - then no, there really is no point to running a firewall behind a NAT router.


^ If your router does NAT, which I would assume it does - or why are you running a router in the first place?  Then all INBOUND traffic is blocked, unless you have requested it or forwarded it.  So there really is no need for a firewall on the inside of a NAT router - unless you have to treat your local private network as hostile.  Are you worried about the machine next to you on your lan?  If not - then no, there really is no point to running a firewall behind a NAT router.

585091387[/snapback]

are you serious? unless he's splurged and is running some nice cisco router, anything else he feels like running will only HELP him out. it's all configuration anyway, so as long as he does it correctly, let the windows firewall run.

my guess is he has a belkin, dlink, or linksys router, and to say that those routers will keep you safe is like saying that some gum and some prayer will keep a dam from bursting.

ripped :huh:


are you serious?  unless he's splurged and is running some nice cisco router, anything else he feels like running will only HELP him out.  it's all configuration anyway, so as long as he does it correctly, let the windows firewall run.

my guess is he has a belkin, dlink, or linksys router, and to say that those routers will keep you safe is like saying that some gum and some prayer will keep a dam from bursting.

ripped :huh:

585091402[/snapback]

It makes no difference how expensive the router is, it's still a router and it still will be using NAT. The only purpose of running a software firewall would be if you're some total paranoid freak and need to block outgoing traffic.


nicer routers have a built in hardware firewall - NAT is great, but it's not a firewall, and it does not replace one. using it as your only source of protection is not the route to take. even a software firewall isn't the way to go (but it's not a bad idea if you cannot afford a true hardware firewall).

saying that NAT will protect you is not true. it's a common misconception, but not true, mostly because it only protects you from something that is looking to START the conversation with your PC. if your PC starts it, then NAT does nothing to stop it. that's why software firewalls can be fooled as well...only a stateful firewall is going to monitor everything.

and being a paranoid freak these days is what everyone should be. one of my clients had his identity stolen from his PC.

ripped :blink:


nicer routers have a built in hardware firewall - NAT is great, but it's not a firewall, and it does not replace one.  using it as your only source of protection is not the route to take.  even a software firewall isn't the way to go (but it's not a bad idea if you cannot afford a true hardware firewall).

saying that NAT will protect you is not true.  it's a common misconception, but not true, mostly because it only protects you from something that is looking to START the conversation with your PC.  if your PC starts it, then NAT does nothing to stop it.  that's why software firewalls can be fooled as well...only a stateful firewall is going to monitor everything.

and being a paranoid freak these days is what everyone should be.  one of my clients had his identity stolen from his PC.

ripped :blink:

585091505[/snapback]

...soo basically that's what I just said... software firewalls block outgoing connections, if you're into that kind of thing.


dude, there is no need for a software firewall behind a NAT firewall, unless you need to treat your local network as HOSTILE. Do you need to do this?

For starters the xp firewall does not log or block outbound traffic - so what good is it behind a NAT router? Also as you said - software firewalls can be fooled, I agree - it's just a piece of software. So since INBOUND traffic is blocked by the NAT router, and you have to be a complete IDIOT to run code you do not know is safe, and you can log outbound traffic at the router anyway.

And you are running an up-to-date VIRUS scanner, explain again why you would need or even want to be running a software firewall?? Give me one example it is going to protect me against - just one! I fail to see the point of looking at every packet that has already been allowed into my network by my router, due to me requesting said packet, or me telling the router to forward traffic on such a port to such a port on one of my machines.

Software firewalls cause more issues than any help they might possibly do. For starters most of the people running them - do not have even the basic understandings of what they do, or how, or for that matter even why.

Do not get me wrong - if you are NOT behind a router, say on the road with your laptop -- sure. Or if you have a lot of strange machines on your local lan (treat it as hostile).

Please give just ONE example of an exploit your software firewall will protect someone from. Just ONE! That you would not have to be a complete and utter moron to fall victim to. Being behind a NAT router, and no, not in the DMZ - and NOT running UPnP. You know exactly what ports are open, and why - etc..


dude, there is no need for a software firewall behind a NAT firewall, unless you need to treat your local network as HOSTILE. Do you need to do this?

:woot: :woot: :woot: :woot: :woot: :woot: :woot: :woot:

Almost all NAT boxes have rudimentary packet filtering capabilities, although the number and complexity of filters is often limited.

Turning on port forwarding means traffic for the forwarded ports is forwarded to the specified computer automatically, without the protection of NAT. (Most NAT routers do at least basic packet filtering, in addition to NAT. So there is some protection, but not specifically against unsolicited traffic.) In this circumstance you can add a software firewall, or run a more complex and expensive hardware firewall or firewall appliance.

Generally software firewalls provide valuable additional protection that supplements the protection provided by NAT routers and SPI firewalls. They can inexpensively provide good protection for individual computers on your network in the event that one of the computers gets infected.

Software firewalls can also watch for trojans, viruses, or unauthorized legitimate software, trying to connect out. Unlike external firewalls and NAT routers, software firewalls know what is going on inside your computer, they can see which program is trying to get out, and whether that program has changed since the last time it tried to get out.

The downside of software firewalls is that they can be shut down by users, stalled or terminated by other software on the PC malfunctioning, and certain viruses and trojans disable them or shut them down. External firewalls and NAT routers are simpler devices that are less likely to have problems that cause them to fail dangerously.

Ideally a software firewall should be an additional layer of protection behind a NAT router or firewall. For homes a free version of a software firewall is normally adequate for this additional layer of protection.

Edited by El_Cu_Guy

Please give me "ONE" example of why I would need to run one? Like I said, I do not run unsafe code - and my virus scanner is up to date. NO unwanted traffic is allowed into my network. I do not directly provide any services on my workstations to the public net. Um how exactly is one of my boxes going to get infected? And then how exactly is it going to exploit one of my other boxes, when they are all up to date with patches?

Please just give "ONE" example of something that would infect my machine - FROM the outside, through my NAT router - just one dude! I only want one.

So you're saying I should use the resources of my machine to check and filter EVERY packet in and out of my machine -- for why? For what reason should I lower the performance of my machine, double checking every packet that has already been OK by the router? Or is from one of the other up-to-date, virus scanner running, also behind the router - not providing services to anything. And then have that other machine also check every packet back and forth?

I never said they were costly - I just do NOT see the point of running one, do you wear 2 condoms? It's an unnecessary drain on the resources of my machine, that just causes more config and most likely headaches for the person that does not understand why they can not play that new head to head game they just bought - it's just not talking to the machine next to him, etc..


Unfortunately you seem to believe that your experiences online are not unique. You forget that there are others who are quite careless. My post was describing why NAT is not some magical protection that people should rely on as their only form of protection.

Please give me "ONE" example of why I would need to run one?

Turning on port forwarding means traffic for the forwarded ports is forwarded to the specified computer automatically, without the protection of NAT.

This seems to be a common answer to a number of remote connectivity issues on this board. Wouldn't you agree?

Um how exactly is one of my boxes going to get infected? And then how exactly is it going to exploit one of my other boxes

This makes me think that you are one of those people that still believes the AlphaShield to be unhackable.

when they are all up to date with patches?

Do you run Windows on any box? It's a shame that not all vulnerabilities have been patched. Microsoft is known for leaving holes unpatched. Its Security Through Obscurity has resulted in Microsoft failing to acknowledge vulnerabilities or when, if at all, a patch will be issued. Vulnerabilities exist and go unpatched even though widely known.

Again I state that my post was mostly a rebuttal to people that believe that NAT is the only protection they should rely on. I would also like to restate that no firewall is 100%.


How about I qualify my original statement then. Only idiots who download trojans and other software that gives out personal information need a software firewall.

You seriously believe that don't you? I run a software firewall on the very computer I'm using to write this post. I certainly don't download trojans or software such as you described.

You can learn a lot from a honeypot.


No computer should be without a software firewall. even a computer that is only used by experts.

especially computers used by multiple ppl.

I run NAT. and ZA on all computers.

Mine is a laptop - I take it into all diff networks so I don't trust anyone else's fw. But even on home computers.

How many kids download new styles or screensaver for their computer not knowing what is installed. What about worms spreading over an internal network because your son opened an email on his computer inside your firewall.


I work as an Information Security Specialist, and I personally have chosen the path to rather teach people to be paranoid than to trust that they are safe when they might not be.

While NAT is an OK solution for many, it is not a true firewall. As the name itself clarifies, it is only Network Address Translation. It only says that this address here equals to that address there. It is the packet filtering that does the rulebase. And there's the difference. If possible, always try to get a hardware that supports stateful inspection. If that is not possible and you use a NAT-device with packet filtering, it really is not that bad of an idea to run some SW fw that supports SI.

What is the difference between PF and SI then that makes it so important? Well first of all the reason why most devices are only packet filtering is because they tend to be very inexpensive, quite fast and often easy to configure. The packets are forwarded only using the packet information in question, meaning if the packet passes the rule it is then forwarded.

Stateful Inspection on the other hand, builds a sort of a dynamic state table that keeps track of which connections are actually valid and which ones are not. Therefore, with an SI firewall only those packets that are part of a valid, established connection are allowed through the firewall.

And for the record, it is always a bad idea to first suggest somebody to turn off the firewall if they are having connectivity problems. Somebody already used the condom example here, so I use the same example to say that it's kinda like saying that "if it doesn't feel good enough, take off the condom." Would you do that?

Hope I made any sense. Anyways, the point was, if using a NAT device you often are relatively safe. But you shouldn't trust solely on it if it is a cheap one, and double security is always better than possibly no security.

Just my 2 cents :)

edit: Oh, and always assume that the end user does not know what he is doing and understands none of the threats in the 'net these days :yes:

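The packet-filtering versus stateful-inspection distinction from the post above, and the earlier point that a port forward delivers unsolicited traffic, as an added example that is not part of any poster's message. It is a simplified model: the class names, the PF rule "allow inbound from source port 80" and all addresses except 192.168.0.157 are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:              # header fields as seen on the router's WAN side
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class PacketFilter:
    """Packet filtering (PF): every packet is judged on its own header."""
    def __init__(self, allowed_src_ports):
        self.allowed_src_ports = set(allowed_src_ports)

    def allows(self, pkt):
        return pkt.src_port in self.allowed_src_ports

class StatefulNat:
    """State table built from outbound traffic, plus static port forwards."""
    def __init__(self, forwards):
        self.forwards = dict(forwards)   # WAN port -> (LAN ip, LAN port)
        self.state = {}                  # expected reply 4-tuple -> LAN endpoint

    def note_outbound(self, pkt, lan_endpoint):
        # Record the reply we expect: the outbound endpoints, swapped.
        reply_key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        self.state[reply_key] = lan_endpoint

    def deliver(self, pkt):
        """Return the LAN endpoint that receives pkt, or None if dropped."""
        if pkt.dst_port in self.forwards:
            return self.forwards[pkt.dst_port]   # forwarded: no state needed
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return self.state.get(key)

def evaluate():
    wan, pc = "198.51.100.7", "192.168.0.157"           # constructed WAN address
    outbound = Packet(wan, 50000, "203.0.113.10", 80)    # PC opens a web connection
    reply = Packet("203.0.113.10", 80, wan, 50000)       # the server's answer
    stray = Packet("192.0.2.99", 80, wan, 50000)         # unsolicited, source port 80
    to_forward = Packet("192.0.2.99", 40000, wan, 6881)  # unsolicited, forwarded port
    pf = PacketFilter(allowed_src_ports=[80])
    nat = StatefulNat(forwards={6881: (pc, 6881)})
    nat.note_outbound(outbound, (pc, 50000))
    return {
        "pf_reply": pf.allows(reply),         # header matches the rule
        "pf_stray": pf.allows(stray),         # header also matches: PF cannot tell
        "si_reply": nat.deliver(reply),       # matches the state table
        "si_stray": nat.deliver(stray),       # no matching connection: dropped
        "forwarded": nat.deliver(to_forward), # reaches the PC unsolicited
    }

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:10} -> {result}")
```

The forwarded port is the case where the host behind the router sees traffic nobody inside requested, so whatever listens there is the only remaining check.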

No computer should be without a software firewall.  even a computer that is only used by experts.

especially computers used by multiple ppl. 

I run NAT.  and ZA on all computers.

Mine is a laptop - I take it into all diff networks so I don't trust anyone else's fw.  But even on home computers.

How many kids download new styles or screensaver for their computer not knowing what is installed.  What about worms spreading over an internal network because your son opened an email on his computer inside your firewall.

585103556[/snapback]

Well that's budman's point exactly. Your lan can be treated as hostile, so you should use a software firewall. He's still correct. Read his statements again.

Budman - "unless you need to treat your local network as HOSTILE."


Well that's budman's point exactly. Your lan can be treated as hostile, so you should use a software firewall. He's still correct. Read his statements again.

Budman - "unless you need to treat your local network as HOSTILE."

585104573[/snapback]

Thanks for the backup there luna! - someone pays attention ;)

And I did not say take off the condom, I asked why would you wear 2? And yes if it did not feel right, I would take off that 2nd one! ;) Which is my point!! And I am still waiting for the "ONE" example of how something will infect my machine through my NAT router, and not trigger my virus scanner - but my software FW will stop it or warn me of it? I just want "1" - if you can give me just "1" example, I will admit that there is possibly some need for you to run a software firewall behind a NAT router. Until this time - I see it as wearing that 2nd condom, and a waste of resources - which causes the user more issues than protection.

As lunamonkey so nicely pointed out for you - I have mentioned it at least twice in this thread - if you need to treat your local network as hostile! Then by all means you should have some protection. And I never said or suggested you shouldn't - but when you are behind a border device, be it a NAT router with or without SI, or a personal PIX. And you have some clue to how it works, (i.e. you're not putting yourself in the DMZ every time you want something to work - or using UPnP that could open ports you do not know are open, etc..) then I see no point to running a software firewall.

Until you can give me at least "1" example of some type of exploit that can get through my plain ole NAT router, and some software FW will protect me against. I will stand by this advice. Remember - no services are provided to the net.


Before I type my reply, I have to say that I seriously think that I should have used another example than that condom one.. but here goes :D

I don't see that using packet filtering NAT router and a SW FW simultaneously as using two condoms, but more like using a condom and a spermicide. You see, as we all know condoms have a success rate of about 98%. If I wanted to be 100% sure, I'd have to use something else in addition to that.

But as for your one exploit request, I regrettably can not give you one since I would have to dig into device-specific data. There is really no one example that goes to every device, but rather some exploits that work on some devices etc.

There are flaws in those devices more or less, that's why there are firmware upgrades.

Another debate would be that do we need to be 100% sure or are we satisfied with the calculated risk? Well, it depends. I prefer being as sure as I can, even if the downside is a slight performance decrease.

If your router has the latest firmware and has no known exploits on it, then the answer is no, you probably don't need additional protection. But the question for most people/unknown hardware remains: can you really be sure of it?

And you are absolutely correct on that if you know what you are doing, chances are you are safe. Joe Average really doesn't know, that's why additional security is my preferred method when advising people :)


This topic is now closed to further replies.