Duane Arnold <notme@notme.com> wrote:
>floyd@apaflo.com (Floyd L. Davidson) wrote:
>> Duane Arnold <Notme@notme.com> wrote:
>>>
>>>If the 54g can stop outbound by using iptables a packet filter and is
>>>using SPI, then it's a moot point. And it comes close to a FW
>>>appliance and meets the FW definition but is not a FW appliance.
If we can get Duane Arnold to stop making assumptions about what a
firewall is or is not, and then stop making assumptions about what
iptables is or is not, we could make progress. It seems pretty slow
going though...
>> So why is it not a "FW appliance"? It fits all the
>> requirements...
>
>> Except of course that it runs Linux and has software and
>> functionality that Duane Arnold doesn't understand... :-)
Let's start off by noting *again* that iptables fits *all* of the
requirements you outlined in the past. Your false
generalizations taken from other sources that were *not*
discussing iptables have no significance and are confusing you.
Let's look at your definitions:
>That's because the router with its packet filter works at level 3 and
>level 4 of the OSI model. And if the router is using SPI, then SPI examines
>the packets between the network layer of the OSI model to the Application
>Layer of the OSI model to validate that the connection is valid and that
>protocols are behaving as expected,
Note that this and the beginning sentence in your description of
a "FW appliance" are virtually the same.
>it doesn't operate at the Application
>Gateway level of the OSI model. It doesn't break the client/server model;
>it doesn't have un-trusted and trusted zones.
The above is the part that is different.
>Whereas the FW appliance works at level 3 and 4 of the OSI model, examines
>the packets between the network layer of the OSI model to the Application
>Layer of the OSI model to validate that the connection is valid and that
>protocols are behaving as expected,
That is the part which is virtually identical in the description
of a router using packet filtering.
>operates at the Application Gateway
>level of the OSI model, breaks the client/server model, and has un-trusted
>and trusted zones.
And here is the different part.
So let's skip the similar parts, and examine what these differences are!
A router with filtering:
"doesn't operate at the Application Gateway level of the
OSI model. It doesn't break the client/server model; it
doesn't have un-trusted and trusted zones."
A "FW appliance":
"operates at the Application Gateway level of the OSI model,
breaks the client/server model, and has un-trusted and trusted
zones."
First, there is no "Application Gateway level" in the OSI model.
You are confused. An "application gateway" is a type of
firewall, which consists of a proxy server that does indeed break
the "client/server model" in that it breaks connections into two
segments, placing itself in the middle, and allows only traffic
which matches the rules it applies.
Second, in the identical parts of your descriptions you say that
they *both* (which is correct) operate up through the
Application Layer. Then you deny that for one and not for the
other. In fact Stateful Packet Inspection (SPI) does work all
the way up through the Application Layer.
Linux systems, of which the WRT54G is an example, implement
multilayer firewalls. Your insistence that if it provides
routing then it doesn't do "true" firewall functions, is *still*
*wrong*.
The WRT54G, for example, provides for proxies, port forwarding,
and a DMZ, all with dynamic packet filtering rules. It has all
of the functionality you require for a "FW appliance".
--
Floyd L. Davidson <http://web.newsguy.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) floyd@apaflo.com
Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
[Another cogent discussion of the issues]
>Summary: In my opinion, ANYTHING that protects access to an inside
>LAN from an outside WAN is a firewall. I don't care how said
>protection is accomplished.
I'm with Jeff, a NAT firewall protects LAN computers from direct
attack from the Internet, and counts as a firewall. Sure, there are
better, more configurable, more complicated firewalls, but NAT is a
perfectly fine response to most folks' need for a firewall.
floyd@apaflo.com (Floyd L. Davidson) wrote in
news:87slxyqp6b.fld@barrow.com:
> Duane Arnold <notme@notme.com> wrote:
>>floyd@apaflo.com (Floyd L. Davidson) wrote:
>>> Duane Arnold <Notme@notme.com> wrote:
>>>>
>>>>If the 54g can stop outbound by using iptables a packet filter and
>>>>is using SPI, then it's a moot point. And it comes close to a FW
>>>>appliance and meets the FW definition but is not a FW appliance.
>
> If we can get Duane Arnold to stop making assumptions about what a
> firewall is or is not, and then stop making assumptions about what
> iptables is or is not, we could make progress. It seems pretty slow
> going though...
>
>>> So why is it not a "FW appliance"? It fits all the
>>> requirements...
>>
>>> Except of course that it runs Linux and has software and
>>> functionality that Duane Arnold doesn't understand... :-)
>
> Let's start off by noting *again* that iptables fits *all* of the
> requirements you outlined in the past. Your false
> generalizations taken from other sources that were *not*
> discussing iptables have no significance and are confusing you.
>
> Let's look at your definitions:
>
>>That's because the router with its packet filter works at level 3 and
>>level 4 of the OSI model. And if the router is using SPI, then SPI
>>examines the packets between the network layer of the OSI model to the
>>Application Layer of the OSI model to validate that the connection is
>>valid and that protocols are behaving as expected,
>
> Note that this and the beginning sentence in your description of
> a "FW appliance" are virtually the same.
>
>>it doesn't operate at the Application
>>Gateway level of the OSI model. It doesn't break the client/server
>>model; it doesn't have un-trusted and trusted zones.
>
> The above is the part that is different.
>
>>Whereas the FW appliance works at level 3 and 4 of the OSI model,
>>examines the packets between the network layer of the OSI model to the
>>Application Layer of the OSI model to validate that the connection is
>>valid and that protocols are behaving as expected,
>
> That is the part which is virtually identical in the description
> of a router using packet filtering.
>
>>operates at the Application Gateway
>>level of the OSI model, breaks the client/server model, and has
>>un-trusted and trusted zones.
>
> And here is the different part.
>
> So let's skip the similar parts, and examine what these differences
> are!
>
> A router with filtering:
>
> "doesn't operate at the Application Gateway level of the
> OSI model. It doesn't break the client/server model; it
> doesn't have un-trusted and trusted zones."
>
> A "FW appliance":
>
> "operates at the Application Gateway level of the OSI model,
> breaks the client/server model, and has un-trusted and trusted
> zones."
>
> First, there is no "Application Gateway level" in the OSI model.
> You are confused. An "application gateway" is a type of
> firewall, which consists of a proxy server that does indeed break
> the "client/server model" in that it breaks connections into two
> segments, placing itself in the middle, and allows only traffic
> which matches the rules it applies.
So I gather that you looked that up somewhere.
The FW appliance has it. So my wording of it is wrong of what the OSI title
is and that is off. The FW appliance uses an Application gateway/proxy FW
and operates at the Application Level of the OSI model.
>
> Second, in the identical parts of your descriptions you say that
> they *both* (which is correct) operate up through the
> Application Layer. Then you deny that for one and not for the
> other.
> In fact Stateful Packet Inspection (SPI) does work all
> the way up through the Application Layer.
SPI provides Application level protocol awareness. SPI doesn't break the
client/server model like the Application/proxy gateway FW. And neither does
the packet filtering FW, from what I understand.
>
> Linux systems, of which the WRT54G is an example, implement
> multilayer firewalls. Your insistence that if it provides
> routing then it doesn't do "true" firewall functions, is *still*
> *wrong*.
At this point I am not saying that the 54g doesn't fit the definition of a
network FW. My view of the 54G router was based on the other Linksys
products that cannot do what the 54G is apparently doing from the ones I
have seen to date. If I am going to choose between the two, I am going with
a FW appliance every time and not a router, which I consider the 54g to be
a packet filtering FW router. If I go with something like a 54g, then it's
going to sit outside the trusted zone of a FW appliance and VPN into the FW
appliance, simply because it's wireless.
>
> The WRT54G, for example, provides for proxies, port forwarding,
> and a DMZ, all with dynamic packet filtering rules. It has all
> of the functionality you require for a "FW appliance".
Show me some documentation verifying that the 54g router has been classified to
be a FW appliance and not a packet filtering NAT FW router.
Duane Arnold <notme@notme.com> wrote:
>floyd@apaflo.com (Floyd L. Davidson) wrote:
>> So lets skip the similar parts, and examine what these differences
>> are!
>>
>> A router with filtering:
>>
>> "doesn't operate at the Application Gateway level of the
>> OSI model. It doesn't break the client/server model; it
>> doesn't have un-trusted and trusted zones."
>>
>> A "FW appliance":
>>
>> "operates at the Application Gateway level of the OSI model,
>> breaks the client/server model, and has un-trusted and trusted
>> zones."
>>
>> First, there is no "Application Gateway level" in the OSI model.
>> You are confused. An "application gateway" is a type of
>> firewall, which consist of a proxy server that does indeed break
>> the "client/server model" in that it breaks connections into two
>> segments, placing itself in the middle, and allows only traffic
>> which matches the rules it applies.
>
>So I gather that you looked that up somewhere.
Apparently *you* just now looked it up...
On the other hand I've been dealing with the difference, which you
don't even seem to be aware of, between the OSI Layered Model and
the reality of TCP/IP since the OSI Layered Model first appeared.
>The FW appliance has it. So my wording of it is wrong of what the OSI title
>is and that is off. The FW appliance uses an Application gateway/proxy FW
>and operates at the Application Level of the OSI model.
That is correct. Note that the Linux kernel provides the same
functionality. The difference is merely whether it is done in
user space or kernel space. That would indeed be of
significance *if* this was a firewall on the same platform that
is actually running the application (e.g., a ftp server or httpd
server); but we are talking about a separate unit that has only
Ethernet connectivity to the hardware which runs the servers.
Hence it makes no difference whether it is done in user space or
in kernel space; other than which name is then attached to it.
>> Second, in the identical parts of your descriptions you say that
>> they *both* (which is correct) operate up through the
>> Application Layer. Then you deny that for one and not for the
>> other.
>
>> In fact Stateful Packet Inspection (SPI) does work all
>> the way up through the Application Layer.
>
>SPI provides Application level protocol awareness. SPI doesn't break the
>client/server model like the Application/proxy gateway FW. And neither does
>the packet filtering FW, from what I understand.
SPI doesn't, but of course if it is combined with a proxy
server, the functionality is exactly the same.
The fact that it provides NAT firewall functionality does not
prevent it from also providing SPI firewall functionality (which
you originally claimed and have now finally admitted does
happen).
The fact that it provides SPI firewall functionality does not
prevent it from also providing the same functionality as an
Application Gateway firewall too (proxies and applications
specific rules).
And in fact there are several genuine "Application Gateway
Firewall" products that do run under Linux. You might consider
why it is that none of them have been ported to the WRT54G!
(The answer is because it would add nothing to the existing
functionality.)
>> Linux systems, of which the WRT54G is an example, implement
>> multilayer firewalls. Your insistence that if it provides
^^^^^^^^^^^^^^^^^^^^^
>> routing then it doesn't do "true" firewall functions, is *still*
>> *wrong*.
>
>At this point I am not saying that the 54g doesn't fit the definition of a
>network FW.
You are still making false statements though.
At this point you have finally admitted that it is a "network"
firewall... But you were just claiming that it did not provide
the same services as a "Firewall Appliance", which you then
defined with a description which fit the WRT54G quite well.
>My view of the 54G router was based on the other Linksys
Which is to say you haven't got any idea what the WRT54G does
or does not do.
>products that cannot do what the 54G is apparently doing from the ones I
>have seen to date.
And despite the differences being pointed out many times, you
still insist on making false comparisons, using generic
definitions that don't necessarily apply to any given specific
piece of equipment, much less to the one we are discussing.
>If I am going to choose between the two, I am going with
>a FW appliance every time and not a router,
Of course if you need a router behind that FW appliance, that
just rings the bell labeled "stupid".
And it doesn't get any better if you don't need a "router" but
end up paying twice the price for something that isn't any
better.
>which I consider the 54g to be
>a packet filtering FW router.
Who cares what you "consider" it to be? You don't know what it
is and have admitted it.
>If I go with something like a 54g, then it's
>going to sit outside the trusted zone of a FW appliance and VPN into the FW
>appliance, simply because it's wireless.
Of course many of us are using them with the wireless turned
off. Moreover, with something like DD-WRT firmware it is easy
to reconfigure the vlan/bridge and isolate the wireless through
the firewall.
What you are still missing is that it is *far* more versatile
than you have imagined.
>> The WRT54G, for example, provides for proxies, port forwarding,
>> and a DMZ, all with dynamic packet filtering rules. It has all
>> of the functionality you require for a "FW appliance".
>
>Show me some documentation verifying that the 54g router has been classified to
>be a FW appliance and not a packet filtering NAT FW router.
I could care less whether anyone has or not "classified" it as
this or that. The point is that we *know* that it has the
functionality that *you* used to define "a FW appliance".
--
Floyd L. Davidson <http://web.newsguy.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) floyd@apaflo.com
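The three designs argued over in the two posts above (a header-only packet filter, SPI keeping a connection table in the manner of conntrack, and an application gateway that breaks the client/server model by terminating the connection itself) as a small Python model. This is an added example, not code from the thread or from any WRT54G firmware; every address, port and packet in it is constructed.

```python
from dataclasses import dataclass

# Constructed addresses: 192.168.1.0/24 is the trusted zone; the firewall's WAN
# address and the outside hosts use documentation (TEST-NET) ranges.
LAN_PREFIX = "192.168.1."
GATEWAY_IP = "203.0.113.1"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # TCP flag names present, e.g. frozenset({"SYN"})
    payload: bytes = b""

    @property
    def from_lan(self) -> bool:
        return self.src.startswith(LAN_PREFIX)


def stateless_filter(pkt: Packet) -> bool:
    """Header-only packet filter (OSI layers 3/4): with no memory of earlier
    packets, anything inbound that is not a bare SYN is taken for a reply."""
    if pkt.from_lan:
        return True
    return not ("SYN" in pkt.flags and "ACK" not in pkt.flags)


class SPIFilter:
    """Stateful packet inspection in the spirit of Linux conntrack: inbound
    packets pass only if they belong to a flow the trusted side opened."""

    def __init__(self) -> None:
        self.conntrack = set()  # entries: (src, sport, dst, dport)

    def accept(self, pkt: Packet) -> bool:
        if pkt.from_lan:
            if "SYN" in pkt.flags:
                self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True         # outbound allowed, as on a default WRT54G
        # reply direction: swap the endpoints and look the flow up
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack


def looks_like_http_request(payload: bytes) -> bool:
    """Minimal HTTP/1.x request-line check used by the gateway below."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return (len(parts) == 3 and parts[0] in {b"GET", b"HEAD", b"POST"}
            and parts[1].startswith(b"/")
            and parts[2] in {b"HTTP/1.0", b"HTTP/1.1"})


class ApplicationGateway:
    """Proxy firewall for HTTP: the client's connection ends at the gateway,
    which opens its own connection to the server and relays only payloads it
    can parse as HTTP. The server never talks to the client directly."""

    def __init__(self) -> None:
        self.spi = SPIFilter()  # state for the gateway's own WAN-side flows
        self.relayed = []       # packets sent by the gateway on the client's behalf
        self._next_port = 50000

    def accept(self, pkt: Packet) -> bool:
        if not pkt.from_lan:
            return self.spi.accept(pkt)  # replies to the gateway's own flows
        if pkt.dport != 80:
            return False                 # no proxy for that service
        if not pkt.payload:
            return True                  # handshake terminates at the gateway
        if not looks_like_http_request(pkt.payload):
            return False                 # port 80, but the payload is not HTTP
        sport, self._next_port = self._next_port, self._next_port + 1
        self.spi.conntrack.add((GATEWAY_IP, sport, pkt.dst, pkt.dport))
        self.relayed.append(Packet(GATEWAY_IP, sport, pkt.dst, pkt.dport,
                                   pkt.flags, pkt.payload))
        return True


def run_scenario() -> dict:
    """Constructed traffic: a LAN client fetching a page and the reply, an
    outsider's unsolicited ACK-only probe, and a non-HTTP stream to port 80."""
    client, server, outsider = "192.168.1.10", "198.51.100.7", "198.51.100.9"
    spi, gw = SPIFilter(), ApplicationGateway()
    syn = Packet(client, 40000, server, 80, frozenset({"SYN"}))
    req = Packet(client, 40000, server, 80, frozenset({"ACK", "PSH"}),
                 b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")
    reply = Packet(server, 80, client, 40000, frozenset({"ACK", "PSH"}), b"HTTP/1.1 200 OK\r\n\r\n")
    probe = Packet(outsider, 443, client, 40000, frozenset({"ACK"}))
    tunnel = Packet(client, 40001, server, 80, frozenset({"ACK", "PSH"}), b"\x16\x03\x01 not http")
    for p in (syn, req):
        spi.accept(p)
        gw.accept(p)
    reply_to_gw = Packet(server, 80, GATEWAY_IP, gw.relayed[0].sport, reply.flags, reply.payload)
    return {
        "reply_spi": spi.accept(reply),             # passes: flow was opened from inside
        "probe_stateless": stateless_filter(probe), # passes: header alone looks like a reply
        "probe_spi": spi.accept(probe),             # dropped: no such flow in the table
        "tunnel_spi": spi.accept(tunnel),           # passes: port 80 is just port 80 to SPI
        "tunnel_gateway": gw.accept(tunnel),        # dropped: payload does not parse as HTTP
        "relayed_src": gw.relayed[0].src,           # the server sees the gateway as client
        "reply_gateway": gw.accept(reply_to_gw),    # passes: reply to the gateway's own flow
        "reply_client_direct": gw.accept(reply),    # dropped: nothing reaches the client directly
    }
```

The verdict dict shows where each design draws its line: the stateless filter is fooled by a bare ACK, SPI is not, and only the gateway notices that what is on port 80 is not HTTP.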
William P. N. Smith wrote:
>Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
>[Another cogent discussion of the issues]
>>Summary: In my opinion, ANYTHING that protects access to an inside
>>LAN from an outside WAN is a firewall. I don't care how said
>>protection is accomplished.
>
>I'm with Jeff, a NAT firewall protects LAN computers from direct
>attack from the Internet, and counts as a firewall. Sure, there are
>better, more configurable, more complicated firewalls, but NAT is a
>perfectly fine response to most folks' need for a firewall.
That is all true.
Here is what Duane originally said:
>No Linksys router has a FW. The NAT router has SPI maybe and
>some other FW like features. And it can be used as part of a
>total FW solution as a border device. But it's not an
>appliance that is running FW software, even if it is running
>SPI.
My response was:
The Linksys WRT54G series of wireless routers all have
firewall software.
He still wants to argue it... even though I've demonstrated
that every bit of functionality that he claims is required for
his "FW appliance" is in fact available from a WRT54G.
--
Floyd L. Davidson <http://web.newsguy.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) floyd@apaflo.com
floyd@apaflo.com (Floyd L. Davidson) wrote in
news:87ek9hjeum.fld@barrow.com:
>
>
> Here is what Duane originally said:
>
> >No Linksys router has a FW. The NAT router has SPI maybe and
> >some other FW like features. And it can be used as part of a
> >total FW solution as a border device. But it's not an
> >appliance that is running FW software, even if it is running
> >SPI.
>
> My response was:
>
> The Linksys WRT54G series of wireless routers all have
> firewall software.
>
> He still wants to argue it... even though I've demonstrated
> that every bit of functionality that he claims is required for
> his "FW appliance" is in fact available from a WRT54G.
>
The only thing you have proven to me is that 54G is a packet filtering FW
NAT router and nothing else, which I didn't consider it was before. That's
all you have done here and nothing else. You're not going to convince me
otherwise that it is outclassing a FW appliance.
You can talk about the 54g until the *cows* come home, it's not going to
happen.
Duane Arnold <notme@notme.com> wrote:
>floyd@apaflo.com (Floyd L. Davidson) wrote:
>> Here is what Duane originally said:
>>
>> >No Linksys router has a FW. The NAT router has SPI maybe and
>> >some other FW like features. And it can be used as part of a
>> >total FW solution as a border device. But it's not an
>> >appliance that is running FW software, even if it is running
>> >SPI.
>>
>> My response was:
>>
>> The Linksys WRT54G series of wireless routers all have
>> firewall software.
>>
>> He still wants to argue it... even though I've demonstrated
>> that every bit of functionality that he claims is required for
>> his "FW appliance" is in fact available from a WRT54G.
>>
>
>The only thing you have proven to me is that 54G is a packet filtering FW
>NAT router and nothing else, which I didn't consider it was before. That's
>all you have done here and nothing else. You're not going to convince me
>otherwise that it is outclassing a FW appliance.
>
>You can talk about the 54g until the *cows* come home, it's not going to
>happen.
That is probably all true. But the point is that your false
statements have been countered with facts.
I can't educate you about either what a FW appliance is or how
that compares to any of the common Linux based router/firewalls.
But we *can* leave an archived thread that will prevent others
from trusting anything you say about it.
--
Floyd L. Davidson <http://web.newsguy.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) floyd@apaflo.com
floyd@apaflo.com (Floyd L. Davidson) wrote in
news:87ack6scby.fld@barrow.com:
> "Duane Arnold" <Notme@Notme.com> wrote:
>>"Floyd L. Davidson" <floyd@apaflo.com> wrote in message
>>news:874qaeu0sc.fld@barrow.com...
>>> Duane Arnold <notme@notme.com> wrote:
>>>>
>>>>BTW, Linux is not the greatest thing since *Air, Water and Fire*. ;-)
>>>
>>> It certainly looks as if much of what you post is colored with the
>>> fear that Linux might be just exactly that.
>>>
>>> You might be right too.
>>
>>Linux is just another O/S, it's just another program written by fallible
>>Human Beings,
>
> It is just another, *better*, OS. That's all. I'd recommend
> highly that you start learning unix systems, whether it is Linux
> or one of the BSD's or Solaris or whatever. It might help you
> avoid some of these off the wall statements about firewalls that
> you've been making!
>
>> just another fly in the ointment and you're a little man. ;-)
>
> You seem to have nothing left but ad hominem...
>
> Who does that make "little"?
>
Linux has not put one dime in my pockets and most likely it never will.
Linux is just another O/S out of several I have used over the years. You
think Linux is all that, then think it. ;-)
floyd@apaflo.com (Floyd L. Davidson) wrote in
news:87ll3oj22q.fld@barrow.com:
> Duane Arnold <notme@notme.com> wrote:
>>floyd@apaflo.com (Floyd L. Davidson) wrote:
>>> Here is what Duane originally said:
>>>
>>> >No Linksys router has a FW. The NAT router has SPI maybe and
>>> >some other FW like features. And it can be used as part of a
>>> >total FW solution as a border device. But it's not an
>>> >appliance that is running FW software, even if it is running
>>> >SPI.
>>>
>>> My response was:
>>>
>>> The Linksys WRT54G series of wireless routers all have
>>> firewall software.
>>>
>>> He still wants to argue it... even though I've demonstrated
>>> that every bit of functionality that he claims is required for
>>> his "FW appliance" is in fact available from a WRT54G.
>>>
>>
>>The only thing you have proven to me is that 54G is a packet filtering
>>FW NAT router and nothing else, which I didn't consider it was before.
>>That's all you have done here and nothing else. You're not going to
>>convince me otherwise that it is outclassing a FW appliance.
>>
>>You can talk about the 54g until the *cows* come home, it's not going
>>to happen.
>
> That is probably all true. But the point is that your false
> statements have been countered with facts.
>
> I can't educate you about either what a FW appliance is or how
> that compares to any of the common Linux based router/firewalls.
> But we *can* leave an archived thread that will prevent others
> from trusting anything you say about it.
>
I am beginning to think that you're some kind of a nut. You can take the
fucking 54g, Linux, the kernel, Iptables, NAT, SPI, proxies and whatever
else you deem necessary and stick it all right up your ass. ;-)
"Floyd L. Davidson" <floyd@apaflo.com> wrote in message
news:87irytjf94.fld@barrow.com...
> Duane Arnold <notme@notme.com> wrote:
>>floyd@apaflo.com (Floyd L. Davidson) wrote:
>>> So lets skip the similar parts, and examine what these differences
>>> are!
>>>
>>> A router with filtering:
>>>
>>> "doesn't operate at the Application Gateway level of the
>>> OSI model. It doesn't break the client/server model; it
>>> doesn't have un-trusted and trusted zones."
>>>
>>> A "FW appliance":
>>>
>>> "operates at the Application Gateway level of the OSI model,
>>> breaks the client/server model, and has un-trusted and trusted
>>> zones."
>>>
>>> First, there is no "Application Gateway level" in the OSI model.
>>> You are confused. An "application gateway" is a type of
>>> firewall, which consist of a proxy server that does indeed break
>>> the "client/server model" in that it breaks connections into two
>>> segments, placing itself in the middle, and allows only traffic
>>> which matches the rules it applies.
>>
>>So I gather that you looked that up somewhere.
>
> Apparently *you* just now looked it up...
Yeah the same place you did.
>
> On the other hand I've been dealing with the difference, which you
> don't even seem to be aware of, between the OSI Layered Model and
> the reality of TCP/IP since the OSI Layered Model first appeared.
>
>>The FW appliance has it. So my wording of it is wrong of what the OSI
>>title
>>is and that is off. The FW appliance uses an Application gateway/proxy FW
>>and operates at the Application Level of the OSI model.
And apparently that's all you have been doing over the years too. Maybe you
should work on something else for a change of pace; that gets boring, doesn't
it?
>
> That is correct. Note that the Linux kernel provides the same
> functionality. The difference is merely whether it is done in
> user space or kernel space. That would indeed be of
> significance *if* this was a firewall on the same platform that
> is actually running the application (e.g., a ftp server or httpd
> server); but we are talking about a separate unit that has only
> Ethernet connectivity to the hardware which runs the servers.
> Hence it makes no difference whether it is done in user space or
> in kernel space; other than which name is then attached to it.
>
>>> Second, in the identical parts of your descriptions you say that
>>> they *both* (which is correct) operate up through the
>>> Application Layer. Then you deny that for one and not for the
>>> other.
>>
>>> In fact Stateful Packet Inspection (SPI) does work all
>>> the way up through the Application Layer.
>>
>>SPI provides Application level protocol awareness. SPI doesn't break the
>>client/server model like the Application/proxy gateway FW. And neither does
>>the packet filtering FW, from what I understand.
>
> SPI doesn't, but of course if it is combined with a proxy
> server, the functionality is exactly the same.
The operative word is proxy server.
>
> The fact that it provides NAT firewall functionality does not
> prevent it from also providing SPI firewall functionality (which
> you originally claimed and have now finally admitted does
> happen).
>
> The fact that it provides SPI firewall functionality does not
> prevent it from also providing the same functionality as an
> Application Gateway firewall too (proxies and applications
> specific rules).
Oh, so now SPI is an Application Gateway FW -- OK.
>
> And in fact there are several genuine "Application Gateway
> Firewall" products that do run under Linux. You might consider
> why it is that none of them have been ported to the WRT54G!
> (The answer is because it would add nothing to the existing
> functionality.)
>
>>> Linux systems, of which the WRT54G is an example, implement
>>> multilayer firewalls. Your insistence that if it provides
> ^^^^^^^^^^^^^^^^^^^^^
>
>>> routing then it doesn't do "true" firewall functions, is *still*
>>> *wrong*.
>>
>>At this point I am not saying that the 54g doesn't fit the definition of a
>>network FW.
>
> You are still making false statements though.
And you seem to be right there with me.
>
> At this point you have finally admitted that it is a "network"
> firewall... But you were just claiming that it did not provide
> the same services as a "Firewall Appliance", which you then
> defined with a description which fit the WRT54G quite well.
>
>>My view of the 54G router was based on the other Linksys
>
> Which is to say you haven't got any idea what the WRT54G does
> or does not do.
It's a packet filtering FW router that's become a FW appliance according to
you that's running wonderful Linux. I think you explained it nicely.
>
>>products that cannot do what the 54G is apparently doing from the ones I
>>have seen to date.
>
> And despite the differences being pointed out many times, you
> still insist on making false comparisons, using generic
> definitions that don't necessarily apply to any given specific
> piece of equipment, much less to the one we are discussing.
Ok Mr. Firewall man you're the man.
>
>>If I am going to choose between the two, I am going with
>>a FW appliance every time and not a router,
>
> Of course if you need a router behind that FW appliance, that
> just rings the bell labeled "stupid".
The router would be in front of the FW appliance and if it was behind the FW
it would just be a switch for my needs.
>
> And it doesn't get any better if you don't need a "router" but
> end up paying twice the price for something that isn't any
> better.
>
>>which I consider the 54g to be
>>a packet filtering FW router.
>
> Who cares what you "consider" it to be? You don't know what it
> is and have admitted it.
I thought it was a *router*.
>
>>If I go with something like a 54g, then it's
>>going to sit outside the trusted zone of a FW appliance and VPN into the
>>FW
>>appliance, simply because it's wireless.
>
> Of course many of us are using them with the wireless turned
> off. Moreover, with something like DD-WRT firmware it is easy
> to reconfigure the vlan/bridge and isolate the wireless through
> the firewall.
Big deal
>
> What you are still missing is that it is *far* more versatile
> than you have imagined.
Should I tell you how versatile it can be for you and where you can put it?
>>> The WRT54G, for example, provides for proxies, port forwarding,
>>> and a DMZ, all with dynamic packet filtering rules. It has all
>>> of the functionality you require for a "FW appliance".
>>
>>Show me some documentation verifying that the 54g router has been classified
>>to
>>be a FW appliance and not a packet filtering NAT FW router.
>
> I could care less whether anyone has or not "classified" it as
> this or that. The point is that we *know* that it has the
> functionality that *you* used to define "a FW appliance".
I call it a packet filtering FW router but you can twist it any way you
want.
Duane Arnold <notme@notme.com> wrote:
>floyd@apaflo.com (Floyd L. Davidson) wrote in
>news:87ll3oj22q.fld@barrow.com:
>> But we *can* leave an archived thread that will prevent others
>> from trusting anything you say about it.
>
>I am beginning to think that you're some kind of a nut. You can take the
>fucking 54g, Linux, the kernel, Iptables, NAT, SPI, proxies and whatever
>else you deem necessary and stick it all right up your ass. ;-)
:-)
--
Floyd L. Davidson <http://web.newsguy.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) floyd@apaflo.com
"Floyd L. Davidson" <floyd@apaflo.com> wrote in message
news:87fytwiqq8.fld@barrow.com...
> Duane Arnold <notme@notme.com> wrote:
>>floyd@apaflo.com (Floyd L. Davidson) wrote in
>>news:87ll3oj22q.fld@barrow.com:
>>> But we *can* leave an archived thread that will prevent others
>>> from trusting anything you say about it.
>>
>>I am beginning to think that you're some kind of a nut. You can take the
>>fucking 54g, Linux, the kernel, Iptables, NAT, SPI, proxies and whatever
>>else you deem necessary and stick it all right up your ass. ;-)
>
> :-)
>
And don't think that I didn't mean every word and don't forget the antennas.
"Duane Arnold" <Notme@Notme.com> wrote:
>"Floyd L. Davidson" <floyd@apaflo.com> wrote:
>> I could care less whether anyone has or not "classified" it as
>> this or that. The point is that we *know* that it has the
>> functionality that *you* used to define "a FW appliance".
>
>I call it a packet filtering FW router but you can twist it any way you
>want.
Since you keep saying that and you have also several times
referenced an unspecified Watchguard "FW Appliance", please tell
us just how they differ!
Below is a side by side comparison of specifications. However,
I would welcome your corrections to the Watchguard specs, as
this reflects the best that I can find on the Internet, which is
from a review on TomsNetworking site that was last updated in
November 2003. The specs for the WRT54G are taken several
places, including the admin web access for a WRT54G V2.0 running
Sveasoft Alchemy 1.0 Firmware.
It doesn't appear the Watchguard holds much of a candle to the
Linksys... primarily because the Watchguard is limited in so
many ways: 10 DHCP "users", no triggered port mapping or
loopback, and limited content blocking. There are several other
deficiencies that I suspect have probably been upgraded or at
least improved on in the time since this data was accurate:
802.11g, UPnP, HTTPS for remote access, dynamic routing, more
flexible DHCP, frame filtering at the Ethernet level as well as
packet filtering at the IP level, port triggered mapping and
loopback, improved content filtering, QoS, lower level access
such as Telnet or SSH, WPA and 802.1x, and VLAN/Bridge
configuration.
Otherwise, it would also appear the price is ten times too
high.
Regardless, the idea that one is more or less of a "FW Appliance"
is *clearly* ridiculous.
                          WRT54G                        Watchguard
Firewall:                 NAT+SPI                       NAT+SPI
DMZ:                      yes                           yes
multi NAT:                no                            no
Port filtering:           yes                           yes
  notes:                  10 time schedules for         Deny/allow predefined
                          6 IPs, 2 IP ranges,           services for all LAN clients.
                          8 MAC addresses, plus 5       Can define custom services
                          non-scheduled port ranges     with port/protocol and from/to
                          that apply to all LAN ports   IP addresses.
Single port forwarding:   yes                           yes
Port range forwarding:    yes                           yes
Triggered port mapping:   yes                           no
  notes:                  10 port ranges with
                          tcp, udp, or both
                          protocol selection
Loopback:                 yes                           ??
Content controls:         yes                           can block HTTP access to a
  Block services:         yes                           list of IP addresses
  Block ports:            range
  Block URLs:             4
  Block keyword:          6
  Block protocols:        icmp, udp, tcp, tcp&udp, L7
  Block services:         Aim, Applejuice, Bearshare,
                          Biff, BitTorrent, Citrix,
                          Counterstrike, Cvs, eDonkey,
                          DHCP, DirectConnect
QoS:                      yes                           ??
  Port:                   WAN or LAN can limit bandwidth
                          uplink and downlink separately.
  services:               priority for same list as
                          blocked services.
  netmask:                yes
  MAC address:            yes
  LAN ports:              priority and max rate
Syslog:                   yes                           yes
SNMP:                     yes                           no
Telnet:                   yes                           ??
SSH:                      yes                           ??
AP watchdog:              yes                           ??
DNS masq:                 yes                           ??
WEP 128 bit:              yes                           yes
WPA:                      yes                           no
802.1x auth:              yes                           no
I dropped the question about the 54g in comp.security.firewalls and got my
answer from a Top Gun in that NG who installs and supports Linksys routers
and Watchguard FW appliances. It is as I knew it was. You can take all of
this and stick you know where -- Floyd Firewall. <g>
Duane Arnold <Notme@notme.com> wrote:
>I dropped the question about the 54g in comp.security.firewalls and got my
>answer from a Top Gun in that NG who installs and supports Linksys routers
>and Watchguard FW appliances. It is as I knew it was. You can take all of
>this and stick you know where -- Floyd Firewall. <g>
Why are you trying to distort what he said to mean something he
*didn't* say? He did not mention *any* specific device.
He said that if it can't sort out non-HTTP traffic to port 80 it
isn't sufficient for him. *Neither* the Watchguard Firebox 6tc
FW appliance nor the WRT54G does what he wants.
Of course, what he wants does *not* define what a firewall is,
except to him, but that's okay too. Regardless of that, your
"Top Gun" is clearly not... *nobody* else defines what is or is
not a firewall or even a "FW appliance" that way.
The idea that one is more or less of a "FW Appliance" is
*clearly* ridiculous, and here again are the specifications to
prove it. Plus, since originally posting I have found a "User
Guide" from Watchguard that confirms most of the deficiencies
noted previously. It doesn't give exact specifications, so I'm
not positive about all of the ones I expected to have been
upgraded, but it appears that *none* of them have changed since
it was originally introduced. It still looks like just a very
overpriced piece of equipment.
                          WRT54G                        Watchguard
Firewall:                 NAT+SPI                       NAT+SPI
DMZ:                      yes                           yes
multi NAT:                no                            no
Port filtering:           yes                           yes
  notes:                  10 time schedules for         Deny/allow predefined
                          6 IPs, 2 IP ranges, and       services for all LAN
                          8 MAC addresses, plus 5       clients. Can define
                          non-scheduled port ranges     custom services with
                          that apply to all LAN ports   port/protocol and
                                                        from/to IP addresses.
Single port forwarding:   yes                           yes
Port range forwarding:    yes                           yes
Triggered port mapping:   yes                           no
  notes:                  10 port ranges with
                          tcp, udp, or both
                          protocol selection
Loopback:                 yes                           ??
Content controls:         yes                           can block HTTP access
  Block services:         yes                           to a list of IP
  Block ports:            range                         addresses
  Block URLs:             4
  Block keywords:         6
  Block protocols:        icmp, udp, tcp,
                          tcp&udp, L7
  Block services:         Aim, Applejuice,
                          Bearshare, Biff,
                          BitTorrent, Citrix,
                          Counterstrike, Cvs,
                          eDonkey, DHCP,
                          DirectConnect
QoS:                      yes                           ??
  Port:                   WAN or LAN can
                          limit bandwidth
                          uplink and downlink
                          separately.
  services:               priority for same
                          list as blocked
                          services.
  netmask:                yes
  MAC address:            yes
  LAN ports:              priority and max rate
Syslog:                   yes                           yes
SNMP:                     yes                           no
Telnet:                   yes                           ??
SSH:                      yes                           ??
AP watchdog:              yes                           ??
DNS masq:                 yes                           ??
WEP 128 bit:              yes                           yes
WPA:                      yes                           no
802.1x auth:              yes                           no
In article <9CPGe.200933$_o.56452@attbi_s71>, Notme@notme.com says...
> I dropped the question about the 54g in comp.security.firewalls and got my
> answer from a Top Gun in that NG who installs and supports Linksys routers
> and Watchguard FW appliances. It is as I knew it was. You can take all of
> this and stick you know where -- Floyd Firewall. <g>
The answer you got was:-
"When it can tell the difference between HTTP and anything else on port
80, and that's not going to happen anytime soon, it will be a firewall."
Since that requires application layer inspection, even Cisco themselves
accepted that prior to IOS 12.3(14T) they weren't too good at that.
So what you're saying (or your alleged Top Gun whose credentials are
unverified - not that I care one little bit) is that a firewall that was
once a firewall (e.g. Cisco PIX) isn't a firewall anymore when the
parameters for defining what a firewall actually is, change.
This was one of the key marketing points that Microsoft used against
Cisco incidentally, that Cisco didn't do application layer inspection
whereas Microsoft's Internet Acceleration Server firewall product did.
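The line the quoted answer draws, between a stateful packet filter that only checks port and connection state and an inspector that checks whether the bytes on port 80 actually parse as HTTP, is easy to see in code. The following Python is an added illustration, not code from this thread or from any Linksys, Watchguard or Cisco product; the sample segments are constructed and the function names (stateful_verdict, l7_verdict, compare) are hypothetical.

```python
import re

# Hypothetical example: the first request line of an HTTP/1.x request.
# A real application-layer inspector buffers until it sees the end of the
# request line; here we assume it arrives whole in the first segment.
REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT) "
    rb"\S+ HTTP/1\.[01]\r\n"
)


def stateful_verdict(dst_port: int, syn_seen: bool) -> str:
    """NAT+SPI decision: destination port and connection state only.

    Once port 80 is forwarded, every properly opened connection passes,
    whatever protocol is actually spoken on it."""
    return "accept" if dst_port == 80 and syn_seen else "drop"


def l7_verdict(dst_port: int, first_payload: bytes) -> str:
    """Application-layer decision: the payload must also look like HTTP."""
    if dst_port != 80:
        return "drop"
    if REQUEST_LINE.match(first_payload):
        return "accept"
    return "drop:non-http-on-80"


# Constructed first segments of connections forwarded to port 80.
SAMPLES = {
    "http_get": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "ssh_banner": b"SSH-2.0-OpenSSH_3.9p1\r\n",
    "bittorrent": b"\x13BitTorrent protocol" + b"\x00" * 8 + b"A" * 40,
    "garbage": b"\x00\x01\x02\x03" * 8,
}


def compare(samples=SAMPLES):
    """Return {name: (stateful_verdict, l7_verdict)} for each sample."""
    return {
        name: (stateful_verdict(80, True), l7_verdict(80, data))
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:12s} stateful={verdicts[0]:8s} l7={verdicts[1]}")
```

Only the HTTP request passes both checks; the stateful filter alone lets the SSH, BitTorrent and random payloads through on the forwarded port.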
David Taylor <djtaylor@bigfoot.com> wrote:
>>WEP 128 bit: yes yes
>>WPA: yes no
>>802.1x auth: yes no
>
>WEP only for a "security appliance"?
>
>If that bit is still the case, that alone is enough reason to not use
>the Watchguard box.
I just downloaded the "WatchGuard Firebox SOHO 6 Wireless
User Guide" for firmware version 6.3. It says nothing about
WPA, 802.1x, or 802.11g.
It also says nothing at all about filtering packet content on
port 80, which some people seem to think is important. :-)
It does have a fairly versatile database program to block
selected URLs accessing port 80, presumably based on content
known to exist at specific sites.
Two other problems that I would find "enough reason" are that it
has no shell access for command line advanced configuration
beyond what is available via the web server; and it does not
allow reconfiguring the VLAN and Ethernet Bridge.
It does apparently do dynamic routing though, which I listed as
"no" in the specs.
Can you imagine paying $500 for that!??
--
Floyd L. Davidson <http://www.apaflo.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) floyd@apaflo.com
The 54G cannot tell when HTTP traffic is not coming down the port and block
it when the port has been forwarded to a Web server. The FW such as
Watchguard can tell that difference and block the traffic. That's why I
got the WG. Whatever else you're trying to tell me about a 54G FW router
and a Watchguard FW appliance is flat out moot to me.
Post away man until the *cows* jump over the FW, or in other words you be
happy with what you're using and I'll do the same. The thread is dead to me
now and I don't want to hear from you on this subject anymore.
> got the WG. Whatever else you're trying to tell me about a 54G FW router
> and a Watchguard FW appliance is flat out moot to me.
Duane, you or your matey over on the firewalls group are missing the
point. Would you have bought a Cisco PIX prior to IOS 12.3(14T)?
The time when a firewall magically stopped being a firewall it seems.
> Post away man until the *cows* jump over the FW or in other words you be
> happy with what you're using and I'll do the same. The thread is dead to me
Nobody is saying that anyone isn't happy.
> now and I don't want to hear from you on this subject anymore.
Wearing "la la headphones" isn't really the mature way to accept defeat.
I guess that Floyd won then and is right after all? :)
floyd@apaflo.com (Floyd L. Davidson) wrote in
news:877jf8glhf.fld@barrow.com:
> David Taylor <djtaylor@bigfoot.com> wrote:
>>>WEP 128 bit: yes yes
>>>WPA: yes no
>>>802.1x auth: yes no
>>
>>WEP only for a "security appliance"?
>>
>>If that bit is still the case, that alone is enough reason to not use
>>the Watchguard box.
>
> I just downloaded the "WatchGuard Firebox SOHO 6 Wireless
> User Guide" for firmware version 6.3. It says nothing about
> WPA, 802.1x, or 802.11g.
>
> It also says nothing at all about filtering packet content on
> port 80, which some people seem to think is important. :-)
> It does have a fairly versatile database program to block
> selected URLs accessing port 80, presumably based on content
> known to exist at specific sites.
>
> Two other problems that I would find "enough reason" are that it
> has no shell access for command line advanced configuration
> beyond what is available via the web server; and it does not
> allow reconfiguring the VLAN and Ethernet Bridge.
>
> It does apparently do dynamic routing though, which I listed as
> "no" in the specs.
>
> Can you imagine paying $500 for that!??
>
I don't give a rat's ass what you downloaded.
It does it by default, you *clown*; that's what a FW appliance does that's
different from a packet filtering FW router. And again, the TOP GUN in
that other NG confirmed that to me long ago.
I only paid $275 for it new at the time and you can get them
used/reconditioned for under $100 with warranty and the whole 9 yards.
And if you want more users and more power out of the box, you start
buying those add-on(s). The SOHO 6 has been discontinued here recently and
has been replaced by the X series.
You need to take the 54G and stick it. I like the Linksys products and if
I need a wireless solution I'll most likely use a 54g, since you have been
so kind as to explain its abilities in detail, I might add. <g>
But for you in general, you can stick the 54G.
I was joking about you being a little nutty. But now I have to change my
mind. There is something
Duane Arnold <Notme@notme.com> wrote:
>The 54G cannot tell when HTTP traffic is not coming down the port and block
>it when the port has been forwarded to a Web server. The FW such as
>Watchguard can tell that difference and block the traffic. That's why I
>got the WG. Whatever else you're trying to tell me about a 54G FW router
>and a Watchguard FW appliance is flat out moot to me.
Perhaps Watchguard sells a FW appliance which does do that,
and I'm happy for you if Microsoft marketing hype is
important to you. However, you said the WRT54G wasn't a "FW
appliance"... yet the Watchguard 6tc does *less* than the
WRT54G, and they market it as a "FW appliance".
Now, if you are saying you have a top of the line Watchguard FW
Appliance that does verify HTTP traffic, that's great if it is
worth the cost. But the User Guide and everything else I've
been able to learn about the Watchguard 6tc FW Appliance says
that it *won't* do that.
I take that to mean verification of HTTP traffic is *not* what
defines either a FW or specifically a "FW Appliance" in the
minds of Watchguard, not to mention Cisco and apparently just
about everyone except you and Bill Gates' Marketing Department.
>Post away man until the *cows* jump over the FW, or in other words you be
>happy with what you're using and I'll do the same. The thread is dead to me
>now and I don't want to hear from you on this subject anymore.
Can't blame you for wanting to get out!
--
Floyd L. Davidson <http://www.apaflo.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) floyd@apaflo.com
It's not about defeat or anything. I made a mistake in not calling the 54G a FW
appliance and I'll admit to it. I am just a man like everyone else. FF has
gone off the deep end and you're right there with him.