eyo technlogies For your PC needs

Thread: firewall on budget ?

  1. #41
    Ext User(Leythos) Guest

    Re: firewall on budget ?

    In article <1185185208.751091.229450@k79g2000hse.googlegroups.com>,
    jameshanley39@yahoo.co.uk says...
    > On Jul 22, 11:44 pm, Leythos <v...@nowhere.lan> wrote:
    > > In article <1185142179.733331.202...@d55g2000hsg.googlegroups.com>,
    > > jameshanle...@yahoo.co.uk says...
    > >
    > > > A DSL device that doesn't use NAT is so hard to find, I don't know
    > > > anybody in the UK that has one.

    > >
    > > > I'm asking this as a theoretical question , in the sense that i'm not
    > > > considering recommending them over NAT, so you needn't fear that!

    > >
    > > You don't want to look at cheap devices then, you want to use a Firewall
    > > Appliance in "Drop-In" mode - it still filters traffic based on rules,
    > > but it allows all ports (jacks) to have the same public IP.
    > >
    > > There is also 1:1 NAT, so that a single PUBLIC IP is routed to a single
    > > LAN IP.
    > >
    > > Why would you not want NAT?
    > >
    > > --
    > >
    > > Leythos

    >
    > I would use NAT. But i'm wondering, theoretically, and since you say
    > it's a shame some end users don't use NAT, and ISPs should make it
    > mandatory.
    >
    > What end users on DSL, don't use NAT . What devices are they buying,
    > can you link me to any? presumably you've seen some.


    Every DSL device I've seen can be set up for NAT or Routed mode - it's in
    the DSL Maintenance screen on their devices. I know a bunch of people,
    like SBS/Yahoo DSL, that get a public IP from their DSL service.

    --

    Leythos
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)

  2. #42
    Ext User(jameshanley39@yahoo.co.uk) Guest

    Re: firewall on budget ?

    On Jul 23, 1:03 pm, Leythos <v...@nowhere.lan> wrote:
    > In article <1185185208.751091.229...@k79g2000hse.googlegroups.com>,
    > jameshanle...@yahoo.co.uk says...
    >
    >
    >
    >
    >
    > > On Jul 22, 11:44 pm, Leythos <v...@nowhere.lan> wrote:
    > > > In article <1185142179.733331.202...@d55g2000hsg.googlegroups.com>,
    > > > jameshanle...@yahoo.co.uk says...

    >
    > > > > A DSL device that doesn't use NAT is so hard to find, I don't know
    > > > > anybody in the UK that has one.

    >
    > > > > I'm asking this as a theoretical question , in the sense that i'm not
    > > > > considering recommending them over NAT, so you needn't fear that!

    >
    > > > You don't want to look at cheap devices then, you want to use a Firewall
    > > > Appliance in "Drop-In" mode - it still filters traffic based on rules,
    > > > but it allows all ports (jacks) to have the same public IP.

    >
    > > > There is also 1:1 NAT, so that a single PUBLIC IP is routed to a single
    > > > LAN IP.

    >
    > > > Why would you not want NAT?

    >
    > > > --

    >
    > > > Leythos

    >
    > > I would use NAT. But i'm wondering, theoretically, and since you say
    > > it's a shame some end users don't use NAT, and ISPs should make it
    > > mandatory.

    >
    > > What end users on DSL, don't use NAT . What devices are they buying,
    > > can you link me to any? presumably you've seen some.

    >
    > Every DSL device I've seen can be set up for NAT or Routed mode - it's in
    > the DSL Maintenance screen on their devices. I know a bunch of people,
    > like SBS/Yahoo DSL, that get a public IP from their DSL service.
    >
    > --
    >
    > Leythos


    If it's set for Routed mode (by this you mean no NAT), do you then need
    a public IP for your router and a (different) public IP for the
    computer connected to it?

    Do you have in mind such end users - that have 2 public IPs?

    BTW, you mention you know people that "get public IP from their DSL
    service". Who has an ISP and doesn't get that?





  3. #43
    Ext User(Ari) Guest

    Re: firewall on budget ?

    On Sat, 21 Jul 2007 19:58:53 -0700, Beladi Nasralla wrote:

    > I have a PC built for me, and I installed Windows XP SP2 on it. I
    > presume I need to put a firewall and antivirus on it to ward off worms
    > and viruses.


    Kerio 2.15 is free and works great.

  4. #44
    Ext User(Leythos) Guest

    Re: firewall on budget ?

    In article <1185235335.550334.183430@n60g2000hse.googlegroups.com>,
    jameshanley39@yahoo.co.uk says...
    > On Jul 23, 1:03 pm, Leythos <v...@nowhere.lan> wrote:
    > > In article <1185185208.751091.229...@k79g2000hse.googlegroups.com>,
    > > jameshanle...@yahoo.co.uk says...
    > >
    > >
    > >
    > >
    > >
    > > > On Jul 22, 11:44 pm, Leythos <v...@nowhere.lan> wrote:
    > > > > In article <1185142179.733331.202...@d55g2000hsg.googlegroups.com>,
    > > > > jameshanle...@yahoo.co.uk says...

    > >
    > > > > > A DSL device that doesn't use NAT is so hard to find, I don't know
    > > > > > anybody in the UK that has one.

    > >
    > > > > > I'm asking this as a theoretical question , in the sense that i'm not
    > > > > > considering recommending them over NAT, so you needn't fear that!

    > >
    > > > > You don't want to look at cheap devices then, you want to use a Firewall
    > > > > Appliance in "Drop-In" mode - it still filters traffic based on rules,
    > > > > but it allows all ports (jacks) to have the same public IP.

    > >
    > > > > There is also 1:1 NAT, so that a single PUBLIC IP is routed to a single
    > > > > LAN IP.

    > >
    > > > > Why would you not want NAT?

    > >
    > > > > --

    > >
    > > > > Leythos

    > >
    > > > I would use NAT. But i'm wondering, theoretically, and since you say
    > > > it's a shame some end users don't use NAT, and ISPs should make it
    > > > mandatory.

    > >
    > > > What end users on DSL, don't use NAT . What devices are they buying,
    > > > can you link me to any? presumably you've seen some.

    > >
    > > Every DSL device I've seen can be set up for NAT or Routed mode - it's in
    > > the DSL Maintenance screen on their devices. I know a bunch of people,
    > > like SBS/Yahoo DSL, that get a public IP from their DSL service.
    > >

    >
    > If it's set for Routed mode (by this you mean no NAT), do you then need
    > a public IP for your router and a (different) public IP for the
    > computer connected to it?
    >
    > Do you have in mind such end users - that have 2 public IPs?


    Many users want firewall functions that don't have to include NAT as one
    of them - they might have public facing servers and just want to protect
    them.

    The ports (WAN, LAN, DMZ) on the firewall all have the same IP, provided
    by the ISP's device; you route traffic between them using rules.

    So x.y.c.v:80 on WAN can be routed to x.y.c.v:80 on LAN while
    x.y.c.v:443 can be routed to x.y.c.v:443 on DMZ.

    You can do this with as many IPs as you want - the condition being that
    one combination of IP:PORT can only be routed to one destination.

    > BTW, you mention you know people that "get public IP from their DSL
    > service". Who has an ISP and doesn't get that?


    Many people don't get it, many DSL providers have their routers set to
    NAT by default.


    --

    Leythos
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)
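
    The two gateway modes argued about in this post (a NAT gateway with one public IP in front of private hosts, versus a "drop-in" firewall that translates nothing and only filters by rule), together with the later claim that a NAT device keeps unsolicited inbound traffic off the machine, can be shown in a small simulation. The block below is an added example and is not code from the thread or from any firewall product; the class names, the documentation-range addresses, and the reading of drop-in mode as "same public address on every port, rule decides which zone gets the packet" are assumptions of the example, not something the post specifies.

```python
"""Toy model of a NAT gateway (connection tracking plus explicit port
forwards) and a "drop-in" firewall that only filters by rule.  Added
example, not code from the thread or from any product; the addresses are
documentation ranges chosen for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatGateway:
    """One public IP shared by every inside host (PAT / masquerading)."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.forwards = {}   # (proto, public_port) -> (inside_ip, inside_port)
        self.sessions = {}   # (proto, public_port) -> (in_ip, in_port, peer_ip, peer_port)
        self._next_port = 40000

    def add_forward(self, proto, public_port, inside_ip, inside_port):
        """One public IP:port can be routed to exactly one inside destination."""
        key = (proto, public_port)
        if key in self.forwards:
            raise ValueError(f"{self.public_ip}:{public_port}/{proto} already forwarded")
        self.forwards[key] = (inside_ip, inside_port)

    def outbound(self, pkt):
        """Inside -> WAN: rewrite the source address/port and record the session."""
        port, self._next_port = self._next_port, self._next_port + 1
        self.sessions[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """WAN -> inside: deliver a reply to a tracked session or a forwarded
        port; anything else has no inside address to go to and is dropped."""
        key = (pkt.proto, pkt.dst_port)
        sess = self.sessions.get(key)
        if sess and (pkt.src_ip, pkt.src_port) == sess[2:]:
            return Packet(pkt.src_ip, pkt.src_port, sess[0], sess[1], pkt.proto)
        fwd = self.forwards.get(key)
        if fwd:
            return Packet(pkt.src_ip, pkt.src_port, fwd[0], fwd[1], pkt.proto)
        return None


class DropInFirewall:
    """No translation: a packet is passed unchanged to the zone (LAN, DMZ,
    ...) its rule names, or dropped when no rule matches."""

    def __init__(self):
        self.rules = {}      # (dst_ip, proto, dst_port) -> zone

    def allow(self, dst_ip, proto, dst_port, zone):
        key = (dst_ip, proto, dst_port)
        if key in self.rules:
            raise ValueError(f"{dst_ip}:{dst_port}/{proto} already routed to {self.rules[key]}")
        self.rules[key] = zone

    def inbound(self, pkt):
        """Zone the packet is handed to, or None when no rule matches."""
        return self.rules.get((pkt.dst_ip, pkt.proto, pkt.dst_port))


def demo() -> dict:
    """Run both gateways through the cases the posts disagree about."""
    out = {}
    nat = NatGateway("203.0.113.10")
    wan = "198.51.100.7"   # some host on the internet (constructed)
    # Unsolicited SMB probe from the internet: no session, no forward, dropped.
    out["nat_unsolicited_445"] = nat.inbound(Packet(wan, 3333, "203.0.113.10", 445))
    # An inside host browses out; only the reply to the mapped port gets back in.
    egress = nat.outbound(Packet("192.168.1.20", 51000, "198.51.100.5", 80))
    out["nat_egress_src"] = (egress.src_ip, egress.src_port)
    reply = nat.inbound(Packet("198.51.100.5", 80, "203.0.113.10", egress.src_port))
    out["nat_reply_to"] = (reply.dst_ip, reply.dst_port)
    # Same mapped port but a different peer: not our session, dropped.
    out["nat_spoofed_reply"] = nat.inbound(Packet(wan, 80, "203.0.113.10", egress.src_port))
    # A port forward opens exactly one public port to one inside host.
    nat.add_forward("tcp", 80, "192.168.1.30", 80)
    fwd = nat.inbound(Packet(wan, 4444, "203.0.113.10", 80))
    out["nat_forward_to"] = (fwd.dst_ip, fwd.dst_port)
    try:
        nat.add_forward("tcp", 80, "192.168.1.31", 80)
        out["nat_duplicate_forward"] = "accepted"
    except ValueError:
        out["nat_duplicate_forward"] = "rejected"
    # Drop-in: :80 goes to the LAN port, :443 to the DMZ port, nothing else passes.
    dropin = DropInFirewall()
    dropin.allow("203.0.113.10", "tcp", 80, "LAN")
    dropin.allow("203.0.113.10", "tcp", 443, "DMZ")
    out["dropin_80"] = dropin.inbound(Packet(wan, 5555, "203.0.113.10", 80))
    out["dropin_443"] = dropin.inbound(Packet(wan, 5555, "203.0.113.10", 443))
    out["dropin_445"] = dropin.inbound(Packet(wan, 5555, "203.0.113.10", 445))
    return out
```

    Call `print(demo())` to see every case. `NatGateway.inbound` returns None for anything that is neither a reply to a tracked session nor a forwarded port, which is the property the "if the computer can't be reached" argument later in the thread rests on; both `add_forward` and `DropInFirewall.allow` refuse a second entry for the same IP:port, the one-destination condition stated in the post.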

  7. #47
    Ext User(Straight Talk) Guest

    Re: firewall on budget ?

    On Mon, 23 Jul 2007 08:01:32 -0400, Leythos <void@nowhere.lan> wrote:

    >In article <hge8a3p509t7na6nh77n61v8g44p9kaade@4ax.com>,
    >b__nice@hotmail.com says...
    >> On Sun, 22 Jul 2007 16:22:32 -0400, Leythos <void@nowhere.lan> wrote:
    >>
    >> >In article <94e7a39tec3hfgidr7798bqut68fu5co8m@4ax.com>,
    >> >b__nice@hotmail.com says...
    >> >> On Sun, 22 Jul 2007 11:10:22 -0400, Leythos <void@nowhere.lan> wrote:
    >> >>
    >> >> >In article <enp6a31arh4m7ni0gebr0it366ott5h06h@4ax.com>,
    >> >> >b__nice@hotmail.com says...
    >> >> >> Any local FW is exploitable when running as local admin.
    >> >> >>
    >> >> >> Anyone running arbitrary code as local admin is likely to get screwed.
    >> >> >> You seem to advocate keep doing so and then have a barrier to minimize
    >> >> >> the damage instead of advocating doing the right thing, which would be
    >> >> >> to run a LUA in which case the WF can't be exploited the way you're
    >> >> >> thinking of.
    >> >> >
    >> >> >No, I don't advocate what you are talking about,
    >> >>
    >> >> Yes.
    >> >>
    >> >> >but I'm also not aware that many programs won't run under Windows
    >> >> >unless the user is an admin,
    >> >>
    >> >> There are ways around that.
    >> >
    >> >Not in every case, at least not with users that are willing to wrangle
    >> >around it on a daily basis - you know human nature, it's what gets
    >> >people compromised in the first place.

    >>
    >> What does some users willingness to wrangle around have to do with the
    >> fact that there are workarounds to the issue raised?

    >
    >What work around issues?


    Not work around issues. Workarounds to the issue.

    >>
    >> >> >and I also understand that many users don't have a clue about security.
    >> >>
    >> >> Probably true, but that calls for education, not damage control.
    >> >
    >> >But, until they get educated, and we've had security threats for more
    >> >than a decade and fewer and fewer people are educated, we need a measure
    >> >that will protect the ignorant masses from harming the rest of us - ISP
    >> >Mandated NAT implemented at the users gateway device would be a first
    >> >real help.

    >>
    >> I fail to see how NAT would protect the rest of us?

    >
    >By keeping the ignorant masses machines from being compromised
    >immediately, before they even start using them. It also means that we
    >don't have the issues of them being FTP, SMTP, etc.. relays.... Come on,
    >think - if the computer can't be reached then it's going to be harder
    >for the hackers to abuse it.


    Post-SP2 this is becoming much less of a problem. The biggest problem
    still is malware spread through websites, e-mail and file sharing.
    Your suggestion won't seriously protect us from the "ignorant masses".

  8. #48
    Ext User(Straight Talk) Guest

    Re: firewall on budget ?

    On Sun, 22 Jul 2007 16:11:29 -0400, Leythos <void@nowhere.lan> wrote:

    >Actually, the windows firewall is a bad concept from the start - people
    >think they are protected, but many machines have file/printer sharing
    >enabled and an exception for it, and many people run as local admin, so,
    >it's easy to subvert the firewall with simple malware, even non-malware
    >apps subvert it without warning.


    Your idea that since the "ignorant masses" aren't immediately able to
    cope with a concept doesn't mean the concept itself is bad. The WF is
    a very good concept. It's the way it's used that causes the problem.

    The other firewalls mentioned earlier continue to promote and support
    the idea of running as admin. And *that* is a bad concept.

  10. #50
    Ext User(Leythos) Guest

    Re: firewall on budget ?

    In article <4p7ba3lda8gjog60cmhsthopa77or4qbq3@4ax.com>,
    b__nice@hotmail.com says...
    > Post-SP2 this is becoming much less of a problem. The biggest problem
    > still is malware spread through websites, e-mail and file sharing.
    > Your suggestion won't seriously protect us from the "ignorant masses".


    Actually, depending on the NAT device, you can block downloads of many
    malware infectors via HTTP. Not much one can do about SMTP type
    infectors unless they have their own mini-mail server or a standard
    server as other firewall products can clean SMTP sessions.

    So, again, the NAT device provides MORE/Better protection than Windows
    Firewall in all cases.

    --

    Leythos
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)

  11. #51
    Ext User(Leythos) Guest

    Re: firewall on budget ?

    In article <c48ba3pgssu69n8pketh9hmg0a256goub7@4ax.com>,
    b__nice@hotmail.com says...
    > On Sun, 22 Jul 2007 16:11:29 -0400, Leythos <void@nowhere.lan> wrote:
    >
    > >Actually, the windows firewall is a bad concept from the start - people
    > >think they are protected, but many machines have file/printer sharing
    > >enabled and an exception for it, and many people run as local admin, so,
    > >it's easy to subvert the firewall with simple malware, even non-malware
    > >apps subvert it without warning.

    >
    > Your idea that since the "ignorant masses" aren't immediately able to
    > cope with a concept doesn't mean the concept itself is bad. The WF is
    > a very good concept. It's the way it's used that causes the problem.


    And in the real world it means that it's just a bad product.

    > The other firewalls mentioned earlier continue to promote and support
    > the idea of running as admin. And *that* is a bad concept.


    And other firewalls, while they can still be compromised, have a much
    better reporting/alert system than the report-nothing WF does.

    --

    Leythos
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)
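
    The Windows Firewall point in this exchange (a machine with an exception for File and Printer Sharing, sitting on a public address with nothing in front of it) is something that can be checked rather than argued. The block below is an added example, not code from the thread. It parses the text layout of `netsh advfirewall firewall show rule name=all` (Vista and later; XP SP2's `netsh firewall` prints a different layout, so this is an assumption of the example) and flags enabled inbound Allow rules in the File and Printer Sharing group by how far they reach. The SAMPLE text is constructed for the example, not captured from a real machine.

```python
"""Audit Windows Firewall rules for the exposure argued about above:
enabled inbound Allow rules in the File and Printer Sharing group, rated
by how far they reach.  Added example, not code from the thread.  The
input layout follows "netsh advfirewall firewall show rule name=all" as
assumed by this example; SAMPLE is constructed, not captured."""

SAMPLE = """\
Rule Name:                            File and Printer Sharing (SMB-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Private,Public
Grouping:                             File and Printer Sharing
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            445
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            File and Printer Sharing (NB-Session-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Private
Grouping:                             File and Printer Sharing
LocalIP:                              Any
RemoteIP:                             LocalSubnet
Protocol:                             TCP
LocalPort:                            139
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Remote Desktop (TCP-In)
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:                             Remote Desktop
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            3389
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow
"""


def parse_rules(text: str) -> list:
    """Split the 'Key:   value' blocks into one dict per rule."""
    rules, current = [], None
    for line in text.splitlines():
        if line.startswith("Rule Name:"):
            current = {}
            rules.append(current)
        if current is None or line.startswith("---") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return rules


def rate_sharing_rule(rule: dict) -> str:
    """HIGH: any remote address and active on the Public profile (a host with
    a public IP and no NAT in front of it is reachable from the internet).
    MEDIUM: any remote address, but not active on Public.
    LOW: limited to the local subnet."""
    profiles = {p.strip() for p in rule.get("Profiles", "").split(",")}
    if rule.get("RemoteIP") != "Any":
        return "LOW"
    return "HIGH" if "Public" in profiles else "MEDIUM"


def exposed_sharing_rules(rules: list) -> list:
    """Enabled inbound Allow rules from the sharing group, each with a rating."""
    findings = []
    for r in rules:
        if (r.get("Enabled") == "Yes" and r.get("Direction") == "In"
                and r.get("Action") == "Allow"
                and r.get("Grouping") == "File and Printer Sharing"):
            findings.append((r["Rule Name"], r.get("Protocol"),
                             r.get("LocalPort"), rate_sharing_rule(r)))
    return findings


if __name__ == "__main__":
    for name, proto, port, rating in exposed_sharing_rules(parse_rules(SAMPLE)):
        print(f"{rating:6} {proto}/{port:<5} {name}")
```

    To run it against a live machine, save the netsh output to a file and pass its contents to `parse_rules`. A HIGH finding is the case the posts are arguing about: the rule accepts any remote address and is active on the Public profile, so a host with a public IP and no NAT device in front of it has that port open to the whole internet.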

  12. #52
    Ext User(jameshanley39@yahoo.co.uk) Guest

    Re: firewall on budget ?

    On Jul 24, 2:39 am, Leythos <v...@nowhere.lan> wrote:
    > In article <1185235335.550334.183...@n60g2000hse.googlegroups.com>,
    > jameshanle...@yahoo.co.uk says...
    >
    >
    >
    >
    >
    > > On Jul 23, 1:03 pm, Leythos <v...@nowhere.lan> wrote:
    > > > In article <1185185208.751091.229...@k79g2000hse.googlegroups.com>,
    > > > jameshanle...@yahoo.co.uk says...

    >
    > > > > On Jul 22, 11:44 pm, Leythos <v...@nowhere.lan> wrote:
    > > > > > In article <1185142179.733331.202...@d55g2000hsg.googlegroups.com>,
    > > > > > jameshanle...@yahoo.co.uk says...

    >
    > > > > > > A DSL device that doesn't use NAT is so hard to find, I don't know
    > > > > > > anybody in the UK that has one.

    >
    > > > > > > I'm asking this as a theoretical question , in the sense that i'm not
    > > > > > > considering recommending them over NAT, so you needn't fear that!

    >
    > > > > > You don't want to look at cheap devices then, you want to use a Firewall
    > > > > > Appliance in "Drop-In" mode - it still filters traffic based on rules,
    > > > > > but it allows all ports (jacks) to have the same public IP.

    >
    > > > > > There is also 1:1 NAT, so that a single PUBLIC IP is routed to a single
    > > > > > LAN IP.

    >
    > > > > > Why would you not want NAT?

    >
    > > > > > --

    >
    > > > > > Leythos

    >
    > > > > I would use NAT. But i'm wondering, theoretically, and since you say
    > > > > it's a shame some end users don't use NAT, and ISPs should make it
    > > > > mandatory.

    >
    > > > > What end users on DSL, don't use NAT . What devices are they buying,
    > > > > can you link me to any? presumably you've seen some.

    >
    > > > Every DSL device I've seen can be set up for NAT or Routed mode - it's in
    > > > the DSL Maintenance screen on their devices. I know a bunch of people,
    > > > like SBS/Yahoo DSL, that get a public IP from their DSL service.

    >
    > > If it's set for Routed mode (by this you mean no NAT), do you then need
    > > a public IP for your router and a (different) public IP for the
    > > computer connected to it?

    >
    > > Do you have in mind such end users - that have 2 public IPs?

    >
    > Many users want firewall functions that don't have to include NAT as one
    > of them - they might have public facing servers and just want to protect
    > them.
    >
    > The ports (WAN, LAN, DMZ) on the firewall all have the same IP, provided
    > by the ISP's device; you route traffic between them using rules.
    >
    > So x.y.c.v:80 on WAN can be routed to x.y.c.v:80 on LAN while
    > x.y.c.v:443 can be routed to x.y.c.v:443 on DMZ.
    >
    > You can do this with as many IPs as you want - the condition being that
    > one combination of IP:PORT can only be routed to one destination.
    >


    Oddly enough, what you describe as not using NAT looks like NAT: one
    IP for the router. You could've said that there isn't an IP on the
    router's ports (which would make sense also because what is going on in
    that area uses ports and isn't routing!). In fact, it looks like NAT
    and PAT!

    Furthermore, in the system you describe, a machine on the LAN or on
    the DMZ would still need a unique IP address, distinct from
    the firewall-router appliance.

    If the computers (on the DMZ or LAN ) had private addresses, then it
    really looks like NAT now!

    If a DSL user doesn't have one of these firewall-router appliances,
    then in that instance, would he need 2 different public IPs, one for
    his router and one for his computer?



    > > BTW, you mention you know people that "get public IP from their DSL
    > > service". Who has an ISP and doesn't get that?

    >
    > Many people don't get it, many DSL providers have their routers set to
    > NAT by default.
    >


    Then their DSL service does provide a public IP. Their router gets
    it.



  15. #55
    Ext User(Leythos) Guest

    Re: firewall on budget ?

    In article <1185277078.502314.145240@g4g2000hsf.googlegroups.com>,
    jameshanley39@yahoo.co.uk says...
    > On Jul 24, 2:39 am, Leythos <v...@nowhere.lan> wrote:
    > > In article <1185235335.550334.183...@n60g2000hse.googlegroups.com>,
    > > jameshanle...@yahoo.co.uk says...
    > >
    > >
    > >
    > >
    > >
    > > > On Jul 23, 1:03 pm, Leythos <v...@nowhere.lan> wrote:
    > > > > In article <1185185208.751091.229...@k79g2000hse.googlegroups.com>,
    > > > > jameshanle...@yahoo.co.uk says...

    > >
    > > > > > On Jul 22, 11:44 pm, Leythos <v...@nowhere.lan> wrote:
    > > > > > > In article <1185142179.733331.202...@d55g2000hsg.googlegroups.com>,
    > > > > > > jameshanle...@yahoo.co.uk says...

    > >
    > > > > > > > A DSL device that doesn't use NAT is so hard to find, I don't know
    > > > > > > > anybody in the UK that has one.

    > >
    > > > > > > > I'm asking this as a theoretical question , in the sense that i'm not
    > > > > > > > considering recommending them over NAT, so you needn't fear that!

    > >
    > > > > > > You don't want to look at cheap devices then, you want to use a Firewall
    > > > > > > Appliance in "Drop-In" mode - it still filters traffic based on rules,
    > > > > > > but it allows all ports (jacks) to have the same public IP.

    > >
    > > > > > > There is also 1:1 NAT, so that a single PUBLIC IP is routed to a single
    > > > > > > LAN IP.

    > >
    > > > > > > Why would you not want NAT?

    > >
    > > > > > > --

    > >
    > > > > > > Leythos

    > >
    > > > > > I would use NAT. But i'm wondering, theoretically, and since you say
    > > > > > it's a shame some end users don't use NAT, and ISPs should make it
    > > > > > mandatory.

    > >
    > > > > > What end users on DSL, don't use NAT . What devices are they buying,
    > > > > > can you link me to any? presumably you've seen some.

    > >
    > > > > Every DSL device I've seen can be set up for NAT or Routed mode - it's in
    > > > > the DSL Maintenance screen on their devices. I know a bunch of people,
    > > > > like SBS/Yahoo DSL, that get a public IP from their DSL service.

    > >
    > > > If it's set for Routed mode (by this you mean no NAT), do you then need
    > > > a public IP for your router and a (different) public IP for the
    > > > computer connected to it?

    > >
    > > > Do you have in mind such end users - that have 2 public IPs?

    > >
    > > Many users want firewall functions that don't have to include NAT as one
    > > of them - they might have public facing servers and just want to protect
    > > them.
    > >
    > > The ports (WAN, LAN, DMZ) on the firewall all have the same IP, provided
    > > by the ISP's device; you route traffic between them using rules.
    > >
    > > So x.y.c.v:80 on WAN can be routed to x.y.c.v:80 on LAN while
    > > x.y.c.v:443 can be routed to x.y.c.v:443 on DMZ.
    > >
    > > You can do this with as many IPs as you want - the condition being that
    > > one combination of IP:PORT can only be routed to one destination.
    > >

    >
    > Oddly enough, what you describe as not using NAT looks like NAT: one
    > IP for the router. You could've said that there isn't an IP on the
    > router's ports (which would make sense also because what is going on in
    > that area uses ports and isn't routing!). In fact, it looks like NAT
    > and PAT!
    >
    > Furthermore, in the system you describe, a machine on the LAN or on
    > the DMZ would still need a unique IP address, distinct from
    > the firewall-router appliance.
    >
    > If the computers (on the DMZ or LAN ) had private addresses, then it
    > really looks like NAT now!
    >
    > If a DSL user doesn't have one of these firewall-router appliances,
    > then in that instance, would he need 2 different public IPs, one for
    > his router and one for his computer?
    >
    >
    >
    > > > BTW, you mention you know people that "get public IP from their DSL
    > > > service". Who has an ISP and doesn't get that?

    > >
    > > Many people don't get it, many DSL providers have their routers set to
    > > NAT by default.
    > >

    >
    > Then their DSL service does provide a public IP. Their router gets
    > it.


    Are you trying to be difficult or just missing the point?

    --

    Leythos
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)

  16. #56
    Ext User(Hexalon) Guest

    Re: firewall on budget ?

    On Jul 22, 12:07 am, Computerflyer <computerfl...@gmail.com> wrote:
    > On Jul 22, 1:39 pm, Leythos <v...@nowhere.lan> wrote:
    >
    >
    >
    > > In article <1185074631.141883.271...@z24g2000prh.googlegroups .com>,
    > > nasra...@yahoo.com says...

    >
    > > > On Jul 22, 12:03 pm, Leythos <v...@nowhere.lan> wrote:
    > > > > In article <1185073133.439352.249...@e9g2000prf.googlegroups. com>,
    > > > > nasra...@yahoo.com says...

    >
    > > > > > Hi there,

    >
    > > > > > I have a PC built for me, and I installed Windows XP SP2 on it. I
    > > > > > presume I need to put a firewall and antivirus on it to ward off worms
    > > > > > and viruses. I am more concerned about the firewall. I installed
    > > > > > ZoneAlarm Free Edition, and it worked alright. However, it always
    > > > > > bothered me by asking me to pay up, so that I uninstalled it. My
    > > > > > computer is currently running on the in-built Windows firewall. Is
    > > > > > this OK?

    >
    > > > > > As an antivirus, I am using AVG Free Edition, and it seems to be doing its
    > > > > > job. Also, I can get a corporate edition of Trend Micro's PC-cillin
    > > > > > from my employer for little money; should I get it? Thanks.

    >
    > > > > A simple NAT router will do more and better than ZAP or Windows XP
    > > > > Firewall in most all cases. Linksys BEFSR41 or a wireless version is
    > > > > under $50 and provides protection from inbound attacks.

    >
    > > > My early experience with connecting a PC with no firewall to the
    > > > Internet (via dial up) shows that it gets infected with a worm within
    > > > 20 minutes. So that now I always put a firewall between my PC and the
    > > > Internet. Now my PC is connected to the Internet via a NetComm NB5
    > > > ADSL2+ modem router. You think this will repel the worms?

    >
    > > The NAT router blocks "unsolicited" connections to the PC, it's sort of
    > > a 1 way filter - it lets you out, but only lets external sites
    > > talk/reach your PC if you contact them first.

    >
    > > Many people use NAT routers as their primary protection method with no
    > > firewall at all and have no problems.

    >
    > > Security is more than the firewall, it's not using easy-to-compromise
    > > apps, keeping updates installed, not doing things that put you in harm's
    > > way, monitoring your firewall logs (as you can easily monitor the
    > > Linksys devices for in/out traffic), and many other things.

    >
    > > If your address is not a private address then your Modem is not doing
    > > NAT, and if you have a live public IP then you're screwed without a
    > > barrier device.

    >
    > > --

    >
    > > Leythos
    > > - Igitur qui desiderat pacem, praeparet bellum.
    > > - Calling an illegal alien an "undocumented worker" is like calling a
    > > drug dealer an "unlicensed pharmacist"
    > > spam999f...@rrohio.com (remove 999 for proper email address)

    >
    > Check out ghostwall. It resembles a rule based router-firewall more
    > than a bloatware internet protection package. If you are savvy enough
    > to set it up, it works as advertised.


    NAT is a cheap way to shield you from the outside world but if you
    have UPnP disabled and good security practices you shouldn't need
    super fancy expensive protection. The PC-Cillin you can get from work
    should be adequate protection since that will protect both directions,
    whereas the Windows firewall is only one way. NAT is more than a one
    way filter. It allows multiple computers to appear to have one public
    IP instead of multiple IPs. With the proper subnet mask you can
    control access.
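    The two mechanisms argued over in this thread, the stateful "lets you out, but only lets a site reach you if you contacted it first" behaviour of a NAT router quoted above, and the earlier rule that one public IP:PORT can be forwarded to only one destination, as an added Python model that is not code from any poster; the `NatGateway`, `Packet` and `demo` names and the RFC 5737 sample addresses are constructed for illustration.

    ```python
    from dataclasses import dataclass, field
    from typing import Dict, Optional, Tuple

    Addr = Tuple[str, int]  # (ip, port) pair

    @dataclass
    class Packet:
        src: Addr
        dst: Addr

    @dataclass
    class NatGateway:
        """Toy stateful NAT/PAT gateway (hypothetical, for illustration)."""
        public_ip: str
        next_port: int = 40000
        # dynamic entries: (public_port, remote peer) -> private source address
        dynamic: Dict[Tuple[int, Addr], Addr] = field(default_factory=dict)
        by_flow: Dict[Tuple[Addr, Addr], int] = field(default_factory=dict)
        # static forwards: public_port -> exactly one inside destination
        static: Dict[int, Addr] = field(default_factory=dict)

        def add_forward(self, public_port: int, inside: Addr) -> None:
            """One public IP:PORT may be routed to only one destination."""
            if public_port in self.static:
                raise ValueError(f"port {public_port} already forwarded")
            self.static[public_port] = inside

        def outbound(self, pkt: Packet) -> Packet:
            flow = (pkt.src, pkt.dst)
            port = self.by_flow.get(flow)
            if port is None:  # first packet of this flow: allocate a port
                port = self.next_port
                self.next_port += 1
                self.by_flow[flow] = port
                self.dynamic[(port, pkt.dst)] = pkt.src
            return Packet((self.public_ip, port), pkt.dst)

        def inbound(self, pkt: Packet) -> Optional[Packet]:
            """Forward replies to known flows or static forwards; drop the rest."""
            if pkt.dst[0] != self.public_ip:
                return None
            port = pkt.dst[1]
            if port in self.static:
                return Packet(pkt.src, self.static[port])
            inside = self.dynamic.get((port, pkt.src))
            if inside is None:
                return None  # unsolicited: nobody inside talked to this peer
            return Packet(pkt.src, inside)

    def demo() -> dict:
        """Constructed sample traffic using RFC 5737 documentation addresses."""
        gw = NatGateway(public_ip="198.51.100.1")
        gw.add_forward(443, ("192.168.1.20", 443))  # DMZ web server
        out = gw.outbound(Packet(("192.168.1.10", 51000), ("203.0.113.5", 80)))
        reply = gw.inbound(Packet(("203.0.113.5", 80), out.src))   # forwarded
        probe = gw.inbound(Packet(("203.0.113.9", 4444), ("198.51.100.1", 445)))
        stale = gw.inbound(Packet(("203.0.113.9", 4444), out.src))  # dropped
        https = gw.inbound(Packet(("203.0.113.7", 55000), ("198.51.100.1", 443)))
        return {"out": out, "reply": reply, "probe": probe, "stale": stale, "https": https}
    ```

    The `probe` and `stale` cases are what the router drops on the floor: a scan of an unmapped port, and a packet from a peer the inside host never talked to, even though it targets a port that is currently in use.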


  17. #57
    Ext User(Leythos) Guest

    Re: firewall on budget ?

    In article <4p7ba3lda8gjog60cmhsthopa77or4qbq3@4ax.com>,
    b__nice@hotmail.com says...
    > Post SP2 this is becoming much less of a problem. The biggest problem
    > still is malware spread through websites, e-mail and file sharing.
    > Your suggestion won't seriously protect us from the "ignorant masses".


    Actually, depending on the NAT device, you can block downloads of many
    malware infectors via HTTP. Not much one can do about SMTP type
    infectors unless they have their own mini-mail server or a standard
    server as other firewall products can clean SMTP sessions.

    So, again, the NAT device provides MORE/Better protection than Windows
    Firewall in all cases.

    --

    Leythos
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)

  18. #58
    Ext User(Leythos) Guest

    Re: firewall on budget ?

    In article <c48ba3pgssu69n8pketh9hmg0a256goub7@4ax.com>,
    b__nice@hotmail.com says...
    > On Sun, 22 Jul 2007 16:11:29 -0400, Leythos <void@nowhere.lan> wrote:
    >
    > >Actually, the windows firewall is a bad concept from the start - people
    > >think they are protected, but many machines have file/printer sharing
    > >enabled and an exception for it, and many people run as local admin, so,
    > >it's easy to subvert the firewall with simple malware, even non-malware
    > >apps subvert it without warning.

    >
    > Your idea that since the "ignorant masses" aren't immediately able to
    > cope with a concept doesn't mean the concept itself is bad. The WF is
    > a very good concept. It's the way it's used that causes the problem.


    And in the real world it means that it's just a bad product.

    > The other firewalls mentioned earlier continue to promote and support
    > the idea of running as admin. And *that* is a bad concept.


    And other firewalls, while still able to compromise them, have a much
    better reporting/alert system than the report-nothing WF does.

    --

    Leythos
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)

  19. #59
    Ext User(jameshanley39@yahoo.co.uk) Guest

    Re: firewall on budget ?

    On Jul 24, 2:39 am, Leythos <v...@nowhere.lan> wrote:
    > In article <1185235335.550334.183...@n60g2000hse.googlegroups .com>,
    > jameshanle...@yahoo.co.uk says...
    >
    >
    >
    >
    >
    > > On Jul 23, 1:03 pm, Leythos <v...@nowhere.lan> wrote:
    > > > In article <1185185208.751091.229...@k79g2000hse.googlegroups .com>,
    > > > jameshanle...@yahoo.co.uk says...

    >
    > > > > On Jul 22, 11:44 pm, Leythos <v...@nowhere.lan> wrote:
    > > > > > In article <1185142179.733331.202...@d55g2000hsg.googlegroups .com>,
    > > > > > jameshanle...@yahoo.co.uk says...

    >
    > > > > > > A DSL device that doesn't use NAT is so hard to find, I don't know
    > > > > > > anybody in the UK that has one.

    >
    > > > > > > I'm asking this as a theoretical question, in the sense that I'm not
    > > > > > > considering recommending them over NAT, so you needn't fear that!

    >
    > > > > > You don't want to look at cheap devices then, you want to use a Firewall
    > > > > > Appliance in "Drop-In" mode - it still filters traffic based on rules,
    > > > > > but it allows all ports (jacks) to have the same public IP.

    >
    > > > > > There is also 1:1 NAT, so that a single PUBLIC IP is routed to a single
    > > > > > LAN IP.

    >
    > > > > > Why would you not want NAT?

    >
    > > > > > --

    >
    > > > > > Leythos

    >
    > > > > I would use NAT. But I'm wondering, theoretically, and since you say
    > > > > it's a shame some end users don't use NAT, and ISPs should make it
    > > > > mandatory.

    >
    > > > > What end users on DSL don't use NAT? What devices are they buying;
    > > > > can you link me to any? Presumably you've seen some.

    >
    > > > Every DSL device I've seen can be setup for NAT or Routed mode - it's in
    > > > the DSL Maintenance screen on their devices. I know a bunch of people,
    > > > like SBS/Yahoo DSL that get public IP from their DSL service.

    >
    > > If it's set for Routed mode (by this you mean no NAT), do you then need
    > > a public IP for your router, and a (different) public IP for the
    > > computer connected to it?

    >
    > > Do you have in mind such end users - that have 2 public IPs?

    >
    > Many users want firewall functions that don't have to include NAT as one
    > of them - they might have public facing servers and just want to protect
    > them.
    >
    > The ports (WAN, LAN, DMZ) on the firewall all have the same IP provided
    > by the ISP's device; you route traffic between them using rules.
    >
    > So x.y.c.v:80 on WAN can be routed to x.y.c.v:80 on LAN while
    > x.y.c.v:443 can be routed to x.y.c.v:443 on DMZ.
    >
    > You can do this with as many IPs as you want - the condition being that
    > one combination of IP:PORT can only be routed to one destination.
    >


    Oddly enough, what you describe as not using NAT looks like NAT: one
    IP for the router. You could've said that there isn't an IP on the
    router's ports (which would make sense also because what is going on in
    that area uses ports and isn't routing!). In fact, it looks like NAT
    and PAT!

    Furthermore, in the system you describe, a machine on the LAN or on
    the DMZ would still need a unique IP address though, distinct from
    the firewall-router appliance.

    If the computers (on the DMZ or LAN) had private addresses, then it
    really looks like NAT now!

    If a DSL user doesn't have one of these firewall-router appliances,
    then in that instance, would he need 2 different public IPs, one for
    his router and one for his computer?



    > > BTW, you mention you know people that "get public IP from their DSL
    > > service". Who has an ISP and doesn't get that?

    >
    > Many people don't get it, many DSL providers have their routers set to
    > NAT by default.
    >


    Then their DSL service does provide a public IP. Their router gets
    it.



  20. #60
    Ext User(jameshanley39@yahoo.co.uk) Guest

    Re: firewall on budget ?

    On Jul 24, 4:42 pm, Leythos <v...@nowhere.lan> wrote:
    > In article <1185277078.502314.145...@g4g2000hsf.googlegroups. com>,
    > jameshanle...@yahoo.co.uk says...
    >
    >
    >
    >
    >
    > > On Jul 24, 2:39 am, Leythos <v...@nowhere.lan> wrote:
    > > > In article <1185235335.550334.183...@n60g2000hse.googlegroups .com>,
    > > > jameshanle...@yahoo.co.uk says...

    >
    > > > > On Jul 23, 1:03 pm, Leythos <v...@nowhere.lan> wrote:
    > > > > > In article <1185185208.751091.229...@k79g2000hse.googlegroups .com>,
    > > > > > jameshanle...@yahoo.co.uk says...

    >
    > > > > > > On Jul 22, 11:44 pm, Leythos <v...@nowhere.lan> wrote:
    > > > > > > > In article <1185142179.733331.202...@d55g2000hsg.googlegroups .com>,
    > > > > > > > jameshanle...@yahoo.co.uk says...

    >
    > > > > > > > > A DSL device that doesn't use NAT is so hard to find, I don't know
    > > > > > > > > anybody in the UK that has one.

    >
    > > > > > > > > I'm asking this as a theoretical question, in the sense that I'm not
    > > > > > > > > considering recommending them over NAT, so you needn't fear that!

    >
    > > > > > > > You don't want to look at cheap devices then, you want to use a Firewall
    > > > > > > > Appliance in "Drop-In" mode - it still filters traffic based on rules,
    > > > > > > > but it allows all ports (jacks) to have the same public IP.

    >
    > > > > > > > There is also 1:1 NAT, so that a single PUBLIC IP is routed to a single
    > > > > > > > LAN IP.

    >
    > > > > > > > Why would you not want NAT?

    >
    > > > > > > > --

    >
    > > > > > > > Leythos

    >
    > > > > > > I would use NAT. But I'm wondering, theoretically, and since you say
    > > > > > > it's a shame some end users don't use NAT, and ISPs should make it
    > > > > > > mandatory.

    >
    > > > > > > What end users on DSL don't use NAT? What devices are they buying;
    > > > > > > can you link me to any? Presumably you've seen some.

    >
    > > > > > Every DSL device I've seen can be setup for NAT or Routed mode - it's in
    > > > > > the DSL Maintenance screen on their devices. I know a bunch of people,
    > > > > > like SBS/Yahoo DSL that get public IP from their DSL service.

    >
    > > > > If it's set for Routed mode (by this you mean no NAT), do you then need
    > > > > a public IP for your router, and a (different) public IP for the
    > > > > computer connected to it?

    >
    > > > > Do you have in mind such end users - that have 2 public IPs?

    >
    > > > Many users want firewall functions that don't have to include NAT as one
    > > > of them - they might have public facing servers and just want to protect
    > > > them.

    >
    > > > The ports (WAN, LAN, DMZ) on the firewall all have the same IP provided
    > > > by the ISP's device; you route traffic between them using rules.

    >
    > > > So x.y.c.v:80 on WAN can be routed to x.y.c.v:80 on LAN while
    > > > x.y.c.v:443 can be routed to x.y.c.v:443 on DMZ.

    >
    > > > You can do this with as many IPs as you want - the condition being that
    > > > one combination of IP:PORT can only be routed to one destination.

    >
    > > Oddly enough, what you describe as not using NAT looks like NAT: one
    > > IP for the router. You could've said that there isn't an IP on the
    > > router's ports (which would make sense also because what is going on in
    > > that area uses ports and isn't routing!). In fact, it looks like NAT
    > > and PAT!

    >
    > > Furthermore, in the system you describe, a machine on the LAN or on
    > > the DMZ would still need a unique IP address though, distinct from
    > > the firewall-router appliance.

    >
    > > If the computers (on the DMZ or LAN) had private addresses, then it
    > > really looks like NAT now!

    >
    > > If a DSL user doesn't have one of these firewall-router appliances,
    > > then in that instance, would he need 2 different public IPs, one for
    > > his router and one for his computer?

    >
    > > > > BTW, you mention you know people that "get public IP from their DSL
    > > > > service". Who has an ISP and doesn't get that?

    >
    > > > Many people don't get it, many DSL providers have their routers set to
    > > > NAT by default.

    >
    > > Then their DSL service does provide a public IP. Their router gets
    > > it.

    >
    > Are you trying to be difficult or just missing the point?
    >


    At this point, I don't understand you since you have stopped addressing
    the problems I've mentioned.

    I really can only understand that which I recognise as technically
    correct. *For example*

    I have no idea what you mean when you say that with NAT, "their DSL
    service doesn't provide a public IP". I know what that statement
    would mean technically, and I'd say it's wrong: the 'DSL service'
    does provide a public IP, and that IP goes to the router.
    I know you know that, and that you don't mean that.
    But I still don't know what you do mean. (By me pointing that out, it
    didn't mean that I was telling you some basic point. But it makes it
    fairly clear why I don't know what you mean.)

    Similarly with the other issue we discussed, where I wrote an
    objection. You discussed a system which you said didn't use NAT. But
    to me, a router with one IP forwarding to different physical ports
    based on TCP port looks like NAT and PAT. Almost a textbook case of
    it.

    I can only read what you're writing in a technical way, without
    reading things in. It's not because I'm trying to be difficult. But I
    haven't physically seen the different systems that you have. My
    understanding is based on a technical reading of the words you write.

    If you would address the objections then I might understand you. If
    you quit then I won't. At least now your posts are archived, you won't
    have to repeat yourself. I don't see relating to technical queries one
    knows as difficult. It's more difficult to turn this into a
    discussion where you claim I'm trying to be difficult, and I respond
    that I'm not. To have such a discussion would make things more
    difficult.

    As you can see, judging by the amount I've had to write to give you as
    complete an answer as possible. But I'd rather discuss the technical
    aspects, and what you mean. Not this philosophical point that I'm sure
    you too feel leads nowhere. At least technical discussion would've led/
    would lead somewhere, if you had pursued/do pursue it.

    As I said. There's no harm. You don't have to worry about having to
    repeat yourself, as people do so often in this newsgroup. Things are
    archived.

    You'll notice the technical discussion was short and sweet, only a
    succinct line or paragraph. No reason to leave that for a non-
    technical philosophical marathon. I hope we can now leave discussion
    of the response to the philosophical question you asked, and get back
    to the concise technical discussion we were having.



