NAT router and/or software firewall?


What type of firewall do you folks primarily use to prevent penetration attempts on your work stations?  Do you think a NAT router provides enough security?  Do you use a software firewall?  I’m just curious about this as I’m always looking for ways to improve security on my work stations.
Thanks for any and all replies.


NAT is fine by itself if you aren’t forwarding any ports. If you are, then you should have a local firewall and, if you’re uber paranoid, a local IDS.

Personally I run Linux and don’t forward any ports, so I feel pretty safe.

Thanks, jesus.  I appreciate the feedback.  :smile:
Yeah, I also feel reasonably safe on my Slackware boxes behind the NAT router.  I’m not forwarding any ports or running a server.  I scan for rootkits on occasion and keep my units patched.  I’m not running a software firewall as I think the router is keeping me fairly well protected.  I added port 69 to /etc/hosts.deny.

Routers are only good for stopping inbound connections. For outbound, you need a software firewall with a flexible rule set you can easily control. This is to stop any unauthorised outbound connections you or someone on the network may make due to a compromise.
I highly recommend running some type of IDS (intrusion detection system) on your Linux box to help with security.
Routers can be easily bypassed with the use of exploits (there are several methodologies by which this can be done, such as layering), and if you or someone on the network is compromised, an unauthorized outbound connection is very likely, most likely being some type of reverse connection to defeat the NAT. This is where a software firewall would serve you well. Sitting behind a router alone is not good enough, regardless of whether or not you are forwarding ports or running server(s). You might feel pretty safe, but as I said, they can be easily bypassed.
Exploits are very complex, and there are ways to effectively scan and attack while initiating IDS and firewall evasion.
Scanning for rootkits on a regular basis is a good idea, as is monitoring traffic with tcpdump. A firewall helps, and an IDS is necessary, because it monitors everything from port scanning to port binding to shell injections; it goes on and on.

Here are some links to a couple of good IDSs you might want to look at.

Here are a couple of links for some software firewalls for Linux.

Firehol is pretty good as it utilizes sniffing, and works to help you control your iptables.
You remember I mentioned iptables to you before? You can control access from remote IPs and IP ranges with your iptables.

Tcpdump should already be installed on your Slackware system.
For more information on tcpdump, you can go here. … p.html#use

All these things are pretty much essential if you truly want to feel secure.
I can’t stress enough to people that you cannot afford to take security lightly, but when it comes down to it, it’s really all up to you.
You may think, well, I don’t really do much, and I don’t place myself in places where I might be targeted, but that is naive. Tons of hackers scan random IP ranges looking for a vulnerable machine. A lot of times a hack is nothing more than a random opportunity.

Anyways, you know what I do hitest, and you can take it for what it’s worth :wink:

Cheers all.

Somewhat true, maybe just poorly worded. A ‘router’ will filter outbound as well, but if your local host is compromised you might put other machines on your LAN at risk.

Don’t bother putting the IDS on the outside network card unless you’re curious about all the (mostly) harmless traffic on the net. I suppose you could hone your IDS to alert you for only really scary things, but chances are you’re not that important to anybody.

Unless of course you have a good outbound ruleset on your ‘router’.

tcpdump is pretty much useless for detecting an attack unless you know exactly what you’re looking at, or are at a loss for ideas and are grasping at straws to find out what’s going on. I would know; I’ve done DDoS mitigation as a large part of my job for the past 3 years… it’s also been my experience that Snort is pretty much useless in a large scale environment. On the internal NIC on your firewall it’d yield useful results though.

Iptables/Netfilter is the firewall for Linux; the rest of these are pretty much configuration utilities and nothing more. Obviously good for a newbie :smile:

Don’t take me too seriously though; I suck at my job :wink:
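The outbound-filtering point raised above (a router stops inbound, a local firewall with its own rule set is what catches a reverse connection from a compromised process) and the remark that iptables/Netfilter is the actual firewall on Linux, put together as one added example that is not from any poster in this thread. It generates a default-deny ruleset for a workstation behind a NAT router in iptables-restore format, with an allow list for outbound traffic and logging of anything dropped; the interface, the DNS address 192.168.1.1 and the allowed ports are constructed assumptions you would adjust.

```shell
#!/bin/sh
# Added example: default-deny iptables ruleset for a Linux workstation behind NAT.
# Inbound: only loopback and replies to connections this host opened.
# Outbound: only an explicit allow list; everything else is logged, then dropped,
# so a reverse connection from a compromised process shows up in the kernel log.
# Assumed (constructed): DNS is served by the router at 192.168.1.1.
LAN_DNS="${LAN_DNS:-192.168.1.1}"

# Emit the ruleset as text so it can be reviewed (and tested) before loading.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOG_DROP - [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections this host initiated
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# outbound allow list: DNS to the router, HTTP/HTTPS, NTP
-A OUTPUT -p udp -d ${LAN_DNS} --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
# anything else: rate-limited log entry (prefix FW-DROP:), then drop
-A INPUT -j LOG_DROP
-A OUTPUT -j LOG_DROP
-A LOG_DROP -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: " --log-level 4
-A LOG_DROP -j DROP
COMMIT
EOF
}

# Number of outbound NEW-connection allow rules in the generated set.
count_outbound_allows() {
    gen_rules | grep -c -- '^-A OUTPUT .*--ctstate NEW -j ACCEPT'
}

# Load atomically with iptables-restore: either the whole set applies or nothing changes.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: need root" >&2; return 1; }
    gen_rules | iptables-restore
}

if [ "${1:-}" = "apply" ]; then apply_rules; fi
```

Run it with no arguments to print the ruleset for review, or as root with `apply` to load it; dropped outbound attempts then appear in `dmesg` with the `FW-DROP:` prefix.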

Interesting discussion gentlemen, thanks for the excellent feedback :)


Haha. I’m not offering you $27 hr then. :smiley:

I’ve only been hacked once in 7 or 8 years running multiple servers.
Goddam idiot user who could not remember her password and I got pissed off after a dozen times and allowed dictionaryword password dictionaryword. Then forgot to disable shell access… duh
3 years later gave a new machine the same hostname and the probing attacks began instantly…

You weren’t offering 27/hr anyway :wink: but if you were I’d probably be damn good at my job. If you offer me 10.00/hr I can be the Forrest Gump of IT techs. My heart will be all there but my competence not so much.

Anyway I got ‘hacked’ once back in the day… I was running an older version of communigate ‘pro’ because the Russians hadn’t made a hack for the new one that called home. They used my server to send an assload of spam. That was the last day I used any program with ‘pro’ in the name.

edit: I see you’re a cunning negotiator. You’ve managed to take 1.00/hr off my wage. I hate you.

:smiley: Did I forget to mention HongKong dollars?
I prefer the Columbo troubleshooting method. Seemingly stupid questions until you discover the dork has an extension cord with the ground lug chopped off and running into the bathroom shaver plug.
Or my all-time fave from the Pentium days, the keyboard & mouse didn’t work when he got home because he thought it was a car and turned the keys on the front to start it, and locked them…
Forrest Gump could be Mayor here… or ‘the new Principal’… :astonished:

LMAO  :smiley:

I think joel’s worth the money, just make sure he shaves his beard everyday, :smile:

OMG two rezooms in the mailbox from Vanc… with degrees… for the p/t ‘assistant’ position.
Is it that bad down there?

It’s pretty bad, yup. I’ve decided to employ myself though; I much prefer it. I work half as often and make the same amount :smiley:

I KNOW… Resurrecting an old thread is plain evil, but I was reading through, gutted I missed the thread (cos, well, it’s what I do :wink:)… but I just want to be a pedant…

IDS will only ever give you an insane amount of logs… You need an IPS, which actually goes inline and kills the traffic dead! :smile:

Shutting up now!