As I saw right after posting the comment...
Hey it's the weekend, nobody's paying me to think...
LOL Exactly!
We get paid to think on forums? Whom do I send the bill to?
As for the aberrant results, I'm still unsure of whether the router itself retains
some settings after a power cycle (not a full reset) or if it's ISP level intervention.
As it stands, the only difference between 100% success and Ping Failure is enabling the Block WAN request on my router:
View attachment 69197
With Sevens firewall, mint's firewall and the routers firewall all turned off - I'm still stealthed, even though by rights, I should be wide open to the world.
The other 'fun' little side effect of all this enabling/disabling firewalls is that one of my µtorrent instances is now completely blocked, even with all it's former working settings back in place. (I have two instances running simultaneously)
One is fine, yet the other claims it's blocked by a
disabled Windows Firewall. I do not think my router likes to be turned off...
Essentially, I'm well off without being 100% sure why :huh:
So, that's inbound covered. Where are the tests for testing outbound connections?
See, basic "firewall" technique we usually use are called NAT, NAT = Network Address Translation. What does it mean? How does that affect your supposedly naked PC... See, the world see "you" from the internet is only by your public IP address, the IP address your DSL modem/Broadband router (DOCSIS cable connection) got from your ISP. From the internet your "network" looked like one host, because it only see one IP address. Now, how did NAT protects you? It's very simple... NAT, which technically do "translations" and keeps records of what goes where.
Example, you browsed to yahoo.com through firefox - take note, every packet in this example will have number '80' it's "
target port" tag (it's the standard listen port on HTTP servers), the "
sender port" tag most of the time will be filled with random port number.Ok, let's continue... What happen is, your computer with private IP (let's say 192.168.0.100) contacted your router (192.168.0.1) asking to be routed to "yahoo.com". Let's say your IP public IP address that you got from your ISP is '60.10.10.5'. Now here's where the NAT magic begins - every packet your computer send supposedly to yahoo has
destination tag filled with "yahoo.com", these packets are destined to "yahoo.com", but each packet has it's
sender tag also, so that when "yahoo.com" got your packet, it knows where to send the reply packets (the website data). Now, the magic process is, every packet that leaves your computer will have it's
sender tag filled with '192.168.0.100', this IP address is not route-able, so your router will switch the
sender tag IP address with it's PUBLIC IP (60.10.10.5). When the packet leaves your computer, the
sender tag is '60.10.10.5', which results when "yahoo.com" replies, the replies will get sent to your router/broadband modem/broadband router (your gateway). Now, when the replies arrived at your gateway, the packets will get dissected once more, changing the
sender tag from '60.10.10.5' to '192.168.0.100' so that your computer doesn't confuse or reject the packet. All of this is done for every packets that's coming to and going from your router to each of it's destinations. Now how can this simple mechanism protects you? It's easy... Since your router keeps a list of what your computer(s) requests to what/where/when, it also knows what is NOT requested, see the logic? If say some kid from china has your IP and try to send something to your public IP - which then arrived at your router, the packets will be checked against a list of hosts that you previously asked for, and this Chinese IP address is not one of them... So, by default the packets from the Chinese IP gets dropped off just like that, as if nothing happens. See, this is the basic principal of how NAT works. The rogue packets won't even be able to reach your computer, regardless if your computer has firewall or not.
Now about the PING test. In computer networks there are several protocols, some of them are TCP, UDP, ICMP, BGP, and many more. For data exchange, we usually use TCP or UDP, in my example just now - everything runs on TCP. Now that is for data exchange, computer network also have the "troubleshooting" purposes protocol, that is ICMP. PING is an ICMP message, the "echo". If a host is online, it should reply a PING request (with a PONG). This protocol is working on another level, it doesn't go through the NAT, it only arrives at your router and that's it. To protect you, some routers have the capability to "ignore" these ICMP "echo" messages so that if there's anyone on the net that's trying a PING sweep, your router won't answer - thus the host on your IP address is presumed offline, saving you.
Now, after everything done, you are safe to browse the net, watch youtube, update your status in facebook, read the news, listen to last.fm, and so on... But then you bumped to an issue. As you understand, NAT will drop everything that's not in it's list as if it's a rogue packet. If you play an online game, and you're hosting a session, your computer will "listen" to requests off of the Internet. Now... this is getting frustrating - IF your router doesn't have the list requests and your computer doesn't request anything (it's on "listening" mode), you won't be able to create any game session, your friends won't be able to join your game, because every attempt they make will be dropped by your router. HOLY CRAP !!! But wait, there's a way to "poke a hole" in NAT, it's called "Port Forwarding". In a sense, "Port Forwarding" will forward EVERY packets that arrived at the router that has specific port number in them. When you host a game, usually the game will tell you that it will be using one or more ports (say you're playing CoD:MW2, it uses 1500, 3005, 3101, 27000-27050, 28960 ports). So, to make a hole in your NAT or effectively saying to your router that every packets that are arrived at those ports are to be sent (and translated of course) directly to your PC, you need to make a "Port forwarding rule". Usually in modern routers it has UPnP, it's the magical protocol that will make a hole in your firewall without you making any changes to it (automatically generates a "Port forwarding rule" by it self), sometimes without your consent. In a more conventional router (Cisco business/cloud class routers), usually you need to create your own port forwarding rule, it doesn't have UPnP or UPnP is disabled by default because of security reasons. In some routers it's called "Virtual server". Now, if you're a security concise person, you don't want UPnP running... but on the other hand, it will save your time in configuring port forwarding. I personally disable UPnP because of the security reasons. Imagine you got infected by some new undetected malware botnet client, and it uses UPnP to poke a hole in your firewall and contacted it's master server, the whole NAT firewall technique cannot save you, because the request are made from inside, and what's inside poke a hole to your defense so that what's from outside can go in... That is terrible... But, you know... consumers - they want it easy
and secure, which is almost impossible...
Enough ramblings for now, close to 5 AM over here...
zzz2496
P.s: I can no longer hold back... Somethings are need to be straighten out about firewalls
)
