Linksys WRT54G and Firewall software

on 25.03.2007 22:15:40 by rhoover12

Hello.

I'm using a Linksys WRT54G with one wired PC and one wireless laptop. Do I
need to run firewall software also? I had been using EZ Armor FW and Virus,
but the desktop slowed to a crawl. After removing the firewall software
(accidentally), it runs normally again. This PC isn't exactly a powerhouse,
but it's OK for my needs.

How bad is it (and how dumb am I) if I don't re-install the software FW? Do
I really need it, seeing as how both PCs are running behind the router?

Thanks, from an obvious amateur.

Re: Linksys WRT54G and Firewall software

on 25.03.2007 22:21:12 by "Mr. Arnold"

R.User wrote:
> Hello.
>
> I'm using a Linksys WRT54G with one wired PC and one wireless laptop. Do I
> need to run firewall software also? I had been using EZ Armor FW and Virus,
> but the desktop slowed to a crawl. After removing the firewall software
> (accidently), it runs normally again. This PC isn't exactly a powerhouse,
> but it's OK for my needs.
>
> How bad is it (and how dumb am I) if I don't re-install the software FW? Do
> I really need it, seeing as how both PCs are running behind the router?
>
> Thanks, from an obvious amateur.
>
>

If you're not concerned about someone hacking the LAN on the wireless
side of the router and hacking a computer on the LAN wired or wireless,
then you don't need a personal FW.

Re: Linksys WRT54G and Firewall software

on 25.03.2007 23:08:57 by unknown

Post removed (X-No-Archive: yes)

Re: Linksys WRT54G and Firewall software

on 25.03.2007 23:51:13 by rhoover12

HAAAaaa!!

Ok, Ok... Now that I'm a certified nitwit, and having received the "1D10T"
error message, I'm going to reinstall both.

Thanks.


"Sebastian Gottschalk" wrote in message
news:56o6meF28cbb7U2@mid.dfncis.de...
> R.User wrote:
>> I'm using a Linksys WRT54G with one wired PC and one wireless laptop. Do
>> I
>> need to run firewall software also?
>
> No. Why do you think so?
>
>> I had been using EZ Armor FW and Virus,
>> but the desktop slowed to a crawl. After removing the firewall software
>> (accidently), it runs normally again. This PC isn't exactly a powerhouse,
>> but it's OK for my needs.
>>
>> How bad is it (and how dumb am I) if I don't re-install the software FW?
>
> Not at all.
>
>> Do I really need it, seeing as how both PCs are running behind the
>> router?
>
> Even if there wasn't any router, there would be no need for it. Where
> exactly should such a need come from?

Re: Linksys WRT54G and Firewall software

on 26.03.2007 00:25:00 by Maximum Dog9

R.User wrote:
> HAAAaaa!!
>
> Ok, Ok... Now that I'm a certified nitwit, and having received the "1D10T"
> error message, I'm going to reinstall both.
>
> Thanks.
>
>
> "Sebastian Gottschalk" wrote in message
> news:56o6meF28cbb7U2@mid.dfncis.de...
>
>>R.User wrote:
>>
>>>I'm using a Linksys WRT54G with one wired PC and one wireless laptop. Do
>>>I
>>>need to run firewall software also?
>>
>>No. Why do you think so?
>>
>>
>>>I had been using EZ Armor FW and Virus,
>>>but the desktop slowed to a crawl. After removing the firewall software
>>>(accidently), it runs normally again. This PC isn't exactly a powerhouse,
>>>but it's OK for my needs.
>>>
>>>How bad is it (and how dumb am I) if I don't re-install the software FW?
>>
>>Not at all.
>>
>>
>>>Do I really need it, seeing as how both PCs are running behind the
>>>router?
>>
>>Even if there wasn't any router, there would be no need for it. Where
>>exactly should such a need come from?
>
>
>

You can forget about what SG the lip dribbling specialist is talking
about. His lips cut deep with nothing supporting his lip drivel, pay him
no mind.

He is no help to anyone as usual.

It's a sad situation for him and the NG as he sits there personally
slobbering waiting for someone to post about a personal FW.

Re: Linksys WRT54G and Firewall software

on 26.03.2007 00:45:46 by Leythos

On Sun, 25 Mar 2007 16:15:40 -0400, R.User wrote:

> Hello.
>
> I'm using a Linksys WRT54G with one wired PC and one wireless laptop. Do I
> need to run firewall software also? I had been using EZ Armor FW and Virus,
> but the desktop slowed to a crawl. After removing the firewall software
> (accidently), it runs normally again. This PC isn't exactly a powerhouse,
> but it's OK for my needs.
>
> How bad is it (and how dumb am I) if I don't re-install the software FW? Do
> I really need it, seeing as how both PCs are running behind the router?
>
> Thanks, from an obvious amateur.

1) You don't need a personal firewall when you are behind a NAT device
that provides a private network without anything port forwarded.

2) Your wireless needs to be secured, if not already, to keep outsiders
off your Laptop and desktop - if you have exposed your wireless without
locking it down you have also exposed your laptop and your PC.

3) The Windows non-firewall included in XP SP2 will be more than enough,
but, if you take your laptop to other networks (school, work, friends) it
won't be enough in most cases.

4) If you use your laptop on OTHER networks you really need to learn how
to check the Windows TCP/IP Settings, disable File/Printer sharing when
you are not home, and how to adjust/check the Windows XP SP2 non-firewall
settings for "Exceptions".

5) More important than a firewall, when behind a NAT router, is the
Antivirus software and your security methods - like not running as an
Administrator (best to run as a limited user), installing Firefox, not
using Outlook Express or Outlook if you use POP3 for email....

As you can see from the reply you got from SG, it's worthless, doesn't
explain anything, and has no content worth reading.

Let us know if you can do the above 5 items.


--
Leythos
spam999free@rrohio.com (remove 999 for proper email address)

Re: Linksys WRT54G and Firewall software

on 26.03.2007 02:43:57 by Gerald Vogt

Leythos wrote:
> 1) You don't need a personal firewall when you are behind a NAT device
> that provides a private network without anything port forwarded.
>
> 3) The windows non-firewall included in XP SP2 will be more than enough,
> but, if you take your laptop to other networks (school, work, friends) it
> won't be enough in most cases.

That is not conclusive: The NAT does block (most) incoming connections.
The XP SP2 firewall does block all (most) incoming connections when
configured with no exceptions.

Where is the difference which explains why something else than the XP
SP2 FW is needed elsewhere?
>
> 4) If you use your laptop on OTHER networks you really need to learn how
> to check the Windows TCP/IP Settings, disable File/Printer sharing when
> you are not home, and how to adjust/check the Windows XP SP2 non-firewall
> settings for "Exceptions".

Again contradictory to 3): if you think you need something else than the
XP SP2 firewall in other networks and you are running another brand
"non-firewall" software then the recommendation should be to check that
the XP SP2 firewall is turned off and the 3rd party "non-firewall" is
on. Two or more firewalls running on a computer result on average in
less security than a single one as it is unpredicted what actually is
blocked and what not and by which firewall which will jeopardize the
consistency of and state table in any firewall (as they are generally
stateful).

> 5) More important than a firewall, when behind a NAT router, is the
> Antivirus software and your security methods - like not running as an
> Administrator (best to run as a limited user), installing Fire Fox, not
> using Outlook Express or Outlook if you use POP3 for email....

Most important to keep your system up-to-date and reduce the number of
software on your computer. The less software you are running the less is
vulnerable. The less software the less you have to check for updates
manually if it does not come with automatic updates. Subscribe to some
good security notification lists like the one from Microsoft or US-Cert.
Then you get timely notification of updates and you can update very quickly.

If you do all this you are very likely that your AntiVirus will never
ever report anything relevant and thus will prove itself superfluous.

Gerald

Re: Linksys WRT54G and Firewall software

on 26.03.2007 03:01:40 by Gerald Vogt

By the way:

Leythos wrote:
> As you can see from the reply you got from SG, it's worthless, doesn't
> explain anything, and has no content worth reading.

Where exactly do you explain anything?

Leythos wrote:
> 1) You don't need a personal firewall when you are behind a NAT device
> that provides a private network without anything port forwarded.

Not here. So why?

> 3) The windows non-firewall included in XP SP2 will be more than enough,
> but, if you take your laptop to other networks (school, work, friends) it
> won't be enough in most cases.

Not here. So why?

> 4) If you use your laptop on OTHER networks you really need to learn how
> to check the Windows TCP/IP Settings, disable File/Printer sharing when
> you are not home, and how to adjust/check the Windows XP SP2 non-firewall
> settings for "Exceptions".

Not here. So why?

> 5) More important than a firewall, when behind a NAT router, is the
> Antivirus software and your security methods - like not running as an
> Administrator (best to run as a limited user), installing Fire Fox, not
> using Outlook Express or Outlook if you use POP3 for email....

Not here. So why?

Thus following your own conclusion, your post "has no content worth
reading."

Gerald

Re: Linksys WRT54G and Firewall software

on 26.03.2007 03:06:25 by Leythos

On Mon, 26 Mar 2007 09:43:57 +0900, Gerald Vogt wrote:

> Leythos wrote:
>> 1) You don't need a personal firewall when you are behind a NAT device
>> that provides a private network without anything port forwarded.
>>
>> 3) The windows non-firewall included in XP SP2 will be more than enough,
>> but, if you take your laptop to other networks (school, work, friends) it
>> won't be enough in most cases.
>
> That is not conclusive: The NAT does block (most) incoming connections.
> The XP SP2 firewall does block all (most) incoming connections when
> configured with no exceptions.

It blocks intrusions, but what holes does it have that have not yet been
exposed? What about the next one that's found and exposes the system?

> Where is the difference which explains why something else then the XP
> SP2 FW is needed elsewhere?

The NAT router is the better first line of defense when it can be used,
but, as the OP mentions wireless, well, you can't NAT a wireless
connection - what I mean is that the wireless connection is from the
router to the laptop, there is no intermediate NAT between the wireless
and the laptop - so, anything that makes it to the wireless also makes it
to the laptop unless it's got some form of localized firewall.

>> 4) If you use your laptop on OTHER networks you really need to learn how
>> to check the Windows TCP/IP Settings, disable File/Printer sharing when
>> you are not home, and how to adjust/check the Windows XP SP2 non-firewall
>> settings for "Exceptions".
>
> Again contradictory to 3): if you think you need something else than the
> XP SP2 firewall in other networks and you are running a other brand
> "non-firewall" software then the recommendation should be to check that
> the XP SP2 firewall is turned off and the 3rd party "non-firewall" is
> on. Two or more firewalls running on a computer result on average in
> less security then a single one as it is unpredicted what actually is
> blocked and what not and by which firewall which will jeopardize the
> consistency of and state table in any firewall (as they are generally
> stateful).

I never mentioned another firewall application, not a single one, not even
suggesting it. Stop playing the old/tired mantra.

>> 5) More important than a firewall, when behind a NAT router, is the
>> Antivirus software and your security methods - like not running as an
>> Administrator (best to run as a limited user), installing Fire Fox, not
>> using Outlook Express or Outlook if you use POP3 for email....
>
> Most important to keep your system up-to-date and reduce the number of
> software on your computer. The less software you are running the less is
> vulnerable. The less software the less you have to check for updates
> manually if it does not come with automatic updates. Subscribe to some
> good security notification lists like the one from Microsoft or US-Cert.
> Then you get timely notification of updates and you can update very quickly.
>
> If you do all this you are very likely that your AntiVirus will never
> ever report anything relevant and thus will prove itself superfluous.

So you mean that if you access email, through POP3, that you don't need
antivirus? So, you mean that if you download via FTP or other, since the
net has more than just MS and Cert, that you don't really need AV?

Come on, AV is mandatory, even as a limited user, for anyone running an
OS that can be exploited by malware.


--
Leythos
spam999free@rrohio.com (remove 999 for proper email address)

Re: Linksys WRT54G and Firewall software

on 26.03.2007 03:06:34 by Thor Kottelin

Hello R.,

As an addition to the other replies you have received, I would like to
point out that a software firewall can allow or disallow access based on
the owner process. This allows you to deny outgoing access for certain
applications while allowing it for others.

Regards,

--
Thor Kottelin
CISM, CISSP
telefax +358 102 961 064
thor@anta.net, PGP 0x327B7345
http://www.anta.net/

Re: Linksys WRT54G and Firewall software

on 26.03.2007 03:07:45 by Leythos

On Mon, 26 Mar 2007 10:01:40 +0900, Gerald Vogt wrote:

> By the way:
>
> Leythos wrote:
>> As you can see from the reply you got from SG, it's worthless, doesn't
>> explain anything, and has no content worth reading.
>
> Where exactly do you explain anything?
>
> Leythos wrote:
>> 1) You don't need a personal firewall when you are behind a NAT device
>> that provides a private network without anything port forwarded.
>
> Not here. So why?
>
>> 3) The windows non-firewall included in XP SP2 will be more than enough,
>> but, if you take your laptop to other networks (school, work, friends) it
>> won't be enough in most cases.
>
> Not here. So why?
>
>> 4) If you use your laptop on OTHER networks you really need to learn how
>> to check the Windows TCP/IP Settings, disable File/Printer sharing when
>> you are not home, and how to adjust/check the Windows XP SP2 non-firewall
>> settings for "Exceptions".
>
> Not here. So why?
>
>> 5) More important than a firewall, when behind a NAT router, is the
>> Antivirus software and your security methods - like not running as an
>> Administrator (best to run as a limited user), installing Fire Fox, not
>> using Outlook Express or Outlook if you use POP3 for email....
>
> Not here. So why?
>
> Thus following your own conclusion, your post "has no content worth
> reading."

If you can't read the suggestions that explain, then you can't understand
English and just troll like SG does.


--
Leythos
spam999free@rrohio.com (remove 999 for proper email address)

Re: Linksys WRT54G and Firewall software

on 26.03.2007 03:31:25 by Maximum Dog9

Gerald Vogt wrote:
> Leythos wrote:
>
>> 1) You don't need a personal firewall when you are behind a NAT device
>> that provides a private network without anything port forwarded.
>>
>> 3) The windows non-firewall included in XP SP2 will be more than enough,
>> but, if you take your laptop to other networks (school, work, friends) it
>> won't be enough in most cases.
>
>
> That is not conclusive: The NAT does block (most) incoming connections.
> The XP SP2 firewall does block all (most) incoming connections when
> configured with no exceptions.


I am trying to figure out what you are talking about. The above
statement makes no sense. The XP packet filter blocks all (most)
incoming connections. And the NAT router blocks (most) incoming connections.

What does that have to do with the #3 statement when all that's being
stated is that the XP FW may not be good enough when the OP's machine is
not connected to the OP's network.
>
> Where is the difference which explains why something else then the XP
> SP2 FW is needed elsewhere?

If the OP wanted to set a rule to stop outbound packets from leaving the
machine, which the XP packet filter cannot do is one difference.
>
>>
>> 4) If you use your laptop on OTHER networks you really need to learn how
>> to check the Windows TCP/IP Settings, disable File/Printer sharing when
>> you are not home, and how to adjust/check the Windows XP SP2 non-firewall
>> settings for "Exceptions".
>
>
> Again contradictory to 3): if you think you need something else than the
> XP SP2 firewall in other networks and you are running a other brand
> "non-firewall" software then the recommendation should be to check that
> the XP SP2 firewall is turned off and the 3rd party "non-firewall" is
> on.

Anyone with any expertise would know not to be double firewalled so as
to not block packets that would normally reach the machine, if not for
the double FW situation.

> Two or more firewalls running on a computer result on average in
> less security then a single one as it is unpredicted what actually is
> blocked and what not and by which firewall which will jeopardize the
> consistency of and state table in any firewall (as they are generally
> stateful).

The poster never said that. Where are you coming up with this conclusion
that it was even said by the poster?

You're reading into it what you want to read into it.
>
>> 5) More important than a firewall, when behind a NAT router, is the
>> Antivirus software and your security methods - like not running as an
>> Administrator (best to run as a limited user), installing Fire Fox, not
>> using Outlook Express or Outlook if you use POP3 for email....
>
>
> Most important to keep your system up-to-date and reduce the number of
> software on your computer. The less software you are running the less is
> vulnerable.

This makes no sense. The point of the computer is to run software.
That's why computers were invented, other than that, just connect a
computerized toaster oven to the Internet.


> The less software the less you have to check for updates
> manually if it does not come with automatic updates.

That's life in the big city.

> Subscribe to some
> good security notification lists like the one from Microsoft or US-Cert.
> Then you get timely notification of updates and you can update very
> quickly.

That's about the only thing you have said that makes some kind of sense.
>
> If you do all this you are very likely that your AntiVirus will never
> ever report anything relevant and thus will prove itself superfluous.

No one is going to do it. So why even bring it up.

If this is the advice you're giving your users, then they should kick
you to the curb.

Re: Linksys WRT54G and Firewall software

on 26.03.2007 03:35:20 by Maximum Dog9

Gerald Vogt wrote:


>
> Thus following your own conclusion, your post "has no content worth
> reading."

And neither are your two posts here worth reading either.

Re: Linksys WRT54G and Firewall software

on 26.03.2007 03:43:20 by Gerald Vogt

Leythos wrote:
>>> 3) The windows non-firewall included in XP SP2 will be more than enough,
>>> but, if you take your laptop to other networks (school, work, friends) it
>>> won't be enough in most cases.
>> That is not conclusive: The NAT does block (most) incoming connections.
>> The XP SP2 firewall does block all (most) incoming connections when
>> configured with no exceptions.
>
> It blocks intrusions, but what holes does it have that have not yet been
> exposed? What about the next one that's found and exposes the system?

Vulnerabilities which have not yet been exposed are always a problem. But
you have the same problem with a NAT router, too. For the XP SP2
firewall it has been very much tested. NAT routers don't undergo that
thorough tests simply because they are not used so much out there.

Plus: it is in the nature of NAT that there is a lot of guessing
involved which ports to open and which not. The router must let response
packets in and must figure out where to send it. Thus, if you use a
packet sniffer or use some logging functions on the computer you'll see
that some unsolicited packets occasionally get through.

>> Where is the difference which explains why something else then the XP
>> SP2 FW is needed elsewhere?
>
> The NAT router is the better first line of defense when it can be used,

The XP SP2 FW with no exceptions on a computer directly connected to the
internet is protecting the computer better than a NAT router. NAT does
not provide the protection like a properly setup packet filter.

> but, as the OP mentions wireless, well, you can't NAT a wireless
> connection - what I mean is that the wireless connection is from the
> router to the laptop, there is no intermediate NAT between the wireless
> and the laptop - so, anything that makes it to the wireless also makes it
> to the laptop unless it's got some form of localized firewall.

That does not explain why the computer would need another (different)
firewall from the XP SP2 FW when it is connected to other networks.

>>> 4) If you use your laptop on OTHER networks you really need to learn how
>>> to check the Windows TCP/IP Settings, disable File/Printer sharing when
>>> you are not home, and how to adjust/check the Windows XP SP2 non-firewall
>>> settings for "Exceptions".
>> Again contradictory to 3): if you think you need something else than the
>> XP SP2 firewall in other networks and you are running a other brand
>> "non-firewall" software then the recommendation should be to check that
>> the XP SP2 firewall is turned off and the 3rd party "non-firewall" is
>> on. Two or more firewalls running on a computer result on average in
>> less security then a single one as it is unpredicted what actually is
>> blocked and what not and by which firewall which will jeopardize the
>> consistency of and state table in any firewall (as they are generally
>> stateful).
>
> I never mentioned another firewall application, not a single one, not even
> suggesting it. Stop playing the old/tired mantra.

Well you wrote: "The windows non-firewall included in XP SP2 will be
more than enough, but, if you take your laptop to other networks (school,
work, friends) it won't be enough in most cases.". If it is not a 3rd
party firmware then what else do you need? You don't explain it. I have
guess you have thought of a 3rd party firmware. If it is not, then you
really have to explain what would fill the "not enough" if the computer
is in other networks.

>>> 5) More important than a firewall, when behind a NAT router, is the
>>> Antivirus software and your security methods - like not running as an
>>> Administrator (best to run as a limited user), installing Fire Fox, not
>>> using Outlook Express or Outlook if you use POP3 for email....
>> Most important to keep your system up-to-date and reduce the number of
>> software on your computer. The less software you are running the less is
>> vulnerable. The less software the less you have to check for updates
>> manually if it does not come with automatic updates. Subscribe to some
>> good security notification lists like the one from Microsoft or US-Cert.
>> Then you get timely notification of updates and you can update very quickly.
>>
>> If you do all this you are very likely that your AntiVirus will never
>> ever report anything relevant and thus will prove itself superfluous.
>
> So you mean that if you access email, through POP3, that you don't need
> antivirus? So, you mean that if you download via FTP or other, since the
> net has more than just MS and Cert, that you don't really need AV?

I access my e-mails through pop3 and imap. I don't need antivirus. Why
should I need antivirus? For what? The antivirus usually does not show
any useful messages. All the antivirus potentially did was damaging my
mail folders when the mail program downloaded an old blaster from my
pop3 box and annoyed me with some 20 virus access warnings (which I had
to allow each time) until I was able to delete the virus e-mail from my
Inbox and emptied the trash. The computer was at no time at any danger
still the antivirus will give you a hard time to do what you are
supposed to do with a virus e-mail: DELETE.

And what should I download via FTP for which I need an antivirus? Can
you be more specific?

> Come one, AV is mandatory, even as a limited user, for anyone running an
> OS that can be exploited by malware.

No. I don't have AV nor FW. I run as limited user. I don't know why it
should be mandatory. As there is no 100% security anything can
potentially be exploited by malware. But the best protection against
malware is still me. As I am better than some AV which well slows down
my computer it is an easy choice for me.

Gerald
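
The disagreement above about what a NAT router lets in can be made concrete with a small model. This is an added example, not part of any post and not a description of the WRT54G firmware: it is a simplified NAPT table using the two filtering behaviours named in RFC 4787, with constructed addresses from the documentation ranges and an assumed 120-second mapping timeout.

```python
"""Toy model of a home NAPT router's inbound handling (constructed example)."""
from dataclasses import dataclass, field

EIF = "endpoint-independent"          # any outside host may use a live mapping
APDF = "address-and-port-dependent"   # only the contacted peer may reply


@dataclass
class Nat:
    filtering: str = APDF
    timeout: int = 120                              # assumed mapping lifetime, seconds
    forwards: dict = field(default_factory=dict)    # ext_port -> (lan_ip, lan_port)
    mappings: dict = field(default_factory=dict)    # ext_port -> mapping record
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, dst_ip, dst_port, now):
        """A LAN host sends a packet: create or refresh a mapping, return the external port."""
        for ext_port, m in self.mappings.items():
            if m["lan"] == (lan_ip, lan_port) and now - m["last"] <= self.timeout:
                m["peers"].add((dst_ip, dst_port))
                m["last"] = now
                return ext_port
        ext_port = self.next_port
        self.next_port += 1
        self.mappings[ext_port] = {
            "lan": (lan_ip, lan_port),
            "peers": {(dst_ip, dst_port)},
            "last": now,
        }
        return ext_port

    def inbound(self, src_ip, src_port, ext_port, now):
        """Return the LAN endpoint the packet is delivered to, or None if it is dropped."""
        if ext_port in self.forwards:               # static port forward: always delivered
            return self.forwards[ext_port]
        m = self.mappings.get(ext_port)
        if m is None or now - m["last"] > self.timeout:
            return None                             # no live mapping: nowhere to send it
        if self.filtering == APDF and (src_ip, src_port) not in m["peers"]:
            return None                             # live mapping, but sender was never contacted
        return m["lan"]


LAPTOP = ("192.168.1.100", 5000)      # constructed LAN host
SERVER = ("203.0.113.10", 53)         # constructed peer the laptop talks to
STRANGER = ("198.51.100.7", 4444)     # constructed unrelated Internet host


def demo():
    """Run the same four inbound cases against both filtering behaviours."""
    results = {}
    for mode in (EIF, APDF):
        nat = Nat(filtering=mode)
        results[(mode, "no mapping")] = nat.inbound(*STRANGER, 40000, now=0)
        port = nat.outbound(*LAPTOP, *SERVER, now=0)
        results[(mode, "reply")] = nat.inbound(*SERVER, port, now=1)
        results[(mode, "stranger")] = nat.inbound(*STRANGER, port, now=2)
        results[(mode, "expired")] = nat.inbound(*SERVER, port, now=500)
    return results


def forwarded():
    """With a port forward configured, unsolicited traffic reaches the LAN host."""
    nat = Nat(forwards={8080: ("192.168.1.50", 80)})
    return nat.inbound(*STRANGER, 8080, now=0)


if __name__ == "__main__":
    for case, delivered_to in demo().items():
        print(case, "->", delivered_to)
    print("port forward ->", forwarded())
```

In this model an unsolicited packet is dropped whenever no mapping or forward exists, but a router with endpoint-independent filtering delivers a stranger's packet to the laptop for as long as one of the laptop's own mappings is alive, which is one way unsolicited packets can show up in a host's logs behind NAT.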

Re: Linksys WRT54G and Firewall software

on 26.03.2007 03:45:51 by Gerald Vogt

Leythos wrote:
> If you can't read the suggestions that explain, then you can't understand
> english and just troll like SG does.

Well, it could well be that my English is not that good. But a
"suggestion" is no "explanation" in my dictionary. An explanation
explains why the suggestion is important. You don't explain why those
suggestions are important. SG did the same. He wrote what is true but
did not explain why.

Gerald

Re: Linksys WRT54G and Firewall software

on 26.03.2007 03:51:13 by Gerald Vogt

Thor Kottelin wrote:
> As an addition to the other replies you have received, I would like to
> point out that a software firewall can allow or disallow access based on
> the owner process. This allows you to deny outgoing access for certain
> applications while allowing it for others.

This "feature" is often used to block access to update servers.

This "feature" is often used to block access for software which people
installed themselves and which they don't bother to configure properly
to prevent those outgoing access.

This "feature" is easily circumvented by good malware.

And if this "feature" actually points to malware this is often used as
indication to look for some malware removal tool instead of doing what
would be appropriate: reformat. If primitive malware which is detected
by the PFW is already running on the computer (although there is the PFW
and probably an AV) it is very likely that worse malware like a root-kit
is already there, well hidden somewhere...

Gerald

Re: Linksys WRT54G and Firewall software

on 26.03.2007 03:53:11 by rhoover12

Thanks for the great responses, explanations, advice and comic relief. I was
impelled by the banter to reinstall both firewall and anti-virus. And
resolved to order a faster machine very soon.

Regards.


"R.User" wrote in message
news:4606d865$0$1379$4c368faf@roadrunner.com...
> Hello.
>
> I'm using a Linksys WRT54G with one wired PC and one wireless laptop. Do I
> need to run firewall software also? I had been using EZ Armor FW and
> Virus, but the desktop slowed to a crawl. After removing the firewall
> software (accidently), it runs normally again. This PC isn't exactly a
> powerhouse, but it's OK for my needs.
>
> How bad is it (and how dumb am I) if I don't re-install the software FW?
> Do I really need it, seeing as how both PCs are running behind the router?
>
> Thanks, from an obvious amateur.
>
>

Re: Linksys WRT54G and Firewall software

on 26.03.2007 03:55:40 by Leythos

On Mon, 26 Mar 2007 10:43:20 +0900, Gerald Vogt wrote:
>
> The XP SP2 FW with no exceptions on a computer directly connected to the
> internet is protecting the computer better than a NAT router. NAT does
> not provide the protection like a properly setup packet filter.

You don't know what you are talking about. A typical SOHO NAT router, like
the Linksys BEFSR41, provides more protection for a single PC than Windows
XP firewall does.

For most users that have more than one computer, rather than using fixed
or dynamic public IP's for each computer/node, even a typical SOHO NAT
router provides more protection than Windows XP SP2 firewall.

Only a fool would believe that the Windows firewall provides more/better
protection for a single PC than a typical NAT router.


--
Leythos
spam999free@rrohio.com (remove 999 for proper email address)

Re: Linksys WRT54G and Firewall software

on 26.03.2007 03:58:50 by Leythos

On Sun, 25 Mar 2007 21:53:11 -0400, R.User wrote:

> Thanks for the great responses, explanations, advice and comic relief. I was
> impelled by the banter to reinstall both firewall and anti-virus. And
> resolved to order a faster machine very soon.

You don't need a new firewall, as long as you learn to control the Windows
XP SP2 firewall and to monitor it, oh, and most importantly, to run as a
limited user.

Don't forget to secure your wireless connection.


--
Leythos
spam999free@rrohio.com (remove 999 for proper email address)

Re: Linksys WRT54G and Firewall software

on 26.03.2007 04:06:34 by Gerald Vogt

Maximum Dog9 wrote:
> Gerald Vogt wrote:
>> Leythos wrote:
>>
>>> 1) You don't need a personal firewall when you are behind a NAT device
>>> that provides a private network without anything port forwarded.
>>>
>>> 3) The windows non-firewall included in XP SP2 will be more than enough,
>>> but, if you take your laptop to other networks (school, work,
>>> friends) it
>>> won't be enough in most cases.
>>
>> That is not conclusive: The NAT does block (most) incoming
>> connections. The XP SP2 firewall does block all (most) incoming
>> connections when configured with no exceptions.
>
> I am trying to figure out what you are talking about. The above
> statement makes no sense. The XP packet filter blocks all (most)
> incoming connections. And the NAT router blocks (most) incoming
> connections.
>
> What does that have to do with the #3 statement when all that's being
> stated is that the XP FW may not be good enough when the OP's machine is
> not connected to the OP's network.

The NAT router and the XP SP FW basically do the same. Still the XP SP
FW is not enough at some places while the NAT router is enough always?

The question is: if there is some reason why the XP SP2 FW is not enough
in another network although NAT router and XP SP2 FW are basically doing
the same, why does that reason not apply to the NAT router as well? But
as it is not explained why the XP SP2 FW is not enough in another
network I can only ask that unspecific question...


>> Where is the difference which explains why something else then the XP
>> SP2 FW is needed elsewhere?
>
> If the OP wanted to set a rule to stop outbound packets from leaving the
> machine, which the XP packet filter cannot do is one difference.

O.K. But that was not mentioned before. Plus the WRT54G with standard
firmware does not do reliable outbound filtering.

>> Two or more firewalls running on a computer result on average in less
>> security then a single one as it is unpredicted what actually is
>> blocked and what not and by which firewall which will jeopardize the
>> consistency of and state table in any firewall (as they are generally
>> stateful).
>
> The poster never said that. Where are you coming up with this conclusion
> that it was even said by the poster?
>
> You're reading into it what you want to read into it.

As I wrote elsewhere I thought he was thinking of another firewall. But
if he is not thinking of another firewall then it remains open what
would be necessary to fill this "not enough" when the computer is
connected to another network. Behind the NAT router the XP SP2 FW is
enough. In another network it is not. So what is the suggestion here?
Not to connect to another network? Is that the only point here?

>>> 5) More important than a firewall, when behind a NAT router, is the
>>> Antivirus software and your security methods - like not running as an
>>> Administrator (best to run as a limited user), installing Fire Fox, not
>>> using Outlook Express or Outlook if you use POP3 for email....
>>
>> Most important to keep your system up-to-date and reduce the number of
>> software on your computer. The less software you are running the less
>> is vulnerable.
>
> This makes no sense. The point of the computer is to run software.
> That's why computers were invented, other than that, just connect a
> computerized toaster oven to the Internet.

Reduce the amount of software you are using and installing. I have seen
computers of people where the windows start menu wrapped over four
columns on a high-resolution screen filling well over 200 GB on the hard
disc with software alone. Anything they installed for test purposes they
simply left there. Why bother even deinstalling something if you still
have space left?

Think about what you want to do with your computer and install the
software you need for your purpose. That's it. If you need your
computer, don't use it as a toy to install any garbage you come across...

>> The less software the less you have to check for updates manually if
>> it does not come with automatic updates.
>
> That's life in the big city.

But as you have to check for updates yourself the situation is easier to
manage if you only have 5 essential software products (plus the OS of
course) on your computer than 50 most of them hardly or never used.

>> If you do all this you are very likely that your AntiVirus will never
>> ever report anything relevant and thus will prove itself superfluous.
>
> No one is going to do it. So why even bring it up.

Who is doing it what? It is an observation. No one is doing anything.

> If this is the advice you're giving your users, then they should kick
> you to the curb.

They would certainly prefer advice from someone uncouth...

Gerald

Re: Linksys WRT54G and Firewall software

am 26.03.2007 04:13:59 von Gerald Vogt

Leythos wrote:
> On Mon, 26 Mar 2007 10:43:20 +0900, Gerald Vogt wrote:
>> The XP SP2 FW with no exceptions on a computer directly connected to the
>> internet is protecting the computer better than a NAT router. NAT does
>> not provide the protection like a properly setup packet filter.
>
> You don't know what you are talking about. A typical SOHO NAT router, like
> the Linksys BEFSR41, provides more protection for a single PC than Windows
> XP firewall does.
>
> For most users that have more than one computer, rather than using fixed
> or dynamic public IP's for each computer/node, even a typical SOHO NAT
> router provides more protection than Windows XP SP2 firewall.
>
> Only a fool would believe that the Windows firewall provides more/better
> protection for a single PC than a typical NAT router.

Sorry, but if you cannot explain why that would be so how should any
fool understand your point?

What is the "more" in protection a WRT54G (which we are talking about
here, aren't we) with standard firmware (not a third party firmware)
provides over a single or multiple windows PCs with a XP SP2 firewall
set with no exceptions allowed and connected directly to the internet?

You just say NAT is better than the SP2 FW but you never explain why. You
give no arguments why that would be so. I have tried to explain the
reasons for my statement (which you have not cited).

And whenever I see someone whose only "arguments" are like "it is
obvious" or "only a fool" I get very suspicious...

Thus would you please explain?

Gerald

Re: Linksys WRT54G and Firewall software

am 26.03.2007 04:14:57 von "Mr. Arnold"

Gerald Vogt wrote:
> Leythos wrote:
>
>>>> 3) The windows non-firewall included in XP SP2 will be more than enough,
>>>> but, if you take your laptop to other networks (school, work, friends) it
>>>> won't be enough in most cases.
>>>
>>> That is not conclusive: The NAT does block (most) incoming
>>> connections. The XP SP2 firewall does block all (most) incoming
>>> connections when configured with no exceptions.
>>
>>
>> It blocks intrusions, but what holes does it have that have not yet been
>> exposed? What about the next one that's found and exposes the system?
>
>
> Vulnerabilities which have not yet been exposed are always a problem. But
> you have the same problem with a NAT router, too. For the XP SP2
> firewall it has been very much tested. NAT routers don't undergo that
> thorough tests simply because they are not used so much out there.

I would say that routers are used more and more by those who are
informed. Routers do come with SPI (Stateful Packet Inspection), look
it up if you don't know what it means.

>
> Plus: it is in the nature of NAT that there is a lot of guessing
> involved which ports to open and which not. The router must let response
> packets in and must figure out where to send it. Thus, if you use a
> packet sniffer or use some logging functions on the computer you'll see
> that some unsolicited packets occasionally get through.

Not with any router that's running SPI.
>
>>> Where is the difference which explains why something else than the XP
>>> SP2 FW is needed elsewhere?
>>
>>
>> The NAT router is the better first line of defense when it can be used,
>
>
> The XP SP2 FW with no exceptions on a computer directly connected to the
> internet is protecting the computer better than a NAT router. NAT does
> not provide the protection like a properly setup packet filter.

Do you know what SPI is?

>
>> but, as the OP mentions wireless, well, you can't NAT a wireless
>> connection - what I mean is that the wireless connection is from the
>> router to the laptop, there is no intermediate NAT between the wireless
>> and the laptop - so, anything that makes it to the wireless also makes it
>> to the laptop unless it's got some form of localized firewall.
>
>
> That does not explain why the computer would need another (different)
> firewall from the XP SP2 FW when it is connected to other networks.

You have not explained why the XP FW it's better. XP's FW may be on par
with a NAT router that's running SPI.

>
>>>> 4) If you use your laptop on OTHER networks you really need to learn how
>>>> to check the Windows TCP/IP Settings, disable File/Printer sharing when
>>>> you are not home, and how to adjust/check the Windows XP SP2 non-firewall
>>>> settings for "Exceptions".
>>>
>>> Again contradictory to 3): if you think you need something else than
>>> the XP SP2 firewall in other networks and you are running another
>>> brand "non-firewall" software then the recommendation should be to
>>> check that the XP SP2 firewall is turned off and the 3rd party
>>> "non-firewall" is on. Two or more firewalls running on a computer
>>> result on average in less security than a single one as it is
>>> unpredicted what actually is blocked and what not and by which
>>> firewall which will jeopardize the consistency of and state table in
>>> any firewall (as they are generally stateful).
>>
>>
>> I never mentioned another firewall application, not a single one, not even
>> suggesting it. Stop playing the old/tired mantra.
>
>
> Well you wrote: "The windows non-firewall included in XP SP2 will be
> more than enough, but, if you take your laptop to other networks (school,
> work, friends) it won't be enough in most cases.". If it is not a 3rd
> party firmware then what else do you need? You don't explain it. I have
> guess you have thought of a 3rd party firmware. If it is not, then you
> really have to explain what would fill the "not enough" if the computer
> is in other networks.

You can't read and understand English.

>
>>>> 5) More important than a firewall, when behind a NAT router, is the
>>>> Antivirus software and your security methods - like not running as an
>>>> Administrator (best to run as a limited user), installing Fire Fox, not
>>>> using Outlook Express or Outlook if you use POP3 for email....
>>>
>>> Most important to keep your system up-to-date and reduce the number
>>> of software on your computer. The less software you are running the
>>> less is vulnerable. The less software the less you have to check for
>>> updates manually if it does not come with automatic updates.
>>> Subscribe to some good security notification lists like the one from
>>> Microsoft or US-Cert. Then you get timely notification of updates and
>>> you can update very quickly.
>>>
>>> If you do all this you are very likely that your AntiVirus will never
>>> ever report anything relevant and thus will prove itself superfluous.
>>
>>
>> So you mean that if you access email, through POP3, that you don't need
>> antivirus? So, you mean that if you download via FTP or other, since the
>> net has more than just MS and Cert, that you don't really need AV?
>
>
> I access my e-mails through pop3 and imap. I don't need antivirus. Why
> should I need antivirus? For what? The antivirus usually does not show
> any useful messages. All the antivirus potentially did was damaging my
> mail folders when the mail program downloaded an old blaster from my
> pop3 box and annoyed me with some 20 virus access warnings (which I had
> to allow each time) until I was able to delete the virus e-mail from my
> Inbox and emptied the trash. The computer was at no time at any danger
> still the antivirus will give you a hard time to do what you are
> supposed to do with a virus e-mail: DELETE.

Well, the AV that I use has IMON (Internet Monitor) that will detect
anomalies coming in the TCP connection, stop it and allow me to
terminate the connection. This allows me to use an email proxy client
application to go to the ISP's email server and delete the suspicious
email. The email never reaches my machines.

>
> And what should I download via FTP for which I need an antivirus? Can
> you be more specific?

An infected or dubious file can be downloaded from an FTP site. Do you
think it cannot happen?
>
>> Come on, AV is mandatory, even as a limited user, for anyone running an
>> OS that can be exploited by malware.
>
>
> No. I don't have AV nor FW. I run as limited user. I don't know why it
> should be mandatory. As there is no 100% security anything can
> potentially be exploited by malware. But the best protection against
> malware is still me. As I am better than some AV which well slows down
> my computer it is an easy choice for me.

That's you. You make your own bed and you lay in it. One doesn't rely on
detection software like a crutch, but they don't hurt in the prevention.

For a machine that has a direct connection to the modem and to the
Internet, a user would be some kind of fool not to run an AV and
some kind of PFW/personal packet filter or XP's FW/personal packet
filter, if using the XP O/S or some other MS NT based O/S.

Re: Linksys WRT54G and Firewall software

am 26.03.2007 04:21:25 von Leythos

On Mon, 26 Mar 2007 11:13:59 +0900, Gerald Vogt wrote:

> Leythos wrote:
>> On Mon, 26 Mar 2007 10:43:20 +0900, Gerald Vogt wrote:
>>> The XP SP2 FW with no exceptions on a computer directly connected to the
>>> internet is protecting the computer better than a NAT router. NAT does
>>> not provide the protection like a properly setup packet filter.
>>
>> You don't know what you are talking about. A typical SOHO NAT router, like
>> the Linksys BEFSR41, provides more protection for a single PC than Windows
>> XP firewall does.
>>
>> For most users that have more than one computer, rather than using fixed
>> or dynamic public IP's for each computer/node, even a typical SOHO NAT
>> router provides more protection than Windows XP SP2 firewall.
>>
>> Only a fool would believe that the Windows firewall provides more/better
>> protection for a single PC than a typical NAT router.
>
> Sorry, but if you cannot explain why that would be so how should any
> fool understand your point?
>
> What is the "more" in protection a WRT54G (which we are talking about
> here, aren't we) with standard firmware (not a third party firmware)
> provides over a single or multiple windows PCs with a XP SP2 firewall
> set with no exceptions allowed and connected directly to the internet?
>
> You just say NAT is better than the SP2 FW but you never explain why. You
> give no arguments why that would be so. I have tried to explain the
> reasons for my statement (which you have not cited).
>
> And whenever I see someone whose only "arguments" are like "it is
> obvious" or "only a fool" I get very suspicious...
>
> Thus would you please explain?

I did give reasons, you just ignore them.

1) Holes in the XP Firewall that may or may not be present.

2) Holes in the firewall (XP SP2) put there by accident, by applications,
by users that don't understand.

3) File and printer sharing enabled on a public connection....

The typical SOHO NAT router, by default, does not suffer any of those
problems.

Are you really that ignorant of the modern NAT Routers that vendors
mistakenly call Firewalls?


--
Leythos
spam999free@rrohio.com (remove 999 for proper email address)

Re: Linksys WRT54G and Firewall software

am 26.03.2007 04:23:52 von Leythos

On Mon, 26 Mar 2007 11:06:34 +0900, Gerald Vogt wrote:
>
> The question is: if there is some reason why the XP SP2 FW is not enough
> in another network although NAT router and XP SP2 FW are basically doing
> the same, why does that reason not apply to the NAT router as well? But
> as it is not explained why the XP SP2 FW is not enough in another
> network I can only ask that unspecific question...

They are not basically the same thing, they are not subject to the same
issues.

The NAT router is not under control of the OS or applications on the
computer.

The NAT router is secured by default, except for wireless, and they are
starting to change that.

The NAT router is not something that the user can screw up without
connecting to it knowingly.

The NAT router does not have port-forwarding (exceptions) enabled by
default.

The NAT router can provide, when set up, blocking of some outbound ports,
that the OS/Applications can not unblock.


--
Leythos
spam999free@rrohio.com (remove 999 for proper email address)

Re: Linksys WRT54G and Firewall software

am 26.03.2007 04:46:22 von Maximum Dog9

Gerald Vogt wrote:
> Maximum Dog9 wrote:
>
>> Gerald Vogt wrote:
>>
>>> Leythos wrote:
>>>
>>>> 1) You don't need a personal firewall when you are behind a NAT device
>>>> that provides a private network without anything port forwarded.
>>>>
>>>> 3) The windows non-firewall included in XP SP2 will be more than enough,
>>>> but, if you take your laptop to other networks (school, work, friends) it
>>>> won't be enough in most cases.
>>>
>>>
>>> That is not conclusive: The NAT does block (most) incoming
>>> connections. The XP SP2 firewall does block all (most) incoming
>>> connections when configured with no exceptions.
>>
>>
>> I am trying to figure out what you are talking about. The above
>> statement makes no sense. The XP packet filter blocks all (most)
>> incoming connections. And the NAT router blocks (most) incoming
>> connections.
>>
>> What does that have to do with the #3 statement when all that's being
>> stated is that the XP FW may not be good enough when the OP's machine
>> is not connected to the OP's network.
>
>
> The NAT router and the XP SP FW basically do the same. Still the XP SP
> FW is not enough at some places while the NAT router is enough always?

No, they do not both do the same thing. A router protects a network, and
in the case of the XP FW running on a machine, it's machine level
protection, although I have seen use of the XP machine and the XP FW in an
ICS situation as a gateway, but FW(s)/packet filters were running on the
other machines.

>
> The question is: if there is some reason why the XP SP2 FW is not enough
> in another network although NAT router and XP SP2 FW are basically doing
> the same, why does that reason not apply to the NAT router as well? But
> as it is not explained why the XP SP2 FW is not enough in another
> network I can only ask that unspecific question...

The XP FW/packet filter is doing the same thing as any other PFW or
personal packet filter. That is to stop unsolicited inbound traffic from
reaching the machine.

>
>
>>> Where is the difference which explains why something else than the XP
>>> SP2 FW is needed elsewhere?
>>
>>
>> If the OP wanted to set a rule to stop outbound packets from leaving
>> the machine, which the XP packet filter cannot do is one difference.
>
>
> O.K. But that was not mentioned before. Plus the WRT54G with standard
> firmware does not do reliable outbound filtering.

What does the 54G have to do with the difference between two host based
software packet filters?
>
>>> Two or more firewalls running on a computer result on average in less
>>> security than a single one as it is unpredicted what actually is
>>> blocked and what not and by which firewall which will jeopardize the
>>> consistency of and state table in any firewall (as they are generally
>>> stateful).
>>
>>
>> The poster never said that. Where are you coming up with this
>> conclusion that it was even said by the poster?
>>
>> You're reading into it what you want to read into it.
>
>
> As I wrote elsewhere I thought he was thinking of another firewall. But
> if he is not thinking of another firewall then it remains open what
> would be necessary to fill this "not enough" when the computer is
> connected to another network. Behind the NAT router the XP SP2 FW is
> enough. In another network it is not. So what is the suggestion here?
> Not to connect to another network? Is that the only point here?

You have to ask him.

>
>>>> 5) More important than a firewall, when behind a NAT router, is the
>>>> Antivirus software and your security methods - like not running as an
>>>> Administrator (best to run as a limited user), installing Fire Fox, not
>>>> using Outlook Express or Outlook if you use POP3 for email....
>>>
>>>
>>> Most important to keep your system up-to-date and reduce the number
>>> of software on your computer. The less software you are running the
>>> less is vulnerable.
>>
>>
>> This makes no sense. The point of the computer is to run software.
>> That's why computers were invented, other than that, just connect a
>> computerized toaster oven to the Internet.
>
>
> Reduce the amount of software you are using and installing. I have seen
> computers of people where the windows start menu wrapped over four
> columns on a high-resolution screen filling well over 200 GB on the hard
> disc with software alone. Anything they installed for test purposes they
> simply left there. Why bother even deinstalling something if you still
> have space left?

Disk space is cheap. If that's what they want to do, that's their business.

>
> Think about what you want to do with your computer and install the
> software you need for your purpose. That's it. If you need your
> computer, don't use it as a toy to install any garbage you come across...

As long as programs are protected from the Internet, what difference
does it make? You have no idea as to how someone will use his or her
computer. It's their choice to do with the computer what he or she wants.


>
>>> The less software the less you have to check for updates manually if
>>> it does not come with automatic updates.
>>
>>
>> That's life in the big city.
>
>
> But as you have to check for updates yourself the situation is easier to
> manage if you only have 5 essential software products (plus the OS of
> course) on your computer than 50 most of them hardly or never used.

If one is in that situation, then he or she is in that situation and
they should take the appropriate measures to stay updated, if he or she
chooses to do so.
>
>>> If you do all this you are very likely that your AntiVirus will never
>>> ever report anything relevant and thus will prove itself superfluous.
>>
>>
>> No one is going to do it. So why even bring it up.
>
>
> Who is doing it what? It is an observation. No one is doing anything.
>
>> If this is the advice you're giving your users, then they should kick
>> you to the curb.
>
>
> They would certainly prefer advice from someone uncouth...

I am not going to say anything here. It's too easy to hammer you.

Re: Linksys WRT54G and Firewall software

am 26.03.2007 04:51:08 von Leythos

On Mon, 26 Mar 2007 02:46:22 +0000, Maximum Dog9 wrote:
>
> The XP FW/packet filter is doing the same thing as any other PFW or
> personal packet filter. That is to stop unsolicited inbound traffic from
> reaching the machine.

Not technically correct - they actually reach the machine and if there was
an exploit path it would get through.

The NAT router (a typical SOHO unit) would never let the packet make it to
the computer in the first place. Exploits at the machine would not be
reached by "unsolicited" connections.


--
Leythos
spam999free@rrohio.com (remove 999 for proper email address)

Re: Linksys WRT54G and Firewall software

am 26.03.2007 04:51:45 von Gerald Vogt

Leythos wrote:
> I did give reasons, you just ignore them.
>
> 1) Holes in the XP Firewall that may or may not be present.

There may or may not be holes in NAT routers. Where is the difference? You
rely on the proper implementation of the XP firewall or the NAT router.

> 2) Holes in the firewall (XP SP2) put there by accident, by applications,
> by users that don't understand.
>
> 3) File and printer sharing enabled on a public connection....

The XP SP2 FW set to no exception with the user running as limited user
cannot be changed by accident or intentionally to allow any application
or file sharing on any connection.

And "users that don't understand" are no argument in a comparison what
is objectively better. If you want to talk about the users and what they
do we would first have to define what "users" we are talking about,
their knowledge and willingness to learn.

> Are you really that ignorant of the modern NAT Routers that vendors
> mistakenly call Firewalls?

I am absolutely not ignorant. I have several and I even know what they
are running inside. I also know that NAT as concept is bound to have
troubles at times, in particular if you are having many computers behind
the NAT and you have heavy use of UDP to a few servers. It is easier
with TCP but even then there are times when packets go through
unsolicited (which occasionally makes a PFW running on a computer behind
the NAT router think it is attacked and blocks everything).

Gerald

Re: Linksys WRT54G and Firewall software

am 26.03.2007 04:58:24 von Leythos

On Mon, 26 Mar 2007 11:51:45 +0900, Gerald Vogt wrote:
>
> I also know that NAT as concept is bound to have
> troubles at times

Um, you shoot yourself in the foot - if a simple NAT router, with a
limited amount of code, has "troubles" then a complex amount of code like
the Windows XP SP2 firewall would be subject to "troubles" too.

I've been using firewalls (appliances) for years and have never seen them
"leak", and every one of them uses NAT as part of their routing methods.


--
Leythos
spam999free@rrohio.com (remove 999 for proper email address)

Re: Linksys WRT54G and Firewall software

am 26.03.2007 05:00:43 von Gerald Vogt

Leythos wrote:
> On Mon, 26 Mar 2007 11:06:34 +0900, Gerald Vogt wrote:
>> The question is: if there is some reason why the XP SP2 FW is not enough
>> in another network although NAT router and XP SP2 FW are basically doing
>> the same, why does that reason not apply to the NAT router as well? But
>> as it is not explained why the XP SP2 FW is not enough in another
>> network I can only ask that unspecific question...
>
> They are not basically the same thing, they are not subject to the same
> issues.
>
> The NAT router is not under control of the OS or applications on the
> computer.

Yes. But the NAT router is directly connected to the internet connection
and it is completely unprotected (i.e. no filtering at all) on the LAN
side.

> The NAT router is secured by default, except for wireless, and they are
> starting to change that.

NAT routers are not "secured" per se by default. They run NAT. NAT
tries to match incoming packets to established connections and
conversations. Its purpose is not to block but to allow traffic
through. NAT thus drops any packets which it does not know where to send
them. But the reason is not to secure anything but simply because it
does not know where to send the packet. If it thinks it knows because
there is something in the SPI table it sends it there. Check the filter
rules on an actual NAT router. Look at the rules. The "security" NAT
provides is simply dropping packets if it does not know what else to do
with it.

> The NAT router is not something that the user can screw up without
> connecting to it knowingly.

Yes. But many routers are used mostly unconfigured, often not even
changing the default password. Many routers even have UPnP enabled.

> The NAT router does not have port-forwarding (exceptions) enabled by
> default.

Nor has the XP SP2 FW.

Gerald
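
An added illustration (not part of the thread and not any router's actual firmware): a small Python model of the mapping-table behaviour described in the post above, where an inbound packet is forwarded only if it matches a table entry. It goes one step further than the post by comparing the two UDP filtering modes named in RFC 4787, since the mode decides whether a packet from a host the LAN machine never contacted is dropped. All addresses, ports, the 60-second timeout and the class and function names are constructed for the example.

```python
from dataclasses import dataclass, field

# RFC 4787 names for how strictly inbound UDP is matched against a mapping.
ENDPOINT_INDEPENDENT = "endpoint-independent"              # any remote host may use the mapping
ADDRESS_AND_PORT_DEPENDENT = "address-and-port-dependent"  # only a remote ip:port already contacted

# Constructed sample endpoints (RFC 5737 documentation addresses).
LAN_PC = ("192.168.1.100", 5000)
DNS = ("198.51.100.7", 53)
STRANGER = ("192.0.2.99", 4444)


@dataclass
class Mapping:
    lan: tuple       # (lan_ip, lan_port) that opened the mapping
    peers: set       # remote (ip, port) pairs the LAN host has sent to
    last_out: float  # time of the last outbound packet


@dataclass
class NatRouter:
    filtering: str
    timeout: float = 60.0    # constructed idle timeout in seconds
    next_port: int = 40000   # constructed start of the WAN port pool
    table: dict = field(default_factory=dict)  # wan_port -> Mapping

    def outbound(self, now, lan, remote):
        """LAN host sends to remote: create or refresh a mapping, return the WAN port."""
        self._expire(now)
        for port, m in self.table.items():
            if m.lan == lan:
                m.peers.add(remote)
                m.last_out = now
                return port
        port = self.next_port
        self.next_port += 1
        self.table[port] = Mapping(lan, {remote}, now)
        return port

    def inbound(self, now, remote, wan_port):
        """Packet arrives on the WAN side: return the LAN endpoint, or None if dropped."""
        self._expire(now)
        m = self.table.get(wan_port)
        if m is None:
            return None  # no table entry: the router has nowhere to send it
        if self.filtering == ADDRESS_AND_PORT_DEPENDENT and remote not in m.peers:
            return None  # entry exists, but this sender was never contacted
        return m.lan

    def _expire(self, now):
        """Remove mappings that have seen no outbound packet within the timeout."""
        stale = [p for p, m in self.table.items() if now - m.last_out > self.timeout]
        for p in stale:
            del self.table[p]


def run_scenario(filtering):
    """Replay one constructed packet sequence and record where each inbound packet goes."""
    nat = NatRouter(filtering)
    results = {}
    results["before_any_outbound"] = nat.inbound(0, STRANGER, 40000)
    wan_port = nat.outbound(1, LAN_PC, DNS)
    results["reply_from_contacted_host"] = nat.inbound(2, DNS, wan_port)
    results["other_host_same_port"] = nat.inbound(3, STRANGER, wan_port)
    results["unmapped_port"] = nat.inbound(4, DNS, wan_port + 1)
    results["after_idle_timeout"] = nat.inbound(62, DNS, wan_port)
    return results


if __name__ == "__main__":
    for mode in (ADDRESS_AND_PORT_DEPENDENT, ENDPOINT_INDEPENDENT):
        print(mode)
        for case, verdict in run_scenario(mode).items():
            print(f"  {case:28} -> {verdict or 'dropped'}")
```

The two modes differ only in the `other_host_same_port` case; which mode a particular router implements is a property of its firmware and is not stated in the thread.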

Re: Linksys WRT54G and Firewall software

am 26.03.2007 05:03:08 von Gerald Vogt

Leythos wrote:
> On Mon, 26 Mar 2007 11:51:45 +0900, Gerald Vogt wrote:
>> I also know that NAT as concept is bound to have
>> troubles at times
>
> Um, you shoot yourself in the foot - if a simple NAT router, with a
> limited amount of code, has "troubles" then a complex amount of code like
> the Windows XP SP2 firewall would be subject to "troubles" too.

He? The NAT router runs a packet filter, NAT, and much more in a
package. The XP SP2 is only a packet filter. No NAT. No flaky "access
restrictions". No port forwarding.

Gerald

Re: Linksys WRT54G and Firewall software

am 26.03.2007 05:11:14 von Leythos

On Mon, 26 Mar 2007 12:00:43 +0900, Gerald Vogt wrote:

> Leythos wrote:
>> On Mon, 26 Mar 2007 11:06:34 +0900, Gerald Vogt wrote:
>>> The question is: if there is some reason why the XP SP2 FW is not enough
>>> in another network although NAT router and XP SP2 FW are basically doing
>>> the same, why does that reason not apply to the NAT router as well? But
>>> as it is not explained why the XP SP2 FW is not enough in another
>>> network I can only ask that unspecific question...
>>
>> They are not basically the same thing, they are not subject to the same
>> issues.
>>
>> The NAT router is not under control of the OS or applications on the
>> computer.
>
> Yes. But the NAT router is directly connected to the internet connection
> and it is completely unprotected (i.e. no filtering at all) on the LAN
> side.

Oh, and you think that XP, directly connected to the PUBLIC Internet is
completely protected? Nope.

Now, the NAT router, WAN port, the device was specifically designed to
block unsolicited traffic inbound, which is not what the XP firewall was
designed to do.

Oh, and lan side - you mean like if the packets get past the XP Firewall
they don't have full access to the computer/OS/apps?

Are you resorting to misdirection because you know you're mistaken?

>> The NAT router is secured by default, except for wireless, and they are
>> starting to change that.
>
> NAT routers are not "secured" per se by default. They run NAT. NAT
> tries to match incoming packets to established connections and
> conversations. Its purpose is not to block but to allow traffic
> through. NAT thus drops any packets which it does not know where to send
> them. But the reason is not to secure anything but simply because it
> does not know where to send the packet. If it thinks it knows because
> there is something in the SPI table it sends it there. Check the filter
> rules on an actual NAT router. Look at the rules. The "security" NAT
> provides is simply dropping packets if it does not know what else to do
> with it.

NAT routers don't "Think" they either match or don't match. There is no
thinking in it. Dropping "unsolicited" or "unmatched" traffic is proper
and what should be done.

>> The NAT router is not something that the user can screw up without
>> connecting to it knowingly.
>
> Yes. But many routers are used mostly unconfigured, often not even
> changing the default password. Many routers even have UPnP enabled.

And almost every one of those with upnp and a default password don't have
remote management enabled - so, again, they are secure by default - except
for unsecured wireless, but as I mentioned, they are getting much better
at not enabling wireless.

>> The NAT router does not have port-forwarding (exceptions) enabled by
>> default.
>
> Nor has the XP SP2 FW.

LOL - you're completely wrong. If I pick up any computer by any big box
outfit it will have preconfigured exceptions. If I set up file and printer
sharing it will set up exceptions. If I run as an administrator and install
AOL it will punch holes/exceptions in it...

If I install a NAT Router (SOHO Typical) from the store, just bought
today, no port forwarding, no holes, no way for the OS to configure it
without my permission and knowing the password/IP, etc....

--
Leythos
spam999free@rrohio.com (remove 999 for proper email address)

Re: Linksys WRT54G and Firewall software

am 26.03.2007 05:13:08 von Leythos

On Mon, 26 Mar 2007 12:03:08 +0900, Gerald Vogt wrote:

> Leythos wrote:
>> On Mon, 26 Mar 2007 11:51:45 +0900, Gerald Vogt wrote:
>>> I also know that NAT as concept is bound to have
>>> troubles at times
>>
>> Um, you shoot yourself in the foot - if a simple NAT router, with a
>> limited amount of code, has "troubles" then a complex amount of code like
>> the Windows XP SP2 firewall would be subject to "troubles" too.
>
> He? The NAT router runs a packet filter, NAT, and much more in a
> package. The XP SP2 is only a packet filter. No NAT. No flaky "access
> restrictions". No port forwarding.

If my computer, running the OS and apps was limited to XP SP2 Firewall you
might have a point, but, you can't run the XP SP2 firewall without XP.

The NAT router does not run a zillion line OS, does not run zillions of
lines of code in applications....

Try again champ.





--
Leythos
spam999free@rrohio.com (remove 999 for proper email address)

Re: Linksys WRT54G and Firewall software

am 26.03.2007 05:54:01 von Gerald Vogt

Leythos wrote:
> On Mon, 26 Mar 2007 02:46:22 +0000, Maximum Dog9 wrote:
>> The XP FW/packet filter is doing the same thing as any other PFW or
>> personal packet filter. That is to stop unsolicited inbound traffic from
>> reaching the machine.
>
> Not technically correct - they actually reach the machine and if there was
> an exploit path it would get through.
>
> The NAT router (a typical SOHO unit) would never let the packet make it to
> the computer in the first place. Exploits at the machine would not be
> reached by "unsolicited" connections.

Yes. Therefore all the malware has to do is to "open" the port on the
router. An unconfigured router with default password is an easy target.
You could even run a quick dictionary attack if you wanted as the router
won't bother repeated attempts to access the configuration interface
from the LAN.

But even if it cannot access the management interface, the router may be
configured for UPnP by default. Makes it easy to open the port.

The WRT is so popular there is even customized hacker firmware available
which gives you full control of the router and the internet connection
while the average user behind the router won't even notice as everything
so far works normal...

And if there is nothing else, simply open the port by sending frequent
UDP packets out. This allows you "unsolicited" incoming traffic through UDP.

But anyway, it still does not explain why my laptop with XP SP2 FW with
no exceptions connected to a public hotspot is any more vulnerable than
while it is connected behind a NAT router with or without the SP2 FW.

Gerald

Re: Linksys WRT54G and Firewall software

am 26.03.2007 05:54:10 von Gerald Vogt

Leythos wrote:
>> Yes. But the NAT router is directly connected to the internet connection
>> and it is completely unprotected (i.e. no filtering at all) on the LAN
>> side.
>
> Oh, and you think that XP, directly connected to the PUBLIC Internet is
> completely protected? Nope.

Yes. It is protected. In some respects it does the same as the NAT
router except for the NAT.

> Now, the NAT router, WAN port, the device was specifically designed to
> block unsolicited traffic inbound, which is not what the XP firewall was
> designed to do.

What exactly was the XP firewall designed to do if not block unsolicited
inbound traffic?

> Oh, and lan side - you mean like if the packets get past the XP Firewall
> they don't have full access to the computer/OS/apps?

If something gets past the XP firewall it does not necessarily have full
access to the computer. It may be just a limited user access. It depends
where the packets end.

But what I have meant is that an average router is a very vulnerable
target on the LAN side as it basically has no protection at all on the
LAN side. Any malware on a computer on the LAN side, even a simple
script which is running in a limited user account can openly attack the
router to reconfigure or even flash with a hacker firmware. The malware
could even run a brute force attack on the password...

>>> The NAT router is secured by default, except for wireless, and they are
>>> starting to change that.
>> NAT routers are not "secured" per se by default. They run NAT. NAT
>> tries to match incoming packets to established connections and
>> conversations. Its purpose is not to block but to allow traffic
>> through. NAT thus drops any packets which it does not know where to send
>> them. But the reason is not to secure anything but simply because it
>> does not know where to send the packet. If it thinks it knows because
>> there is something in the SPI table it sends it there. Check the filter
>> rules on an actual NAT router. Look at the rules. The "security" NAT
>> provides is simply dropping packets if it does not know what else to do
>> with it.
>
> NAT routers don't "Think" they either match or don't match. There is no
> thinking in it. Dropping "unsolicited" or "unmatched" traffic is proper
> and what should be done.

Yes. But it depends on the definition of "unmatched". The router does
not consider if the packet is unmatched or not. It tries to match as
well as it can. You usually won't notice if it does the job too good and
forwards an unsolicited packet because the computer it gets to may
consider it unsolicited, too. But generally, you can observe that there
are some unsolicited (or misdirected) packets going through, in
particular in situations where you have several computers behind the NAT
and you are using UDP.

>>> The NAT router is not something that the user can screw up without
>>> connecting to it knowingly.
>> Yes. But many routers are used mostly unconfigured, often not even
>> changing the default password. Many routers even have UPnP enabled.
>
> And almost every one of those with upnp and a default password don't have
> remote management enabled - so, again, they are secure by default - except
> for unsecured wireless, but as I mentioned, they are getting much better
> at not enabling wireless.

If the user screws up and has some malware on the computer, even if it
is only running as limited user, the complete router can be taken over
with some simple reconfigurations or a proper hacker firmware. The user
won't even notice because the internet connection works as usual.

>>> The NAT router does not have port-forwarding (exceptions) enabled by
>>> default.
>> Nor has the XP SP2 FW.
>
> LOL - you're completely wrong. If I pickup any computer by any big box
> outfit it will have preconfigured exceptions. If I setup file and printer
> sharing it will setup exceptions. If I run as an administrator and install
> AOL it will punch holes/exceptions in it...

Setting up file and printer sharing or installing AOL is no default port
forwarding. The last time I have checked Windows asked before opening
some ports for file and printer sharing. But not as default.

> If I install a NAT Router (SOHO Typical) from the store, just bought
> today, no port forwarding, no holes, no way for the OS to configure it
> without my permission and knowing the password/IP, etc....

O.K. I take my laptop from the store, turn on the XP SP2 FW with no
exceptions and connect to a public hotspot. No problem either. Works
fine to download all the newest updates from microsoft... And I am
pretty sure that the FW will be on by default in an OEM installation.

Gerald
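Added example, not part of any post in this thread: a toy model of the UDP mapping table the posters are arguing about, with a host filter that has no exceptions placed behind it. The three filtering behaviours are the ones named in RFC 4787; the timeout, addresses, class and function names are constructed for illustration, and the model makes no claim about which behaviour any particular router implements.

```python
from dataclasses import dataclass, field

# Filtering behaviours as named in RFC 4787 (NAT behaviour for UDP).
ENDPOINT_INDEPENDENT = "endpoint-independent"
ADDRESS_DEPENDENT = "address-dependent"
ADDRESS_AND_PORT_DEPENDENT = "address-and-port-dependent"

UDP_TIMEOUT = 60  # seconds; constructed value, real devices differ


@dataclass
class Mapping:
    internal: tuple                            # (lan_ip, lan_port)
    peers: set = field(default_factory=set)    # remote (ip, port) pairs contacted
    last_seen: float = 0.0                     # refreshed by outbound traffic only


class NatRouter:
    """Toy UDP NAT: one external port per internal (ip, port) socket."""

    def __init__(self, filtering, first_port=40000):
        self.filtering = filtering
        self.next_port = first_port
        self.by_internal = {}   # (lan_ip, lan_port) -> external port
        self.by_external = {}   # external port -> Mapping

    def _expire(self, now):
        for port, m in list(self.by_external.items()):
            if now - m.last_seen > UDP_TIMEOUT:
                del self.by_external[port]
                del self.by_internal[m.internal]

    def outbound(self, src, dst, now):
        """A LAN host sends src -> dst; returns the external port used."""
        self._expire(now)
        port = self.by_internal.get(src)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.by_internal[src] = port
            self.by_external[port] = Mapping(internal=src)
        m = self.by_external[port]
        m.peers.add(dst)
        m.last_seen = now
        return port

    def inbound(self, remote, ext_port, now):
        """Packet arriving on the WAN side; returns the LAN target or None (dropped)."""
        self._expire(now)
        m = self.by_external.get(ext_port)
        if m is None:
            return None   # no mapping: the router has nowhere to send it
        if self.filtering == ADDRESS_AND_PORT_DEPENDENT and remote not in m.peers:
            return None
        if self.filtering == ADDRESS_DEPENDENT and remote[0] not in {ip for ip, _ in m.peers}:
            return None
        return m.internal


class HostFilter:
    """Stateful host filter with no exceptions: accepts only replies to its own flows."""

    def __init__(self):
        self.flows = {}   # (local_port, remote) -> time of last outbound packet

    def outbound(self, local_port, remote, now):
        self.flows[(local_port, remote)] = now

    def accepts(self, local_port, remote, now):
        seen = self.flows.get((local_port, remote))
        return seen is not None and now - seen <= UDP_TIMEOUT


def scenario(filtering):
    """Fate of four inbound packets after a single outbound UDP packet."""
    lan = ("192.168.1.100", 5000)       # constructed LAN host
    server = ("198.51.100.7", 53)       # contacted by the LAN host (documentation range)
    stranger = ("203.0.113.9", 4444)    # never contacted (documentation range)
    nat, host = NatRouter(filtering), HostFilter()
    ext = nat.outbound(lan, server, now=0)
    host.outbound(lan[1], server, now=0)

    def fate(remote, now):
        target = nat.inbound(remote, ext, now)
        if target is None:
            return "dropped at router"
        if not host.accepts(target[1], remote, now):
            return "reached host, dropped by host filter"
        return "delivered"

    return {
        "reply": fate(server, 1),
        "stranger": fate(stranger, 1),
        "same_ip_other_port": fate((server[0], 9999), 1),
        "reply_after_timeout": fate(server, UDP_TIMEOUT + 5),
    }


if __name__ == "__main__":
    for mode in (ENDPOINT_INDEPENDENT, ADDRESS_DEPENDENT, ADDRESS_AND_PORT_DEPENDENT):
        print(mode, scenario(mode))
```

In this model a mapping stays open only while outbound packets keep refreshing it, and whether a packet from an uncontacted source crosses the router depends on the filtering behaviour, not on NAT as such.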

Re: Linksys WRT54G and Firewall software

am 26.03.2007 05:54:14 von Gerald Vogt

Maximum Dog9 wrote:
> The XP FW/packet filter is doing the same thing as any other PFW or
> personal packet filter. That is to stop unsolicited inbound traffic from
> reaching the machine.

And what is "not enough" when a computer with a XP SP2 FW with no
exceptions connects to another network compared to a NAT router (which
seems to be enough)?

>>>> Where is the difference which explains why something else than the
>>>> XP SP2 FW is needed elsewhere?
>>>
>>> If the OP wanted to set a rule to stop outbound packets from leaving
>>> the machine, which the XP packet filter cannot do is one difference.
>>
>> O.K. But that was not mentioned before. Plus the WRT54G with standard
>> firmware does not do reliable outbound filtering.
>
> What does the 54G have to do with the difference between two host based
> software packet filters?

I don't know what that is about. We are comparing the XP SP2 FW with the
NAT router WRT54G. I first assumed that there was another 3rd party
firmware involved but was told that it is not so.

>> As I wrote elsewhere I thought he was thinking of another firewall.
>> But if he is not thinking of another firewall then it remains open
>> what would be necessary to fill this "not enough" when the computer is
>> connected to another network. Behind the NAT router the XP SP2 FW is
>> enough. In another network it is not. So what is the suggestion here?
>> Not to connect to another network? Is that the only point here?
>
> You have to ask him.

Then, why do you answer?

>> Think about what you want to do with your computer and install the
>> software you need for your purpose. That's it. If you need your
>> computer, don't use it as a toy to install any garbage you come across...
>
> As long as programs are protected from the Internet, what difference
> does it make? You have no idea as to how someone will use his or her
> computer. It's their choice to do with the computer what he or she wants.

But if you are really concerned about security of your computer, not
installing any junk you come across is far more efficient and better
than installing PFW, AV, 5 malware scanners, etc.

Gerald

Re: Linksys WRT54G and Firewall software

am 26.03.2007 05:54:17 von Gerald Vogt

Mr. Arnold wrote:
>> Plus: it is in the nature of NAT that there is a lot of guessing
>> involved which ports to open and which not. The router must let
>> response packets in and must figure out where to send it. Thus, if you
>> use a packet sniffer or use some logging functions on the computer
>> you'll see that some unsolicited packets occasionally get through.
>
> Not with any router that's running SPI.

Check again.

>>> but, as the OP mentions wireless, well, you can't NAT a wireless
>>> connection - what I mean is that the wireless connection is from the
>>> router to the laptop, there is no intermediate NAT between the wireless
>>> and the laptop - so, anything that makes it to the wireless also
>>> makes it to the laptop unless it's got some form of localized firewall.
>>
>>
>> That does not explain why the computer would need another (different)
>> firewall from the XP SP2 FW when it is connected to other networks.
>
> You have not explained why the XP FW is better. XP's FW may be on par
> with a NAT router that's running SPI.

The XP SP2 FW is SPI, too.

>> Well you wrote: "The windows non-firewall included in XP SP2 will be
>> more than enough, but, if you take your laptop to other networks
>> (school, work, friends) it won't be enough in most cases.". If it is
>> not a 3rd party firmware then what else do you need? You don't explain
>> it. I have guessed you have thought of a 3rd party firmware. If it is
>> not, then you really have to explain what would fill the "not enough"
>> if the computer is in other networks.
>
> You can't read and understand English.

Even that you cannot explain.

>> And what should I download via FTP for which I need an antivirus? Can
>> you be more specific?
>
> An infected or dubious file can be downloaded from a FTP site. Do you
> think it cannot happen?

But why do you want to download the dubious file in the first place?

> For a machine that has a direct connection to the modem and to the
> Internet, a user would be some kind of fool not to run what an AV and
> some kind of PFW/personal packet filter or XP's FW/personal packet
> filter, if using the XP O/S or some other MS NT based O/S.

I connect my laptop with XP SP2 FW with no exception to public hotspots.
Nothing is happening. I did that before when I still had PFW and AV on
it. None of them ever reported anything relevant for a couple of years.
All they did well was slowing down the computer.

Gerald

Re: Linksys WRT54G and Firewall software

am 26.03.2007 08:38:09 von Gerald Vogt

Leythos wrote:
> On Mon, 26 Mar 2007 12:03:08 +0900, Gerald Vogt wrote:
>
>> Leythos wrote:
>>> On Mon, 26 Mar 2007 11:51:45 +0900, Gerald Vogt wrote:
>>>> I also know that NAT as concept is bound to have
>>>> troubles at times
>>> Um, you shoot yourself in the foot - if a simple NAT router, with a
>>> limited amount of code, has "troubles" then a complex amount of code like
>>> the Windows XP SP2 firewall would be subject to "troubles" too.
>> He? The NAT router runs a packet filter, NAT, and much more in a
>> package. The XP SP2 is only a packet filter. No NAT. No flaky "access
>> restrictions". No port forwarding.
>
> If my computer, running the OS and apps was limited to XP SP2 Firewall you
> might have a point, but, you can't run the XP SP2 firewall without XP.

Yes. And? What is your point? Running an application like MS Word on the
computer will severely affect the function of the firewall? Run
PowerPoint and the firewall dies and exposes the whole interface?

> The NAT router does not run a zillion line OS, does not run zillions of
> lines of code in applications....

And running some crappy code on a crappy cheap router with crappy
hardware is so much more reliable? I haven't seen a standard consumer
router where the firmware is not full of bugs (which affect the actual
normal operation) and where occasionally having a whole hardware series
with a fairly high return due to hardware issues. There is a reason why
a Cisco or 3com SOHO router costs 10 or 20 times as much as a Netgear,
Linksys, or D-Link. Only a part of that is due to mass production.

I would not want to bet on whether it is so much more likely the XP SP2
FW will be affected from load on a computer than some cheap router.

Also: suppose there is a new vulnerability in the MS TCP/IP stack or FW
which allows elevated code execution. You can expect to have that fixed
quickly. The stack is one of the core components of communication.
Suppose a vulnerability is found in Linux TCP/IP stack. The fix will be
available very quickly, too, but how long will it take until the Linux
based routers have new firmware available and are updated?

Gerald

Re: Linksys WRT54G and Firewall software

am 26.03.2007 08:47:17 von unknown

Post removed (X-No-Archive: yes)

Re: Linksys WRT54G and Firewall software

am 26.03.2007 09:07:26 von unknown

Post removed (X-No-Archive: yes)

Re: Linksys WRT54G and Firewall software

am 26.03.2007 09:45:48 von unknown

Post removed (X-No-Archive: yes)

Re: Linksys WRT54G and Firewall software

am 26.03.2007 12:49:35 von "Mr. Arnold"

Gerald Vogt wrote:
> Mr. Arnold wrote:
>
>>> Plus: it is in the nature of NAT that there is a lot of guessing
>>> involved which ports to open and which not. The router must let
>>> response packets in and must figure out where to send it. Thus, if
>>> you use a packet sniffer or use some logging functions on the
>>> computer you'll see that some unsolicited packets occasionally get
>>> through.
>>
>>
>> Not with any router that's running SPI.
>
>
> Check again.

I don't have to check as I have already experienced an attack coming
through a NAT router that Blackice stopped at the machine level, when
Linksys removed SPI from the BEFW11s4 router years ago that I used years
ago. Prior to that and the router was running with SPI in the firmware,
there were no attacks that BI detected.

That's why I went to a FW appliance and dropped the NAT router, because
it didn't have SPI and couldn't stop outbound traffic, if need be.


>
>>>> but, as the OP mentions wireless, well, you can't NAT a wireless
>>>> connection - what I mean is that the wireless connection is from the
>>>> router to the laptop, there is no intermediate NAT between the wireless
>>>> and the laptop - so, anything that makes it to the wireless also
>>>> makes it to the laptop unless it's got some form of localized firewall.
>>>
>>>
>>>
>>> That does not explain why the computer would need another (different)
>>> firewall from the XP SP2 FW when it is connected to other networks.
>>
>>
>> You have not explained why the XP FW is better. XP's FW may be on
>> par with a NAT router that's running SPI.
>
>
> The XP SP2 FW is SPI, too.

So?

>
>>> Well you wrote: "The windows non-firewall included in XP SP2 will be
>>> more than enough, but, if you take your laptop to other networks
>>> (school, work, friends) it won't be enough in most cases.". If it is
>>> not a 3rd party firmware then what else do you need? You don't
>>> explain it. I have guessed you have thought of a 3rd party firmware. If
>>> it is not, then you really have to explain what would fill the "not
>>> enough" if the computer is in other networks.
>>
>>
>> You can't read and understand English.
>
>
> Even that you cannot explain.

I don't see anything coming from you either, and on top of that, I
didn't make the statement.
>
>>> And what should I download via FTP for which I need an antivirus? Can
>>> you be more specific?
>>
>>
>> An infected or dubious file can be downloaded from a FTP site. Do you
>> think it cannot happen?
>
>
> But why do you want to download the dubious file in the first place?

Because one doesn't know it was a dubious file in the first place. And
you take the word *you* out of it, because I don't need or want to do
anything.

>
>> For a machine that has a direct connection to the modem and to the
>> Internet, a user would be some kind of fool not to run what an AV and
>> some kind of PFW/personal packet filter or XP's FW/personal packet
>> filter, if using the XP O/S or some other MS NT based O/S.
>
>
> I connect my laptop with XP SP2 FW with no exception to public hotspots.
> Nothing is happening. I did that before when I still had PFW and AV on
> it. None of them ever reported anything relevant for a couple of years.
> All they did well was slowing down the computer.

That's you, the world is not made up of you(s) nor are all public spots
the same.

Re: Linksys WRT54G and Firewall software

am 26.03.2007 13:19:10 von Gerald Vogt

Mr. Arnold wrote:
> Gerald Vogt wrote:
>> Mr. Arnold wrote:
>>>> Well you wrote: "The windows non-firewall included in XP SP2 will be
>>>> more than enough, but, if you take your laptop to other networks
>>>> (school, work, friends) it won't be enough in most cases.". If it is
>>>> not a 3rd party firmware then what else do you need? You don't
>>>> explain it. I have guessed you have thought of a 3rd party firmware.
>>>> If it is not, then you really have to explain what would fill the
>>>> "not enough" if the computer is in other networks.
>>>
>>> You can't read and understand English.
>>
>> Even that you cannot explain.
>
> I don't see anything coming from you either, and on top of that, I
> didn't make the statement.

You did not make the statement "You can't read and understand English."?

What should come here from me? Someone writes, something is "not
enough". I ask what is not enough and what is missing exactly to fix
that problem but no one can explain.

>>> For a machine that has a direct connection to the modem and to the
>>> Internet, a user would be some kind of fool not to run what an AV and
>>> some kind of PFW/personal packet filter or XP's FW/personal packet
>>> filter, if using the XP O/S or some other MS NT based O/S.
>>
>> I connect my laptop with XP SP2 FW with no exception to public hotspots.
>> Nothing is happening. I did that before when I still had PFW and AV on
>> it. None of them ever reported anything relevant for a couple of years.
>> All they did well was slowing down the computer.
>
> That's you, the world is not made up of you(s) nor are all public spots
> the same.

So but it is the decision of the user what happens on the computer.
There is no inherent law that requires to run an AV or PFW on a
computer connected to a public hotspot. There is no law of nature due to
which a computer must have a PFW and AV else it is being infected with
malware. It is not "a user would be some kind of fool" but "a fool's a
fool". A foolish user may think he needs PFW and AV but that won't make
the computer fool-proof. Either the user wants to have a secure computer
and is willing to invest the time to learn how to achieve that or he
installs a PFW and AV and might think he can remain a fool...

Gerald

Re: Linksys WRT54G and Firewall software

am 26.03.2007 14:38:22 von Leythos

On Mon, 26 Mar 2007 07:07:26 +0000, B. Nice wrote:
>
> On Sun, 25 Mar 2007 17:45:46 -0500, Leythos wrote:
>
>>3) The windows non-firewall included in XP SP2 will be more than enough,
>>but, if you take your laptop to other networks (school, work, friends) it
>>won't be enough in most cases.
>
> Then what would you suggest instead?

Several things - and We've gone into this in another thread already.




--

Leythos

spam999free@rrohio.com (remove 999 for proper email address)

Re: Linksys WRT54G and Firewall software

am 26.03.2007 14:55:24 von Gerald Vogt

Leythos wrote:
> On Mon, 26 Mar 2007 07:07:26 +0000, B. Nice wrote:
>> On Sun, 25 Mar 2007 17:45:46 -0500, Leythos wrote:
>>
>>> 3) The windows non-firewall included in XP SP2 will be more than enough,
>>> but, if you take your laptop to other networks (school, work, friends) it
>>> won't be enough in most cases.
>> Then what would you suggest instead?
>
> Several things - and We've gone into this in another thread already.

Haha. The usual answer. Look somewhere else. The list cannot be too long
to briefly post here. If it is too long, you could simply post the
message id of the elaborate answer in that other thread...

BTW, do you actually know that nowhere.com is a normal internet domain
which is in use? Don't you think the owner of nowhere.com could become a
little bit annoyed if someone else simply uses his domain? Sends usenet
posts with an email address from his domain? Generating a lot of spam
traffic on his domain? Ever thought about this?

Either get a random free e-mail address at some of the free mailers like
yahoo or hotmail or use a domain which is reserved for those
purposes as mentioned in RFC 2606: TLD .invalid or second level
example.{com,net,org}.

Gerald

Re: Linksys WRT54G and Firewall software

am 26.03.2007 15:00:50 von Leythos

On Mon, 26 Mar 2007 21:55:24 +0900, Gerald Vogt wrote:

> Leythos wrote:
>> On Mon, 26 Mar 2007 07:07:26 +0000, B. Nice wrote:
>>> On Sun, 25 Mar 2007 17:45:46 -0500, Leythos wrote:
>>>
>>>> 3) The windows non-firewall included in XP SP2 will be more than enough,
>>>> but, if you take your laptop to other networks (school, work, friends) it
>>>> won't be enough in most cases.
>>> Then what would you suggest instead?
>>
>> Several things - and We've gone into this in another thread already.
>
> Haha. The usual answer. Look somewhere else. The list cannot be too long
> to briefly post here. If it is too long, you could simply post the
> message id of the elaborate answer in that other thread...
>
> BTW, do you actually know that nowhere.com is a normal internet domain
> which is in use? Don't you think the owner of nowhere.com could become a
> little bit annoyed if someone else simply uses his domain? Sends usenet
> posts with an email address from his domain? Generating a lot of spam
> traffic on his domain? Ever thought about this?
>
> Either get a random free e-mail address at some of the free mailers like
> yahoo or hotmail or use a domain which is reserved for those
> purposes as mentioned in RFC 2606: TLD .invalid or second level
> example.{com,net,org}.

I see, since you can't understand NAT Routers or how they are different
than the XP Firewall, you decide to divert from the subject.

B.Nice has already had this discussion with me, Usenet has a long history
in case you didn't know that, and the threads can be searched on google.





--

Leythos

spam999free@rrohio.com (remove 999 for proper email address)

Re: Linksys WRT54G and Firewall software

am 26.03.2007 15:16:19 von Gerald Vogt

Leythos wrote:
> On Mon, 26 Mar 2007 21:55:24 +0900, Gerald Vogt wrote:
>> Leythos wrote:
>>> On Mon, 26 Mar 2007 07:07:26 +0000, B. Nice wrote:
>>>> On Sun, 25 Mar 2007 17:45:46 -0500, Leythos wrote:
>>>>
>>>>> 3) The windows non-firewall included in XP SP2 will be more than enough,
>>>>> but, if you take your laptop to other networks (school, work, friends) it
>>>>> won't be enough in most cases.
>>>> Then what would you suggest instead?
>>> Several things - and We've gone into this in another thread already.
>> Haha. The usual answer. Look somewhere else. The list cannot be too long
>> to briefly post here. If it is too long, you could simply post the
>> message id of the elaborate answer in that other thread...
>>
>> BTW, do you actually know that nowhere.com is a normal internet domain
>> which is in use? Don't you think the owner of nowhere.com could become a
>> little bit annoyed if someone else simply uses his domain? Sends usenet
>> posts with an email address from his domain? Generating a lot of spam
>> traffic on his domain? Ever thought about this?
>>
>> Either get a random free e-mail address at some of the free mailers like
>> yahoo or hotmail or use a domain which is reserved for those
>> purposes as mentioned in RFC 2606: TLD .invalid or second level
>> example.{com,net,org}.
>
> I see, since you can't understand NAT Routers or how they are different
> than the XP Firewall, you decide to divert from the subject.

???? You are sick, man! You are using a sender address in an existing
domain of somebody else! Don't you get it? That's not to divert from the
subject. That's a fact! How can you be so ignorant not to change your
sender address to something unused as I have pointed out with RFC 2606?
You are knowingly generating spam traffic to e-mail addresses in other
people's domains!! If you have any decency or know anything about usenet
rules you would change that.

> B.Nice has already had this discussion with me, Usenet has a long history
> in case you didn't know that, and the threads can be searched on google.

Yes. I know the Usenet very well. Probably longer than you. From times
even before there was dejanews. But I am not a mind reader thus I cannot
tell which thread you are talking about. There are 47504 threads in
groups google. You have been using this sender address for quite a
while. Not knowing what thread you have in mind I cannot really enter
any search words except maybe "enough" or "firewall" or what?

Gerald

Re: Linksys WRT54G and Firewall software

am 27.03.2007 02:10:01 von Maximum Dog9

Gerald Vogt wrote:
> Maximum Dog9 wrote:
>
>> The XP FW/packet filter is doing the same thing as any other PFW or
>> personal packet filter. That is to stop unsolicited inbound traffic
>> from reaching the machine.
>
>
> And what is "not enough" when a computer with a XP SP2 FW with no
> exceptions connects to another network compared to a NAT router (which
> seems to be enough)?

This is boring, as you keep asking the same question.
No matter what anyone else may indicate, your mind can't see past it and
it's set.

>
>>>>> Where is the difference which explains why something else than the
>>>>> XP SP2 FW is needed elsewhere?
>>>>
>>>>
>>>> If the OP wanted to set a rule to stop outbound packets from leaving
>>>> the machine, which the XP packet filter cannot do is one difference.
>>>
>>>
>>> O.K. But that was not mentioned before. Plus the WRT54G with standard
>>> firmware does not do reliable outbound filtering.
>>
>>
>> What does the 54G have to do with the difference between two host
>> based software packet filters?
>
>
> I don't know what that is about. We are comparing the XP SP2 FW with the
> NAT router WRT54G. I first assumed that there was another 3rd party
> firmware involved but was told that it is not so.

It's a moot point in the first place, and I'll leave it at that.
>
>>> As I wrote elsewhere I thought he was thinking of another firewall.
>>> But if he is not thinking of another firewall then it remains open
>>> what would be necessary to fill this "not enough" when the computer
>>> is connected to another network. Behind the NAT router the XP SP2 FW
>>> is enough. In another network it is not. So what is the suggestion
>>> here? Not to connect to another network? Is that the only point here?
>>
>>
>> You have to ask him.
>
>
> Then, why do you answer?

I'll make it simple for you, get rid of the XP FW. That's it. It can't
get any simpler than that.


>
>>> Think about what you want to do with your computer and install the
>>> software you need for your purpose. That's it. If you need your
>>> computer, don't use it as a toy to install any garbage you come across...
>>
>>
>> As long as programs are protected from the Internet, what difference
>> does it make? You have no idea as to how someone will use his or her
>> computer. It's their choice to do with the computer what he or she wants.
>
>
> But if you are really concerned about security of your computer, not
> installing any junk you come across is far more efficient and better
> than installing PFW, AV, 5 malware scanners, etc.

I suggest that you talk to someone who is doing that, not me, because I
am not doing it.

Re: Linksys WRT54G and Firewall software

am 27.03.2007 02:25:16 von Maximum Dog9

Gerald Vogt wrote:
> Leythos wrote:
>
>> On Mon, 26 Mar 2007 02:46:22 +0000, Maximum Dog9 wrote:
>>
>>> The XP FW/packet filter is doing the same thing as any other PFW or
>>> personal packet filter. That is to stop unsolicited inbound traffic
>>> from reaching the machine.
>>
>>
>> Not technically correct - they actually reach the machine and if there
>> was an exploit path it would get through.
>>
>> The NAT router (a typical SOHO unit) would never let the packet make
>> it to the computer in the first place. Exploits at the machine would not be
>> reached by "unsolicited" connections.
>
>
> Yes. Therefore all the malware has to do is to "open" the port on the
> router. An unconfigured router with default password is an easy target.
> You could even run a quick dictionary attack if you wanted as the router
> won't bother repeated attempts to access the configuration interface
> from the LAN.

That's why you configure the router to use a strong named user-id and
password, which is no different from doing the same with an O/S that
uses a userid and psw to logon.

>
> But even if it cannot access the management interface, the router may be
> configured for UPnP by default. Makes it easy to open the port.

Then you disable UPnP.
>
> The WRT is so popular there is even customized hacker firmware available
> which gives you full control of the router and the internet connection
> while the average user behind the router won't even notice as everything
> so far works normal...

That's with any 3rd party software that someone has installed on a device.

>
> And if there is nothing else, simply open the port by sending frequent
> UDP packets out. This allows you "unsolicited" incoming traffic through
> UDP.

But the computer has to be compromised. It seems to me that it would
come past the XP FW as well if it were running behind the router, since
it can't stop outbound packets either.

>
> But anyway, it still does not explain why my laptop with XP SP2 FW with
> no exceptions connected to a public hotspot is any more vulnerable than
> while it is connected behind a NAT router with or without the SP2 FW.

Any software that runs with the O/S is vulnerable to attack just like
the O/S can be attacked.


On the other hand, a NAT router has a lower attack vector, since the
firmware is not running on the computer with the O/S.

Re: Linksys WRT54G and Firewall software

am 27.03.2007 02:29:11 von Maximum Dog9

Leythos wrote:
> On Mon, 26 Mar 2007 02:46:22 +0000, Maximum Dog9 wrote:
>
>>The XP FW/packet filter is doing the same thing as any other PFW or
>>personal packet filter. That is to stop unsolicited inbound traffic from
>>reaching the machine.
>
>
> Not technically correct - they actually reach the machine and if there was
> an exploit path it would get through.

Technically you're correct that the O/S and the packet filter are
running on the computer, with the packet filter blocking packets that
have reached the machine.

>
> The NAT router (a typical SOHO unit) would never let the packet make it to
> the computer in the first place. Exploits at the machine would not be
> reached by "unsolicited" connections.

I agree for the most part.

Re: Linksys WRT54G and Firewall software

am 27.03.2007 02:55:20 von "Mr. Arnold"

Gerald Vogt wrote:
> Mr. Arnold wrote:
>
>> Gerald Vogt wrote:
>>
>>> Mr. Arnold wrote:
>>>
>>>>> Well you wrote: "The windows non-firewall included in XP SP2 will
>>>>> be more than enough, but, if you take your laptop to other networks
>>>>> (school, work, friends) it won't be enough in most cases.". If it is
>>>>> not a 3rd party firmware then what else do you need? You don't
>>>>> explain it. I have guessed you have thought of a 3rd party firmware.
>>>>> If it is not, then you really have to explain what would fill the
>>>>> "not enough" if the computer is in other networks.
>>>>
>>>>
>>>> You can't read and understand English.
>>>
>>>
>>> Even that you cannot explain.
>>
>>
>> I don't see anything coming from you either, and on top of that, I
>> didn't make the statement.
>
>
> You did not make the statement "You can't read and understand English."?

Yeah, I made the statement in regards to your mis-interpretation that
was being stated, by another poster.



4) If you use your laptop on OTHER networks you really need to learn how
to check the Windows TCP/IP Settings, disable File/Printer sharing when
you are not home, and how to adjust/check the Windows XP SP2
non-firewall settings for "Exceptions".




Again contradictory to 3): if you think you need something else than the
XP SP2 firewall in other networks and you are running another brand
"non-firewall" software then the recommendation should be to check that
the XP SP2 firewall is turned off and the 3rd party "non-firewall" is
on. Two or more firewalls running on a computer result on average in
less security than a single one as it is unpredicted what actually is
blocked and what not and by which firewall which will jeopardize the
consistency of and state table in any firewall (as they are generally




Your response was nowhere in the ballpark as to what was actually
stated, by the poster.

>
> What should come here from me? Someone writes, something is "not
> enough". I ask what is not enough and what is missing exactly to fix
> that problem but no one can explain.

Whatever you should have come back with, it should have addressed the
statement that was made, which your response didn't do.

>
>>>> For a machine that has a direct connection to the modem and to the
>>>> Internet, a user would be some kind of fool not to run what an AV
>>>> and some kind of PFW/personal packet filter or XP's FW/personal
>>>> packet filter, if using the XP O/S or some other MS NT based O/S.
>>>
>>>
>>> I connect my laptop with XP SP2 FW with no exception to public hotspots.
>>> Nothing is happening. I did that before when I still had PFW and AV on
>>> it. None of them ever reported anything relevant for a couple of years.
>>> All they did well was slowing down the computer.
>>
>>
>> That's you, the world is not made up of you(s) nor are all public
>> spots the same.
>
>
> So but it is the decision of the user what happens on the computer.
> There is no inherent law that requires to run an AV or PFW on a
> computer connected to a public hotspot.

It's called common sense.

> There is no law of nature due to
> which a computer must have a PFW and AV else it is being infected with
> malware.

Yes, for the average Joe Blow user, again, it's the nature of common sense.

> It is not "a user would be some kind of fool" but "a fool's a
> fool".

A fool is a fool is a fool. So what?

> A foolish user may think he needs PFW and AV but that won't make
> the computer fool-proof.

No one said it did.

> Either the user wants to have a secure computer
> and is willing to invest the time to learn how to achieve that or he
> installs a PFW and AV and might think he can remain a fool...

No one's hand can be held and life is cheap and then you die. I suggest
you worry about your little world, because there is nothing you can do
about someone else's little world.