Hi, I recently got burned by my router's Active FTP NAT Helper: - I visit a page with a hostile java applet - the applet calls home with what seems to be a legitimate FTP session - the remote server responds with "sure, I'll send that data on port 5900" (which just happens to be the standard VNC port) - the router opens port 5900 for that remote host to this local host, and that remote host now has access to a local port that it should not. This mechanism can be tested easily with the following site: http://bedatec.dyndns.org/ftpnat/test.html I would like to turn off this "NAT Helper" behaviour, but I cannot figure out where this is configured. I have tried running "iptables --list" in telnet, but the helpers don't seem to show up there (neither the 3 that Tomato already has disable support for ion the UI, nor the FTP Helper that I am looking for). Does anyone know enough about iptables / conntrack / netfilter / linux / NAT Helpers to give me any information here? I emailed the author before trying the iptables thing, but I don't expect he will have the time to look at my email in a good while, so any help would be appreciated! Thanks, Tao --- PS for the record here's the email to him, more detailed explanation of the problem than the above post: Last week (before I started using Tomato, but the same applies) someone accessed a VNC server running on my machine. They actually got in because my VNC server was a flawed / vulnerable version where the password can be bypassed, but that is not what I am concerned about; they should never have reached my VNC Port at all! In the meantime I've placed a few posts on newsgroups and learned a lot about NAT, and the conclusion I've reached is that the MOST LIKELY may that they reached my internal 5900 port (through the router's firewall) is by using the FTP NAT Helper trick - from an applet running in a browser in a page that I must have viewed, they must have "Phoned Home" an Active FTP session request, and their server responded with "OK, I'm going to start sending the data on port 5900 - open up please!". Trying to be helpful, the router I was using then happily obliged, giving the attackers free access to my VNC server. I have tested for this with several firmwares on the , and so far they all exhibit the same behaviour (stock firmware, HyperWRT Thibor, and also Tomato 1.10). I thought that one of Tomato's "Disable NAT Helper" options must be for this issue, but that doesn't appear to be the case because I've disabled all three and the Active FTP Helper trick is still working. The page I have been using for testing is the following: http://bedatec.dyndns.org/ftpnat/test.html So far the only thing that I have found that stopped access under certain circumstances is Thibor's "Filter Port Scanning" option - that seemed to kick in to prevent the trick working on the Nth port. However now that I've tasted the tomato I don't want to go back! The QoS stuff is great, the port forwarding allows you to forward to a different port (a feature that is sorely lacking in the stock and hyperWRT variants), etc. Tomato is great, but I would love to see this security hole filled - not necessarily by default, but at least optionally! (is there maybe some command I could run in a script to fix this in conntrack / netfilter?) Something else that seems strange to me is that even with full logging of incoming and outgoing connections, the incoming request on the Active FTP return port (in this case 5900) is never recorded... Is there any way to fix this?