Duane Arnold <notme@notme.com> wrote:
>floyd@apaflo.com (Floyd L. Davidson) wrote:
>> Duane Arnold <Notme@notme.com> wrote:
>>>
>>>If the 54g can stop outbound by using iptables a packet filter and is
>>>using SPI, then it's a moot point. And it comes close to a FW
>>>appliance and meets the FW definition but is not a FW appliance.
If we can get Duane Arnold to stop making assumptions about what a
firewall is or is not, and then stop making assumptions about what
iptables is or is not, we could make progress. It seems pretty slow
going though...
>> So why is it not a "FW appliance"? It fits all the
>> requirements...
>
>> Except of course that it runs Linux and has software and
>> functionality that Duane Arnold doesn't understand... :-)
Let's start off by noting *again* that iptables fits *all* of the
requirements you outlined in the past. Your false
generalizations taken from other sources that were *not*
discussing iptables have no significance and are confusing you.
Let's look at your definitions:
>That's because the router with its packet filter works at level 3 and
>level 4 of the OSI model. And if the router is using SPI, then SPI examines
>the packets between the network layer of the OSI model to the Application
>Layer of the OSI model to validate that the connection is valid and that
>protocols are behaving as expected,
Note that this and the beginning sentence in your description of
a "FW appliance" are virtually the same.
>it doesn't operate at the Application
>Gateway level of the OSI model. It doesn't break the client/server model;
>it doesn't have un-trusted and trusted zones.
The above is the part that is different.
>Whereas the FW appliance works at level 3 and 4 of the OSI model, examines
>the packets between the network layer of the OSI model to the Application
>Layer of the OSI model to validate that the connection is valid and that
>protocols are behaving as expected,
That is the part which is virtually identical in the description
of a router using packet filtering.
>operates at the Application Gateway
>level of the OSI model, breaks the client/server model, and has un-trusted
>and trusted zones.
And here is the different part.
So let's skip the similar parts, and examine what these differences are!
A router with filtering:
"doesn't operate at the Application Gateway level of the
OSI model. It doesn't break the client/server model; it
doesn't have un-trusted and trusted zones."
A "FW appliance":
"operates at the Application Gateway level of the OSI model,
breaks the client/server model, and has un-trusted and trusted
zones."
First, there is no "Application Gateway level" in the OSI model.
You are confused. An "application gateway" is a type of
firewall, which consists of a proxy server that does indeed break
the "client/server model" in that it breaks connections into two
segments, placing itself in the middle, and allows only traffic
which matches the rules it applies.
Second, in the identical parts of your descriptions you say that
they *both* (which is correct) operate up through the
Application Layer. Then you deny that for one and not for the
other. In fact Stateful Packet Inspection (SPI) does work all
the way up through the Application Layer.
Linux systems, of which the WRT54G is an example, implement
multilayer firewalls. Your insistence that if it provides
routing then it doesn't do "true" firewall functions, is *still*
*wrong*.
The WRT54G, for example, provides for proxies, port forwarding,
and a DMZ, all with dynamic packet filtering rules. It has all
of the functionality you require for a "FW appliance".
--
Floyd L. Davidson <http://web.newsguy.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska)
floyd@apaflo.com
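An added illustration, not part of the thread and not code from the WRT54G firmware: a toy Python model of the distinction argued above, a stateless per-packet ACL beside a stateful (SPI-style) filter that tracks connections between a trusted LAN zone and an untrusted WAN zone. The zone names and the 192.168.1.x / 203.0.113.x addresses are constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed sample topology: 192.168.1.0/24 is the trusted LAN behind the
# router, 203.0.113.0/24 (a documentation range) stands in for the Internet.
LAN_ZONE, WAN_ZONE = "lan", "wan"

@dataclass(frozen=True)
class Packet:
    zone: str                 # ingress zone: "lan" (trusted) or "wan" (untrusted)
    proto: str                # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = field(default_factory=frozenset)  # TCP flags present

def stateless_decide(p: Packet) -> str:
    """Per-packet ACL with no memory: WAN traffic counts as a reply if ACK is set."""
    if p.zone == LAN_ZONE:
        return "ACCEPT"
    return "ACCEPT" if "ACK" in p.flags else "DROP"

class StatefulFilter:
    """Keeps a flow table (like conntrack) so replies must match a known connection."""
    def __init__(self):
        self.table = set()  # tracked flows as (proto, src, sport, dst, dport)

    @staticmethod
    def _key(p: Packet) -> tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def decide(self, p: Packet) -> str:
        fwd, rev = self._key(p), (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.table or rev in self.table:
            return "ACCEPT-ESTABLISHED"   # part of a connection the LAN opened
        if p.zone != LAN_ZONE:
            return "DROP-UNSOLICITED"     # the untrusted zone never starts a flow
        if p.proto == "tcp" and p.flags != frozenset({"SYN"}):
            return "DROP-INVALID"         # a new TCP flow must open with a bare SYN
        self.table.add(fwd)               # trusted side opened it: remember it
        return "ACCEPT-NEW"

def run_demo() -> dict:
    """Replays three constructed packets through both filters; returns each verdict."""
    spi = StatefulFilter()
    client_syn = Packet(LAN_ZONE, "tcp", "192.168.1.10", 40000, "203.0.113.5", 80, frozenset({"SYN"}))
    server_synack = Packet(WAN_ZONE, "tcp", "203.0.113.5", 80, "192.168.1.10", 40000, frozenset({"SYN", "ACK"}))
    stray_ack = Packet(WAN_ZONE, "tcp", "203.0.113.9", 50000, "192.168.1.10", 22, frozenset({"ACK"}))
    return {"syn": (stateless_decide(client_syn), spi.decide(client_syn)),
            "synack": (stateless_decide(server_synack), spi.decide(server_synack)),
            "stray_ack": (stateless_decide(stray_ack), spi.decide(stray_ack))}
```

The third packet is the case that separates the two: it carries an ACK flag but belongs to no connection, so the flag-only ACL lets it through while the stateful filter drops it.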