On Wed, 26 Jul 2006 05:42:24 GMT, a?n?g?e?l@lovergirl.lrigrevol.moc.com
(The little lost angel) wrote:
>On Tue, 25 Jul 2006 15:23:18 -0400, George Macdonald
><fammacd=!SPAM^nothanks@tellurian.com> wrote:
>
>>>I've not seen a router firewall that will let me tell it to block port
>>>80, 443 for email clients and other dubious software attempting to
>>>dial home via http but still allow my browsers to go through.
>>
>>That should be a feature of the e-mail software - it *is* on Mozilla's
>>e-mail clients. Even 10 year-old Eudora had it.
>
>Yes, the option exists, but the email client itself might be the one
>dialing home ;)
>
>Furthermore, a software firewall catches accidental clicks on email
>links that launch the browser.
Protecting the inept from the inane? :-)
>And the email client is just one example; other apps have a tendency to
>want to dial home or do funny things that a software firewall will
>tell you about but a hardware one won't. e.g. the 2.0 beta version of
>Firefox will still attempt to connect to a Google database despite
>being told to use only a local list for phishing site protection.
>
>>>In what sense? The only problem I face with my network and the
>>>software firewall is the simple fact it takes processing power (<10%
>>>during heavy traffic) and inevitably adds some latency to packets (not
>>>a major concern unless you're gaming). Which is a small price to pay
>>>for the added security and control.
>>
>>In what sense? I just told you but you snipped it out. Firewalls do not
>Sorry I snipped it out because it did not make any sense to me.
>
>>work with advanced network interface features... the things which chipset
>>mfrs are touting as new, advanced, desirable features. They cause problems
>
>I'm not familiar with these networking hardware features so pardon me
>if this is a stupid question.
Maybe do a bit of searching & reading.
>Why and how would they cause problems with the firewall? My
>understanding is the firewall analyses the traffic on a higher layer
>than the hardware and should be acting before the data hits the
>hardware layer for outgoing and after the hardware layer for incoming.
>I don't see why they would interfere with each other.
I've already mentioned most of the "magic words": TCP/IP offload, TCP
Chimney, NetDMA... and then there's RSS (Receive Side Scaling). M$
themselves say that their Scalable Networking Pack implementation does not
work with any firewall - there's no API for TCP/IP offloading and any
firewall has to be specific to each hardware's implementation. They all do
some bypass of the TCP/IP stack. Like I said, M$ does not say what "don't
work" means but with a 3rd party firewall, the effect is anybody's guess...
hangs, bluescreens, crashes, reboots?
>>with accessing a domain; Windows Firewall has a sub-component service,
>>Windows Firewall Internet Connection Sharing, which is not even stopped
>>when Firewall is disabled, which severely degrades high speed local area
>>network performance.
>
>Well, in the first place, if you're using the Windows Firewall and
>ICS.... Those two are amongst the first things on my list of services
>to stop and disable on Windows, alongside things like Task Scheduler
>and Messenger. Honestly, why would anybody trust a firewall from big
>brother itself??? :ppPp
I'm not talking about ICS - the service is called "Windows Firewall
Internet Connection Sharing" - it is specific to Windows Firewall, is not
stopped by turning the firewall off and is started whether you have ICS
enabled or not. Most people, myself included, did not know it existed -
you'd have to scroll through the Services and it's not always obvious what
each service is responsible for... e.g. if you're not using DHCP Client,
you cannot turn the service off.
As for trusting "big brother", do you not now religiously download &
install Windows Updates? We didn't use to trust that... until Sasser and
SQL Slammer.
--
Rgds, George Macdonald
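A defender-side check for the two things George raises above (stack-bypassing TCP offload such as TCP Chimney and RSS, and the Windows Firewall/ICS service running independently of the firewall). This is an added example, not code from the thread or from Microsoft; it assumes Windows 8 / Server 2012 or later with the NetTCPIP and NetSecurity PowerShell modules, and uses SharedAccess, the short name Windows gives the "Windows Firewall/Internet Connection Sharing (ICS)" service.

```powershell
# Added example (not part of the original post): report the global TCP/IP
# offload settings the thread mentions alongside the state of the
# SharedAccess service and the host firewall profiles, so the combination
# "offload on, host firewall expected to inspect traffic" is visible.
# Assumes Get-NetOffloadGlobalSetting / Get-NetFirewallProfile exist
# (Windows 8 / Server 2012+) and PowerShell 5+ for $svc.StartType.
function Get-OffloadFirewallAudit {
    $offload  = Get-NetOffloadGlobalSetting
    $svc      = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
    $profiles = Get-NetFirewallProfile | Select-Object Name, Enabled

    [pscustomobject]@{
        # TCP Chimney is the feature that hands whole connections to the NIC,
        # bypassing the host stack that a software firewall hooks into.
        Chimney            = $offload.Chimney
        ReceiveSideScaling = $offload.ReceiveSideScaling
        TaskOffload        = $offload.TaskOffload
        SharedAccessState  = if ($svc) { $svc.Status }    else { 'NotInstalled' }
        SharedAccessStart  = if ($svc) { $svc.StartType } else { 'NotInstalled' }
        FirewallProfiles   = ($profiles | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ', '
    }
}

$audit = Get-OffloadFirewallAudit
$audit | Format-List

# Surface the mismatch the post warns about: offload active while at least
# one firewall profile is enabled and therefore assumed to be inspecting.
$anyProfileOn = (Get-NetFirewallProfile | Where-Object Enabled -eq $true).Count -gt 0
if ($audit.Chimney -ne 'Disabled' -and $anyProfileOn) {
    Write-Warning 'TCP Chimney is not disabled: offloaded connections may bypass host firewall inspection.'
}
if ($audit.SharedAccessState -eq 'Running' -and -not $anyProfileOn) {
    Write-Warning 'SharedAccess (Windows Firewall/ICS) is running although every firewall profile is off.'
}
```

Run it from an elevated prompt; on current Windows releases Chimney reports Disabled because the feature was removed, which is the expected result.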