Re: 56k dial up on laptop 802.11G ?



Jeff Liebermann wrote:

> On Thu, 28 Jul 2005 13:12:31 GMT, Duane Arnold <Notme@xxxxxxxxx>
> wrote:
>
>>> So, are you now a believer that I can control outgoing traffic without
>>> installing ZoneAlarm on every client or do I have to give you a login
>>> on my WRT54 so you can see for yourself?
>
>>Iptables is a packet filter that can stop inbound and outbound. With the
>>54G NAT router using SPI and IPtables, it is a hardware device that fits
>>the definition of a network firewall. I think that I mentioned that to the
>>other poster.
>
> I'm not sure how SPI got into the discussion. We were discussing
> whether an "NAT firewall" is considered a "real" firewall. I contend
> that NAT is a real firewall because it functions to protect the LAN
> side from attack from the WAN. Again, I don't care how this function
> is performed, including a dog sniffing packets and barking when it
> finds an attack. I contend that anything that protects the LAN is a
> firewall. I respect your right to disagree.

The simplest form of a FW is a router that separates two networks. The
network it's protecting from is usually the Internet and the network it's
protecting is the LAN.
>
> However, now you've expanded the discussion to SPI which is a complex
> service sitting on top of a packet filter. The packet filter simply
> looks at the header and makes decisions based on a comparatively
> simple rule set. SPI allows the rule set to be expanded to the
> contents, traffic patterns, other ports, and general pattern matching.
> This is useful for detecting attacks like port scans, corrupted
> packets, SYN floods, etc.

I know all about SPI.

>
> I think part of the problem is that many cheapo routers demand that
> NAT be used. They literally cannot route or do anything useful
> without NAT being enabled. In the default configuration, the WRT54
> uses NAT which cannot be turned off. I think I can hack the IPtables
> and IPmasq settings to turn off NAT, but it appears difficult (but not
> impossible).
>
> http://www.webopedia.com/TERM/S/stateful_inspection.html

You do what you want. I myself would just leave it alone. :)
>
>>If iptables was not in the mix, then no I would not consider the 54g using
>>NAT and SPI to be a device that's a network FW.
>
> I read this to say that the WRT54G is a "real" firewall.

It has the means to stop outbound traffic and fits the definition of a
network FW. How many times do I have to say it?

>
>>As far as NAT is concerned, it's mapping technology or a translator that
>>maps an IP from one network, the outside network, to another IP inside
>>another network. And it allows the sharing of a single public IP by multiple
>>IP(s)/machines on a LAN.
>
> So far, we agree.
>
>>It doesn't control traffic flow by using
>>filtering rules to control the traffic, therefore, it doesn't fit the
>>definition of a FW software.
>
> It most certainly does. NAT is a feature that translates WAN IP
> addresses to LAN IP Port Numbers. Officially, Cisco calls this PAT or
> Port Address Translation but everyone else calls it NAT. The
> "traffic" rule is something like "reject anything from outside that
> doesn't have a corresponding session originating from inside". That
> certainly controls traffic in my opinion. It's admittedly a rather
> coarse rule.

That's your interpretation of it. My view is different and I'll leave it at
that.

>
> Summary: In my opinion, ANYTHING that protects access to an inside
> LAN from an outside WAN is a firewall. I don't care how said
> protection is accomplished.

I am a programmer and they are programs, so I care about what program is doing
what -- the roles, why and how it's being accomplished.

That's the nature of a programmer looking at programs and I have been doing
that since 1980. They are just programs and nothing else.

Duane :)
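
The two behaviours argued over in this thread, as an added example that is not part of either poster's message: a simplified model of port address translation in which inbound packets are dropped only because no session entry exists, while outbound traffic is stopped only when an explicit filter rule is present. The class name, addresses and ports are constructed for illustration, and real routers differ in how strictly they match sessions.

```python
# Added illustration; class name, addresses and ports are constructed.
from dataclasses import dataclass, field

@dataclass
class PatRouter:
    wan_ip: str
    blocked_out_ports: set = field(default_factory=set)  # explicit filter rules
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # wan_port -> session tuple

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """LAN -> WAN: return translated (ip, port), or None if filtered."""
        if remote_port in self.blocked_out_ports:
            return None  # dropped by the packet filter, not by translation
        key = (lan_ip, lan_port, remote_ip, remote_port)
        for wan_port, sess in self.table.items():
            if sess == key:
                return (self.wan_ip, wan_port)  # reuse the existing mapping
        wan_port = self.next_port
        self.next_port += 1
        self.table[wan_port] = key
        return (self.wan_ip, wan_port)

    def inbound(self, remote_ip, remote_port, wan_port):
        """WAN -> LAN: return LAN (ip, port), or None if no session matches."""
        sess = self.table.get(wan_port)
        if sess is None or sess[2:] != (remote_ip, remote_port):
            return None  # nothing inside asked for this traffic
        return sess[:2]

def demo():
    nat_only = PatRouter("203.0.113.5")
    filtered = PatRouter("203.0.113.5", blocked_out_ports={25})
    src = nat_only.outbound("192.168.1.10", 51000, "198.51.100.7", 80)
    return {
        # Reply from the server the client contacted is translated back.
        "reply": nat_only.inbound("198.51.100.7", 80, src[1]),
        # A different host hitting the same WAN port has no session.
        "unsolicited": nat_only.inbound("198.51.100.99", 4444, src[1]),
        # Translation alone never refuses an outbound connection.
        "nat_only_smtp": nat_only.outbound("192.168.1.10", 51001, "198.51.100.7", 25),
        # The same connection with an outbound rule in place.
        "filtered_smtp": filtered.outbound("192.168.1.10", 51001, "198.51.100.7", 25),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} {result}")
```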


