Re: 56k dial up on laptop 802.11G ?
- From: Duane Arnold <Notme@xxxxxxxxx>
- Date: Wed, 27 Jul 2005 04:08:33 GMT
Floyd L. Davidson wrote:
> Duane Arnold <notme@xxxxxxxxx> wrote:
>>floyd@xxxxxxxxxx (Floyd L. Davidson)
>>> Duane Arnold <Notme@xxxxxxxxx> wrote:
>>>>Floyd L. Davidson wrote:
>>>>> The Linksys WRT54G series of wireless routers all have firewall
>>>>> software.
>>>>
>>>>No NAT router is running FW software in the traditional sense. The
>>>>manufacturers of the product can hype it all they want as being a
>>>>solution that's running FW software.
>>>
>>> Lots of words, but what do you mean? What, for example, is "the
>>> traditional sense"? I'm really hard pressed to see how the
>>> Linux firewall is not a firewall...
>>
>>The traditional sense being that packet filtering rules cannot be set on
>>the router that can stop both inbound and outbound traffic by port,
>>protocol, or IP.
>
> I am no expert on firewalls, but as near as I can tell this
> example:
>
> http://www.linuxhelp.net/guides/iptables/
>
> Suggests otherwise.
What does IPtables have to do with the out of the box firmware of a WRT54G
NAT router? OH, could it be that you're talking about firmware that is not
the out of the box firmware?
>
>>I can set a rule with the Watchguard to do the following:
>>
>>Rule stop outbound traffic
>>
>>1) LAN IP(s) 192.168.111.2 through 192.168.111.5 outbound
>>2) Protocol HTTP
>>3) Remote destination IP(s) 207.169.222.56 through 207.169.222.60
>>
>>Or rule to stop inbound
>>
>>1) Remote IP 207.222.777.66 inbound
>>2) Port 119
>>3) LAN IP(s) 192.168.111.7 through 192.168.111.10
>>
>>That's an example where I can set filtering rules with the Watchguard
>>that I cannot do with the 54g.
>>
>>The 54G cannot set those rules.
>
> I don't see why not. As noted, I'm not much on firewalls, but
> what I read in the man page for iptables seems to say that all
> of the above can be done.
>
What does IPtables have to do with the out of the box firmware of a WRT54G
NAT router? OH, could it be that you're talking about firmware that is not
the out of the box firmware?
>>I don't think the TOP Guns in that NG will consider the WRT54G to be an
>>appliance that's running a FW. If you have read something that indicates
>>that the 54G or any Linksys router is running FW software, then those
>>posts were by posters such as yourself with the misconception that a
>>Linksys router is running FW software or a NAT router for home usage is
>>running FW software. So again, I ask you to drop a line in the FW NG
>>about a Linksys NAT 54G or otherwise router as to it or them being an
>>appliance that's running FW software by those that use the product
>>solutions as part of their livelihood.
>
> Hmmm... here is what you wrote, two years ago, in
> Message-ID: <Xns93B6CCD8CC3C3notmenotmecom@xxxxxxxxxxxxxx>
That's frekin two years ago and is based on my knowledge then at the time.
>
> "That WRT54G doesn't have a firewall. It has NAT and SPI. A
> router with a true firewall start at about $500 and up.
>
> http://www.homenethelp.com/web/explain/about-NAT.asp"
>
> However, when we look at the URL, it contradicts what you say
> about SPI (emphasis added),
>
> "Stateful packet inspection (SPI)
>
> *Some* *NAT* *routers* *have* *an* *advanced* *form* *of* *firewall*
> *built* *in* *that* *does* *'stateful* *packet* *inspection'*. ... SPI is
> a general term that can describe a router that filters more
> kinds of attacks than basic NAT by closely examining
> packet data structures.
> http://www.homenethelp.com/web/explain/about-NAT.asp
Yeah, yeah true and the operative word there is *form* of a FW built in and
SPI alone doesn't make it an appliance running FW software in the
traditional sense. And you'll notice even then I was not calling the 54G
something that was running *true* FW software.
>
>
> Okay... So you at least know that the WRT54G does indeed have
> both NAT and SPI. Some people at least say that SPI in itself
> constitutes an "advanced" firewall. In fact though, what is
> described as SPI might be different from one model/manufacturer
> to another.
Yeah I know that.
So somehow you're going to tell me that NAT and SPI is a total FW solution
right and NAT is FW software.
>
> Here is a URL with a definition, and which *clearly* indicates
> that the Linux implementation is indeed an "advanced form of
> firewall".
>
> http://dmiessler.com/study/iptables/
What does IPtables have to do with the out of the box firmware of a WRT54G
NAT router? OH, could it be that you're talking about firmware that is not
the out of the box firmware?
>
>>>>If the WRT54G can meet all the specs below, then it's an appliance
>>>>running FW software. If the WRT54G cannot meet the specs, then it's
>>>>not an appliance that's running FW software.
>>>
>>> So tell us just what "spec" below is not fully met by the
>>> standard Linux firewall in a WRT54G? And, please explain what
>>> difference it makes whether it is an "appliance" or not?
> [repeat of previous "spec" deleted]
>
>>The specs being that a FW solution whether it's running on an appliance
>>or a host solution running on a gateway computer using the specs above
>>can set filtering rules to *stop* inbound or outbound traffic by port,
>>protocol, IP or packet attribute.
>
> Yes yes, but the question was about just what part of that spec
> is not fully met by a WRT54G. Near as I can tell, it does
> everything on your list.
I read the user manual for the Linksys WRT54G about its FW capabilities the
one out of the box. And I see nowhere that rules for inbound and outbound
traffic can be set like it can be set for packet filtering like they can be
for the WG. I see no ability to set a FW service for the Linksys like it
can be set for the WG.
>
>>So tell me where in the Wrt54g manual that the NAT router can set those
>>rules.
>
> Read the man page for /iptables/, which configures the kernel
> firewall functionality.
What does IPtables have to do with the out of the box firmware of a WRT54G
NAT router? OH, could it be that you're talking about firmware that is not
the out of the box firmware?
>
> ...
>>> Why do you say that? I found one message where *you* provide a
>>> URL, which says the WRT's firewall is "an advanced form of
>>> firewall". I seem to recall where *you* had good things to say
>>> about the firewall in Suse Linux.
>>
>>The software FW running on Suse Linux and the firmware running on the 54G
>>even though they are Linux solutions are not the same thing.
>
> They are *identical*.
What does IPtables have to do with the out of the box firmware of a WRT54G
NAT router? OH, could it be that you're talking about firmware that is not
the out of the box firmware?
>
>>> You do realize that the WRT54G runs Linux and has the same
>>> firewall built into the kernel as any other Linux, right? Do
>>> you have a WRT54G, and/or know what is in it?
>>
>>Heck the BEFW11S4 v1 router I had was running a Linux solution.
>
> Did it have the kernel firewall modules enabled?
The 11S4 V1 router came out the door with SPI and that was removed from the
firmware long ago because Linksys couldn't get it to work properly and it
was removed for all versions of the 11S4 router the last time I looked. SPI
was the only FW like feature the 11S4 routers had that I knew about the
last time I looked.
>
>>Again I ask you to drop a line and ask the question to the Top Guns in
>>the FW NG about a Linksys NAT router running FW software. And as far as
>>that is concerned, my Watchguard is running Linux too.
>
> And just what comparisons can you draw from "your" Watchguard
> running Linux compared to other equipment (also running Linux).
> Does your particular Watchguard use iptables?
What are you talking about here? How in the HELL did this conversation turn
from a WRT54G NAT router and its firmware out of the box to a WRT54G is now
running iptables? And what does iptables have to do with the WG that I am
using. I could care less about the WG using iptables. I could care less
about it using Linux as far as that is concerned. As long as the WG is
doing what I am asking it to do with the ability to set the rules I need
and its other abilities, I could care less about it. It could be the
Mickey Mouse kernel I could care less about it. :)
>
>>>>The NAT routers are good enough in
>>>>the protection as long as one is not doing high risk things like port
>>>>forwarding.
>>>
>>> Please explain what you mean. And be specific about how it
>>> applies to a Linux router.
>>
>>When I port forward 80 to an IP/machine behind the Watchguard that has a
>>Web server running, I am insured that only HTTP traffic comes down that
>>port or if it was 20 and 21 that only FTP traffic comes down the ports,
>>dropping all other traffic that tries to come down the ports, as an
>>example.
>
> In fact I don't think that is true. But to whatever degree it
> is true, the *exact* same functionality is available to the
> WRT54G via iptables as is available to your Watchguard. In any
> case I don't think it is examining the *data* load of a packet
> and trying to parse whether it is indeed valid for any given
> protocol.
Well you're wrong about it and I am going to go with what I have been told
by others who are *FW experts*, which you have indicated that you're not
one and they do make a living at and I suspect know more than you or I
about it.
>
>>> I am certainly no expert on firewalls, but I just don't see a
>>> thing in that list which the WRT54G doesn't do.
>>>
>>
>>Rule stop outbound traffic
>>
>>1) LAN IP(s) 192.168.111.2 through 192.168.111.5 outbound
>>2) Protocol HTTP
>>3) Remote destination IP(s) 207.169.222.56 through 207.169.222.60
>>Internet IP(s)
>>
>>Or rule to stop inbound
>>
>>1) Remote IP 207.222.777.66 inbound Internet IP(s)
>>2) Port 119
>>3) LAN IP(s) 192,168.111.7 through 192.168.111.10
>>
>>Stop outbound from a LAN IP
>>
>>1) LAN IP 192.168.111.3
>>2) Ports 1-66535 TCP, UDP or protocol number
>>3) Destination LAN IP(s) *ANY*
>>4) OR 192.168.111.5 through 192.168.111.10
>>
>>The link may help in understanding FW solutions and a packet filtering
>>router is no match to FW appliance, even a low-end FW appliance.
>>
>>http://www.more.net/technical/netserv/tcpip/firewalls/
>
> So you actually think that iptables cannot do the same things?
What are you talking about here? I looked at the user manual for the WRT54G
as it comes right out of the box. You show me where it's doing the above.
OH, could it be that you're talking about firmware that is not the out of
the box firmware?
>
>>I only bring this whole thing up because some people may have more plans
>>for his or her setup like hosting a Web server and should know the
>>difference between a packet filtering NAT router that one may or may not
>>be able to set rules as opposed to FW appliance and the differences. The
>>link above explains it in detail.
>
> How does that apply to our conversation about the firewall provided
> by Linux?
>
How did the conversation period come away from the firmware that comes with
the WRT54G NAT router out of the box? OH, could it be that you're talking
about firmware that is not the out of the box firmware?
>>Again a NAT router is a border device and is good in the protection for
>>the average home user; until high risk things are done with the router
>>then all bets are off.
>
> But NAT is not the only facility provided, right?
Yeah my WG uses NAT too. So what?
It's just like anything else, software can be implemented in a device to
enhance its abilities. The firmware that comes with the Linksys Wrt54g out
of the box doesn't meet the specs for something that's running FW software,
which is what I am talking about. I do know that the 54g has some 3rd party
firmware solutions that can be implemented that's apparently using iptables
and I am happy for you.
And I doubt that the 3rd party firmware that's running on the 54g using
iptables can match the abilities of my low-end WG firewall appliance or a
high-end one that cost thousands of dollars.
And most devices such as routers and FW appliances run Linux.
<snip>
Definitions of IPtables on the Web:
The Linux *packet filtering* tool that is used by SmoothWall to provide
firewalling capabilities.
www.smoothwall.net/support/glossary.html
In computer networking, netfilter, along with its companion iptables, are
collectively a software extension to the Linux operating system that
implements a stateful firewall framework. It also enables other networking
features such as network address translation (NAT). Although netfilter is
an extension to Linux, it is included in all major Linux distributions that
use the 2.4 or 2.6 kernel. Netfilter does not work with Linux kernels older
than version 2.4.
en.wikipedia.org/wiki/Iptables
Or you can go read the information in the link I provided, which is snipped
below and packet filters have strengths and weaknesses. I am able to make the
adjustments and understand the differences between a packet filtering NAT
router and a FW appliance.
<snip>
Packet Filtering Router
A packet filtering router is a router configured to screen packets between
two networks. It routes traffic between the two networks and uses packet
filtering rules to permit or deny traffic. Implementing security with a
router is usually not that easy. Most routers were designed to route
traffic, not to provide firewall functionality, so the command interface
used for configuring rules and filters is neither simple nor intuitive.
Dual-homed Gateway
A dual-homed gateway typically sits behind the gateway (usually a router) to
the untrusted network and most often is a host system with two network
interfaces. Traffic forwarding on this system is disabled, thereby forcing
all traffic between the two networks to pass through some kind of
application gateway or proxy. Only gateways or proxies for the services
that are considered essential are installed on the system. This particular
architecture will usually require user authentication before access to the
gateway/proxy is allowed. Each proxy is independent of all other proxies on
the host system.
Firewall Appliance
A firewall appliance typically sits behind the gateway (usually a router) to
the untrusted network. This architecture resembles the *packet filtering*
router and *dual-homed Gateway* architectures in that all traffic must pass
through the appliance. In most instances these appliances come
pre-configured on their own box. They may also have other services built
in, such as Web servers and e-mail servers. Because they usually don't need
the extensive configuration that other firewalls often require, they are
touted as being much simpler and faster to use. Some manufacturers market
them as "plug-and-play" firewall solutions.
<snip>
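
The rule shapes listed in the message (direction, source range, protocol/port, destination range) can be modelled as a first-match stateless packet filter. This is an added example, not part of the original post and not any vendor's rule engine. Assumptions: "HTTP" is modelled as TCP destination port 80, port 119 as TCP, the remote address 203.0.113.66 is a constructed placeholder, and unmatched traffic is accepted.

```python
import ipaddress
from dataclasses import dataclass

def ip_range(first, last=None):
    """Inclusive IPv4 range as a pair of integers."""
    return (int(ipaddress.IPv4Address(first)),
            int(ipaddress.IPv4Address(last or first)))

ANY_IP = ip_range("0.0.0.0", "255.255.255.255")
ANY_PORT = (0, 65535)

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str   # "out" = LAN to Internet, "in" = Internet to LAN
    proto: str       # "tcp", "udp" or "any"
    src: tuple
    dst: tuple
    dports: tuple
    action: str = "drop"

# Constructed rule set mirroring the three rule shapes in the message.
# Assumptions: HTTP = TCP/80, port 119 = TCP, 203.0.113.66 is a placeholder.
RULES = [
    Rule("no-http-out", "out", "tcp",
         ip_range("192.168.111.2", "192.168.111.5"),
         ip_range("207.169.222.56", "207.169.222.60"), (80, 80)),
    Rule("no-119-in", "in", "tcp", ip_range("203.0.113.66"),
         ip_range("192.168.111.7", "192.168.111.10"), (119, 119)),
    Rule("block-host-out", "out", "any",
         ip_range("192.168.111.3"), ANY_IP, ANY_PORT),
]

def within(value, bounds):
    return bounds[0] <= value <= bounds[1]

def decide(direction, proto, src, dst, dport, rules=RULES, default="accept"):
    """Return (action, rule name) for the first matching rule, else the default."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for r in rules:
        if (r.direction == direction and r.proto in ("any", proto)
                and within(s, r.src) and within(d, r.dst)
                and within(dport, r.dports)):
            return r.action, r.name
    return default, "default-policy"

if __name__ == "__main__":
    print(decide("out", "tcp", "192.168.111.4", "207.169.222.58", 80))
    print(decide("out", "tcp", "192.168.111.4", "207.169.222.58", 8080))
```

Because the match is on header fields only, the second call (same hosts, port 8080) falls through to the default policy.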