NAT +SPI blocks outgoing webservices

the-one1

When I turn on SPI on my HP hn200w router, people outside can't access my webserver or any services. But with SPI off, everything is fine and dandy. I would like SPI on but I can't. Any ideas?
 
Ok first of all, just in case you weren't aware of this, "turning SPI on" is the same thing as "turning the firewall feature on". SPI = Stateful Packet Inspection, which is a specific type of firewall. When you turn SPI off, you are turning off your firewall, and your machine is completely open, available, and vulnerable from the outside.

What you need to do is turn SPI on and "open ports" or "forward ports". Your router manual or online documentation should tell you how to do that. You normally need to open port 80 for webserver access. What other kinds of access do you want to grant?

- Qualm
 
Router has NAT, that's how routers work, or else it would be a switch. It has all the ports needed forwarded to the server. NAT blocks access to other ports from the internet. SPI seems to block all the forwarded ports too.
I know how a router works and all, just wondering what SPI is specifically blocking and why.
 
Stateful inspection is a firewall architecture that works at the network layer. Unlike static packet filtering, which examines a packet based on the information in its header, stateful inspection tracks each connection traversing all interfaces of the firewall and makes sure they are valid. For example, a stateful firewall may examine not just the header information but also the contents of the packet up through the application layer in order to determine more about the packet than just information about its source and destination. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Because of this, filtering decisions are based not only on administrator-defined rules (as in static packet filtering) but also on context that has been established by prior packets that have passed through the firewall.
As an added security measure against port scanning, stateful inspection firewalls close off ports until a connection to the specific port is requested.


** Taken from my TAC pages here at work. :D **

I think you are a bit confused, since NAT is NETWORK ADDRESS TRANSLATION, not port forwarding. It is thought of as a type of firewall, but all it really does is use one set of IP addresses for internal traffic and a second set of addresses for external traffic. Basically, it keeps your internal network from conflicting with other networks.

I think you need to open the ports needed for the type of traffic you expect (HTTP, FTP, TELNET, etc.) in your firewall...
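As an added illustration, not from the thread or from the HP router's firmware: a toy stateful filter in Python that keeps a state table and a set of explicitly forwarded inbound ports (assumed LAN prefix 192.168.1. and constructed host addresses). It shows an inbound SYN to forwarded port 80 opening state, replies and later data riding on that entry, LAN-originated traffic creating state with no rule at all, and unsolicited probes to any other port dropped, which is the "ports closed until a connection is requested" behaviour described above.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # first packet of a TCP connection
    fin: bool = False  # connection teardown
ConnKey = Tuple[str, int, str, int]  # (LAN host, LAN port, remote host, remote port)

class StatefulFilter:
    def __init__(self, lan_prefix: str, forwarded_ports: Set[int]):
        self.lan = lan_prefix               # assumed LAN prefix, e.g. "192.168.1."
        self.forwarded = forwarded_ports    # inbound ports opened by port-forward rules
        self.state: Dict[ConnKey, str] = {} # the state table

    def _key(self, p: Packet) -> ConnKey:
        # normalise so the LAN side is always first, whichever way the packet flows
        if p.src.startswith(self.lan):
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def decide(self, p: Packet) -> str:
        key, inbound = self._key(p), not p.src.startswith(self.lan)
        if key in self.state:           # belongs to a tracked connection
            if p.fin:
                del self.state[key]     # teardown removes the entry
            return "ALLOW"
        # New connection: LAN-originated is always fine; from outside only a SYN
        # to an explicitly forwarded port may open state.
        if not inbound or (p.syn and p.dport in self.forwarded):
            self.state[key] = "ESTABLISHED"
            return "ALLOW"
        return "DROP"                   # port looks closed to the outside

def demo() -> Dict[str, str]:
    fw = StatefulFilter("192.168.1.", forwarded_ports={80})
    web, lan_pc, ext = "192.168.1.10", "192.168.1.20", "203.0.113.5"  # constructed
    return {
        "web_syn":   fw.decide(Packet(ext, 40000, web, 80, syn=True)),      # ALLOW
        "web_reply": fw.decide(Packet(web, 80, ext, 40000)),                # ALLOW
        "web_data":  fw.decide(Packet(ext, 40000, web, 80)),                # ALLOW
        "scan_22":   fw.decide(Packet(ext, 40001, web, 22, syn=True)),      # DROP
        "stray_ack": fw.decide(Packet(ext, 40002, web, 80)),                # DROP
        "lan_out":   fw.decide(Packet(lan_pc, 50000, ext, 443, syn=True)),  # ALLOW
        "lan_reply": fw.decide(Packet(ext, 443, lan_pc, 50000)),            # ALLOW
    }
```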
 
I know what NAT is; in uber simple terms, it magically directs traffic from one IP to another in the router. And I know what port forwarding is too.
All the needed ports are forwarded to the server as mentioned earlier. But I think Dr_Romulus has something I overlooked: "stateful inspection firewalls close off ports until a connection to the specific port is requested." Care to elaborate? :)
I have my router set up as a gateway; it has an option for "router". Never messed with that myself.
Thanks for the patience.
 