Does anyone get hits on their firewall
Juergen Nieveler
Posted: Wed Jan 12, 2005 1:45 pm    Post subject: Re: Does anyone get hits on their firewall

Leythos <void@nowhere.lan> wrote:

Quote:
Only partially correct, it's not a Firewall at all, it's a NAT device.

Of course, a firewall is really just a concept. A NAT router can be
part of a firewall, or it can be your whole firewall if you want it to
be.

What everybody keeps calling "firewall" is a packetfilter.

Juergen Nieveler
--
Atheism is a non-prophet organization

CyberDroog
Posted: Wed Jan 12, 2005 3:31 pm    Post subject: Re: Does anyone get hits on their firewall

On 12 Jan 2005 08:45:09 GMT, Juergen Nieveler
<juergen.nieveler.nospam@arcor.de> wrote:

Quote:
Leythos <void@nowhere.lan> wrote:

Only partially correct, it's not a Firewall at all, it's a NAT device.

Of course, a firewall is really just a concept. A NAT router can be
part of a firewall, or it can be your whole firewall if you want it to
be.

What everybody keeps calling "firewall" is a packetfilter.

You'll be burned as a heretic for saying that. There's kind of a jihad
mentality about the term firewall in this group.

Most reasonable thinkers would assume that just as in the real world where
a firewall can be built to varying specifications to withstand a given
amount of heat for a given amount of time, a computer firewall - as a
concept - could have varying capabilities.

Now hold on while a few of the faithful strap bombs to themselves and
explain why that just isn't so... ;)



--
As I grow older, I pay less attention to what men say. I just watch what
they do.

- Andrew Carnegie

Juergen Nieveler
Posted: Wed Jan 12, 2005 4:15 pm    Post subject: Re: Does anyone get hits on their firewall

CyberDroog <CyberDroog@ClockworkOrange.com> wrote:

Quote:
What everybody keeps calling "firewall" is a packetfilter.

You'll be burned as a heretic for saying that. There's kind of a
jihad mentality about the term firewall in this group.

I know. However I also know that I've installed dozens of firewalls
over the years, and some of them consisted of significantly more than
one single box - the biggest was 6 boxes (2 packetfilters and 4 load
balancers...).

Quote:
Now hold on while a few of the faithful strap bombs to themselves and
explain why that just isn't so... ;)

If only... it would be much more quiet once they've set themselves off
;-)

Juergen Nieveler
--
If there's no INTEL INSIDE... it could work!

Leythos
Posted: Wed Jan 12, 2005 4:56 pm    Post subject: Re: Does anyone get hits on their firewall

In article <Xns95DC606C89688juergennieveler@nieveler.org>,
juergen.nieveler.nospam@arcor.de says...
Quote:
Leythos <void@nowhere.lan> wrote:

Only partially correct, it's not a Firewall at all, it's a NAT device.

Of course, a firewall is really just a concept. A NAT router can be
part of a firewall, or it can be your whole firewall if you want it to
be.

And my firewall can provide the filtered public IP on the trusted side
too, not just the NAT'd addresses. I have a choice between Drop-in and
Routed mode when I start with a new unit.

The NAT boxes that people buy from home don't allow (for the most part)
more than one public IP, and they can't disable NAT (for almost all of
them).

The key thing about the Firewall concept (and I agree that it's a
'concept') is that NAT, by itself, does not fulfill the requirements in
concept to be called a 'firewall'.

Quote:
What everybody keeps calling "firewall" is a packetfilter.

The terms are interchangeable in most cases.

The thing I like about most firewall appliances is the ability to
actually inspect inside the HTTP or SMTP traffic for content, to be able
to remove undesirable content, but still let the rest of the traffic
through - like removing executable attachments from emails.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
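
Content inspection of the kind described in the post above (removing executable attachments while letting the rest of the mail through), sketched as an added example that is not part of the original thread and not any appliance's code. The extension list, function names and sample message are assumptions constructed here.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Assumed, non-exhaustive list of extensions the filter treats as executable.
BLOCKED_EXT = (".scr", ".exe", ".pif", ".com", ".bat", ".vbs")


def _filter(part, removed):
    """Drop blocked attachments below `part`, recursing into nested multiparts."""
    if not part.is_multipart():
        return
    kept = []
    for child in part.get_payload():
        name = child.get_filename() or ""
        # Normalise case and trailing dots/spaces so "Photo.JPG.SCR " still matches.
        if name.rstrip(" .").lower().endswith(BLOCKED_EXT):
            removed.append(name)
            continue
        _filter(child, removed)
        kept.append(child)
    part.set_payload(kept)


def strip_executables(raw):
    """Return (cleaned message, names of removed attachments)."""
    msg = message_from_string(raw, policy=policy.default)
    removed = []
    _filter(msg, removed)
    if removed:
        # Tell the recipient what was taken out, as a plain-text part.
        note = EmailMessage()
        note.set_content("Removed by filter: " + ", ".join(removed))
        msg.attach(note)
    return msg, removed


def sample_message():
    """Constructed test mail: a text body, one harmless and two blocked attachments."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "open me"
    m.set_content("See attached.")
    m.add_attachment(b"constructed bytes", maintype="application",
                     subtype="octet-stream", filename="openme.scr")
    m.add_attachment("plain notes", filename="notes.txt")
    m.add_attachment(b"constructed bytes", maintype="application",
                     subtype="octet-stream", filename="Photo.JPG.SCR")
    return m.as_string()
```

The match is on the declared filename only; a filter that also has to catch renamed files would need to look at the content itself.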

Leythos
Posted: Wed Jan 12, 2005 4:59 pm    Post subject: Re: Does anyone get hits on their firewall

In article <dou9u0ta96meltdgj0o9inh0hlr6q04vj1@4ax.com>,
CyberDroog@ClockworkOrange.com says...
Quote:
Most reasonable thinkers would assume that just as in the real world where
a firewall can be built to varying specifications to withstand a given
amount of heat for a given amount of time, a computer firewall - as a
concept - could have varying capabilities.

As long as people understand that the NAT boxes are not true firewalls,
not complete firewalls, just marketing hype, I will be happy.

I hate seeing people feeling they are protected while they surf the web
because they bought their new firewall and can now go to any hack site
and not have to worry. Or the ones that buy their new firewall and
figure it's ok to open that email with the openme.scr file since the
firewall is protecting them now - and it's just a simple NAT box.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

Juergen Nieveler
Posted: Wed Jan 12, 2005 6:45 pm    Post subject: Re: Does anyone get hits on their firewall

Leythos <void@nowhere.lan> wrote:

Quote:
And my firewall can provide the filtered public IP on the trusted side
too, not just the NAT'd addresses. I have a choice between Drop-in and
Routed mode when I start with a new unit.

Let me guess... a Firebox? They're the only ones I've seen that allow
users a bridging mode (which is what "drop in" really means), normally
appliances are routers.

Quote:
The key thing about the Firewall concept (and I agree that it's a
'concept') is that NAT, by itself, does not fulfill the requirements
in concept to be called a 'firewall'.

Not in the true sense, which would mean that all incoming packets would
be translated (sometimes called "Static NAT"). Of course, most of those
cheap boxes automatically do a "dynamic NAT", offering a whole network
on the internal interface. In that case, the appliance can't forward
packets if unconfigured, because it doesn't know who to route them to
:-)

Such devices CAN be circumvented by a real hacker - all he has to do is
fool the appliance into believing that it has to forward a certain
connection even though nobody on the inside requested it.

Quote:
The thing I like about most firewall appliances is the ability to
actually inspect inside the HTTP or SMTP traffic for content, to be
able to remove undesirable content, but still let the rest of the
traffic through - like removing executable attachments from emails.

The thing I like most is that they usually are able to make FTP work
despite having a dynamic NAT :-)

Juergen Nieveler
--
Can you tell Fred Armani to get some cocaine. Countdown is next Sunday
week meaning Audiotel will die.
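
The dynamic-NAT behaviour described in the post above, as an added example that is not part of the original thread: a toy translation table showing why unsolicited inbound packets have nowhere to go, while replies and configured port forwards get through and outbound traffic is never checked. The class name, the addresses and the rule that a reply must match the remote endpoint are assumptions of this model, not the behaviour of a specific device.

```python
class DynamicNat:
    """Toy model of a port-translating home router (assumed design)."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000
        self.sessions = {}   # (public_port, remote endpoint) -> inside endpoint
        self.forwards = {}   # public_port -> inside endpoint, set by the admin

    def add_forward(self, public_port, inside_ip, inside_port):
        """Static redirect, e.g. for a web or FTP server behind the router."""
        self.forwards[public_port] = (inside_ip, inside_port)

    def outbound(self, inside, remote):
        """An inside host connects out: no policy is consulted, a mapping is created."""
        public_port = self.next_port
        self.next_port += 1
        self.sessions[(public_port, remote)] = inside
        return (self.public_ip, public_port)

    def inbound(self, remote, public_port):
        """Decide what happens to a packet arriving on the public interface."""
        if (public_port, remote) in self.sessions:
            return "reply", self.sessions[(public_port, remote)]
        if public_port in self.forwards:
            return "forwarded", self.forwards[public_port]
        # No session and no redirect: the router does not know whom to send it to.
        return "dropped", None


def demo():
    """Run constructed traffic through the model and return each decision."""
    nat = DynamicNat("203.0.113.10")
    nat.add_forward(80, "192.168.1.20", 80)
    web = ("198.51.100.7", 80)
    stranger = ("192.0.2.99", 3127)
    _, port = nat.outbound(("192.168.1.50", 51515), web)
    return {
        "reply": nat.inbound(web, port),
        "unsolicited": nat.inbound(stranger, 3000),
        "same_port_other_host": nat.inbound(stranger, port),
        "forwarded_web": nat.inbound(stranger, 80),
    }
```

Nothing in `outbound` can refuse a connection, and a redirected port is reachable from any source address, which is why hits on forwarded ports have to be handled by the host behind it.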

Leythos
Posted: Wed Jan 12, 2005 6:46 pm    Post subject: Re: Does anyone get hits on their firewall

In article <Xns95DC922818F4Djuergennieveler@nieveler.org>,
juergen.nieveler.nospam@arcor.de says...
Quote:
Leythos <void@nowhere.lan> wrote:

And my firewall can provide the filtered public IP on the trusted side
too, not just the NAT'd addresses. I have a choice between Drop-in and
Routed mode when I start with a new unit.

Let me guess... a Firebox? They're the only ones I've seen that allow
users a bridging mode (which is what "drop in" really means), normally
appliances are routers.

Yep, Firebox - I can walk into an office and isolate the accounting
department from the rest of the company, or the plant floor network, and
not have to make any significant changes to the network.

I almost always run them in NAT mode, but there have been several
instances where we didn't want to change the network structure
completely.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

Renegade
Posted: Wed Jan 12, 2005 10:43 pm    Post subject: Re: Does anyone get hits on their firewall

On Wed, 12 Jan 2005 13:45:13 +0000, Juergen Nieveler wrote:

Quote:
Such devices CAN be circumvented by a real hacker - all he has to do is
fool the appliance into believing that it has to forward a certain
connection even though nobody on the inside requested it.

Pardon my intrusion, but right there you may have the key to explaining
why NAT is not a true firewall. If you can clarify (think NAT for Dummies)
how that someone can trick the NAT box into forwarding, I think that you
can end a lot of the battles about NAT/Firewall with a single post.

I would try explaining it myself, but I don't profess to understand
everything about NAT, and any incorrect information would only keep the
arguments going. So I will leave it to the pros to explain that one.

Leythos
Posted: Thu Jan 13, 2005 12:39 am    Post subject: Re: Does anyone get hits on their firewall

In article <jldFd.191722$8G4.3247@tornado.tampabay.rr.com>, inv@lid.net
says...
Quote:
On Wed, 12 Jan 2005 13:45:13 +0000, Juergen Nieveler wrote:

Such devices CAN be circumvented by a real hacker - all he has to do is
fool the appliance into believing that it has to forward a certain
connection even though nobody on the inside requested it.

Pardon my intrusion, but right there you may have the key to explaining
why NAT is not a true firewall. If you can clarify (think NAT for Dummies)
how that someone can trick the NAT box into forwarding, I think that you
can end a lot of the battles about NAT/Firewall with a single post.

I would try explaining it myself, but I don't profess to understand
everything about NAT, and any incorrect information would only keep the
arguments going. So I will leave it to the pros to explain that one.

Just so you know, we were not arguing or being confrontational in this
discussion - honest.

Since these NAT devices are ONE-WAY filters they do not qualify as
firewalls, exploit aside, that's enough info to stop calling them
Firewalls.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

Renegade
Posted: Thu Jan 13, 2005 1:40 am    Post subject: Re: Does anyone get hits on their firewall

On Wed, 12 Jan 2005 19:39:03 +0000, Leythos wrote:
Quote:

Just so you know, we were not arguing or being confrontational in this
discussion - honest.

I know that you guys aren't arguing. I have learned quite a lot from
paying attention to your discussions. I meant some of the borderline flame
fests that crop up here from time to time over NAT. :)

I just thought that a good detailed explanation might curtail the ones
that are "problematic" over that.

CyberDroog
Posted: Thu Jan 13, 2005 5:56 am    Post subject: Re: Does anyone get hits on their firewall

On Wed, 12 Jan 2005 11:59:45 GMT, Leythos <void@nowhere.lan> wrote:

Quote:
In article <dou9u0ta96meltdgj0o9inh0hlr6q04vj1@4ax.com>,
CyberDroog@ClockworkOrange.com says...
Most reasonable thinkers would assume that just as in the real world where
a firewall can be built to varying specifications to withstand a given
amount of heat for a given amount of time, a computer firewall - as a
concept - could have varying capabilities.

As long as people understand that the NAT boxes are not true firewalls,
not complete firewalls, just marketing hype, I will be happy.

I hate seeing people feeling they are protected while they surf the web
because they bought their new firewall and can now go to any hack site
and not have to worry. Or the ones that buy their new firewall and
figure it's ok to open that email with the openme.scr file since the
firewall is protecting them now - and it's just a simple NAT box.

Nothing will ever mitigate sheer stupidity...

--
MORAL, adj. Conforming to a local and mutable standard of right. Having
the quality of general expediency.

- Ambrose Bierce

Andrew Meyer
Posted: Thu Jan 13, 2005 6:26 am    Post subject: Re: Does anyone get hits on their firewall

I have seen an example of that myself. I am currently using a LinkSys
router that does NAT. It has what it calls Firewall Protection, not
very customizable. It consists of a SPI Firewall and has the following
(on/off) settings:
Block Anonymous Internet Requests
Filter Multicast
Filter Internet NAT Redirection
Filter IDENT(Port 113)

When I had everything turned on except for the Filter Internet NAT
Redirection my McAfee software firewall registered hits on various
ports (Mostly in the 3000 range). Since I turned it on I no longer see
those hits. (There are open ports that are redirected to the PC which
is running a web server and an FTP server)

Justins local account
Posted: Thu Jan 13, 2005 7:54 pm    Post subject: Re: Does anyone get hits on their firewall

Leythos <void@nowhere.lan> writes:

Quote:
In article <jldFd.191722$8G4.3247@tornado.tampabay.rr.com>, inv@lid.net
says...

Since these NAT devices are ONE-WAY filters they do not qualify as
firewalls, exploit aside, that's enough info to stop calling them
Firewalls.

OTOH most firewalls set up by non security people are set up as one
way filters. Unless people are actually going to work on setting a
firewall up, NAT is as good as a firewall

--
Justin Murdock

Leythos
Posted: Fri Jan 14, 2005 2:12 am    Post subject: Re: Does anyone get hits on their firewall

In article <ay6521bcrt.fsf@bsdclient1.pipemedia.net>, justin-
nntp@pipemedia.net says...
Quote:
Leythos <void@nowhere.lan> writes:

In article <jldFd.191722$8G4.3247@tornado.tampabay.rr.com>, inv@lid.net
says...

Since these NAT devices are ONE-WAY filters they do not qualify as
firewalls, exploit aside, that's enough info to stop calling them
Firewalls.

OTOH most firewalls set up by non security people are set up as one
way filters. Unless people are actually going to work on setting a
firewall up, NAT is as good as a firewall

A firewall allowing all outbound, if you actually look at a real
firewall appliance is nowhere near the same as a NAT system.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

Justins local account
Posted: Fri Jan 14, 2005 2:38 pm    Post subject: Re: Does anyone get hits on their firewall

Leythos <void@nowhere.lan> writes:

Quote:
In article <ay6521bcrt.fsf@bsdclient1.pipemedia.net>, justin-
nntp@pipemedia.net says...
Leythos <void@nowhere.lan> writes:

In article <jldFd.191722$8G4.3247@tornado.tampabay.rr.com>, inv@lid.net
says...

Since these NAT devices are ONE-WAY filters they do not qualify as
firewalls, exploit aside, that's enough info to stop calling them
Firewalls.

OTOH most firewalls set up by non security people are set up as one
way filters. Unless people are actually going to work on setting a
firewall up, NAT is as good as a firewall

A firewall allowing all outbound, if you actually look at a real
firewall appliance is nowhere near the same as a NAT system.

isn't that what I said?
--
Justin Murdock

All times are GMT