Don C Weber wrote:
>I have looked for information about this but I guess I am asking (Googling)
>the wrong questions. I ran a Nmap syn scan of a computer protected by a
>Kerio firewall and monitored the protected interface with Ethereal. I was
>rewarded with a list of 3326 syn and 12 arp packets coming in but no
>responses going out. This part I understand. But when I disabled the
>Kerio firewall, enabled the firewall that comes with my Cisco VPN client,
>and reran the scan all Ethereal captured were the 12 arp packets. The scan
>results on the Nmap side were identical and all ports scanned were reported
>as filtered.
>
>
This doesn't mean that the TCP stack will see the syn traffic or not.
Just because Ethereal see's it might not be the same, but you might ask
the WinPcap people about their experiences.
>My question is this: is the system protected better by the Cisco firewall?
>Could another application intercept and exploit network traffic before the
>Kerio firewall?
>
>I want to avoid talking about how an application would need administrative
>rights to capture the traffic before Kerio. This I understand. I am more
>interested in the flow logic and why I had different results from what
>should be similar software.
>
>
Hmmm, you'll should known that a firewall and a VPN client are *very*
different pieces of software!
A firewall is meant to protect a general network access, while a VPN
client is meant to close down all traffic but to get only the traffic to
and from the VPN server.
So the Cisco and the Kerio firewall could do a lot of different things...
What you'll see with Ethereal is probably not what the TCP network stack
will see, so your assumptions might just be misleading.
However, as I don't know exactly the inner workings of the Windows
TCP/IP stack, you might be right and I'm wrong ...
Regards, ULFL
P.S: Someone with better Win32 TCP/IP stack knowledge than me might be
able to give better advice here ...