07-26-2005, 11:10 AM
Re: 56k dial up on laptop 802.11G ?
Duane Arnold <Notme@notme.com> wrote:
>Floyd L. Davidson wrote:
>> The Linksys WRT54G series of wireless routers all have firewall
>> software.
>>
>
>No NAT router is running FW software in the traditional sense. The
>manufacturers of the product can hype it all they want as being a solution
>that's running FW software.
Lots of words, but what do you mean? What, for example, is "the
traditional sense"? I'm really hard pressed to see how the
Linux firewall is not a firewall...
>I suggest that you drop a line at comp.security.firewalls about a WRT54G or
>any other NAT (no FW) router being used in the home to people that make a
>living at it about this.
Well, I *did* go read comp.security.firewalls and searched with
google for articles about the WRT54G. I've seen a *lot* of
recommendations that say the WRT54G is a fine firewall...
>If the WRT54G can meet all the specs below, then it's an appliance running
>FW software. If the WRT54G cannot meet the specs, then it's not an
>appliance that's running FW software.
So tell us just what "spec" below is not fully met by the
standard Linux firewall in a WRT54G? And, please explain what
difference it makes whether it is an "appliance" or not?
>I know that the low-end Watchguard
>Firebox III SOHO 6 firewall appliance that I use meets those specs. I know
>that the 54G or any other Linksys NAT router or any NAT router for home
>usage period is not running FW software.
Why do you say that? I found one message where *you* provide a
URL, which says the WRT's firewall is "an advanced form of
firewall". I seem to recall where *you* had good things to say
about the firewall in Suse Linux.
You do realize that the WRT54G runs Linux and has the same
firewall built into the kernel as any other Linux, right? Do
you have a WRT54G, and/or know what is in it?
>The NAT routers are good enough in
>the protection as long as one is not doing high risk things like port
>forwarding.
Please explain what you mean. And be specific about how it
applies to a Linux router.
><snip>
>
>What does a firewall do?
>
>A firewall examines all traffic routed between the two networks to see if it
>meets certain criteria. If it does, it is routed between the networks,
>otherwise it is stopped. A firewall filters both inbound and outbound
>traffic. It can also manage public access to private networked resources
>such as host applications. It can be used to log all attempts to enter the
>private network and trigger alarms when hostile or unauthorized entry is
>attempted. Firewalls can filter packets based on their source and
>destination addresses and port numbers. This is known as address filtering.
>Firewalls can also filter specific types of network traffic. This is also
>known as protocol filtering because the decision to forward or reject
>traffic is dependent upon the protocol used, for example HTTP, ftp or
>telnet. Firewalls can also filter traffic by packet attribute or state.
>
><snip>
So what part of that is not being done in the WRT54G firewall?
I am certainly no expert on firewalls, but I just don't see a
thing in that list which the WRT54G doesn't do.
--
Floyd L. Davidson <http://web.newsguy.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) floyd@apaflo.com
07-26-2005, 02:33 PM
Re: 56k dial up on laptop 802.11G ?
floyd@apaflo.com (Floyd L. Davidson) wrote in
news:87k6jdzuta.fld@barrow.com:
> Duane Arnold <Notme@notme.com> wrote:
>>Floyd L. Davidson wrote:
>>> The Linksys WRT54G series of wireless routers all have firewall
>>> software.
>>>
>>
>>No NAT router is running FW software in the traditional sense. The
>>manufacturers of the product can hype it all they want as being a
>>solution that's running FW software.
>
> Lots of words, but what do you mean? What, for example, is "the
> traditional sense"? I'm really hard pressed to see how the
> Linux firewall is not a firewall...
The traditional sense being that packet filtering rules cannot be set on
the router that can stop both inbound and outbound traffic by port,
protocol, or IP.
I can set a rule with the Watchguard to do the following:
Rule stop outbound traffic
1) LAN IP(s) 192.168.111.2 through 192.168.111.5 outbound
2) Protocol HTTP
3) Remote destination IP(s) 207.169.222.56 through 207.169.222.60
Or rule to stop inbound
1) Remote IP 207.222.777.66 inbound
2) Port 119
3) LAN IP(s) 192.168.111.7 through 192.168.111.10
That's an example where I can set filtering rules with the Watchguard
that I cannot do with the 54g.
The 54G cannot set those rules.
>
>>I suggest that you drop a line at comp.security.firewalls about a
>>WRT54G or any other NAT (no FW) router being used in the home to
>>people that make a living at it about this.
>
> Well, I *did* go read comp.security.firewalls and searched with
> google for articles about the WRT54G. I've seen a *lot* of
> recommendations that say the WRT54G is a fine firewall...
I don't think the TOP Guns in that NG will consider the WRT54G to be an
appliance that's running a FW. If you have read something that indicates
that the 54G or any Linksys router is running FW software, then those
posts were by posters such as yourself with the misconception that a
Linksys router is running FW software or a NAT router for home usage is
running FW software. So again, I ask you to drop a line in the FW NG
about a Linksys NAT 54G or otherwise router as to it or them being an
appliance that's running FW software by those that use the product
solutions as part of their livelihood.
>
>>If the WRT54G can meet all the specs below, then it's an appliance
>>running FW software. If the WRT54G cannot meet the specs, then it's
>>not an appliance that's running FW software.
>
> So tell us just what "spec" below is not fully met by the
> standard Linux firewall in a WRT54G? And, please explain what
> difference it makes whether it is an "appliance" or not?
<snip>
A firewall examines all traffic routed between the two networks to see if
it meets certain criteria. If it does, it is routed between the networks,
otherwise it is stopped. A firewall filters both inbound and outbound
traffic. It can also manage public access to private networked resources
such as host applications. It can be used to log all attempts to enter
the private network and trigger alarms when hostile or unauthorized entry
is attempted. Firewalls can filter packets based on their source and
destination addresses and port numbers. This is known as address
filtering. Firewalls can also filter specific types of network traffic.
This is also known as protocol filtering because the decision to forward
or reject traffic is dependent upon the protocol used, for example HTTP,
ftp or telnet. Firewalls can also filter traffic by packet attribute or
state.
<snip>
The specs being that a FW solution whether it's running on an appliance
or a host solution running on a gateway computer using the specs above
can set filtering rules to *stop* inbound or outbound traffic by port,
protocol, IP or packet attribute.
So tell me where in the Wrt54g manual that the NAT router can set those
rules.
>
>>I know that the low-end Watchguard
>>Firebox III SOHO 6 firewall appliance that I use meets those specs. I
>>know that the 54G or any other Linksys NAT router or any NAT router for
>>home usage period is not running FW software.
>
> Why do you say that? I found one message where *you* provide a
> URL, which says the WRT's firewall is "an advanced form of
> firewall". I seem to recall where *you* had good things to say
> about the firewall in Suse Linux.
The software FW running on Suse Linux and the firmware running on the 54G
even though they are Linux solutions are not the same thing.
And I don't know where you got that about me saying that a WRT has an
advanced FW. If I did say it, then it was due to my ignorance about FW(s)
which has been corrected by the TOP Guns in the FW NG. The 54g has FW like
features but is not running FW software.
I also had good things to say about Vicomsoft's Windows Server based
network FW solution too.
>
> You do realize that the WRT54G runs Linux and has the same
> firewall built into the kernel as any other Linux, right? Do
> you have a WRT54G, and/or know what is in it?
Heck the BEFW11S4 v1 router I had was running a Linux solution.
Again I ask you to drop a line and ask the question to the Top Guns in
the FW NG about a Linksys NAT router running FW software. And as far as
that is concerned, my Watchguard is running Linux too.
>
>>The NAT routers are good enough in
>>the protection as long as one is not doing high risk things like port
>>forwarding.
>
> Please explain what you mean. And be specific about how it
> applies to a Linux router.
When I port forward 80 to an IP/machine behind the Watchguard that has a
Web server running, I am ensured that only HTTP traffic comes down that
port or if it was 20 and 21 that only FTP traffic comes down the ports,
dropping all other traffic that tries to come down the ports, as an
example.
>
>><snip>
>>
>>What does a firewall do?
>>
>>A firewall examines all traffic routed between the two networks to see
>>if it meets certain criteria. If it does, it is routed between the
>>networks, otherwise it is stopped. A firewall filters both inbound and
>>outbound traffic. It can also manage public access to private
>>networked resources such as host applications. It can be used to log
>>all attempts to enter the private network and trigger alarms when
>>hostile or unauthorized entry is attempted. Firewalls can filter
>>packets based on their source and destination addresses and port
>>numbers. This is known as address filtering. Firewalls can also filter
>>specific types of network traffic. This is also known as protocol
>>filtering because the decision to forward or reject traffic is
>>dependant upon the protocol used, for example HTTP, ftp or telnet.
>>Firewalls can also filter traffic by packet attribute or state.
>>
>><snip>
>
> So what part of that is not being done in the WRT54G firewall?
>
> I am certainly no expert on firewalls, but I just don't see a
> thing in that list which the WRT54G doesn't do.
>
Rule stop outbound traffic
1) LAN IP(s) 192.168.111.2 through 192.168.111.5 outbound
2) Protocol HTTP
3) Remote destination IP(s) 207.169.222.56 through 207.169.222.60
Internet IP(s)
Or rule to stop inbound
1) Remote IP 207.222.777.66 inbound Internet IP(s)
2) Port 119
3) LAN IP(s) 192.168.111.7 through 192.168.111.10
Stop outbound from a LAN IP
1) LAN IP 192.168.111.3
2) Ports 1-66535 TCP, UDP or protocol number
3) Destination LAN IP(s) *ANY*
4) OR 192.168.111.5 through 192.168.111.10
The link may help in understanding FW solutions and a packet filtering
router is no match to FW appliance, even a low-end FW appliance. http://www.more.net/technical/netserv/tcpip/firewalls/
I only bring this whole thing up because some people may have more plans
for his or her setup like hosting a Web server and should know the
difference between a packet filtering NAT router where one may or may not
be able to set rules as opposed to FW appliance and the differences. The
link above explains it in detail.
Again a NAT router is a border device and is good in the protection for
the average home user; until high risk things are done with the router
then all bets are off.
Duane :)
07-27-2005, 12:52 AM
Re: 56k dial up on laptop 802.11G ?
Duane Arnold <notme@notme.com> wrote:
>floyd@apaflo.com (Floyd L. Davidson)
>> Duane Arnold <Notme@notme.com> wrote:
>>>Floyd L. Davidson wrote:
>>>> The Linksys WRT54G series of wireless routers all have firewall
>>>> software.
>>>
>>>No NAT router is running FW software in the traditional sense. The
>>>manufacturers of the product can hype it all they want as being a
>>>solution that's running FW software.
>>
>> Lots of words, but what do you mean? What, for example, is "the
>> traditional sense"? I'm really hard pressed to see how the
>> Linux firewall is not a firewall...
>
>The traditional sense being that packet filtering rules cannot be set on
>the router that can stop both inbound and outbound traffic by port,
>protocol, or IP.
I am no expert on firewalls, but as near as I can tell this
example: http://www.linuxhelp.net/guides/iptables/
Suggests otherwise.
>I can set a rule with the Watchguard to do the following:
>
>Rule stop outbound traffic
>
>1) LAN IP(s) 192.168.111.2 through 192.168.111.5 outbound
>2) Protocol HTTP
>3) Remote destination IP(s) 207.169.222.56 through 207.169.222.60
>
>Or rule to stop inbound
>
>1) Remote IP 207.222.777.66 inbound
>2) Port 119
>3) LAN IP(s) 192.168.111.7 through 192.168.111.10
>
>That's an example where I can set filtering rules with the Watchguard
>that I cannot do with the 54g.
>
>The 54G cannot set those rules.
I don't see why not. As noted, I'm not much on firewalls, but
what I read in the man page for iptables seems to say that all
of the above can be done.
>I don't think the TOP Guns in that NG will consider the WRT54G to be an
>appliance that's running a FW. If you have read something that indicates
>that the 54G or any Linksys router is running FW software, then those
>posts were by posters such as yourself with the misconception that a
>Linksys router is running FW software or a NAT router for home usage is
>running FW software. So again, I ask you to drop a line in the FW NG
>about a Linksys NAT 54G or otherwise router as to it or them being an
>appliance that's running FW software by those that use the product
>solutions as part of their livelihood.
Hmmm... here is what you wrote, two years ago, in
Message-ID: <Xns93B6CCD8CC3C3notmenotmecom@204.127.204.17>
"That WRT54G doesn't have a firewall. It has NAT and SPI. A
router with a true firewall start at about $500 and up.
http://www.homenethelp.com/web/explain/about-NAT.asp"
However, when we look at the URL, it contradicts what you say
about SPI (emphasis added),
"Stateful packet inspection (SPI)
*Some* *NAT* *routers* *have* *an* *advanced* *form* *of* *firewall* *built*
*in* *that* *does* *'stateful* *packet* *inspection'*. ... SPI is a
general term that can describe a router that filters more
kinds of attacks than basic NAT by closely examining
packet data structures. http://www.homenethelp.com/web/explain/about-NAT.asp
Okay... So you at least know that the WRT54G does indeed have
both NAT and SPI. Some people at least say that SPI in itself
constitutes an "advanced" firewall. In fact though, what is
described as SPI might be different from one model/manufacturer
to another.
Here is a URL with a definition, and which *clearly* indicates
that the Linux implementation is indeed an "advanced form of
firewall". http://dmiessler.com/study/iptables/
>>>If the WRT54G can meet all the specs below, then it's an appliance
>>>running FW software. If the WRT54G cannot meet the specs, then it's
>>>not an appliance that's running FW software.
>>
>> So tell us just what "spec" below is not fully met by the
>> standard Linux firewall in a WRT54G? And, please explain what
>> difference it makes whether it is an "appliance" or not?
[repeat of previous "spec" deleted]
>The specs being that a FW solution whether it's running on an appliance
>or a host solution running on a gateway computer using the specs above
>can set filtering rules to *stop* inbound or outbound traffic by port,
>protocol, IP or packet attribute.
Yes yes, but the question was about just what part of that spec
is not fully met by a WRT54G. Near as I can tell, it does
everything on your list.
>So tell me where in the Wrt54g manual that the NAT router can set those
>rules.
Read the man page for /iptables/, which configures the kernel
firewall functionality.
....
>> Why do you say that? I found one message where *you* provide a
>> URL, which says the WRT's firewall is "an advanced form of
>> firewall". I seem to recall where *you* had good things to say
>> about the firewall in Suse Linux.
>
>The software FW running on Suse Linux and the firmware running on the 54G
>even though they are Linux solutions are not the same thing.
They are *identical*.
>> You do realize that the WRT54G runs Linux and has the same
>> firewall built into the kernel as any other Linux, right? Do
>> you have a WRT54G, and/or know what is in it?
>
>Heck the BEFW11S4 v1 router I had was running a Linux solution.
Did it have the kernel firewall modules enabled?
>Again I ask you to drop a line and ask the question to the Top Guns in
>the FW NG about a Linksys NAT router running FW software. And as far as
>that is concerned, my Watchguard is running Linux too.
And just what comparisons can you draw from "your" Watchguard
running Linux compared to other equipment (also running Linux).
Does your particular Watchguard use iptables?
>>>The NAT routers are good enough in
>>>the protection as long as one is not doing high risk things like port
>>>forwarding.
>>
>> Please explain what you mean. And be specific about how it
>> applies to a Linux router.
>
>When I port forward 80 to an IP/machine behind the Watchguard that has a
>Web server running, I am ensured that only HTTP traffic comes down that
>port or if it was 20 and 21 that only FTP traffic comes down the ports,
>dropping all other traffic that tries to come down the ports, as an
>example.
In fact I don't think that is true. But to whatever degree it
is true, the *exact* same functionality is available to the
WRT54G via iptables as is available to your Watchguard. In any
case I don't think it is examining the *data* load of a packet
and trying to parse whether it is indeed valid for any given
protocol.
>> I am certainly no expert on firewalls, but I just don't see a
>> thing in that list which the WRT54G doesn't do.
>>
>
>Rule stop outbound traffic
>
>1) LAN IP(s) 192.168.111.2 through 192.168.111.5 outbound
>2) Protocol HTTP
>3) Remote destination IP(s) 207.169.222.56 through 207.169.222.60
>Internet IP(s)
>
>Or rule to stop inbound
>
>1) Remote IP 207.222.777.66 inbound Internet IP(s)
>2) Port 119
>3) LAN IP(s) 192.168.111.7 through 192.168.111.10
>
>Stop outbound from a LAN IP
>
>1) LAN IP 192.168.111.3
>2) Ports 1-66535 TCP, UDP or protocol number
>3) Destination LAN IP(s) *ANY*
>4) OR 192.168.111.5 through 192.168.111.10
>
>The link may help in understanding FW solutions and a packet filtering
>router is no match to FW appliance, even a low-end FW appliance.
>
>http://www.more.net/technical/netserv/tcpip/firewalls/
So you actually think that iptables cannot do the same things?
>I only bring this whole thing up because some people may have more plans
>for his or her setup like hosting a Web server and should know the
>difference between a packet filtering NAT router where one may or may not
>be able to set rules as opposed to FW appliance and the differences. The
>link above explains it in detail.
How does that apply to our conversation about the firewall provided
by Linux?
>Again a NAT router is a border device and is good in the protection for
>the average home user; until high risk things are done with the router
>then all bets are off.
But NAT is not the only facility provided, right?
--
Floyd L. Davidson <http://web.newsguy.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) floyd@apaflo.com
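The disagreement in the two posts above comes down to whether the three Watchguard rules Duane listed (block outbound HTTP from a LAN range to a remote range, block inbound port 119 from one remote address to a LAN range, and cut one LAN host off from everything) are ordinary packet-filter rules that iptables can express. The following added example, which is not code from the thread or from either poster, models exactly those rules as a first-match packet filter and also renders each one as the iptables command that would express it. Everything outside the posted LAN ranges is an assumption: the remote address 207.222.777.66 in the post is not a valid IPv4 address, so the documentation address 203.0.113.66 stands in for it; the interface names br0 (LAN) and eth1 (WAN) are assumed; and the third rule is read as "any destination". The last check shows the point Floyd makes about payloads: a rule written as "Protocol HTTP" is really "TCP to port 80", and no bytes of the data load are inspected.

```python
"""Added example (not from the thread): Duane's three Watchguard-style rules
modelled as a packet filter and rendered as equivalent iptables commands.
Remote addresses outside the posted LAN ranges are constructed placeholders."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

Range = Tuple[IPv4Address, IPv4Address]          # inclusive address range
ANY: Range = (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255"))


def rng(first: str, last: str) -> Range:
    return IPv4Address(first), IPv4Address(last)


@dataclass(frozen=True)
class Rule:
    """A packet-filter rule: it looks only at direction, protocol, addresses
    and destination port. 'Protocol HTTP' therefore means 'TCP port 80'."""
    name: str
    direction: str          # "out" (LAN->WAN) or "in" (WAN->LAN)
    proto: Optional[str]    # "tcp", "udp" or None for any protocol
    src: Range
    dst: Range
    dport: Optional[int]    # None for any port
    action: str = "DROP"


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: IPv4Address
    dst: IPv4Address
    dport: int
    payload: bytes = b""    # carried along but never consulted by the filter


# Duane's three rules. 203.0.113.66 is a constructed stand-in for the
# invalid address in the post; the third rule is read as "any destination".
RULES: List[Rule] = [
    Rule("no-http-to-remote", "out", "tcp",
         rng("192.168.111.2", "192.168.111.5"),
         rng("207.169.222.56", "207.169.222.60"), 80),
    Rule("no-nntp-from-remote", "in", "tcp",
         rng("203.0.113.66", "203.0.113.66"),
         rng("192.168.111.7", "192.168.111.10"), 119),
    Rule("isolate-host-3", "out", None,
         rng("192.168.111.3", "192.168.111.3"), ANY, None),
]


def _in_range(addr: IPv4Address, r: Range) -> bool:
    return r[0] <= addr <= r[1]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and (rule.proto is None or rule.proto == pkt.proto)
            and _in_range(pkt.src, rule.src)
            and _in_range(pkt.dst, rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def verdict(pkt: Packet, rules: List[Rule] = RULES, default: str = "ACCEPT") -> str:
    """Walk the rule list top to bottom; the first match decides (chain semantics)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def to_iptables(rule: Rule, lan: str = "br0", wan: str = "eth1") -> str:
    """Render the rule as one FORWARD-chain command using the iprange match.
    Interface names are assumptions; adjust to the firmware in use."""
    parts = ["iptables", "-A", "FORWARD"]
    parts += ["-i", lan, "-o", wan] if rule.direction == "out" else ["-i", wan, "-o", lan]
    if rule.proto:
        parts += ["-p", rule.proto]
        if rule.dport is not None:          # --dport needs -p tcp/udp
            parts += ["--dport", str(rule.dport)]
    ranges = []
    if rule.src != ANY:
        ranges += ["--src-range", f"{rule.src[0]}-{rule.src[1]}"]
    if rule.dst != ANY:
        ranges += ["--dst-range", f"{rule.dst[0]}-{rule.dst[1]}"]
    if ranges:                               # iprange needs at least one range
        parts += ["-m", "iprange"] + ranges
    parts += ["-j", rule.action]
    return " ".join(parts)


if __name__ == "__main__":
    for r in RULES:
        print(to_iptables(r))
    web = Packet("out", "tcp", IPv4Address("192.168.111.4"),
                 IPv4Address("207.169.222.58"), 80, b"not http at all")
    print(verdict(web))   # DROP: port 80 matched, payload never examined
```

The rendered commands use only matches that exist in iptables (`-p`, `--dport`, `-m iprange --src-range/--dst-range`, `-j DROP`); they are shown as strings rather than executed because applying them needs root on the router itself. The constructed non-HTTP payload on port 80 gets the same verdict as real HTTP, which is what a port-and-address filter can and cannot tell apart.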
07-27-2005, 04:08 AM
Re: 56k dial up on laptop 802.11G ?
Floyd L. Davidson wrote:
> Duane Arnold <notme@notme.com> wrote:
>>floyd@apaflo.com (Floyd L. Davidson)
>>> Duane Arnold <Notme@notme.com> wrote:
>>>>Floyd L. Davidson wrote:
>>>>> The Linksys WRT54G series of wireless routers all have firewall
>>>>> software.
>>>>
>>>>No NAT router is running FW software in the traditional sense. The
>>>>manufacturers of the product can hype it all they want as being a
>>>>solution that's running FW software.
>>>
>>> Lots of words, but what do you mean? What, for example, is "the
>>> traditional sense"? I'm really hard pressed to see how the
>>> Linux firewall is not a firewall...
>>
>>The traditional sense being that packet filtering rules cannot be set on
>>the router that can stop both inbound and outbound traffic by port,
>>protocol, or IP.
>
> I am no expert on firewalls, but as near as I can tell this
> example:
>
> http://www.linuxhelp.net/guides/iptables/
>
> Suggests otherwise.
What does IPtables have to do with the out of the box firmware of a WRT54G
NAT router? OH, could it be that you're talking about firmware that is not
the out of the box firmware?
>
>>I can set a rule with the Watchguard to do the following:
>>
>>Rule stop outbound traffic
>>
>>1) LAN IP(s) 192.168.111.2 through 192.168.111.5 outbound
>>2) Protocol HTTP
>>3) Remote destination IP(s) 207.169.222.56 through 207.169.222.60
>>
>>Or rule to stop inbound
>>
>>1) Remote IP 207.222.777.66 inbound
>>2) Port 119
>>3) LAN IP(s) 192.168.111.7 through 192.168.111.10
>>
>>That's an example where I can set filtering rules with the Watchguard
>>that I cannot do with the 54g.
>>
>>The 54G cannot set those rules.
>
> I don't see why not. As noted, I'm not much on firewalls, but
> what I read in the man page for iptables seems to say that all
> of the above can be done.
>
What does IPtables have to do with the out of the box firmware of a WRT54G
NAT router? OH, could it be that you're talking about firmware that is not
the out of the box firmware?
>>I don't think the TOP Guns in that NG will consider the WRT54G to be an
>>appliance that's running a FW. If you have read something that indicates
>>that the 54G or any Linksys router is running FW software, then those
>>posts were by posters such as yourself with the misconception that a
>>Linksys router is running FW software or a NAT router for home usage is
>>running FW software. So again, I ask you to drop a line in the FW NG
>>about a Linksys NAT 54G or otherwise router as to it or them being an
>>appliance that's running FW software by those that use the product
>>solutions as part of their livelihood.
>
> Hmmm... here is what you wrote, two years ago, in
> Message-ID: <Xns93B6CCD8CC3C3notmenotmecom@204.127.204.17>
That's freakin' two years ago and is based on my knowledge then at the time.
>
> "That WRT54G doesn't have a firewall. It has NAT and SPI. A
> router with a true firewall start at about $500 and up.
>
> http://www.homenethelp.com/web/explain/about-NAT.asp"
>
> However, when we look at the URL, it contradicts what you say
> about SPI (emphasis added),
>
> "Stateful packet inspection (SPI)
>
> *Some* *NAT* *routers* *have* *an* *advanced* *form* *of* *firewall*
> *built*
> *in* *that* *does* *'stateful* *packet* *inspection'*. ... SPI is
> a general term that can describe a router that filters more
> kinds of attacks than basic NAT by closely examining
> packet data structures.
> http://www.homenethelp.com/web/explain/about-NAT.asp
Yeah, yeah true and the operative word there is *form* of a FW built in and
SPI alone doesn't make it an appliance running FW software in the
traditional sense. And you'll notice even then I was not calling the 54G
something that was running *true* FW software.
>
>
> Okay... So you at least know that the WRT54G does indeed have
> both NAT and SPI. Some people at least say that SPI in itself
> constitutes an "advanced" firewall. In fact though, what is
> described as SPI might be different from one model/manufacturer
> to another.
Yeah I know that.
So somehow you're going to tell me that NAT and SPI is a total FW solution
right and NAT is FW software.
>
> Here is a URL with a definition, and which *clearly* indicates
> that the Linux implementation is indeed an "advanced form of
> firewall".
>
> http://dmiessler.com/study/iptables/
What does IPtables have to do with the out of the box firmware of a WRT54G
NAT router? OH, could it be that you're talking about firmware that is not
the out of the box firmware?
>
>>>>If the WRT54G can meet all the specs below, then it's an appliance
>>>>running FW software. If the WRT54G cannot meet the specs, then it's
>>>>not an appliance that's running FW software.
>>>
>>> So tell us just what "spec" below is not fully met by the
>>> standard Linux firewall in a WRT54G? And, please explain what
>>> difference it makes whether it is an "appliance" or not?
> [repeat of previous "spec" deleted]
>
>>The specs being that a FW solution whether it's running on an appliance
>>or a host solution running on a gateway computer using the specs above
>>can set filtering rules to *stop* inbound or outbound traffic by port,
>>protocol, IP or packet attribute.
>
> Yes yes, but the question was about just what part of that spec
> is not fully met by a WRT54G. Near as I can tell, it does
> everything on your list.
I read the user manual for the Linksys WRT54G about its FW capabilities the
one out of the box. And I see nowhere that rules for inbound and outbound
traffic can be set like it can be set for packet filtering like they can be
for the WG. I see no ability to set a FW service for the Linksys like it
can be set for the WG.
>
>>So tell me where in the Wrt54g manual that the NAT router can set those
>>rules.
>
> Read the man page for /iptables/, which configures the kernel
> firewall functionality.
What does IPtables have to do with the out of the box firmware of a WRT54G
NAT router? OH, could it be that you're talking about firmware that is not
the out of the box firmware?
>
> ...
>>> Why do you say that? I found one message where *you* provide a
>>> URL, which says the WRT's firewall is "an advanced form of
>>> firewall". I seem to recall where *you* had good things to say
>>> about the firewall in Suse Linux.
>>
>>The software FW running on Suse Linux and the firmware running on the 54G
>>even though they are Linux solutions are not the same thing.
>
> They are *identical*.
What does IPtables have to do with the out of the box firmware of a WRT54G
NAT router? OH, could it be that you're talking about firmware that is not
the out of the box firmware?
>
>>> You do realize that the WRT54G runs Linux and has the same
>>> firewall built into the kernel as any other Linux, right? Do
>>> you have a WRT54G, and/or know what is in it?
>>
>>Heck the BEFW11S4 v1 router I had was running a Linux solution.
>
> Did it have the kernel firewall modules enabled?
The 11S4 V1 router came out the door with SPI and that was removed from the
firmware long ago because Linksys couldn't get it to work properly and it
was removed for all versions of the 11S4 router the last time I looked. SPI
was the only FW like feature the 11S4 routers had that I knew about the
last time I looked.
>
>>Again I ask you to drop a line and ask the question to the Top Guns in
>>the FW NG about a Linksys NAT router running FW software. And as far as
>>that is concerned, my Watchguard is running Linux too.
>
> And just what comparisons can you draw from "your" Watchguard
> running Linux compared to other equipment (also running Linux).
> Does your particular Watchguard use iptables?
What are you talking about here? How in the HELL did this conversation turn
from a WRT54G NAT router and its firmware out of the box to a WRT54G is now
running iptables? And what does iptables have to do with the WG that I am
using. I could care less about the WG using iptables. I could care less
about it using Linux as far as that is concerned. As long as the WG is
doing what I am asking it to do with the ability to set the rules I need
and it's other abilities, I could care less about it. It could be the
Mickey Mouse kernel I could care less about it. :)
>
>>>>The NAT routers are good enough in
>>>>the protection as long as one is not doing high risk things like port
>>>>forwarding.
>>>
>>> Please explain what you mean. And be specific about how it
>>> applies to a Linux router.
>>
>>When I port forward 80 to an IP/machine behind the Watchguard that has a
>>Web server running, I am ensured that only HTTP traffic comes down that
>>port or if it was 20 and 21 that only FTP traffic comes down the ports,
>>dropping all other traffic that tries to come down the ports, as an
>>example.
>
> In fact I don't think that is true. But to whatever degree it
> is true, the *exact* same functionality is available to the
> WRT54G via iptables as is available to your Watchguard. In any
> case I don't think it is examining the *data* load of a packet
> and trying to parse whether it is indeed valid for any given
> protocol.
Well you're wrong about it and I am going to go with what I have been told
by others who are *FW experts*, which you have indicated that you're not
one and they do make a living at and I suspect know more than you or I
about it.
>
>>> I am certainly no expert on firewalls, but I just don't see a
>>> thing in that list which the WRT54G doesn't do.
>>>
>>
>>Rule stop outbound traffic
>>
>>1) LAN IP(s) 192.168.111.2 through 192.168.111.5 outbound
>>2) Protocol HTTP
>>3) Remote destination IP(s) 207.169.222.56 through 207.169.222.60
>>Internet IP(s)
>>
>>Or rule to stop inbound
>>
>>1) Remote IP 207.222.777.66 inbound Internet IP(s)
>>2) Port 119
>>3) LAN IP(s) 192.168.111.7 through 192.168.111.10
>>
>>Stop outbound from a LAN IP
>>
>>1) LAN IP 192.168.111.3
>>2) Ports 1-66535 TCP, UDP or protocol number
>>3) Destination LAN IP(s) *ANY*
>>4) OR 192.168.111.5 through 192.168.111.10
>>
>>The link may help in understanding FW solutions and a packet filtering
>>router is no match to FW appliance, even a low-end FW appliance.
>>
>>http://www.more.net/technical/netserv/tcpip/firewalls/
>
> So you actually think that iptables cannot do the same things?
What are you talking about here? I looked at the user manual for the WRT54G
as it comes right out of the box. You show me where it's doing the above.
OH, could it be that you're talking about firmware that is not the out of
the box firmware?
>
>>I only bring this whole thing up because some people may have more plans
>>for his or her setup like hosting a Web server and should know the
>>difference between a packet filtering NAT router where one may or may not
>>be able to set rules as opposed to FW appliance and the differences. The
>>link above explains it in detail.
>
> How does that apply to our conversation about the firewall provided
> by Linux?
>
How did the conversation period come away from the firmware that comes with
the WRT54G NAT router out of the box? OH, could it be that you're talking
about firmware that is not the out of the box firmware?
>>Again a NAT router is a border device and is good in the protection for
>>the average home user; until high risk things are done with the router
>>then all bets are off.
>
> But NAT is not the only facility provided, right?
Yeah my WG uses NAT too. So what?
It's just like anything else, software can be implemented in a device to
enhance its abilities. The firmware that comes with the Linksys Wrt54g out
of the box doesn't meet the specs for something that's running FW software,
which is what I am talking about. I do know that the 54g has some 3rd party
firmware solutions that can be implemented that are apparently using iptables
and I am happy for you.
And I doubt that the 3rd party firmware that's running on the 54g using
iptables can match the abilities of my low-end WG firewall appliance or a
high-end one that cost thousands of dollars.
And most devices such as routers and FW appliances run Linux.
<snip>
Definitions of IPtables on the Web:
The Linux *packet filtering* tool that is used by SmoothWall to provide
firewalling capabilities. www.smoothwall.net/support/glossary.html
In computer networking, netfilter, along with its companion iptables, are
collectively a software extension to the Linux operating system that
implements a stateful firewall framework. It also enables other networking
features such as network address translation (NAT). Although netfilter is
an extension to Linux, it is included in all major Linux distributions that
use the 2.4 or 2.6 kernel. Netfilter does not work with Linux kernels older
than version 2.4.
en.wikipedia.org/wiki/Iptables
Or you can go read the information in the link I provided, which is snipped
below; packet filters have strengths and weaknesses. I am able to make the
adjustments and understand the differences between a packet filtering NAT
router and a FW appliance.
<snip>
Packet Filtering Router
A packet filtering router is a router configured to screen packets between
two networks. It routes traffic between the two networks and uses packet
filtering rules to permit or deny traffic. Implementing security with a
router is usually not that easy. Most routers were designed to route
traffic, not to provide firewall functionality, so the command interface
used for configuring rules and filters is neither simple nor intuitive.
Dual-homed Gateway
A dual-homed gateway typically sits behind the gateway (usually a router) to
the untrusted network and most often is a host system with two network
interfaces. Traffic forwarding on this system is disabled, thereby forcing
all traffic between the two networks to pass through some kind of
application gateway or proxy. Only gateways or proxies for the services
that are considered essential are installed on the system. This particular
architecture will usually require user authentication before access to the
gateway/proxy is allowed. Each proxy is independent of all other proxies on
the host system.
Firewall Appliance
A firewall appliance typically sits behind the gateway (usually a router) to
the untrusted network. This architecture resembles the *packet filtering*
router and *dual-homed Gateway* architectures in that all traffic must pass
through the appliance. In most instances these appliances come
pre-configured on their own box. They may also have other services built
in, such as Web servers and e-mail servers. Because they usually don't need
the extensive configuration that other firewalls often require, they are
touted as being much simpler and faster to use. Some manufacturers market
them as "plug-and-play" firewall solutions.
<snip>
07-27-2005, 09:19 AM
Re: 56k dial up on laptop 802.11G ?
Duane Arnold <Notme@notme.com> wrote:
>Floyd L. Davidson wrote:
>> http://www.linuxhelp.net/guides/iptables/
>>
>> Suggests otherwise.
>
>What does IPtables have to do with the out of the box firmware of a WRT54G
>NAT router? OH, could it be that you're talking about firmware that is not
>the out of the box firmware?
You didn't know that the WRT54G comes with iptables??? Out of
the box! Every time...
>What does IPtables have to do with the out of the box firmware of a WRT54G
>NAT router? OH, could it be that you're talking about firmware that is not
>the out of the box firmware?
I am talking out of the box...
>traditional sense. And you'll notice even then I was not calling the 54G a
>something that was running *true* FW software.
You were entirely wrong then, and don't seem to know much about
Linux or the WRT54G as a firewall now either.
>So somehow you're going to tell me that NAT and SPI is a total FW solution
>right and NAT is FW software.
Have I said the definition of a firewall you posted was not
good??? No... but you have yet to point out any way in which
the WRT54G does *not* fit that definition precisely.
>> http://dmiessler.com/study/iptables/
>
>What does IPtables have to do with the out of the box firmware of a WRT54G
>NAT router? OH, could it be that you're talking about firmware that is not
>the out of the box firmware?
The Linksys firmware uses iptables. Out of the box...
>I read the user manual for the Linksys WRT54G about its FW cababilities the
I haven't claimed that the Linksys documentation was good.
>> Read the man page for /iptables/, which configures the kernel
>> firewall functionality.
>
>What does IPtables have to do with the out of the box firmware of a WRT54G
>NAT router? OH, could it be that you're talking about firmware that is not
>the out of the box firmware?
Could it be that I actually know what the Linksys firmware does?
Hmmm...
>>>The software FW running on Suse Linux and the firmware running on the 54G
>>>even though they are Linux solutions are not the same thing.
>>
>> They are *identical*.
>
>What does IPtables have to do with the out of the box firmware of a WRT54G
>NAT router? OH, could it be that you're talking about firmware that is not
>the out of the box firmware?
Hmmm... cluelessness?
>> And just what comparisons can you draw from "your" Watchguard
>> running Linux compared to other equipment (also running Linix).
>> Does your particular Watchguard use iptables?
>
>What are you talking about here? How in the HELL did this conversation turn
>from a WRT54G NAT router and its firmware out of the box to a WRT54G is now
>running iptables? And I what does iptables have to do with the WG that I am
>using. I could care less about the WG using iptables. I could care less
>about it using Linux as far as that is concerned. As long is the WG is
>doing what I am asking it to do with the ability to set the rules I need
>and it's other abilities, I could care less about it. It could be the
>Mickey Mouse kernel I could care less about it. :)
These various parts of this conversation are what *you* brought
up, not me. The odd thing is that you don't seem to actually
know anything about the relationship between them.
>>>When I port forward 80 to an IP/machine behind the Watchguard that has a
>>>Web server running, I am insured that only HTTP traffic comes down that
>>>port or if it was 20 and 21 that only FTP traffic comes down the ports,
>>>dropping all other traffic that tries to come down the ports, as an
>>>example.
>>
>> In fact I don't think that is true. But to whatever degree it
>> is true, the *exact* same functionality is available to the
>> WRT54G via iptables as is available to your Watchguard. In any
>> case I don't think it is examining the *data* load of a packet
>> and trying parse whether it is indeed valid for any given
>> protocol.
>
>Well you're wrong about it and I am going to go with what I have been told
>by others who are *FW experts*, which you have indicated that you're not
>one and they do make a living at and I suspect know more than you or I
>about it.
Ask them then. (I'm not guessing, BTW.)
>> So you actually think that iptables cannot do the same things?
>
>What are you talking about here? I looked at the user manual for the WRT54G
>as it comes right out of the box. You show me where it's doing the above.
>OH, could it be that you're talking about firmware that is not the out of
>the box firmware?
The firmware out of the box has that capability; however, I
don't have any problem at all with using third party firmware
which provides a better interface to the already existing
firewall capability.
>> How does tht apply to our conversation about the firewall provided
>> by Linux?
>>
>How did the conversation period come away from the firmware that comes with
>the WRT545G NAT router out of the box? OH, could it be that you're talking
>about firmware that is not the out of the box firmware?
Could it be that you injected it, under the false assumption
that it was going to make your point?
>>>Again a NAT router is a border device and is good in the protection for
>>>the average home user; until high risk things are done with the router
>>>then all bets are off.
>>
>> But NAT is not the only facility provide, right?
>
>Yeah my WG uses NAT too. So what?
>
>It's just like anyting else, software can be implemented in a device to
>enhance its abilities. The firmware that comes with the Linksys Wrt54g out
>of the box doesn't meet the specs for something that's running FW software,
Except that it does.
>which is what I am talking about. I do know that the 54g has some 3rd party
>firmware solutions that can be implemented that's apparently using iptables
>and I am happy for you.
I see no problem with recommending that people purchase a WRT54G
with the intent to upgrade to a third party firmware release.
It is *not* some giant technical chasm that only some can leap.
>And I doubt that the 3rd party firmware that's running on the 54g using
>iptables can match the abilities of my low-end WG firewall appliance or a
>high-end one that cost thousands of dollars.
Actually, in some cases it may be significantly better, the same, or
perhaps only equal.
>And most devices such as routers and FW appliances run Linux.
And what you haven't yet understood is that they *all* use the
same firewall modules.
>Definitions of IPtables on the Web:
>
>The Linux *packet filtering* tool that is used by SmoothWall to provide
>firewalling capabilities. Top
>www.smoothwall.net/support/glossary.html
>
>In computer networking, netfilter, along with its companion iptables, are
>collectively a software extension to the Linux operating system that
>implements a stateful firewall framework. It also enables other networking
>features such as network address translation (NAT). Although netfilter is
>an extension to Linux, it is included in all major Linux distributions that
>use the 2.4 or 2.6 kernel. Netfilter does not work with Linux kernels older
>than version 2.4.
>en.wikipedia.org/wiki/Iptables
>
>Or you can go read the information in the link I provided, which is snipped
>below and packet filters has strength and weakness. I am able to make the
>adjustments and understand the differences between a packet filtering NAT
>router and a FW appliance.
So?
Your generic descriptions are useful for a generic
understanding, which you do appear to have.
Specific equipment, however, requires specific knowledge.
--
Floyd L. Davidson <http://web.newsguy.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) floyd@apaflo.com
07-27-2005, 12:11 PM
Re: 56k dial up on laptop 802.11G ?
floyd@apaflo.com (Floyd L. Davidson) wrote in news:87r7dkwqqw.fld@barrow.com:
> Duane Arnold <Notme@notme.com> wrote:
>>Floyd L. Davidson wrote:
>>> http://www.linuxhelp.net/guides/iptables/
>>>
>>> Suggests otherwise.
>>
>>What does IPtables have to do with the out of the box firmware of a
>>WRT54G NAT router? OH, could it be that you're talking about firmware
>>that is not the out of the box firmware?
>
> You didn't know that the WRT54G comes with iptables??? Out of
> the box! Every time...
I see no evidence of that based on the user manual I went on line at www.limksys.com that indicates that iptables is being used.
>
>>What does IPtables have to do with the out of the box firmware of a
>>WRT54G NAT router? OH, could it be that you're talking about firmware
>>that is not the out of the box firmware?
>
> I am talking out of the box...
I don't use the product and reading the information about the 54G, it
didn't appear that it was doing anything more than the other Linksys
routers out of the box.
>
>>traditional sense. And you'll notice even then I was not calling the
>>54G a something that was running *true* FW software.
> You were entirely wrong then, and don't seem to know much about
> Linux or the WRT54G as a firewall now either.
I never said that I did know a whole lot about a 54G NAT router or
IPtables since I don't have the need to use either one of them.
I use a Watchguard and I used a 11S4 and some other Linksys routers that
other people have had me take a look at, and none of them were then or are
now FW appliances.
And again, you should drop a line at comp.security.firewalls about a
Linksys 54G NAT router, which now is using a packet filter in the
firmware.
And I briefly looked at the FW on Linux and saw what I wanted and
disabled it since the machine is sitting behind the WG.
>
>>So somehow you're going to tell me that NAT and SPI is a total FW
>>solution right and NAT is FW software.
>
> Have I said the definition of a firewall you posted was not
> good??? No... but you have yet to point out any way in which
> the WRT54G does *not* fit that definition precisely.
Hey, just like you I am no expert at it either. There have been posts
made about D-link(s) and Netgear routers *high-end* models with most of
the bells on them that fall into the category of a network FW that the
54G seems to fall into based on the link I posted.
>
>>> http://dmiessler.com/study/iptables/
>>
>>What does IPtables have to do with the out of the box firmware of a
>>WRT54G NAT router? OH, could it be that you're talking about firmware
>>that is not the out of the box firmware?
>
> The Linksys firmware uses iptables. Out of the box...
>
>>I read the user manual for the Linksys WRT54G about its FW
>>cababilities the
>
> I haven't claimed that the Linksys documentation was good.
>
>>> Read the man page for /iptables/, which configures the kernel
>>> firewall functionality.
>>
>>What does IPtables have to do with the out of the box firmware of a
>>WRT54G NAT router? OH, could it be that you're talking about firmware
>>that is not the out of the box firmware?
>
> Could it be that I actually know what the Linksys firmware does?
> Hmmm...
For the 54G I guess you do. ;-)
>
>>>>The software FW running on Suse Linux and the firmware running on
>>>>the 54G even though they are Linux solutions are not the same thing.
>>>
>>> They are *identical*.
>>
>>What does IPtables have to do with the out of the box firmware of a
>>WRT54G NAT router? OH, could it be that you're talking about firmware
>>that is not the out of the box firmware?
>
> Hmmm... cluelessness?
I have used other Linksys routers so the 54G has a little more going for
it now. Hey what can I say about it?
>
>>> And just what comparisons can you draw from "your" Watchguard
>>> running Linux compared to other equipment (also running Linix).
>>> Does your particular Watchguard use iptables?
>>
>>What are you talking about here? How in the HELL did this conversation
>>turn from a WRT54G NAT router and its firmware out of the box to a
>>WRT54G is now running iptables? And I what does iptables have to do
>>with the WG that I am using. I could care less about the WG using
>>iptables. I could care less about it using Linux as far as that is
>>concerned. As long is the WG is doing what I am asking it to do with
>>the ability to set the rules I need and it's other abilities, I could
>>care less about it. It could be the Mickey Mouse kernel I could care
>>less about it. :)
>
> These various parts of this conversation are what *you* brought
> up, not me. The odd thing is that you don't seem to actually
> know anything about the relationship between them.
Is that right?
I am not using the 54g nor did I read any of your links so it took me a
minute to figure out what the Hell you were talking about.
>
>>>>When I port forward 80 to an IP/machine behind the Watchguard that
>>>>has a Web server running, I am insured that only HTTP traffic comes
>>>>down that port or if it was 20 and 21 that only FTP traffic comes
>>>>down the ports, dropping all other traffic that tries to come down
>>>>the ports, as an example.
>>>
>>> In fact I don't think that is true. But to whatever degree it
>>> is true, the *exact* same functionality is available to the
>>> WRT54G via iptables as is available to your Watchguard. In any
>>> case I don't think it is examining the *data* load of a packet
>>> and trying parse whether it is indeed valid for any given
>>> protocol.
>>
>>Well you're wrong about it and I am going to go with what I have been
>>told by others who are *FW experts*, which you have indicated that
>>you're not one and they do make a living at and I suspect know more
>>than you or I about it.
>
> Ask them then. (I'm not guessing, BTW.)
And neither am I, which I'll assume is based on your knowledge of IPtables.
However, since I am here using the WG product and used the FW services
provided on the product, I think I know a little something.
>
>>> So you actually think that iptables cannot do the same things?
>>
>>What are you talking about here? I looked at the user manual for the
>>WRT54G as it comes right out of the box. You show me where it's doing
>>the above. OH, could it be that you're talking about firmware that is
>>not the out of the box firmware?
>
> The firmware out of the box has that capability; however, I
> don't have any problem at all with using third party firmware
> which provides a better interface to the already existing
> firewall capability.
Well I have not paid too much attention to the 54G, since I don't have one
sitting in front of me.
>
>>> How does tht apply to our conversation about the firewall provided
>>> by Linux?
>>>
>>How did the conversation period come away from the firmware that comes
>>with the WRT545G NAT router out of the box? OH, could it be that
>>you're talking about firmware that is not the out of the box firmware?
>
> Could it be that you injected it, under the false assumption
> that it was going to make your point?
To be honest, I was not paying that much attention to any of your
conversation. And for me to make a point was not the case.
>
>>>>Again a NAT router is a border device and is good in the protection
>>>>for the average home user; until high risk things are done with the
>>>>router then all bets are off.
>>>
>>> But NAT is not the only facility provide, right?
>>
>>Yeah my WG uses NAT too. So what?
>>
>>It's just like anyting else, software can be implemented in a device
>>to enhance its abilities. The firmware that comes with the Linksys
>>Wrt54g out of the box doesn't meet the specs for something that's
>>running FW software,
>
> Except that it does.
I looked at the user manual at the site so I may have missed it, and I
did come through the FW pages too. It didn't appear to be able to set the
rules to the degree that I can with the WG. But it does have some rules
that can be set.
>
>>which is what I am talking about. I do know that the 54g has some 3rd
>>party firmware solutions that can be implemented that's apparently
>>using iptables and I am happy for you.
>
> I see no problem with recommending that people purchase a WRT54G
> with the intent to upgrade to a third party firmware release.
> It is *not* some giant technical chasm that only some can leap.
So where did I say not to use a 54G?
However, I'll never use a wireless NAT router in the trusted zone again
nor would I ever use a wireless WG Firebox SOHO 6 appliance either.
>
>>And I doubt that the 3rd party firmware that's running on the 54g
>>using iptables can match the abilities of my low-end WG firewall
>>appliance or a high-end one that cost thousands of dollars.
>
> Actually, in some cases it may be significantly better, the same, or
> perhaps only equal.
I doubt it.
>
>>And most devices such as routers and FW appliances run Linux.
>
> And what you haven't yet understood is that they *all* use the
> same firewall modules.
So what that they are all running Linux and all NAT routers are not
running FW software.
>
>>Definitions of IPtables on the Web:
>>
>>The Linux *packet filtering* tool that is used by SmoothWall to
>>provide firewalling capabilities. Top
>>www.smoothwall.net/support/glossary.html
>>
>>In computer networking, netfilter, along with its companion iptables,
>>are collectively a software extension to the Linux operating system
>>that implements a stateful firewall framework. It also enables other
>>networking features such as network address translation (NAT).
>>Although netfilter is an extension to Linux, it is included in all
>>major Linux distributions that use the 2.4 or 2.6 kernel. Netfilter
>>does not work with Linux kernels older than version 2.4.
>>en.wikipedia.org/wiki/Iptables
>>
>>Or you can go read the information in the link I provided, which is
>>snipped below and packet filters has strength and weakness. I am able
>>to make the adjustments and understand the differences between a
>>packet filtering NAT router and a FW appliance.
>
> So?
>
> Your generic descriptions are useful for a generic
> understanding, which you do appear to have.
>
> Specific equipment, however, requires specific knowledge.
>
No doubt, on the other hand that 54g may be better than I thought it was
but it cannot match the WG FW appliance.
And some NAT routers have more bells and whistles than others, and they
cannot outclass a FW appliance. They can come close.
Hey I am no expert in FW(s) and I continue to learn. IPtables is just a
packet filter running with Linux. MS has one too called IPsec and I have
used it to supplement the Linksys (no FW) NAT router I used to use and I
know it well. :)
http://www.petri.co.il/block_ping_tr...with_ipsec.htm
http://www.analogx.com/contents/articles/ipsec.htm
http://support.microsoft.com/?id=813878
I got to go; I have some tests I have to take for ASP.Net and SQL Server
2000 in the hopes of getting a contract.
BTW, I am through with the conversation about the 54G NAT router and
IPtables. :)
Duane :)
07-27-2005, 04:37 PM
Re: 56k dial up on laptop 802.11G ?
Can I muddy the waters with my opinions?
Ever wonder why the terms "firewall" and "router" are different and
haven't been combined into one? You don't hear about anyone selling a
"firewall router" or some similar conglomeration. That's because the
common definitions have changed somewhat since Cisco first invented
routers and are difficult to isolate.
These days, a firewall is anything that keeps the barbarians out of a
protected LAN. It can be NAT, PAT, SPI, dual bastion host, manual
inspection, or a dog sniffing packets, and still be considered a
functional firewall. How this is accomplished varies by technique,
complexity, topology.
A router is just something that glues two networks together. That was
the original purpose of routers and remains the same today. It's
assumed to operate at the IP level and make some decisions relating to
connecting two (or more) IP networks together. It does this by
inspecting the IP headers and sometimes the packet contents, and
making decisions based upon their contents.
The problem is that both firewalls and routers inspect packets and
make decisions, often in exactly the same way. Yet, their purposes
are different. Many of the examples previously offered of what
allegedly constitutes a firewall are actually examples of router functions.
For example, static routes to a remote office are a router function,
not a firewall function.
Unfortunately, the large amount of overlap between firewalls and
routers are where methinks the problem is hiding. Filtering by
service type can be considered both a router and firewall function.
Filtering by WAN side IP address is a firewall function. Controlling
outgoing traffic from the LAN is pure router. I once saw a list of
these features and their classification in a Cisco CCNE book somewhere
on my shelf, but I sold those and can't check.
So, how can one tell if it's a firewall, router, or both? Easy, by
the function it's performing. Duz the feature in question control
access from the WAN to the LAN? If so, it's a firewall feature. Duz
the feature in question control the way two networks are connected?
If so, then it's a router feature.
In my never humble opinion, any NAT router should be considered a
firewall because NAT controls access to the LAN from the WAN. How
well it does this, and to what level of control is another question
which methinks is at the heart of the current discussion. The WRT54G
comes stock with IP Tables which is the basis of most Linux firewall
implementations. (Well, I use IP Chains in FreeSCO). Dumping:
iptables -L
from my WRT54G will result in about 60 lines of definitions, which
methinks qualify by their complexity to be a suitable router. In
addition, most of these rules deal with internal/external traffic
control, which methinks qualifies as firewall functions. One of the
things I like about the WRT54G is that the router definitions give me
more firewall control than most cheapo routers. For example, I just
noticed that I have some filters in place to block IP's of spammers
that try dictionary attacks on my mail server, which is a firewall
feature.
Please feel free to continue the discussion. I find it interesting.
However, I would like to suggest that you both consider the
definitions of firewall and router in terms of what they do, rather
than in terms of how they function.
--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
AE6KS 831-336-2558
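Reading a 60-line `iptables -L` dump by hand is where the "what does it do" test above becomes concrete. The following is an added example (not Linksys firmware, and not code from anyone in this thread) that parses a constructed `iptables -L -n -v` style dump, reports each chain's default policy, and lists the rules that admit new connections arriving on the WAN interface, which is the WAN-to-LAN access control Jeff calls the firewall function; LAN-side and routing rules are left out of that list. The interface names (`vlan1` for WAN, `br0` for LAN), the addresses, and the dump itself are assumptions made up for illustration.

```python
"""Audit a constructed `iptables -L -n -v` dump: default policies per chain
and the rules that accept NEW traffic entering on the WAN interface."""
import re

WAN_IF = "vlan1"  # assumed WAN interface name for the sample dump

# Constructed sample in the shape of `iptables -L -n -v` output; not a real dump.
SAMPLE_DUMP = """\
Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  7200 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 3400  200K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   10   600 ACCEPT     tcp  --  vlan1  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
  900 54000 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8000    1M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  250 15000 ACCEPT     tcp  --  vlan1  br0     0.0.0.0/0            192.168.1.10         tcp dpt:80
 4000  240K ACCEPT     all  --  br0    vlan1   0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 500 packets, 30000 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")
# pkts bytes target prot opt in out source destination [extra match text]
RULE_RE = re.compile(
    r"^\s*\S+\s+\S+\s+(?P<target>\S+)\s+(?P<proto>\S+)\s+\S+\s+"
    r"(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$"
)


def parse_dump(text):
    """Return {chain: {"policy": str, "rules": [rule dicts in order]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue  # blank line or column header
        r = RULE_RE.match(line)
        if r:
            chains[current]["rules"].append(r.groupdict())
    return chains


def wan_entry_points(chains, wan_if=WAN_IF):
    """Rules that ACCEPT new (not ESTABLISHED) traffic arriving on the WAN side.
    INPUT covers the router itself, FORWARD covers hosts behind it; these are
    the WAN-to-LAN access decisions, i.e. the firewall features in Jeff's sense."""
    hits = []
    for chain in ("INPUT", "FORWARD"):
        for r in chains.get(chain, {}).get("rules", []):
            if r["target"] != "ACCEPT" or r["in"] != wan_if:
                continue
            if "ESTABLISHED" in r["extra"]:
                continue  # replies to LAN-initiated connections, not new access
            hits.append((chain, r["proto"], r["dst"], r["extra"].strip()))
    return hits


def audit(text):
    chains = parse_dump(text)
    return {
        "policies": {name: c["policy"] for name, c in chains.items()},
        "wan_entry_points": wan_entry_points(chains),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_DUMP)
    for chain, policy in report["policies"].items():
        print(f"{chain}: default policy {policy}")
    # Each entry is something the owner should be able to account for, e.g.
    # management on 8080 reachable from the WAN, or the port forward to the web host.
    for chain, proto, dst, match in report["wan_entry_points"]:
        print(f"  WAN may open {proto} to {dst} via {chain} ({match})")
```

Run against a real dump (`iptables -L -n -v` on the router), the two things to read first are exactly what the report prints: whether INPUT and FORWARD default to DROP, and which rules let the WAN initiate anything at all.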
07-27-2005, 08:17 PM
Re: 56k dial up on laptop 802.11G ?
Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote in news:2qbfe1d0rkdiv9ca958dh12mhu1ojgn62s@4ax.com:
> Can I muddy the waters with my opinions?
Why not?
>
> Ever wonder why the terms "firewall" and "router" are different and
> haven't been combined into one? You don't hear about anyone selling a
> "firewall router" or some similar conglomeration. That's because the
> common definitions have changed somewhat since Cisco first invented
> routers and are difficult to isolate.
>
> These days, a firewall is anything that keeps the barbarians out of a
> protected LAN. It can be NAT, PAT, SPI, dual bastion host, manual
> inspection, or a dog sniffing packets, and still be considered a
> functional firewall. How this is accomplished varies by technique,
> complexity, topology.
This is the definition as to what I consider a FW. I don't like to type
so I find what I need to find and I cut and paste.
<snip>
A firewall protects networked computers from intentional hostile
intrusion that could compromise confidentiality or result in data
corruption or denial of service. It may be a hardware device or a
software program running on a secure host computer. In either case, it
must have at least two network interfaces, one for the network it is
intended to protect, and one for the network it is exposed to. A firewall
sits at the junction point or gateway between the two networks, usually a
private network and a public network such as the Internet. The earliest
firewalls were simply routers. The term firewall comes from the fact that
by segmenting a network into different physical subnetworks, they limited
the damage that could spread from one subnet to another just like
firedoors or firewalls.
<snip>
>
> A router is just something that glues two networks together. That was
> the original purpose of routers and remains the same today. It's
> assumed to operate at the IP level and make some decisions relating to
> connecting two (or more) IP networks together. It does this by
> inspecting the IP headers and sometimes the packet contents, and
> making decisions based upon their contents.
>
> The problem is that both firewalls and routers inspect packets and
> make decisions, often in exactly the same way. Yet, their purposes
> are different. Many of the examples previously offered of what
> allegedly constitutes a firewall are actually definitions of what
> constitutes a firewall, are actually examples of router functions.
> For example, static routes to a remote office are a router function,
> not a firewall function.
Both solutions can use a packet filter so in some way they do set similar
types of rules and make similar types of decisions based on the rules
implemented.
>
> Unfortunately, the large amount of overlap between firewalls and
> routers are where methinks the problem is hiding. Filtering by
> service type can be considered both a router and firewall function.
> Filtering by WAN side IP address is a firewall function. Controlling
> outgoing traffic from the LAN is pure router. I once saw a list of
> these features and their classification in a Cisco CCNE book somewhere
> on my shelf, but I sold those and can't check.
>
> So, how can one tell if it's a firewall, router, or both? Easy, by
> the function it's performing. Duz the feature in question control
> access from the WAN to the LAN? If so, it's a firewall feature. Duz
> the feature in question control the way two networks are connected?
> If so, then it's a router feature.
>
> In my never humble opinion, any NAT router should be considered a
> firewall because NAT controls access to the LAN from the WAN. How
> well it does this, and to what level of control is another question
> which methinks is at the heart of the current discussion.
And I agree to disagree here about NAT. NAT is not FW software.
<snip>
By comparing the way NAT functions between two networks, and the way
packet screening methods function between two networks, you can see that
NAT does not adhere to the firewall definition. NAT does not control
access between the networks. Some may argue that NAT does control access
because you cannot "see" the internal network. NAT does this not by using
rules or filters, however, but through concealment. It hides the network
from outside users.
<snip>
> The WRT54G
> comes stock with IP Tables which is the basis of most Linux firewall
> implementations. (Well, I use IP Chains in FreeSCO). Dumping:
> iptables -L
> from my WRT54G will results in about 60 lines of definitions, which
> methinks qualify by their complexity to be a suitable router. In
> addition, most of these rules deal with internal/external traffic
> control, which methinks qualifies as firewall functions. One of the
> things I like about the WRT54G is that the router definitions give me
> more firewall control than most cheapo routers. For example, I just
> noticed that I have some filters in place to block IP's of spammers
> that try dictionary attacks on my mail server, which is a firewall
> feature.
This is where I think a packet filtering solution or packet filtering NAT
router falls short. And again I don't like to type.
<snip>
Packet filtering firewalls allow a direct connection to be made between
the two endpoints. Although this type of packet screening is configured
to allow or deny traffic between two networks, the client/server model is
never broken.
Packet filtering firewalls are fast and typically have no impact on
network performance, but it's usually an all-or-nothing approach. If
ports are open, they are open to all traffic passing through that port,
which in effect leaves a security hole in your network.
Defining rules and filters on a packet filtering firewall can be a
complex task. The network administrator must have a good understanding of
services and protocols to be able to translate the organization's
security requirements and needs into an accurate list of allow and deny
rules or filters. In some cases, the task of configuring rules or filters
may become so complicated that implementation is impossible. Lengthy
access rules or filters can have a negative impact on network performance
and be prone to error. As the number of rules or filters increases, so
does the amount of time it takes the firewall to make comparison
decisions and the chance that an inaccurate rule or filter will be added.
The accuracy of rules or filters on packet filtering firewalls can be
very difficult to test. Even if the rules and filters seem simple and
straightforward, verifying the correctness of a rule through testing can
be a time-consuming process. Sometimes testing results can be misleading
and inaccurate.
Packet filtering firewalls are prone to certain types of attacks. Since
packet inspection goes no deeper than the packet header information, this
method of packet screening is easier to circumvent and cannot protect
against attacks directed at the application level. There are three common
exploits to which packet filtering firewalls are susceptible. These are
IP spoofing, buffer overruns, and ICMP tunneling. IP spoofing is sending
your data and faking a source address that the firewall will trust.
Buffer overruns typically occur when data sizes inside a buffer exceed
what was allotted. ICMP tunneling allows a hacker to insert data into a
legitimate ICMP packet.
Packet filtering firewalls do not perform user authentication. Again,
this method of packet screening looks at information contained in the
packet header and bases decisions on that information alone.
<snip>
>
> Please feel free to continue the discussion. I find it interesting.
> However, I would like to suggest that you both consider the
> definitions of firewall and router in terms of what they do, rather
> than in terms of how they function.
>
>
>
And I consider the FW appliance to out class the packet filtering NAT
router with SPI, because the FW appliance's architecture resembles the
packet filtering router and dual-homed Gateway architectures and is able
to look at a deeper level along with other things like actually breaking
the client/server model between two end points, providing services etc.
However, I got nothing against NAT routers. They are a good first line of
defense, until you start doing high risk things like port forwarding.
There is something to be said about book and practical knowledge. I use
them both, and I have been doing so since 1971 when I first entered the
computer industry.
BTW, Linux is not the greatest thing since *Air, Water and Fire*. ;-)
Duane :)
07-28-2005, 12:53 AM
Re: 56k dial up on laptop 802.11G ?
On Wed, 27 Jul 2005 20:17:11 GMT, Duane Arnold <notme@notme.com>
wrote:
>And I agree to disagree here about NAT. NAT is not FW software.
Well, that depends on whether you subscribe to my definition of a
firewall. The way I understand the moving target definition, a
firewall is literally anything that defends your network against
external attack. It could be a guard dog that's trained to sniff
hostile packets and bark when they appear. Whatever works.
>By comparing the way NAT functions between two networks, and the way
>packet screening methods function between two networks, you can see that
>NAT does not adhere to the firewall definition.
Agreed, by your definition that's correct. However, I don't subscribe
to your definition of a firewall, which describes how a firewall
operates, without recognizing what a firewall does. It's a rather
fine distinction and subject to considerable creativity in
interpretation. However, I don't see any reason you couldn't be more
specific in the type of firewall by adding the appropriate qualifier.
NAT firewall
SPI firewall
packet filter firewall
bastion host firewall
dual bastion host with DMZ firewall
proxy server firewall
barking guard dog sniffer firewall
Depending upon whom you ask, all or some of these are considered
"true" firewalls.
>NAT does not control
>access between the networks. Some may argue that NAT does control access
>because you cannot "see" the internal network. NAT does this not by using
>rules or filters, however, but through concealment. It hides the network
>from outside users.
That's what I was going to say. If you can't "see", "access", or
"hack" my LAN, it must have some kind of firewall protecting it. How
it does the job is irrelevant. It's still a firewall.
Actually, there's another problem. If an NAT firewall is not a real
firewall, what is it? To the best of my knowledge, there's no trade
name or function definition for NAT other than "NAT firewall". Did I
miss (or forget) one?
Incidentally, please cite the source if you're going to quote, borrow,
plagiarize, or paraphrase. I've seen far too many partial quotes
taken out of context.
>Packet filtering firewalls allow a direct connection to be made between
>the two endpoints.
Absolute baloney. There's nothing in a firewall that connects
anything. It's the router function that provides the end to end
connection. The firewall doesn't connect anything. There are purists
that will proclaim that NAT is an abomination because it breaks the
end to end connection definition required for "real" TCP/IP
networking. I don't subscribe to this exception, but you won't have
much trouble finding people that agree.
>Although this type of packet screening is configured
>to allow or deny traffic between two networks, the client/server model is
>never broken.
Right. Now, how does this differ *in* *FUNCTION* with an NAT
firewall? As far as I can determine, they serve exactly the same
purpose. Again, it really depends on whether you subscribe to my
functional definition. Apparently you do not.
>And I consider the FW appliance to out class the packet filtering NAT
>router with SPI, because the FW appliance's architecture resembles the
>packet filtering router and dual-homed Gateway architectures and is able
>to look at a deeper level along with other things like actually breaking
>the client/server model between two end points, providing services etc.
I'll happily discuss the relative merits of various firewall
architectures if you want. However, that's not the current issue.
It's whether an NAT firewall is considered a "real" firewall and
whether the WRT54G is a "real" firewall. Floyd and I say they are and
you say they're not.
>However, I got nothing against NAT routers. They are a good first line of
>defense, until you start doing high risk things like port forwarding.
There are other ways of breaking NAT firewalls. Spoofing source
addresses that appear to be coming from inside the firewall is a good
start. Automatic port forwarding, as in Universal Plug-n-Play is
another fundamental security problem. Yeah, they're not the greatest
but it doesn't take much to make them secure enough for home use.
>There is something to be said about book and practical knowledge. I use
>them both, and I have been doing so since 1971 when I first entered the
>computer industry.
Well, I did battle with my first computah in about 1965 with the IBM
1620. I then graduated to the 7090 and 1140. When IBM wouldn't hire
me as a customer engineer, I switched to radio and didn't get back
into computahs until about 1976 with various timeshare services. The
first PC was an Apple ][, Apple III, TRS-80 (various models), Vic-20,
assorted S100 kludges, and finally, in 1981, I bought the first IBM PC
to be sold out the door at the Santa Clara Computerland. In 1983, I
celebrated getting fired from a job by declaring myself a consultant
simultaneously in RF and computers, which I've been doing through
today. There were a bunch of diversions in there, but they have
little to do with RF or computers.
>BTW, Linux is not the greatest thing since *Air, Water and Fire*. ;-)
What makes you think I'm a Linux fanatic? My forte is SCO Unix
OpenServer 5, ODT 3.2v4.2, and Xenix. I are not a programmist. I'm
doing Linux because it's a good fit for most of my customers, because
I'm greedy and can get it free, and because SCO did some really
politically incorrect things. If you dive into comp.unix.sco.misc,
you'll find quite a bit of my postings. I didn't even bother with
alternative firmware for the WRT54G until Floyd convinced me it was
worth my time trying and learning.
--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831.336.2558 voice http://www.LearnByDestroying.com
# http://802.11junk.com
# jeffl@comix.santa-cruz.ca.us
# jeffl@cruzio.com AE6KS
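The screening the two posts argue over, as an added example (not code from the thread, from the more.net page Duane pasted, or from the WRT54G firmware): a small Python model of a NAT router with stateful packet inspection. Assumed for the example: a 192.168.1.0/24 LAN behind the single public address 203.0.113.7 (documentation ranges), port numbers kept unchanged across the NAT, and for ICMP the echo identifier carried in both port fields. It shows the anti-spoofing drop Jeff mentions, why return traffic gets back in without any port forward, why one port forward changes that, and why a ping reply carrying attacker data (the ICMP tunneling case from the pasted list) is still accepted, because the filter reads headers only.

```python
import ipaddress
from dataclasses import dataclass

# Assumed addressing for this example (not from the thread): a stock-style
# 192.168.1.0/24 LAN behind one public WAN address from the documentation range.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
WAN_IP = ipaddress.ip_address("203.0.113.7")
# Source ranges that can never legitimately arrive on the WAN side.
BOGON_SOURCES = [LAN_NET] + [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter reads, plus the payload it does not.
    For icmp, sport and dport both carry the echo identifier (a modelling
    convenience assumed for the example)."""
    iface: str            # "wan" or "lan": interface the packet arrived on
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""       # tcp flags, e.g. "S" for a new connection attempt
    payload: bytes = b""


class StatefulNatFilter:
    """Screening a home NAT router with SPI applies at its WAN interface."""

    def __init__(self, port_forwards=None):
        # (proto, remote_ip, remote_port, local_port) -> LAN host that opened it
        self.conntrack = {}
        # WAN dport -> LAN host; anything here is the 'port forwarding' exposure
        self.port_forwards = dict(port_forwards or {})

    def decide(self, pkt):
        """Return (verdict, reason) for one packet; verdict is ACCEPT or DROP."""
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)

        if pkt.iface == "lan":
            if src not in LAN_NET:
                return "DROP", "LAN packet with non-LAN source"
            # Outbound: record the flow so its reply can return, SNAT to WAN_IP.
            self.conntrack[(pkt.proto, pkt.dst, pkt.dport, pkt.sport)] = pkt.src
            return "ACCEPT", f"outbound, SNAT {pkt.src}->{WAN_IP}"

        # Everything below is WAN ingress.
        if any(src in net for net in BOGON_SOURCES):
            # Anti-spoofing: the Internet cannot hand us a packet claiming an
            # inside (or any private) source; without this check such a packet
            # could match conntrack or a forward as if it were trusted.
            return "DROP", "spoofed source address"
        if dst != WAN_IP:
            return "DROP", "not addressed to our WAN address"

        lan_host = self.conntrack.get((pkt.proto, pkt.src, pkt.sport, pkt.dport))
        if lan_host is not None:
            # Reply to a flow a LAN host opened. The payload is never read, so a
            # ping reply stuffed with attacker data (an ICMP tunnel) is accepted.
            return "ACCEPT", f"established, DNAT {WAN_IP}->{lan_host}"

        if pkt.proto in ("tcp", "udp") and pkt.dport in self.port_forwards:
            # Unsolicited traffic delivered to a LAN host: the 'high risk' case.
            return "ACCEPT", f"port forward {pkt.dport}->{self.port_forwards[pkt.dport]}"

        return "DROP", "unsolicited inbound"


def demo():
    """Walk constructed packets (not captured traffic) through the filter."""
    wan = str(WAN_IP)
    fw = StatefulNatFilter()
    out = fw.decide(Packet("lan", "192.168.1.10", "198.51.100.5", "tcp", 40000, 80, "S"))
    reply = fw.decide(Packet("wan", "198.51.100.5", wan, "tcp", 80, 40000, "SA"))
    spoof = fw.decide(Packet("wan", "192.168.1.10", wan, "tcp", 1, 22, "S"))
    scan = fw.decide(Packet("wan", "198.51.100.9", wan, "tcp", 5555, 22, "S"))
    fw.decide(Packet("lan", "192.168.1.10", "198.51.100.5", "icmp", 7, 7))
    tunnel = fw.decide(Packet("wan", "198.51.100.5", wan, "icmp", 7, 7,
                              payload=b"not a normal ping payload"))
    exposed = StatefulNatFilter({22: "192.168.1.10"}).decide(
        Packet("wan", "198.51.100.9", wan, "tcp", 5555, 22, "S"))
    return {"outbound": out, "reply": reply, "spoof": spoof, "scan": scan,
            "icmp_tunnel": tunnel, "forwarded": exposed}


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{name:12} {verdict:6} {reason}")
```

The model deliberately has no rule language: the "rules" are the four checks in `decide`, which is why it never sees the accuracy or performance problems the pasted text attributes to long filter lists, and also why the only thing standing between the Internet and a LAN host is the conntrack table and the port-forward table. A real iptables ruleset on a WRT54G does the same work with `-m state --state ESTABLISHED,RELATED` plus a source-address drop on the WAN interface; the model is for reading, not for deployment.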
07-28-2005, 01:30 AM
Re: 56k dial up on laptop 802.11G ?
"Jeff Liebermann" <jeffl@comix.santa-cruz.ca.us> wrote in message
news:no8ge19j4m06uor610u67me8ejj40dmbdt@4ax.com...
> On Wed, 27 Jul 2005 20:17:11 GMT, Duane Arnold <notme@notme.com>
> wrote:
>
>>And I agree to disagree here about NAT. NAT is not FW software.
>
> Well, that depends on whether you subscribe to my definition of a
> firewall. The way I understand the moving target definition, a
> firewall is literally anything that defends your network against
> external attack. It could be a guard dog that's trained to sniff
> hostile packets and bark when they appear. Whatever works.
>
>>By comparing the way NAT functions between two networks, and the way
>>packet screening methods function between two networks, you can see that
>>NAT does not adhere to the firewall definition.
>
> Agreed, by your definition that's correct. However, I don't subscribe
> to your definition of a firewall, which describes how a firewall
> operates, without recognizing what a firewall does. It's a rather
> fine distinction and subject to considerable creativity in
> interpretation. However, I don't see any reason you couldn't be more
> specific in the type of firewall by adding the appropriate qualifier.
> NAT firewall
> SPI firewall
> packet filter firewall
> bastion host firewall
> dual bastion host with DMZ firewall
> proxy server firewall
> barking guard dog sniffer firewall
> Depending upon whom you ask, all or some of these are considered
> "true" firewalls.
>
>>NAT does not control
>>access between the networks. Some may argue that NAT does control access
>>because you cannot "see" the internal network. NAT does this not by using
>>rules or filters, however, but through concealment. It hides the network
>>from outside users.
>
> That's what I was going to say. If you can't "see", "access", or
> "hack" my LAN, it must have some kind of firewall protecting it. How
> it does the job is irrelevant. It's still a firewall.
>
> Actually, there's another problem. If an NAT firewall is not a real
> firewall, what is it? To the best of my knowledge, there's no trade
> name or function definition for NAT other than "NAT firewall". Did I
> miss (or forget) one?
>
> Incidentally, please cite the source if you're going to quote, borrow,
> plagiarize, or paraphrase. I've seen far too many partial quotes
> taken out of context.
>
>>Packet filtering firewalls allow a direct connection to be made between
>>the two endpoints.
>
> Absolute baloney. There's nothing in a firewall that connects
> anything. It's the router function that provides the end to end
> connection. The firewall doesn't connect anything. There are purists
> that will proclaim that NAT is an abomination because it breaks the
> end to end connection definition required for "real" TCP/IP
> networking. I don't subscribe to this exception, but you won't have
> much trouble finding people that agree.
http://www.more.net/technical/netserv/tcpip/firewalls/
There you go about where I got it from and are you a FW .
>
>>Although this type of packet screening is configured
>>to allow or deny traffic between two networks, the client/server model is
>>never broken.
>
> Right. Now, how does this differ *in* *FUNCTION* with an NAT
> firewall? As far as I can determine, they serve exactly the same
> purpose. Again, it really depends on whether you subscribe to my
> functional definition. Apparently you do not.
>
>>And I consider the FW appliance to out class the packet filtering NAT
>>router with SPI, because the FW appliance's architecture resembles the
>>packet filtering router and dual-homed Gateway architectures and is able
>>to look at a deeper level along with other things like actually breaking
>>the client/server model between two end points, providing services etc.
>
> I'll happily discuss the relative merits of various firewall
> architectures if you want. However, that's not the current issue.
> It's whether an NAT firewall is considered a "real" firewall and
> whether the WRT54G is a "real" firewall. Floyd and I say they are and
> you say they're not.
>
>>However, I got nothing against NAT routers. They are a good first line of
>>defense, until you start doing high risk things like port forwarding.
>
> There are other ways of breaking NAT firewalls. Spoofing source
> addresses that appear to be coming from inside the firewall is a good
> start. Automatic port forwarding, as in Universal Plug-n-Play is
> another fundamental security problem. Yeah, they're not the greatest
> but it doesn't take much to make them secure enough for home use.
>
>>There is something to be said about book and practical knowledge. I use
>>them both, and I have been doing so since 1971 when I first entered the
>>computer industry.
>
> Well, I did battle with my first computah in about 1965 with the IBM
> 1620. I then graduated to the 7090 and 1140. When IBM wouldn't hire
> me as a customer engineer, I switched to radio and didn't get back
> into computahs until about 1976 with various timeshare services. The
> first PC was an Apple ][, Apple III, TRS-80 (various models), Vic-20,
> assorted S100 kludges, and finally, in 1981, I bought the first IBM PC
> to be sold out the door at the Santa Clara Computerland. In 1983, I
> celebrated getting fired from a job by declaring myself a consultant
> simultaneously in RF and computers, which I've been doing through
> today. There were a bunch of diversions in there, but they have
> little to do with RF or computers.
>
>>BTW, Linux is not the greatest thing since *Air, Water and Fire*. ;-)
>
> What makes you think I'm a Linux fanatic? My forte is S