Re: 56k dial up on laptop 802.11G ?



Duane Arnold <notme@xxxxxxxxx> wrote:
>floyd@xxxxxxxxxx (Floyd L. Davidson)
>> Duane Arnold <Notme@xxxxxxxxx> wrote:
>>>Floyd L. Davidson wrote:
>>>> The Linksys WRT54G series of wireless routers all have firewall
>>>> software.
>>>
>>>No NAT router is running FW software in the traditional sense. The
>>>manufacturers of the product can hype it all they want as being a
>>>solution that's running FW software.
>>
>> Lots of words, but what do you mean? What, for example, is "the
>> traditional sense"? I'm really hard pressed to see how the
>> Linux firewall is not a firewall...
>
>The traditional sense being that packet filtering rules cannot be set on
>the router that can stop both inbound and outbound traffic by port,
>protocol, or IP.

I am no expert on firewalls, but as near as I can tell this
example:

http://www.linuxhelp.net/guides/iptables/

Suggests otherwise.

>I can set a rule with the Watchguard to do the following:
>
>Rule stop outbound traffic
>
>1) LAN IP(s) 192.168.111.2 through 192.168.111.5 outbound
>2) Protocol HTTP
>3) Remote destination IP(s) 207.169.222.56 through 207.169.222.60
>
>Or rule to stop inbound
>
>1) Remote IP 207.222.777.66 inbound
>2) Port 119
>3) LAN IP(s) 192,168.111.7 through 192.168.111.10
>
>That's an example where I can set filtering rules with the Watchguard
>that I cannot do with the 54g.
>
>The 54G cannot set those rules.

I don't see why not. As noted, I'm not much on firewalls, but
what I read in the man page for iptables seems to say that all
of the above can be done.

>I don't think the TOP Guns in that NG will consider the WRT54G to be an
>appliance that's running a FW. If you have read something that indicates
>that the 54G or any Linksys router is running FW software, then those
>posts were by posters such as yourself with the misconception that a
>Linksys router is running FW software or a NAT router for home usage is
>running FW software. So again, I ask you to drop a line in the FW NG
>about a Linksys NAT 54G or otherwise router as to it or them being an
>appliance that's running FW software by those that use the product
>solutions as part of their livelihood.

Hmmm... here is what you wrote, two years ago, in
Message-ID: <Xns93B6CCD8CC3C3notmenotmecom@xxxxxxxxxxxxxx>

"That WRT54G doesn't have a firewall. It has NAT and SPI. A
router with a true firewall start at about $500 and up.

http://www.homenethelp.com/web/explain/about-NAT.asp"

However, when we look at the URL, it contradicts what you say
about SPI (emphasis added),

"Stateful packet inspection (SPI)

*Some* *NAT* *routers* *have* *an* *advanced* *form* *of* *firewall* *built*
*in* *that* *does* *'stateful* *packet* *inspection'*. ... SPI is a
general term that can describe a router that filters more
kinds of attacks than basic NAT by closely examining
packet data structures.
http://www.homenethelp.com/web/explain/about-NAT.asp


Okay... So you at least know that the WRT54G does indeed have
both NAT and SPI. Some people at least say that SPI in itself
constitutes an "advanced" firewall. In fact though, what is
described as SPI might be different from one model/manufacturer
to another.

Here is a URL with a definition, and which *clearly* indicates
that the Linux implementation is indeed an "advanced form of
firewall".

http://dmiessler.com/study/iptables/

>>>If the WRT54G can meet all the specs below, then it's an appliance
>>>running FW software. If the WRT54G cannot meet the specs, then it's
>>>not an appliance that's running FW software.
>>
>> So tell us just what "spec" below is not fully met by the
>> standard Linux firewall in a WRT54G? And, please explain what
>> difference it makes whether it is an "appliance" or not?
[repeat of previous "spec" deleted]

>The specs being that a FW solution whether it's running on an appliance
>or a host solution running on a gateway computer using the specs above
>can set filtering rules to *stop* inbound or outbound traffic by port,
>protocol, IP or packet attribute.

Yes yes, but the question was about just what part of that spec
is not fully met by a WRT54G. Near as I can tell, it does
everything on your list.

>So tell me where in the Wrt54g manual that the NAT router can set those
>rules.

Read the man page for /iptables/, which configures the kernel
firewall functionality.

....
>> Why do you say that? I found one message where *you* provide a
>> URL, which says the WRT's firewall is "an advanced form of
>> firewall". I seem to recall where *you* had good things to say
>> about the firewall in Suse Linux.
>
>The software FW running on Suse Linux and the firmware running on the 54G
>even though they are Linux solutions are not the same thing.

They are *identical*.

>> You do realize that the WRT54G runs Linux and has the same
>> firewall built into the kernel as any other Linux, right? Do
>> you have a WRT54G, and/or know what is in it?
>
>Heck the BEFW11S4 v1 router I had was running a Linux solution.

Did it have the kernel firewall modules enabled?

>Again I ask you to drop a line and ask the question to the Top Guns in
>the FW NG about a Linksys NAT router running FW software. And as far as
>that is concerned, my Watchguard is running Linux too.

And just what comparisons can you draw from "your" Watchguard
running Linux compared to other equipment (also running Linux).
Does your particular Watchguard use iptables?

>>>The NAT routers are good enough in
>>>the protection as long as one is not doing high risk things like port
>>>forwarding.
>>
>> Please explain what you mean. And be specific about how it
>> applies to a Linux router.
>
>When I port forward 80 to an IP/machine behind the Watchguard that has a
>Web server running, I am insured that only HTTP traffic comes down that
>port or if it was 20 and 21 that only FTP traffic comes down the ports,
>dropping all other traffic that tries to come down the ports, as an
>example.

In fact I don't think that is true. But to whatever degree it
is true, the *exact* same functionality is available to the
WRT54G via iptables as is available to your Watchguard. In any
case I don't think it is examining the *data* load of a packet
and trying to parse whether it is indeed valid for any given
protocol.

>> I am certainly no expert on firewalls, but I just don't see a
>> thing in that list which the WRT54G doesn't do.
>>
>
>Rule stop outbound traffic
>
>1) LAN IP(s) 192.168.111.2 through 192.168.111.5 outbound
>2) Protocol HTTP
>3) Remote destination IP(s) 207.169.222.56 through 207.169.222.60
>Internet IP(s)
>
>Or rule to stop inbound
>
>1) Remote IP 207.222.777.66 inbound Internet IP(s)
>2) Port 119
>3) LAN IP(s) 192,168.111.7 through 192.168.111.10
>
>Stop outbound from a LAN IP
>
>1) LAN IP 192.168.111.3
>2) Ports 1-66535 TCP, UDP or protocol number
>3) Destination LAN IP(s) *ANY*
>4) OR 192.168.111.5 through 192.168.111.10
>
>The link may help in understanding FW solutions and a packet filtering
>router is no match to FW appliance, even a low-end FW appliance.
>
>http://www.more.net/technical/netserv/tcpip/firewalls/

So you actually think that iptables cannot do the same things?

>I only bring this whole thing up because some people may have more plans
>for his or her setup like hosting a Web server and should know the
>difference between a packet filtering NAT router that one may or may not
>be able to set rules as opposed to FW appliance and the differences. The
>link above explains it in detail.

How does that apply to our conversation about the firewall provided
by Linux?

>Again a NAT router is a border device and is good in the protection for
>the average home user; until high risk things are done with the router
>then all bets are off.

But NAT is not the only facility provided, right?

--
Floyd L. Davidson <http://web.newsguy.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) floyd@xxxxxxxxxx
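
The three filtering rules quoted in this thread, written as iptables commands (an added example, not part of the original post and not taken from the WRT54G firmware). It assumes an iptables build with the iprange match, uses 203.0.113.66 as a constructed stand-in for the remote address, and only prints the commands rather than applying them.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables commands for the quoted rules.
# -I puts each DROP ahead of any ACCEPT rules already in the FORWARD chain.

# valid_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|"") return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# range_arg SIDE RANGE: print the iprange option for "A" or "A-B"; "any" prints nothing.
range_arg() {
    [ "$2" = any ] && return 0
    valid_ipv4 "${2%-*}" && valid_ipv4 "${2#*-}" || return 1
    echo " --$1-range ${2%-*}-${2#*-}"
}

# drop_rule SRC DST [PROTO DPORT]: print one DROP rule, or fail on a bad address.
drop_rule() {
    s=$(range_arg src "$1") && d=$(range_arg dst "$2") || return 1
    rule="iptables -I FORWARD"
    if [ -n "$s$d" ]; then rule="$rule -m iprange$s$d"; fi
    if [ -n "${3:-}" ]; then rule="$rule -p $3 -m $3 --dport $4"; fi
    echo "$rule -j DROP"
}

# ruleset: the three rules from the thread, one command per line.
ruleset() {
    # LAN .2-.5 may not reach HTTP (tcp/80) on 207.169.222.56-60.
    drop_rule 192.168.111.2-192.168.111.5 207.169.222.56-207.169.222.60 tcp 80 || return 1
    # A remote host may not reach port 119 on LAN .7-.10. 203.0.113.66 is a
    # constructed stand-in: 207.222.777.66 fails valid_ipv4 (octet above 255).
    drop_rule 203.0.113.66 192.168.111.7-192.168.111.10 tcp 119 || return 1
    # LAN .3 may not send anything out, whatever the protocol or port.
    drop_rule 192.168.111.3 any
}

ruleset
```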