firewall on budget ?

am 22.07.2007 04:58:53 von Beladi Nasralla

Hi there,

I have a PC built for me, and I installed Windows XP SP2 on it. I
presume I need to put a firewall and antivirus on it to ward off worms
and viruses. I am more concerned about the firewall. I installed
ZoneAlarm Free Edition, and it worked all right. However, it always
bothered me by asking me to pay up, so I uninstalled it. My
computer is currently running on the in-built Windows firewall. Is
this OK ?

As an antivirus, I am using AVG Free Edition, and it seems to be doing its
job. Also, I can get a corporate edition of Trend Micro's PC-cillin
from my employer for little money; should I get it ? Thanks.

Re: firewall on budget ?

am 22.07.2007 05:03:24 von Leythos

In article <1185073133.439352.249850@e9g2000prf.googlegroups.com>,
nasra11a@yahoo.com says...
> Hi there,
>
> I have a PC built for me, and I installed Windows XP SP2 on it. I
> presume I need to put a firewall and antivirus on it to ward off worms
> and viruses. I am more concerned about the firewall. I installed
> ZoneAlarm Free Edition, and it worked all right. However, it always
> bothered me by asking me to pay up, so I uninstalled it. My
> computer is currently running on the in-built Windows firewall. Is
> this OK ?
>
> As an antivirus, I am using AVG Free Edition, and it seems to be doing its
> job. Also, I can get a corporate edition of Trend Micro's PC-cillin
> from my employer for little money; should I get it ? Thanks.

A simple NAT router will do more and better than ZAP or Windows XP
Firewall in almost all cases. Linksys BEFSR41 or a wireless version is
under $50 and provides protection from inbound attacks.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: firewall on budget ?

am 22.07.2007 05:23:51 von Beladi Nasralla

On Jul 22, 12:03 pm, Leythos wrote:
> In article <1185073133.439352.249...@e9g2000prf.googlegroups.com>,
> nasra...@yahoo.com says...
>
> > Hi there,
>
> > I have a PC built for me, and I installed Windows XP SP2 on it. I
> > presume I need to put a firewall and antivirus on it to ward off worms
> > and viruses. I am more concerned about the firewall. I installed
> > ZoneAlarm Free Edition, and it worked all right. However, it always
> > bothered me by asking me to pay up, so I uninstalled it. My
> > computer is currently running on the in-built Windows firewall. Is
> > this OK ?
>
> > As an antivirus, I am using AVG Free Edition, and it seems to be doing its
> > job. Also, I can get a corporate edition of Trend Micro's PC-cillin
> > from my employer for little money; should I get it ? Thanks.
>
> A simple NAT router will do more and better than ZAP or Windows XP
> Firewall in almost all cases. Linksys BEFSR41 or a wireless version is
> under $50 and provides protection from inbound attacks.

My early experience with connecting a PC with no firewall to the
Internet (via dial up) shows that it gets infected with a worm within
20 minutes. So now I always put a firewall between my PC and the
Internet. Now my PC is connected to the Internet via a NetComm NB5
ADSL2+ modem router. Do you think this will repel the worms ?

Re: firewall on budget ?

am 22.07.2007 05:39:18 von Leythos

In article <1185074631.141883.271760@z24g2000prh.googlegroups.com>,
nasra11a@yahoo.com says...
> On Jul 22, 12:03 pm, Leythos wrote:
> > In article <1185073133.439352.249...@e9g2000prf.googlegroups.com>,
> > nasra...@yahoo.com says...
> >
> > > Hi there,
> >
> > > I have a PC built for me, and I installed Windows XP SP2 on it. I
> > > presume I need to put a firewall and antivirus on it to ward off worms
> > > and viruses. I am more concerned about the firewall. I installed
> > > ZoneAlarm Free Edition, and it worked all right. However, it always
> > > bothered me by asking me to pay up, so I uninstalled it. My
> > > computer is currently running on the in-built Windows firewall. Is
> > > this OK ?
> >
> > > As an antivirus, I am using AVG Free Edition, and it seems to be doing its
> > > job. Also, I can get a corporate edition of Trend Micro's PC-cillin
> > > from my employer for little money; should I get it ? Thanks.
> >
> > A simple NAT router will do more and better than ZAP or Windows XP
> > Firewall in almost all cases. Linksys BEFSR41 or a wireless version is
> > under $50 and provides protection from inbound attacks.
>
> My early experience with connecting a PC with no firewall to the
> Internet (via dial up) shows that it gets infected with a worm within
> 20 minutes. So now I always put a firewall between my PC and the
> Internet. Now my PC is connected to the Internet via a NetComm NB5
> ADSL2+ modem router. Do you think this will repel the worms ?

The NAT router blocks "unsolicited" connections to the PC; it's sort of
a one-way filter - it lets you out, but only lets external sites
talk/reach your PC if you contact them first.

Many people use NAT routers as their primary protection method with no
firewall at all and have no problems.

Security is more than the firewall: it's not using easy-to-compromise
apps, keeping updates installed, not doing things that put you in harm's
way, monitoring your firewall logs (as you can easily monitor the
Linksys devices for in/out traffic), and many other things.

If your address is not a private address then your Modem is not doing
NAT, and if you have a live public IP then you're screwed without a
barrier device.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
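
An added illustration, not part of the thread and not code from any poster: a toy connection-tracking NAT in Python that behaves like the "one-way filter" Leythos describes (outbound traffic creates state, inbound traffic is forwarded only if it matches that state, everything else is dropped and logged), plus the private-address check from his last paragraph. The router class, the addresses and the ports are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges. If the address the PC sees on its own interface falls in
# one of these, something in front of it is doing NAT (Leythos's test).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def behind_nat(pc_address: str) -> bool:
    """True when the PC's own address is a private one, i.e. a NAT box is in front of it."""
    ip = ipaddress.ip_address(pc_address)
    return any(ip in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class ToyNatRouter:
    """Minimal connection-tracking NAT (constructed model, not any vendor's code).

    Outbound packets from the LAN get a WAN port and an entry in the state
    table. Inbound packets are forwarded only if they match an entry; an
    inbound packet with no matching outbound state is dropped and logged.
    """

    def __init__(self, lan_network: str, wan_ip: str, first_port: int = 40000):
        self.lan = ipaddress.ip_network(lan_network)
        self.wan_ip = wan_ip
        self.next_port = first_port
        # (wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.mappings = {}
        self.dropped = []  # log lines for unsolicited inbound traffic

    def handle(self, pkt: Packet):
        """Return ("forward", rewritten_packet) or ("drop", None)."""
        if ipaddress.ip_address(pkt.src) in self.lan:
            return self._outbound(pkt)
        return self._inbound(pkt)

    def _outbound(self, pkt: Packet):
        # Reuse the mapping for an existing flow, otherwise allocate a WAN port.
        for (wan_port, rip, rport), inside in self.mappings.items():
            if inside == (pkt.src, pkt.sport) and (rip, rport) == (pkt.dst, pkt.dport):
                break
        else:
            wan_port = self.next_port
            self.next_port += 1
            self.mappings[(wan_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return "forward", Packet(self.wan_ip, wan_port, pkt.dst, pkt.dport)

    def _inbound(self, pkt: Packet):
        key = (pkt.dport, pkt.src, pkt.sport)
        if pkt.dst == self.wan_ip and key in self.mappings:
            lan_ip, lan_port = self.mappings[key]
            return "forward", Packet(pkt.src, pkt.sport, lan_ip, lan_port)
        self.dropped.append(
            f"DROP {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} (no matching outbound state)")
        return "drop", None


if __name__ == "__main__":
    # Constructed scenario: PC 192.168.1.10 behind a router whose WAN side is 203.0.113.5.
    router = ToyNatRouter("192.168.1.0/24", "203.0.113.5")
    print(router.handle(Packet("192.168.1.10", 51000, "198.51.100.7", 80)))   # PC visits a web site
    print(router.handle(Packet("198.51.100.7", 80, "203.0.113.5", 40000)))    # reply comes back in
    print(router.handle(Packet("198.51.100.9", 4444, "203.0.113.5", 445)))    # unsolicited probe: dropped
    print(router.dropped)
    print(behind_nat("192.168.1.10"), behind_nat("203.0.113.5"))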

Re: firewall on budget ?

am 22.07.2007 07:07:44 von Computerflyer

On Jul 22, 1:39 pm, Leythos wrote:
> In article <1185074631.141883.271...@z24g2000prh.googlegroups.com>,
> nasra...@yahoo.com says...
>
>
>
>
>
> > On Jul 22, 12:03 pm, Leythos wrote:
> > > In article <1185073133.439352.249...@e9g2000prf.googlegroups.com>,
> > > nasra...@yahoo.com says...
>
> > > > Hi there,
>
> > > > I have a PC built for me, and I installed Windows XP SP2 on it. I
> > > > presume I need to put a firewall and antivirus on it to ward off worms
> > > > and viruses. I am more concerned about the firewall. I installed
> > > > ZoneAlarm Free Edition, and it worked all right. However, it always
> > > > bothered me by asking me to pay up, so I uninstalled it. My
> > > > computer is currently running on the in-built Windows firewall. Is
> > > > this OK ?
>
> > > > As an antivirus, I am using AVG Free Edition, and it seems to be doing its
> > > > job. Also, I can get a corporate edition of Trend Micro's PC-cillin
> > > > from my employer for little money; should I get it ? Thanks.
>
> > > A simple NAT router will do more and better than ZAP or Windows XP
> > > Firewall in almost all cases. Linksys BEFSR41 or a wireless version is
> > > under $50 and provides protection from inbound attacks.
>
> > My early experience with connecting a PC with no firewall to the
> > Internet (via dial up) shows that it gets infected with a worm within
> > 20 minutes. So now I always put a firewall between my PC and the
> > Internet. Now my PC is connected to the Internet via a NetComm NB5
> > ADSL2+ modem router. Do you think this will repel the worms ?
>
> The NAT router blocks "unsolicited" connections to the PC; it's sort of
> a one-way filter - it lets you out, but only lets external sites
> talk/reach your PC if you contact them first.
>
> Many people use NAT routers as their primary protection method with no
> firewall at all and have no problems.
>
> Security is more than the firewall: it's not using easy-to-compromise
> apps, keeping updates installed, not doing things that put you in harm's
> way, monitoring your firewall logs (as you can easily monitor the
> Linksys devices for in/out traffic), and many other things.
>
> If your address is not a private address then your Modem is not doing
> NAT, and if you have a live public IP then you're screwed without a
> barrier device.
>
> --
>
> Leythos
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a
> drug dealer an "unlicensed pharmacist"
> spam999f...@rrohio.com (remove 999 for proper email address)

Check out ghostwall. It resembles a rule based router-firewall more
than a bloatware internet protection package. If you are savvy enough
to set it up, it works as advertised.

Re: firewall on budget ?

am 22.07.2007 07:32:43 von Volker Birk

In comp.security.firewalls Beladi Nasralla wrote:
> My early experience with connecting a PC with no firewall to the
> Internet (via dial up) shows that it gets infected with a worm within
> 20 minutes.

Only if you're offering network services to the Internet. Better stop
that, and you don't need such a packet filter.

Yours,
VB.
--
"Care must be taken that the Basic Law is not protected with methods
that run counter to its aim and its spirit."

Gustav Heinemann, "Freimütige Kritik und demokratischer Rechtsstaat"

Re: firewall on budget ?

am 22.07.2007 11:53:31 von unknown

Post removed (X-No-Archive: yes)

Re: firewall on budget ?

am 22.07.2007 12:47:51 von spodosaurus

Beladi Nasralla wrote:
> Hi there,
>
> I have a PC built for me, and I installed Windows XP SP2 on it. I
> presume I need to put a firewall and antivirus on it to ward off worms
> and viruses. I am more concerned about the firewall. I installed
> ZoneAlarm Free Edition, and it worked all right. However, it always
> bothered me by asking me to pay up, so I uninstalled it.

Then you did something wrong during setup: mine never asks that.

> My
> computer is currently running on the in-built Windows firewall. Is
> this OK ?

It's satisfactory, unless something manages to get inside and call out.
Then you're stuffed.

>
> As an antivirus, I am using AVG Free Edition, and it seems to be doing its
> job.

I use that, it's good. I'm thinking of upgrading to the full version on
at least one of my home systems to make use of the extended features.
It's pretty cheap to do so as their licenses are two years for the price
of one from competitors (IIRC).

> Also, I can get a corporate edition of Trend Micro's PC-cillin
> from my employer for little money; should I get it ? Thanks.

How does that licensing work? If you're happy with AVG Free edition, why
change?

Cheers,

Ari


--
spammage trappage: remove the underscores to reply
Many people around the world are waiting for a marrow transplant. Please
volunteer to be a marrow donor and literally save someone's life:
http://www.abmdr.org.au/
http://www.marrow.org/

Re: firewall on budget ?

am 22.07.2007 14:54:07 von tmaster1

"Beladi Nasralla" wrote in message
news:1185073133.439352.249850@e9g2000prf.googlegroups.com...
> Hi there,
>
> I have a PC built for me, and I installed Windows XP SP2 on it. I
> presume I need to put a firewall and antivirus on it to ward off worms
> and viruses. I am more concerned about the firewall. I installed
> ZoneAlarm Free Edition, and it worked all right. However, it always
> bothered me by asking me to pay up, so I uninstalled it. My
> computer is currently running on the in-built Windows firewall. Is
> this OK ?
>
> As an antivirus, I am using AVG Free Edition, and it seems to be doing its
> job. Also, I can get a corporate edition of Trend Micro's PC-cillin
> from my employer for little money; should I get it ? Thanks.


I've used Sygate for years. It doesn't bug you. You can still get it here.
http://www.oldversion.com/program.php?n=sygate

Re: firewall on budget ?

am 22.07.2007 15:31:33 von Volker Birk

In comp.security.firewalls Mellowed wrote:
> I've used Sygate for years. It doesn't bug you. You can still get it here.
> http://www.oldversion.com/program.php?n=sygate

I've used a bowl of holy water for years. It doesn't bug you. You can
still get it here:

http://www.discountcatholicstore.com/holywater.htm

Yours,
VB.
--
> Yes, ZA has caused me problems in the last 5 years (?), or more
> precisely: never.
Neither has the little bowl of holy water next to my monitor.
(Bjoern Schliessmann in d.c.s.f.)

Re: firewall on budget ?

am 22.07.2007 15:59:38 von Leythos

In article ,
b__nice@hotmail.com says...
> On Sat, 21 Jul 2007 23:39:18 -0400, Leythos wrote:
>
> >If your address is not a private address then your Modem is not doing
> >NAT, and if you have a live public IP then you're screwed without a
> >barrier device.
>
> You're implying that the Windows Firewall is remotely exploitable. Got
> any references to that?

It's locally exploitable - look at anyone running as a local admin, and
any software that wants to create an exception in the WF. Even AOL will
create exceptions without you knowing about it. All you have to do is
google.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: firewall on budget ?

am 22.07.2007 15:59:56 von Volker Birk

Volker Birk wrote:
> In comp.security.firewalls Mellowed wrote:
> > I've used Sygate for years. It doesn't bug you. You can still get it here.
> > http://www.oldversion.com/program.php?n=sygate
> I've used a bowl of holy water for years. It doesn't bug you. You can
> still get it here:
> http://www.discountcatholicstore.com/holywater.htm

I'm very sorry for this posting.

Of course, holy water does not endanger your PC by implementing additional
security holes - like Sygate does.

It does not bother you with useless popups - like Sygate does.

And it has no security design flaws - like Sygate does.

Well - at least it maybe /could/ give you a false sense of security:
just like Sygate.

Yours,
VB.
--
> Yes, ZA has caused me problems in the last 5 years (?), or more
> precisely: never.
Neither has the little bowl of holy water next to my monitor.
(Bjoern Schliessmann in d.c.s.f.)

Re: firewall on budget ?

am 22.07.2007 16:08:56 von Leythos

In article <1185080864.730283.306800@x40g2000prg.googlegroups.com>,
computerflyer@gmail.com says...
> On Jul 22, 1:39 pm, Leythos wrote:
> > In article <1185074631.141883.271...@z24g2000prh.googlegroups.com>,
> > nasra...@yahoo.com says...
> >
> >
> >
> >
> >
> > > On Jul 22, 12:03 pm, Leythos wrote:
> > > > In article <1185073133.439352.249...@e9g2000prf.googlegroups.com>,
> > > > nasra...@yahoo.com says...
> >
> > > > > Hi there,
> >
> > > > > I have a PC built for me, and I installed Windows XP SP2 on it. I
> > > > > presume I need to put a firewall and antivirus on it to ward off worms
> > > > > and viruses. I am more concerned about the firewall. I installed
> > > > > ZoneAlarm Free Edition, and it worked all right. However, it always
> > > > > bothered me by asking me to pay up, so I uninstalled it. My
> > > > > computer is currently running on the in-built Windows firewall. Is
> > > > > this OK ?
> >
> > > > > As an antivirus, I am using AVG Free Edition, and it seems to be doing its
> > > > > job. Also, I can get a corporate edition of Trend Micro's PC-cillin
> > > > > from my employer for little money; should I get it ? Thanks.
> >
> > > > A simple NAT router will do more and better than ZAP or Windows XP
> > > > Firewall in almost all cases. Linksys BEFSR41 or a wireless version is
> > > > under $50 and provides protection from inbound attacks.
> >
> > > My early experience with connecting a PC with no firewall to the
> > > Internet (via dial up) shows that it gets infected with a worm within
> > > 20 minutes. So now I always put a firewall between my PC and the
> > > Internet. Now my PC is connected to the Internet via a NetComm NB5
> > > ADSL2+ modem router. Do you think this will repel the worms ?
> >
> > The NAT router blocks "unsolicited" connections to the PC; it's sort of
> > a one-way filter - it lets you out, but only lets external sites
> > talk/reach your PC if you contact them first.
> >
> > Many people use NAT routers as their primary protection method with no
> > firewall at all and have no problems.
> >
> > Security is more than the firewall: it's not using easy-to-compromise
> > apps, keeping updates installed, not doing things that put you in harm's
> > way, monitoring your firewall logs (as you can easily monitor the
> > Linksys devices for in/out traffic), and many other things.
> >
> > If your address is not a private address then your Modem is not doing
> > NAT, and if you have a live public IP then you're screwed without a
> > barrier device.
> >
>
> Check out ghostwall. It resembles a rule based router-firewall more
> than a bloatware internet protection package. If you are savvy enough
> to set it up, it works as advertised.

A proper Usenet client would snip the signature lines when you reply;
consider getting one.

Any software that runs on the user's computer is a security risk, even
ZAP and others; if it's on a non-dedicated firewall computer then it's a
risk. A NAT router is transparent, doesn't ask the user anything, and
does its work without exploits when properly set up - this is not the
case for most PC based firewall solutions.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: firewall on budget ?

am 22.07.2007 16:31:18 von unknown

Post removed (X-No-Archive: yes)

Re: firewall on budget ?

am 22.07.2007 17:10:22 von Leythos

In article ,
b__nice@hotmail.com says...
> On Sun, 22 Jul 2007 09:59:38 -0400, Leythos wrote:
>
> >In article ,
> >b__nice@hotmail.com says...
> >> On Sat, 21 Jul 2007 23:39:18 -0400, Leythos wrote:
> >>
> >> >If your address is not a private address then your Modem is not doing
> >> >NAT, and if you have a live public IP then you're screwed without a
> >> >barrier device.
> >>
> >> You're implying that the Windows Firewall is remotely exploitable. Got
> >> any references to that?
> >
> >It's locally exploitable - look at anyone running as a local admin, and
> >any software that wants to create an exception in the WF.
>
> Any local FW is exploitable when running as local admin.
>
> Anyone running arbitrary code as local admin is likely to get screwed.
> You seem to advocate keep doing so and then have a barrier to minimize
> the damage instead of advocating doing the right thing, which would be
> to run a LUA in which case the WF can't be exploited the way you're
> thinking of.

No, I don't advocate what you are talking about, but I'm also not aware
that many programs won't run under Windows unless the user is an admin,
and I also understand that many users don't have a clue about security.

In the case of a NAT router, while it doesn't stop stupid people from
infecting their computers, it does stop external sources from directly
accessing the user's computer without an invite. Windows ships from many
vendors with lots of exceptions and that makes it a threat to the
ignorant; a NAT router would mean that exceptions are meaningless.

If a user is going to run as an admin, and most are, even with warnings,
then they need some means to protect them - if ALL ISPs were to implement
NAT at the internet device provided to the users, allowing exceptions
for those smart enough to ask for an exception, it would eliminate a LOT
of problems for users.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: firewall on budget ?

am 22.07.2007 17:48:29 von Frodo

There are many free firewalls out there. google for "free firewall".

ZoneAlarm Free should never ask you to "pay up"; you have it set up wrong
somehow. I would recommend version 6.1.744; it was small and stable.
6.5.737 was the last version 6, but it was flaky (on my system at least).
The latest version 7 is bloated (IMO).

http://filehippo.com/download_zonealarm_free/?822

Comodo Firewall Free is also highly regarded:

http://www.comodo.com/products/free_products.html

And the XP built-in isn't totally worthless. It simply doesn't try to stop
"baddies" installed in your system from calling home (but then the others
won't stop a SMART bad guy either; the smart bad guys can get past many
outgoing firewalls, you need to scan regularly to make sure they don't get
on your system in the first place).

If you are connecting directly via a modem (dialup/cable/dsl) you NEED a
firewall, for sure. You are exposed directly to the internet, and the
firewall log will confirm for you that it is blocking packets all the time
(the estimate in prev post of <20 mins before attack is right-on).

If you are behind a NAT router (i.e., a residential gateway, like a $50
linksys or the like) then you are somewhat protected by the gateway
itself, but I'd still use a software firewall anyway. Most likely its logs
will show almost no blocked incoming packets even after many hours (since
the router dropped them).

Re: firewall on budget ?

am 22.07.2007 20:17:00 von unknown

Post removed (X-No-Archive: yes)

Re: firewall on budget ?

am 22.07.2007 20:46:29 von Ansgar -59cobalt- Wiechers

In comp.security.firewalls frodo@theshire.net wrote:
> And the XP built-in isn't totally worthless. It simply doesn't try to
> stop "baddies" installed in your system from calling home (but then
> the others won't stop a SMART bad guy either; the smart bad guys can
> get past many outgoing firewalls, you need to scan regularly to make
> sure they don't get on your system in the first place).

You have no idea of what you're talking about. Regular scanning does not
prevent malware from being installed. It merely may detect malware once
it already is installed. Which is something any decent virus scanner
will do just fine. It's not a task for a firewall.

What a personal firewall can do reliably is blocking inbound connections
and preventing applications run by users from opening listening sockets.
The Windows Firewall does either of these just fine.

> If you are connecting directly via a modem (dialup/cable/dsl) you NEED
> a firewall, for sure. You are exposed directly to the internet, and
> the firewall log will confirm for you that it is blocking packets all
> the time (the estimate in prev post of <20 mins before attack is
> right-on).

So? Just don't provide any services towards the internet. And now? What
more protection will a firewall offer? It will just add more code with
additional (potentially exploitable) bugs.

Granted, Windows makes it rather difficult to unbind services from
interfaces, so a firewall is the easiest and least error-prone way to
make services unavailable on a given interface, but that's about it.

F'up adjusted.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
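
An added illustration, not from the thread and not any poster's code, of the point Volker Birk and Ansgar make: what matters is which services the PC offers on the wire. The Python below parses a constructed sample in the layout of Windows "netstat -an" output, lists the sockets that accept unsolicited traffic (TCP in LISTENING state, and every UDP socket), and separates loopback-only bindings from ones another host could reach. The sample lines, addresses and ports are constructed for the example, not captured from any machine.

```python
import re

# Constructed sample in the layout of Windows "netstat -an" output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:51000     198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    127.0.0.1:1900         *:*
"""

# proto, local address, local port, foreign address, optional state
SOCKET_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_text: str):
    """Return (proto, local_addr, port) for every socket that accepts unsolicited traffic."""
    listeners = []
    for line in netstat_text.splitlines():
        m = SOCKET_LINE.match(line)
        if not m:
            continue  # banner, header or blank line
        proto, addr, port, _foreign, state = m.groups()
        # Only a TCP socket in LISTENING state accepts new connections;
        # UDP sockets carry no state and are always reachable on their port.
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.append((proto, addr, int(port)))
    return listeners


def scope_of(addr: str) -> str:
    """Who can reach a socket bound to this local address."""
    if addr.startswith("127.") or addr == "[::1]":
        return "loopback"          # local processes only
    if addr in ("0.0.0.0", "[::]"):
        return "all interfaces"    # every interface, including the one facing the modem
    return "single interface"      # one address, e.g. the LAN side only


def exposed_services(netstat_text: str):
    """Listeners another host could reach: everything not bound to loopback.

    With a public IP and no barrier device, these are exactly the services the
    thread says to stop offering; behind NAT only the LAN side can reach them.
    """
    return [(proto, addr, port, scope_of(addr))
            for proto, addr, port in parse_listeners(netstat_text)
            if scope_of(addr) != "loopback"]


if __name__ == "__main__":
    for proto, addr, port, scope in exposed_services(SAMPLE_NETSTAT):
        print(f"{proto:<4} {addr}:{port:<6} reachable on: {scope}")
```

On a real machine you would feed it the actual "netstat -an" text; the same classification then tells you which listeners a packet filter is standing in for, which is Ansgar's "easiest and least error-prone way to make services unavailable on a given interface".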

Re: firewall on budget ?

am 22.07.2007 21:21:15 von Frank McCoy

In alt.comp.hardware.pc-homebuilt Ansgar -59cobalt- Wiechers wrote:

>In comp.security.firewalls frodo@theshire.net wrote:
>> And the XP built-in isn't totally worthless. It simply doesn't try to
>> stop "baddies" installed in your system from calling home (but then
>> the others won't stop a SMART bad guy either; the smart bad guys can
>> get past many outgoing firewalls, you need to scan regularly to make
>> sure they don't get on your system in the first place).
>
>You have no idea of what you're talking about. Regular scanning does not
>prevent malware from being installed.

Any *DECENT* spyware, malware, or virus scanner does more than just
"scan" for already installed viruses and Trojans. They also SCAN any
incoming data, whether from the Internet, email, or an installation
program, for known threats, and announce to the user if any are
found BEFORE they get installed.

"Protection" programs that DON'T do this are pretty much useless, as
there are all too many vicious programs out there whose first act, once
they do get installed, is to disable known virus-scanners from noticing
them at all.

>It merely may detect malware once
>it already is installed. Which is something any decent virus scanner
>will do just fine. It's not a task for a firewall.
>
>What a personal firewall can do reliably is blocking inbound connections

A *good* one blocks outbound connections too; except from programs you
specifically authorize.

>and preventing applications run by users from opening listening sockets.
>The Windows Firewall does either of these just fine.
>
It really ain't worth *shit* on outbound connections, where (for
example) a Trojan starts connecting and sending everything from your
personal information to mailbombs to anybody, everybody, or specifically
targeted DOS addresses.

>> If you are connecting directly via a modem (dialup/cable/dsl) you NEED
>> a firewall, for sure. You are exposed directly to the internet, and
>> the firewall log will confirm for you that it is blocking packets all
>> the time (the estimate in prev post of <20 mins before attack is
>> right-on).
>
>So? Just don't provide any services towards the internet. And now? What
>more protection will a firewall offer? It will just add more code with
>additional (potentially exploitable) bugs.
>
It seems you don't really know what a good firewall does or even what
its intended use is.

And Windows Firewall is NOT a good example ... Nor even a real example
of a true firewall at all.

>Granted, Windows makes it rather difficult to unbind services from
>interfaces, so a firewall is the easiest and least error-prone way to
>make services unavailable on a given interface, but that's about it.
>
A good firewall does FAR more than that.
It not only prevents attacks, but stops them when they happen and notifies
users when they try. Sometimes obnoxiously; but that's often the only
way to get lusers to stop things when they go bad ... and sometimes not
even then.

All too often I've seen idiots go ahead and install known viruses when
AV software tells them it's bad, defeat firewalls when told that an
unauthorized program is trying to send garbage, and even turn off either
or both when the complaints start coming every minute or so.

Then they wonder why their computer slows down, and eventually craps
out. "Well, how was I supposed to know that would happen?"

Geesh.

--
_____
/ ' / ™
,-/-, __ __. ____ /_
(_/ / (_(_/|_/ / <_/ <_

Re: firewall on budget ?

am 22.07.2007 21:59:20 von Ansgar -59cobalt- Wiechers

Frank McCoy wrote:
> In alt.comp.hardware.pc-homebuilt Ansgar -59cobalt- Wiechers wrote:
>> In comp.security.firewalls frodo@theshire.net wrote:
>>> And the XP built-in isn't totally worthless. It simply doesn't try
>>> to stop "baddies" installed in your system from calling home (but
>>> then the others won't stop a SMART bad guy either; the smart bad
>>> guys can get past many outgoing firewalls, you need to scan
>>> regularly to make sure they don't get on your system in the first
>>> place).
>>
>> You have no idea of what you're talking about. Regular scanning does
>> not prevent malware from being installed.
>
> Any *DECENT* spyware, malware, or virus scanner does more than just
> "scan" for already installed viruses and Trojans. They also SCAN any
> incoming data, whether from the Internet, Email, or installation-
> program for containing known threats; and announcing to the user if
> any are found BEFORE they get installed.

That's still a task for a virus scanner, not for a firewall. Besides, I
was specifically referring to the previous poster's claim that regular
scanning would prevent infections. Which is still plain wrong.

[...]
>> It merely may detect malware once it already is installed. Which is
>> something any decent virus scanner will do just fine. It's not a task
>> for a firewall.
>>
>> What a personal firewall can do reliably is blocking inbound connections
^^^^^^^^
> A *good* one blocks outbound connections too; except from programs you
> specifically authorize.

Look up the term "reliable" in a dictionary of your choice. Then look up
"firewall leak".

>> and preventing applications run by users from opening listening
>> sockets. The Windows Firewall does either of these just fine.
>
> It really ain't worth *shit* on outbound connections, where (for
> example) a Trojan starts connecting and sending everything from your
> personal information to mailbombs to anybody, everybody, or
> specifically targeted DOS addresses.

Once a trojan starts an outbound connection your machine is already
infected and you're toast anyway. Meaning that trying to prevent malware
from communicating outbound once it's already running, rather than
preventing it from being installed (or at least from being executed), is
worth "shit" (to put it with your words).

>>> If you are connecting directly via a modem (dialup/cable/dsl) you
>>> NEED a firewall, for sure. You are exposed directly to the internet,
>>> and the firewall log will confirm for you that it is blocking
>>> packets all the time (the estimate in prev post of <20 mins before
>>> attack is right-on).
>>
>> So? Just don't provide any services towards the internet. And now?
>> What more protection will a firewall offer? It will just add more
>> code with additional (potentially exploitable) bugs.
>
> It seems you don't really know what a good firewall does or even what
> it's intended use is.

Unlike yourself I have a pretty good idea of what they can do, what they
cannot do, and why I won't use any of them.

> And Windows Firewall is NOT a good example ... Nor even a real example
> of a true firewall at all.

Whatever you believe to be a "true firewall".

>> Granted, Windows makes it rather difficult to unbind services from
>> interfaces, so a firewall is the easiest and least error-prone way to
>> make services unavailable on a given interface, but that's about it.
>
> A good firewall does FAR more than that.
> It not only prevents attacks; but stops them when they happen and
> notify users when they try.

Only if a) the malware hadn't been tampering with the firewall in the
first place, and b) the firewall actually detects (and prevents) the
attack.

> Sometimes obnoxiously; but that's often the only way to get lusers to
> stop things when they go bad ... and sometimes not even then.

Nope. That's a sure-fire path to have the user disable the software
that's supposed to protect him.

> All too often I've seen idiots go ahead and install known viruses when
> AV software tells them its bad, defeat firewalls when told that an
> unauthorized program is trying to send garbage, and even turn off
> either or both when the complaints start coming every minute or so.
>
> Then they wonder why their computer slows down, and eventually craps
> out. "Well, how was I supposed to know that would happen?"

M-hm. And a "true" firewall would have helped there how?

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: firewall on budget ?

am 22.07.2007 22:11:15 von unknown

Post removed (X-No-Archive: yes)

Re: firewall on budget ?

am 22.07.2007 22:11:29 von Leythos

In article <13a6v2dhqrdvkb5@corp.supernews.com>, frodo@theshire.net
says...
> There are many free firewalls out there. google for "free firewall".
>
> ZoneAlarm Free should never ask you to "pay up"; you have it set up wrong
> somehow. I would recommend version 6.1.744; it was small and stable.
> 6.5.737 was the last version 6, but it was flaky (on my system at least).
> The latest version 7 is bloated (IMO).
>
> http://filehippo.com/download_zonealarm_free/?822
>
> Comodo Firewall Free is also highly regarded:
>
> http://www.comodo.com/products/free_products.html
>
> And the XP built-in isn't totally worthless. It simply doesn't try to stop
> "baddies" installed in your system from calling home (but then the others
> won't stop a SMART bad guy either; the smart bad guys can get past many
> outgoing firewalls, you need to scan regularly to make sure they don't get
> on your system in the first place).

Actually, the Windows firewall is a bad concept from the start - people
think they are protected, but many machines have file/printer sharing
enabled and an exception for it, and many people run as local admin, so
it's easy to subvert the firewall with simple malware; even non-malware
apps subvert it without warning.

The general rule is that your computer does not need a direct wired
connection to the internet at all.

> If you are connecting directly via a modem (dialup/cable/dsl) you NEED a
> firewall, for sure. You are exposed directly to the internet, and the
> firewall log will confirm for you that it is blocking packets all the time
> (the estimate in prev post of <20 mins before attack is right-on).

And the Cable/DSL, anything with a Network jack, should be behind some NAT
device or a real firewall appliance.

For the Dial-up, the Windows firewall is a start, but I still have an old
modem/router device for dialup that does NAT. For my Verizon BB card I
use the Windows firewall alone, but I also don't run as local admin,
don't screw around, etc...

> If you are behind a NAT router (i.e., residential gateway, like a $50
> linksys or the like) then you are somewhat protected by the gateway
> itself, but I'd still use a software firewall anyway. Most likely its logs
> will show almost no blocked incoming packets even after many hours (since
> the router dropped them).

And the router's logs will provide a more accurate indication as they
can't really be screwed with like software on your PC can.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: firewall on budget ?

am 22.07.2007 22:22:32 von Leythos

In article <94e7a39tec3hfgidr7798bqut68fu5co8m@4ax.com>,
b__nice@hotmail.com says...
> On Sun, 22 Jul 2007 11:10:22 -0400, Leythos wrote:
>
> >In article ,
> >b__nice@hotmail.com says...
> >> Any local FW is exploitable when running as local admin.
> >>
> >> Anyone running arbitrary code as local admin is likely to get screwed.
> >> You seem to advocate keep doing so and then have a barrier to minimize
> >> the damage instead of advocating doing the right thing, which would be
> >> to run a LUA in which case the WF can't be exploited the way you're
> >> thinking of.
> >
> >No, I don't advocate what you are talking about,
>
> Yes.
>
> >but I'm also not aware that many programs won't run under Windows
> >unless the user is an admin,
>
> There are ways around that.

Not in every case, at least not with users that are willing to wrangle
around it on a daily basis - you know human nature, it's what gets
people compromised in the first place.

> >and I also understand that many users don't have a clue about security.
>
> Probably true, but that calls for education, not damage control.

But, until they get educated, and we've had security threats for more
than a decade and fewer and fewer people are educated, we need a measure
that will protect the ignorant masses from harming the rest of us - ISP
Mandated NAT implemented at the users gateway device would be a first
real help.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: firewall on budget ?

am 23.07.2007 00:09:39 von jameshanley39

On Jul 22, 4:10 pm, Leythos wrote:
> In article ,
> b__n...@hotmail.com says...
>
> > On Sun, 22 Jul 2007 09:59:38 -0400, Leythos wrote:
>
> > >In article ,
> > >b__n...@hotmail.com says...
> > >> On Sat, 21 Jul 2007 23:39:18 -0400, Leythos wrote:
>
> > >> >If your address is not a private address then your Modem is not doing
> > >> >NAT, and if you have a live public IP then you're screwed without a
> > >> >barrier device.
>
> > >> You're implying that the Windows Firewall is remotely exploitable. Got
> > >> any references to that?
>
> > >It's locally exploitable - look at anyone running as a local admin, and
> > >any software that wants to create an exception in the WF.
>
> > Any local FW is exploitable when running as local admin.
>
> > Anyone running arbitrary code as local admin is likely to get screwed.
> > You seem to advocate keep doing so and then have a barrier to minimize
> > the damage instead of advocating doing the right thing, which would be
> > to run a LUA in which case the WF can't be exploited the way you're
> > thinking of.
>
> No, I don't advocate what you are talking about, but I'm also not aware
> that many programs won't run under Windows unless the user is an admin,
> and I also understand that many users don't have a clue about security.
>
> In the case of a NAT Router, while it doesn't stop stupid people from
> infecting their computers, it does stop external sources from directly
> accessing the users computer without an invite. Windows ships from many
> vendors with lots of exceptions and that makes it a threat to the
> ignorant, a NAT Router would mean that exceptions are meaningless.
>
> I a user is going to run as an admin, and most are, even with warnings,
> then they need some means to protect them - if ALL ISP were to implement
> NAT at the internet device provided to the users, allowing exceptions
> for those smart enough to ask for an exception, it would eliminate a LOT
> of problems for users.
>

Can you link me to some devices for DSL internet, that -don't- use
NAT?

I looked once on ebay.co.uk but didn't find any. There was a 1 port
westell router/modem which I was told didn't use NAT, but it turned
out that it did.

I reckon, maybe, maybe, a PCI DSL modem doesn't use NAT. And maybe an
ISP's cable modem, e.g. NTL cable modem when not used with a NAT
router. But I'm interested in any others: DSL devices that don't use
NAT.

A DSL device that doesn't use NAT is so hard to find, I don't know
anybody in the UK that has one.

I'm asking this as a theoretical question, in the sense that I'm not
considering recommending them over NAT, so you needn't fear that!

Re: firewall on budget ?

am 23.07.2007 00:44:29 von Leythos

In article <1185142179.733331.202040@d55g2000hsg.googlegroups.com>,
jameshanley39@yahoo.co.uk says...
> A DSL device that doesn't use NAT is so hard to find, I don't know
> anybody in the UK that has one.
>
> I'm asking this as a theoretical question , in the sense that i'm not
> considering recommending them over NAT, so you needn't fear that!

You don't want to look at cheap devices then, you want to use a Firewall
Appliance in "Drop-In" mode - it still filters traffic based on rules,
but it allows all ports (jacks) to have the same public IP.

There is also 1:1 NAT, so that a single PUBLIC IP is routed to a single
LAN IP.

Why would you not want NAT?

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: firewall on budget ?

am 23.07.2007 07:09:46 von Jens Hoffmann

Hi,



> Can you link me to some devices for DSL internet, that -don't- use
> NAT?

All Ciscos, for example? They can use NAT, though.

Cheers,
Jens

Re: firewall on budget ?

am 23.07.2007 07:23:24 von unknown

Post removed (X-No-Archive: yes)

Re: firewall on budget ?

am 23.07.2007 12:06:48 von jameshanley39

On Jul 22, 11:44 pm, Leythos wrote:
> In article <1185142179.733331.202...@d55g2000hsg.googlegroups.com>,
> jameshanle...@yahoo.co.uk says...
>
> > A DSL device that doesn't use NAT is so hard to find, I don't know
> > anybody in the UK that has one.
>
> > I'm asking this as a theoretical question , in the sense that i'm not
> > considering recommending them over NAT, so you needn't fear that!
>
> You don't want to look at cheap devices then, you want to use a Firewall
> Appliance in "Drop-In" mode - it still filters traffic based on rules,
> but it allows all ports (jacks) to have the same public IP.
>
> There is also 1:1 NAT, so that a single PUBLIC IP is routed to a single
> LAN IP.
>
> Why would you not want NAT?
>
> --
>
> Leythos

I would use NAT. But I'm wondering, theoretically, and since you say
it's a shame some end users don't use NAT, and ISPs should make it
mandatory.

What end users on DSL don't use NAT? What devices are they buying;
can you link me to any? Presumably you've seen some.

Re: firewall on budget ?

am 23.07.2007 14:01:32 von Leythos

In article ,
b__nice@hotmail.com says...
> On Sun, 22 Jul 2007 16:22:32 -0400, Leythos wrote:
>
> >In article <94e7a39tec3hfgidr7798bqut68fu5co8m@4ax.com>,
> >b__nice@hotmail.com says...
> >> On Sun, 22 Jul 2007 11:10:22 -0400, Leythos wrote:
> >>
> >> >In article ,
> >> >b__nice@hotmail.com says...
> >> >> Any local FW is exploitable when running as local admin.
> >> >>
> >> >> Anyone running arbitrary code as local admin is likely to get screwed.
> >> >> You seem to advocate keep doing so and then have a barrier to minimize
> >> >> the damage instead of advocating doing the right thing, which would be
> >> >> to run a LUA in which case the WF can't be exploited the way you're
> >> >> thinking of.
> >> >
> >> >No, I don't advocate what you are talking about,
> >>
> >> Yes.
> >>
> >> >but I'm also not aware that many programs won't run under Windows
> >> >unless the user is an admin,
> >>
> >> There are ways around that.
> >
> >Not in every case, at least not with users that are willing to wrangle
> >around it on a daily basis - you know human nature, it's what gets
> >people compromised in the first place.
>
> What does some users willingness to wrangle around have to do with the
> fact that there are workarounds to the issue raised?

What work around issues?

>
> >> >and I also understand that many users don't have a clue about security.
> >>
> >> Probably true, but that calls for education, not damage control.
> >
> >But, until they get educated, and we've had security threats for more
> >than a decade and fewer and fewer people are educated, we need a measure
> >that will protect the ignorant masses from harming the rest of us - ISP
> >Mandated NAT implemented at the users gateway device would be a first
> >real help.
>
> I fail to see how NAT would protect the rest of us?

By keeping the ignorant masses' machines from being compromised
immediately, before they even start using them. It also means that we
don't have the issues of them being FTP, SMTP, etc. relays... Come on,
think - if the computer can't be reached then it's going to be harder
for the hackers to abuse it. Yes, I know about phone home malware, but
we're talking about all the idiots that leave their computer, without a
password, connected to a public IP with file/printer sharing enabled.


--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: firewall on budget ?

am 23.07.2007 14:03:14 von Leythos

In article <1185185208.751091.229450@k79g2000hse.googlegroups.com>,
jameshanley39@yahoo.co.uk says...
> On Jul 22, 11:44 pm, Leythos wrote:
> > In article <1185142179.733331.202...@d55g2000hsg.googlegroups.com>,
> > jameshanle...@yahoo.co.uk says...
> >
> > > A DSL device that doesn't use NAT is so hard to find, I don't know
> > > anybody in the UK that has one.
> >
> > > I'm asking this as a theoretical question , in the sense that i'm not
> > > considering recommending them over NAT, so you needn't fear that!
> >
> > You don't want to look at cheap devices then, you want to use a Firewall
> > Appliance in "Drop-In" mode - it still filters traffic based on rules,
> > but it allows all ports (jacks) to have the same public IP.
> >
> > There is also 1:1 NAT, so that a single PUBLIC IP is routed to a single
> > LAN IP.
> >
> > Why would you not want NAT?
> >
> > --
> >
> > Leythos
>
> I would use NAT. But i'm wondering, theoretically, and since you say
> it's a shame some end users don't use NAT, and ISPs should make it
> mandatory.
>
> What end users on DSL, don't use NAT . What devices are they buying,
> can you link me to any? presumably you've seen some.

Every DSL device I've seen can be set up for NAT or Routed mode - it's in
the DSL Maintenance screen on their devices. I know a bunch of people,
like SBS/Yahoo DSL, that get public IP from their DSL service.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: firewall on budget ?

am 23.07.2007 16:22:45 von zii kell

Comodo firewall is free.
Avast is free.
Spybot-Search & Destroy is free.


I use these and all is well. I do not have a hardware based firewall for
the moment and I seem to be OK.

However, the two people who use our PC don't run as admin.

(I have a PIX but cannot connect it for the moment because the ISP uses
PPPoA and only provides clients with a USB modem. Grr - I digress.)

Simon.

Re: firewall on budget ?

am 23.07.2007 19:03:39 von MR. Arnold

>
> (I have a PIX but cannot connect it for the moment because the ISP uses
> PPPoA and only provide clients with a USB modem. Grr - I digress.)
>

Why can't you buy your own modem that's approved to run on the ISP's network?

Re: firewall on budget ?

am 24.07.2007 02:02:15 von jameshanley39

On Jul 23, 1:03 pm, Leythos wrote:
> In article <1185185208.751091.229...@k79g2000hse.googlegroups.com>,
> jameshanle...@yahoo.co.uk says...
>
> > On Jul 22, 11:44 pm, Leythos wrote:
> > > In article <1185142179.733331.202...@d55g2000hsg.googlegroups.com>,
> > > jameshanle...@yahoo.co.uk says...
>
> > > > A DSL device that doesn't use NAT is so hard to find, I don't know
> > > > anybody in the UK that has one.
>
> > > > I'm asking this as a theoretical question , in the sense that i'm not
> > > > considering recommending them over NAT, so you needn't fear that!
>
> > > You don't want to look at cheap devices then, you want to use a Firewall
> > > Appliance in "Drop-In" mode - it still filters traffic based on rules,
> > > but it allows all ports (jacks) to have the same public IP.
>
> > > There is also 1:1 NAT, so that a single PUBLIC IP is routed to a single
> > > LAN IP.
>
> > > Why would you not want NAT?
>
> > > --
>
> > > Leythos
>
> > I would use NAT. But i'm wondering, theoretically, and since you say
> > it's a shame some end users don't use NAT, and ISPs should make it
> > mandatory.
>
> > What end users on DSL, don't use NAT . What devices are they buying,
> > can you link me to any? presumably you've seen some.
>
> Every DSL device I've seen can be setup for NAT or Routed mode - it's in
> the DSL Maintenance screen on their devices. I know a bunch of people,
> like SBS/Yahoo DSL that get public IP from their DSL service.
>
> --
>
> Leythos

If it's set for Routed mode (by this you mean no NAT), do you then need
a public IP for your router, and a (different) public IP for the
computer connected to it?

Do you have in mind such end users - that have 2 public IPs?

BTW, you mention you know people that "get public IP from their DSL
service". Who has an ISP and doesn't get that?

Re: firewall on budget ?

am 24.07.2007 02:54:36 von ari

On Sat, 21 Jul 2007 19:58:53 -0700, Beladi Nasralla wrote:

> I have a PC built for me, and I installed Windows XP SP2 on it. I
> presume I need to put a firewall and antivirus on it to ward off worms
> and viruses.

Kerio 2.15 is free and works great.

Re: firewall on budget ?

am 24.07.2007 03:39:34 von Leythos

In article <1185235335.550334.183430@n60g2000hse.googlegroups.com>,
jameshanley39@yahoo.co.uk says...
> On Jul 23, 1:03 pm, Leythos wrote:
> > In article <1185185208.751091.229...@k79g2000hse.googlegroups.com>,
> > jameshanle...@yahoo.co.uk says...
> >
> > > On Jul 22, 11:44 pm, Leythos wrote:
> > > > In article <1185142179.733331.202...@d55g2000hsg.googlegroups.com>,
> > > > jameshanle...@yahoo.co.uk says...
> >
> > > > > A DSL device that doesn't use NAT is so hard to find, I don't know
> > > > > anybody in the UK that has one.
> >
> > > > > I'm asking this as a theoretical question , in the sense that i'm not
> > > > > considering recommending them over NAT, so you needn't fear that!
> >
> > > > You don't want to look at cheap devices then, you want to use a Firewall
> > > > Appliance in "Drop-In" mode - it still filters traffic based on rules,
> > > > but it allows all ports (jacks) to have the same public IP.
> >
> > > > There is also 1:1 NAT, so that a single PUBLIC IP is routed to a single
> > > > LAN IP.
> >
> > > > Why would you not want NAT?
> >
> > > > --
> >
> > > > Leythos
> >
> > > I would use NAT. But i'm wondering, theoretically, and since you say
> > > it's a shame some end users don't use NAT, and ISPs should make it
> > > mandatory.
> >
> > > What end users on DSL, don't use NAT . What devices are they buying,
> > > can you link me to any? presumably you've seen some.
> >
> > Every DSL device I've seen can be setup for NAT or Routed mode - it's in
> > the DSL Maintenance screen on their devices. I know a bunch of people,
> > like SBS/Yahoo DSL that get public IP from their DSL service.
> >
>
> if it's set for Routed mode(by this you mean no NAT). Do you then need
> a public IP for your router, and a (different) public ip for the
> computer connected to it?
>
> Do you have in mind such end users - that have 2 public ips?

Many users want firewall functions that don't have to include NAT as one
of them - they might have public facing servers and just want to protect
them.

The ports (WAN, LAN, DMZ) on the firewall all have the same IP provided
by the ISP's device; you route traffic between them using rules.

So x.y.c.v:80 on WAN can be routed to x.y.c.v:80 on LAN while
x.y.c.v:443 can be routed to x.y.c.v:443 on DMZ.

You can do this with as many IPs as you want - the condition being that
one combination of IP:PORT can only be routed to one destination.

> BTW, you mention you know people that "get public IP from their DSL
> service". Who has an ISP and doesn't get that?

Many people don't get it, many DSL providers have their routers set to
NAT by default.


--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: firewall on budget ?

am 24.07.2007 08:47:35 von unknown

Post removed (X-No-Archive: yes)

Re: firewall on budget ?

am 24.07.2007 08:53:38 von unknown

Post removed (X-No-Archive: yes)

Re: firewall on budget ?

am 24.07.2007 12:48:24 von Leythos

In article <4p7ba3lda8gjog60cmhsthopa77or4qbq3@4ax.com>,
b__nice@hotmail.com says...
> Post SP2 this is becoming much less of a problem. The biggest problem
> still is malware spread through websites, e-mail and file sharing.
> Your suggestion won't seriously protect us from the "ignorant masses".

Actually, depending on the NAT device, you can block downloads of many
malware infectors via HTTP. Not much one can do about SMTP type
infectors unless they have their own mini-mail server or a standard
server as other firewall products can clean SMTP sessions.

So, again, the NAT device provides MORE/Better protection than Windows
Firewall in all cases.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: firewall on budget ?

am 24.07.2007 12:49:35 von Leythos

In article ,
b__nice@hotmail.com says...
> On Sun, 22 Jul 2007 16:11:29 -0400, Leythos wrote:
>
> >Actually, the windows firewall is a bad concept from the start - people
> >think they are protected, but many machines have file/printer sharing
> >enabled and an exception for it, and many people run as local admin, so,
> >it's easy to subvert the firewall with simple malware, even non-malware
> >apps subvert it without warning.
>
> Your idea that since the "ignorant masses" aren't immediately able to
> cope with a concept doesn't mean the concept itself is bad. The WF is
> a very good concept. It's the way it's used that causes the problem.

And in the real world it means that it's just a bad product.

> The other firewalls mentioned earlier continue to promote and support
> the idea of running as admin. And *that* is a bad concept.

And other firewalls, while still able to compromise them, have a much
better reporting/alert system than the report-nothing WF does.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: firewall on budget ?

am 24.07.2007 13:37:58 von jameshanley39

On Jul 24, 2:39 am, Leythos wrote:
> In article <1185235335.550334.183...@n60g2000hse.googlegroups.com>,
> jameshanle...@yahoo.co.uk says...
>
> > On Jul 23, 1:03 pm, Leythos wrote:
> > > In article <1185185208.751091.229...@k79g2000hse.googlegroups.com>,
> > > jameshanle...@yahoo.co.uk says...
>
> > > > On Jul 22, 11:44 pm, Leythos wrote:
> > > > > In article <1185142179.733331.202...@d55g2000hsg.googlegroups.com>,
> > > > > jameshanle...@yahoo.co.uk says...
>
> > > > > > A DSL device that doesn't use NAT is so hard to find, I don't know
> > > > > > anybody in the UK that has one.
>
> > > > > > I'm asking this as a theoretical question , in the sense that i'm not
> > > > > > considering recommending them over NAT, so you needn't fear that!
>
> > > > > You don't want to look at cheap devices then, you want to use a Firewall
> > > > > Appliance in "Drop-In" mode - it still filters traffic based on rules,
> > > > > but it allows all ports (jacks) to have the same public IP.
>
> > > > > There is also 1:1 NAT, so that a single PUBLIC IP is routed to a single
> > > > > LAN IP.
>
> > > > > Why would you not want NAT?
>
> > > > > --
>
> > > > > Leythos
>
> > > > I would use NAT. But i'm wondering, theoretically, and since you say
> > > > it's a shame some end users don't use NAT, and ISPs should make it
> > > > mandatory.
>
> > > > What end users on DSL, don't use NAT . What devices are they buying,
> > > > can you link me to any? presumably you've seen some.
>
> > > Every DSL device I've seen can be setup for NAT or Routed mode - it's in
> > > the DSL Maintenance screen on their devices. I know a bunch of people,
> > > like SBS/Yahoo DSL that get public IP from their DSL service.
>
> > if it's set for Routed mode(by this you mean no NAT). Do you then need
> > a public IP for your router, and a (different) public ip for the
> > computer connected to it?
>
> > Do you have in mind such end users - that have 2 public ips?
>
> Many users want firewall functions that don't have to include NAT as one
> of them - they might have public facing servers and just want to protect
> them.
>
> The ports (WAN, LAN, DMZ) on the firewall all have the same IP provide
> by the ISP's device, you route traffic between them using rules.
>
> So x.y.c.v:80 on WAN can be routed to x.y.c.v:80 on LAN while
> x.y.c.v:443 can be routed to x.y.c.v:443 on DMZ.
>
> You can do this with as many IP as you want - the condition being that
> one combination of IP:PORT can only be routed to one destination.
>

Oddly enough, what you describe as not using NAT looks like NAT: one
IP for the router. You could've said that there isn't an IP on the
router's ports (which would make sense also because what is going on in
that area uses ports and isn't routing!). In fact, it looks like NAT
and PAT!

Furthermore, in the system you describe, a machine on the LAN or on
the DMZ would still need a unique IP address though, distinct from
the firewall-router appliance.

If the computers (on the DMZ or LAN) had private addresses, then it
really looks like NAT now!

If a DSL user doesn't have one of these firewall-router appliances,
then in that instance, would he need 2 different public IPs, one for
his router and one for his computer?



> > BTW, you mention you know people that "get public IP from their DSL
> > service". Who has an ISP and doesn't get that?
>
> Many people don't get it, many DSL providers have their routers set to
> NAT by default.
>

Then their DSL service does provide a public IP. Their router gets
it.

Re: firewall on budget ?

am 24.07.2007 17:42:10 von Leythos

In article <1185277078.502314.145240@g4g2000hsf.googlegroups.com>,
jameshanley39@yahoo.co.uk says...
> On Jul 24, 2:39 am, Leythos wrote:
> > In article <1185235335.550334.183...@n60g2000hse.googlegroups.com>,
> > jameshanle...@yahoo.co.uk says...
> >
> > > On Jul 23, 1:03 pm, Leythos wrote:
> > > > In article <1185185208.751091.229...@k79g2000hse.googlegroups.com>,
> > > > jameshanle...@yahoo.co.uk says...
> >
> > > > > On Jul 22, 11:44 pm, Leythos wrote:
> > > > > > In article <1185142179.733331.202...@d55g2000hsg.googlegroups.com>,
> > > > > > jameshanle...@yahoo.co.uk says...
> >
> > > > > > > A DSL device that doesn't use NAT is so hard to find, I don't know
> > > > > > > anybody in the UK that has one.
> >
> > > > > > > I'm asking this as a theoretical question , in the sense that i'm not
> > > > > > > considering recommending them over NAT, so you needn't fear that!
> >
> > > > > > You don't want to look at cheap devices then, you want to use a Firewall
> > > > > > Appliance in "Drop-In" mode - it still filters traffic based on rules,
> > > > > > but it allows all ports (jacks) to have the same public IP.
> >
> > > > > > There is also 1:1 NAT, so that a single PUBLIC IP is routed to a single
> > > > > > LAN IP.
> >
> > > > > > Why would you not want NAT?
> >
> > > > > > --
> >
> > > > > > Leythos
> >
> > > > > I would use NAT. But i'm wondering, theoretically, and since you say
> > > > > it's a shame some end users don't use NAT, and ISPs should make it
> > > > > mandatory.
> >
> > > > > What end users on DSL, don't use NAT . What devices are they buying,
> > > > > can you link me to any? presumably you've seen some.
> >
> > > > Every DSL device I've seen can be setup for NAT or Routed mode - it's in
> > > > the DSL Maintenance screen on their devices. I know a bunch of people,
> > > > like SBS/Yahoo DSL that get public IP from their DSL service.
> >
> > > if it's set for Routed mode(by this you mean no NAT). Do you then need
> > > a public IP for your router, and a (different) public ip for the
> > > computer connected to it?
> >
> > > Do you have in mind such end users - that have 2 public ips?
> >
> > Many users want firewall functions that don't have to include NAT as one
> > of them - they might have public facing servers and just want to protect
> > them.
> >
> > The ports (WAN, LAN, DMZ) on the firewall all have the same IP provide
> > by the ISP's device, you route traffic between them using rules.
> >
> > So x.y.c.v:80 on WAN can be routed to x.y.c.v:80 on LAN while
> > x.y.c.v:443 can be routed to x.y.c.v:443 on DMZ.
> >
> > You can do this with as many IP as you want - the condition being that
> > one combination of IP:PORT can only be routed to one destination.
> >
>
> Oddly enough, what you describe as not using NAT, looks like NAT, one
> ip for the router, you could've said that there isn't an ip on the
> router's ports(which would make sense also because what is going on in
> that area uses ports and isn't routing!). Infact, it looks like NAT
> and PAT !
>
> Furthermore, In the system you describe, a machine on the LAN or on
> the DMZ would still need a unique ip address though, distinct from
> the firewall-router appliance.
>
> If the computers (on the DMZ or LAN ) had private addresses, then it
> really looks like NAT now!
>
> If a DSL user doesn't have one of these firewall-router appliances,
> then in that instance, would he need 2 different public ips, one for
> his router and one for his computer ?
>
>
>
> > > BTW, you mention you know people that "get public IP from their DSL
> > > service". Who has an ISP and doesn't get that?
> >
> > Many people don't get it, many DSL providers have their routers set to
> > NAT by default.
> >
>
> Then their DSL service does provide a public IP. Their router gets
> it.

Are you trying to be difficult or just missing the point?

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: firewall on budget ?

am 24.07.2007 17:48:03 von Hexalon

On Jul 22, 12:07 am, Computerflyer wrote:
> On Jul 22, 1:39 pm, Leythos wrote:
>
> > In article <1185074631.141883.271...@z24g2000prh.googlegroups.com>,
> > nasra...@yahoo.com says...
>
> > > On Jul 22, 12:03 pm, Leythos wrote:
> > > > In article <1185073133.439352.249...@e9g2000prf.googlegroups.com>,
> > > > nasra...@yahoo.com says...
>
> > > > > Hi there,
>
> > > > > I have a PC built for me, and I installed Windows XP SP2 on it. I
> > > > > presume I need to put a firewall and antivirus on it to ward off worms
> > > > > and viruses. I am more concerned about the firewall. I installed
> > > > > ZoneAlarm Free Edition, and it worked al'right. However, it always
> > > > > bothered me by asking me to pay up, so that I uninstalled it. My
> > > > > computer is currently running on the in-built Windows firewall. Is
> > > > > this OK ?
>
> > > > > As an antivurus, I am using AVG Free Edition, and it seems doing its
> > > > > job. Also, I can get a corporate edition of Trend Micro's PC-cillin
> > > > > from my employer for little money; should I get it ? Thanks.
>
> > > > A simple NAT router will do more and better than ZAP or Windows XP
> > > > Firewall in most all cases. Linksys BEFSR41 or a wireless version is
> > > > under $50 and provides protection from inbound attacks.
>
> > > My early experience with connecting a PC with no firewall to the
> > > Internet (via dial up) shows that it gets infected with a worm within
> > > 20 minutes. So that now I always put a firewall between my PC and the
> > > Internet. Now my PC is connected to the Internet via a NetComm NB5
> > > ADSL2+ modem router. You think this will repel the worms?
>
> > The NAT router blocks "unsolicited" connections to the PC, it's sort of
> > a 1 way filter - it lets you out, but only lets external sites
> > talk/reach your PC if you contact them first.
>
> > Many people use NAT routers as their primary protection method with no
> > firewall at all and have no problems.
>
> > Security is more than the firewall, it's not using easy to compromise
> > apps, keeping updates installed, not doing things that put you in harm's
> > way, monitoring your firewall logs (as you can easily monitor the
> > Linksys devices for in/out traffic), and many other things.
>
> > If your address is not a private address then your Modem is not doing
> > NAT, and if you have a live public IP then you're screwed without a
> > barrier device.
>
> > --
>
> > Leythos
> > - Igitur qui desiderat pacem, praeparet bellum.
> > - Calling an illegal alien an "undocumented worker" is like calling a
> > drug dealer an "unlicensed pharmacist"
> > spam999f...@rrohio.com (remove 999 for proper email address)
>
> Check out ghostwall. It resembles a rule based router-firewall more
> than a bloatware internet protection package. If you are savvy enough
> to set it up, it works as advertised.

NAT is a cheap way to shield you from the outside world but if you
have UPNP disabled and good security practices you shouldn't need
super fancy expensive protection. The PC-Cillin you can get from work
should be adequate protection since that will protect both directions,
whereas the Windows firewall is only one way. NAT is more than a one
way filter. It allows multiple computers to appear to have one public
IP instead of multiple IPs. With the proper subnet mask you can
control access.

Re: firewall on budget ?

am 24.07.2007 22:33:07 von jameshanley39

On Jul 24, 4:42 pm, Leythos wrote:
> In article <1185277078.502314.145...@g4g2000hsf.googlegroups.com>,
> jameshanle...@yahoo.co.uk says...
>
> > On Jul 24, 2:39 am, Leythos wrote:
> > > In article <1185235335.550334.183...@n60g2000hse.googlegroups.com>,
> > > jameshanle...@yahoo.co.uk says...
>
> > > > On Jul 23, 1:03 pm, Leythos wrote:
> > > > > In article <1185185208.751091.229...@k79g2000hse.googlegroups.com>,
> > > > > jameshanle...@yahoo.co.uk says...
>
> > > > > > On Jul 22, 11:44 pm, Leythos wrote:
> > > > > > > In article <1185142179.733331.202...@d55g2000hsg.googlegroups.com>,
> > > > > > > jameshanle...@yahoo.co.uk says...
>
> > > > > > > > A DSL device that doesn't use NAT is so hard to find, I don't know
> > > > > > > > anybody in the UK that has one.
>
> > > > > > > > I'm asking this as a theoretical question , in the sense that i'm not
> > > > > > > > considering recommending them over NAT, so you needn't fear that!
>
> > > > > > > You don't want to look at cheap devices then, you want to use a Firewall
> > > > > > > Appliance in "Drop-In" mode - it still filters traffic based on rules,
> > > > > > > but it allows all ports (jacks) to have the same public IP.
>
> > > > > > > There is also 1:1 NAT, so that a single PUBLIC IP is routed to a single
> > > > > > > LAN IP.
>
> > > > > > > Why would you not want NAT?
>
> > > > > > > --
>
> > > > > > > Leythos
>
> > > > > > I would use NAT. But i'm wondering, theoretically, and since you say
> > > > > > it's a shame some end users don't use NAT, and ISPs should make it
> > > > > > mandatory.
>
> > > > > > What end users on DSL, don't use NAT . What devices are they buying,
> > > > > > can you link me to any? presumably you've seen some.
>
> > > > > Every DSL device I've seen can be setup for NAT or Routed mode - it's in
> > > > > the DSL Maintenance screen on their devices. I know a bunch of people,
> > > > > like SBS/Yahoo DSL that get public IP from their DSL service.
>
> > > > if it's set for Routed mode(by this you mean no NAT). Do you then need
> > > > a public IP for your router, and a (different) public ip for the
> > > > computer connected to it?
>
> > > > Do you have in mind such end users - that have 2 public ips?
>
> > > Many users want firewall functions that don't have to include NAT as one
> > > of them - they might have public facing servers and just want to protect
> > > them.
>
> > > The ports (WAN, LAN, DMZ) on the firewall all have the same IP provide
> > > by the ISP's device, you route traffic between them using rules.
>
> > > So x.y.c.v:80 on WAN can be routed to x.y.c.v:80 on LAN while
> > > x.y.c.v:443 can be routed to x.y.c.v:443 on DMZ.
>
> > > You can do this with as many IP as you want - the condition being that
> > > one combination of IP:PORT can only be routed to one destination.
>
> > Oddly enough, what you describe as not using NAT, looks like NAT, one
> > ip for the router, you could've said that there isn't an ip on the
> > router's ports(which would make sense also because what is going on in
> > that area uses ports and isn't routing!). In fact, it looks like NAT
> > and PAT !
>
> > Furthermore, In the system you describe, a machine on the LAN or on
> > the DMZ would still need a unique ip address though, distinct from
> > the firewall-router appliance.
>
> > If the computers (on the DMZ or LAN ) had private addresses, then it
> > really looks like NAT now!
>
> > If a DSL user doesn't have one of these firewall-router appliances,
> > then in that instance, would he need 2 different public ips, one for
> > his router and one for his computer ?
>
> > > > BTW, you mention you know people that "get public IP from their DSL
> > > > service". Who has an ISP and doesn't get that?
>
> > > Many people don't get it, many DSL providers have their routers set to
> > > NAT by default.
>
> > Then their DSL service does provide a public IP. Their router gets
> > it.
>
> Are you trying to be difficult or just missing the point?
>

At this point, I don't understand you since you have stopped addressing
the problems i've mentioned.

I really can only understand that which I recognise as technically
correct. *for example *

I have no idea what you mean when you say that with NAT, "their DSL
service doesn't provide a public ip". I know what that statement
would mean - technically, and i'd say it's wrong, the 'dsl service'
does provide a public ip, and that ip goes to the router.
I know you know that, and that you don't mean that.
But I still don't know what you do mean. (By me pointing that out, it
didn't mean that I was telling you some basic point. But it makes it
fairly clear why I don't know what you mean)

Similarly with the other issue we discussed, where I wrote an
objection. You discussed a system which you said didn't use NAT. But
to me , a router with one ip forwarding to different physical ports
based on tcp port, looks like NAT and PAT. Almost a textbook case of
it.

I can only read what you're writing in a technical way, without
reading things in. It's not because i'm trying to be difficult. But I
haven't physically seen the different systems that you have. My
understanding is based on a technical reading of the word you write.

If you would address the objections then I might understand you. If
you quit then I won't. At least now your posts are archived, you won't
have to repeat yourself. I don't see relating to technical queries one
knows, as difficult. It's more difficult to turn this into a
discussion where you claim I'm trying to be difficult, and to respond
that I'm not. To have such a discussion would make things more
difficult.

As you can see, judging by the amount i've had to write to give you as
complete an answer as possible. But i'd rather discuss the technical
aspects, and what you mean. Not this philosophical point that i'm sure
you too feel leads nowhere. At least technical discussion would've/
would led/lead somewhere, if you had/do pursued/pursue it.

As I said. There's no harm. You don't have to worry about having to
repeat yourself, as people do so often in this newsgroup. Things are
archived.

You'll notice the technical discussion was short and sweet, only a
succinct line or paragraph. No reason to leave that for a non-
technical philosophical marathon . I hope we can now leave discussion
of the response to the philosophical question you asked, and get back
to the concise technical discussion we were having.

Re: firewall on budget ?

am 24.07.2007 23:06:36 von Leythos

In article <1185309187.676162.238160@k79g2000hse.googlegroups.com>,
jameshanley39@yahoo.co.uk says...
> At this point, I don't understand you since you have stopped addressing
> the problems i've mentioned.
>
> I really can only understand that which I recognise as technically
> correct. *for example *
>
> I have no idea what you mean when you say that with NAT, "their DSL
> service doesn't provide a public ip". I know what that statement
> would mean - technically, and i'd say it's wrong, the 'dsl service'
> does provide a public ip, and that ip goes to the router.
> I know you know that, and that you don't mean that.
> But I still don't know what you do mean. (By me pointing that out, it
> didn't mean that I was telling you some basic point. But it makes it
> fairly clear why I don't know what you mean)

Ok, depending on the level of the person I try and word my text
accordingly - so I may not have presented it the way that you needed it.

When I said: "their DSL service doesn't provide a public ip". it means
that the User, directly connected to the ISP's device, does not get a
Public IP at their device and that the ISP device is providing a non-
routable private IP to them. So, for their purpose, they don't have a
public IP as the inbound is blocked like every other cheap NAT Router.

> Similarly with the other issue we discussed, where I wrote an
> objection. You discussed a system which you said didn't use NAT. But
> to me , a router with one ip forwarding to different physical ports
> based on tcp port, looks like NAT and PAT. Almost a textbook case of
> it.

If the Firewall has the same IP on all jacks, then it's not NAT.

As an example, I can have 16 IP on the WAN jack of my firewall, the same
16 IP are on the DMZ and LAN jacks of the same firewall. The connection
between WAN>LAN or WAN>DMZ is routing, not NAT, and is controlled by
firewall rules.

From the LAN I can take a public IP and connect it to a NAT Router and
provide my internal LAN with a private IP scheme.

In some cases, speed, a Drop-In configured device will be faster than
one that does NAT - think of a Web Farm behind a firewall - they don't
need private addresses for the web servers, they use public IP on the
server NIC's and let the firewall do its job without doing NAT.

There are cases where I might want to put a firewall between two
departments, on the same network, with the same subnet, but block all
nodes from the nodes in Accounting - a drop-in firewall works great
here, no nat, same subnet, transparent except for the blocking rules.

In the case of most small businesses and home users, a Drop-In (or 1:1
NAT) is not going to work well, they don't have the additional hardware
and want to share a single IP with multiple devices, so traditional NAT
devices work great.

So, again, some DSL providers provide a device that implements NAT to
the customer, so the customer never sees a public IP for their hardware,
others provide no-nat and the customer is directly connected to the
public IP.


> I can only read what you're writing in a technical way, without
> reading things in. It's not because i'm trying to be difficult. But I
> haven't physically seen the different systems that you have. My
> understanding is based on a technical reading of the word you write.
>
> If you would address the objections then I might understand you. If
> you quit then I won't. At least now your posts are archived, you won't
> have to repeat yourself. I don't see relating to technical queries one
> knows, as difficult. It's more difficult to turn this into get into a
> discussion where you claim i'm trying to be difficult, and respond
> that i'm not. To have such a discussion would make things more
> difficult.

I understand you now, didn't before, that's why I asked. I'm ok if you
are.

> As you can see, judging by the amount i've had to write to give you as
> complete an answer as possible. But i'd rather discuss the technical
> aspects, and what you mean. Not this philosophical point that i'm sure
> you too feel leads nowhere. At least technical discussion would've/
> would led/lead somewhere, if you had/do pursued/pursue it.
>
> As I said. There's no harm. You don't have to worry about having to
> repeat yourself, as people do so often in this newsgroup. Things are
> archived.
>
> You'll notice the technical discussion was short and sweet, only a
> succinct line or paragraph. No reason to leave that for a non-
> technical philosophical marathon . I hope we can now leave discussion
> of the response to the philosophical question you asked, and get back
> to the concise technical discussion we were having.

I hope I explained it above well enough, if not, just let me know where
I missed the mark for you.


--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: firewall on budget ?

am 25.07.2007 00:45:08 von unknown

Post removed (X-No-Archive: yes)

Re: firewall on budget ?

am 25.07.2007 00:50:26 von unknown

Post removed (X-No-Archive: yes)

Re: firewall on budget ?

am 25.07.2007 14:34:01 von Ansgar -59cobalt- Wiechers

In comp.security.firewalls Straight Talk wrote:
> On Tue, 24 Jul 2007 06:48:24 -0400, Leythos wrote:
>> b__nice@hotmail.com says...
>>> Post SP2 this is becoming much less of a problem. The biggest
>>> problem still is malware spread through websites, e-mail and file
>>> sharing. Your suggestion won't seriously protect us from the
>>> "ignorant masses".
>>
>> Actually, depending on the NAT device, you can block downloads of
>> many malware infectors via HTTP. Not much one can do about SMTP type
>> infectors unless they have their own mini-mail server or a standard
>> server as other firewall products can clean SMTP sessions.
>>
>> So, again, the NAT device provides MORE/Better protection than
>> Windows Firewall in all cases.
>
> You are being very persistent. Now you're bringing firewalling
> technology into the game also, even though it has nothing to do with
> NAT.

Several people in this group (including myself) have already tried to
explain to him what you are trying to explain here. Without any success.
Don't bother, it's just a waste of your time.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: firewall on budget ?

am 25.07.2007 14:39:32 von jameshanley39

On Jul 24, 10:06 pm, Leythos wrote:
> In article <1185309187.676162.238...@k79g2000hse.googlegroups.com>,
> jameshanle...@yahoo.co.uk says...
>
> > At this point, I don't understand you since you have stopped addressing
> > the problems i've mentioned.
>
> > I really can only understand that which I recognise as technically
> > correct. *for example *
>
> > I have no idea what you mean when you say that with NAT, "their DSL
> > service doesn't provide a public ip". I know what that statement
> > would mean - technically, and i'd say it's wrong, the 'dsl service'
> > does provide a public ip, and that ip goes to the router.
> > I know you know that, and that you don't mean that.
> > But I still don't know what you do mean. (By me pointing that out, it
> > didn't mean that I was telling you some basic point. But it makes it
> > fairly clear why I don't know what you mean)
>
> Ok, depending on the level of the person I try and word my text
> accordingly - so I may not have presented it the way that you needed it.
>
> When I said: "their DSL service doesn't provide a public ip". it means
> that the User, directly connected to the ISP's device, does not get a
> Public IP at their device and that the ISP device is providing a non-
> routable private IP to them. So, for their purpose, they don't have a
> public IP as the inbound is blocked like every other cheap NAT Router.
>

ok

> > Similarly with the other issue we discussed, where I wrote an
> > objection. You discussed a system which you said didn't use NAT. But
> > to me , a router with one ip forwarding to different physical ports
> > based on tcp port, looks like NAT and PAT. Almost a textbook case of
> > it.
>
> If the Firewall has the same IP on all jacks, then it's not NAT.
>
> As an example, I can have 16 IP on the WAN jack of my firewall, the same
> 16 IP are on the DMZ and LAN jacks of the same firewall. The connection
> between WAN>LAN or WAN>DMZ is routing, not NAT, and is controlled by
> firewall rules.
>
> From the LAN I can take a public IP and connect it to a NAT Router and
> provide my internal LAN with a private IP scheme.
>

ok. I see. Makes sense now you mention using NAT Routers connected to
it. so you didn't mean no NAT in the system. just no NAT in the
firewall appliance thing.

> In some cases, speed, a Drop-In configured device will be faster than
> one that does NAT - think of a Web Farm behind a firewall - they don't
> need private addresses for the web servers, they use public IP on the
> server NIC's and let the firewall do its job without doing NAT.
>
> There are cases where I might want to put a firewall between two
> departments, on the same network, with the same subnet, but block all
> nodes from the nodes in Accounting - a drop-in firewall works great
> here, no nat, same subnet, transparent except for the blocking rules.
>

indeed..Though when I said about 'no nat' I meant, examples of no NAT
anywhere.

I haven't seen a DSL user with such a device. - maybe a PCI DSL modem
- maybe, I can't remember, though I suspect that they, or that one I
had, gave a private ip too actually.

Even the router/modems with one LAN port, tend to do NAT! (with the
DHCP server, handing out its 1 ip, to the NIC/NI of the device/comp
connected)


I thought you had seen such examples and wondered if you could link me
to them. or name them ?

By the way., what is an example of make/model of such a firewall
appliance that can do so-called routing amongst its physical ports all
of whom have the same ip?

can that firewall appliance sort of routing thing be used in a system
with no NAT at all? If the physical ports have ips then I think not.
'cos that'd be the only ip available on each physical port's subnet

you mentioned about ISPs making NAT mandatory.
But, when it comes to DSL, who doesn't?

Your firewall appliance thing is designed for a NAT situation, as you
said, NAT routers are connected to it.

> In the case of most small businesses and home users, a Drop-In (or 1:1
> NAT) is not going to work well, they don't have the additional hardware
> and want to share a single IP with multiple devices, so traditional NAT
> devices work great.
>


> So, again, some DSL providers provide a device that implements NAT to
> the customer, so the customer never sees a public IP for their hardware,

ok, you have a different way of thinking to me. I'd think of 'the
router/modem' as the user's hardware too, and they can see its public
ip by going to www.whatismyip.com !


> others provide no-nat and the customer is directly connected to the
> public IP.
>
> > I can only read what you're writing in a technical way, without
> > reading things in. It's not because i'm trying to be difficult. But I
> > haven't physically seen the different systems that you have. My
> > understanding is based on a technical reading of the word you write.
>
> > If you would address the objections then I might understand you. If
> > you quit then I won't. At least now your posts are archived, you won't
> > have to repeat yourself. I don't see relating to technical queries one
> > knows, as difficult. It's more difficult to turn this into get into a
> > discussion where you claim i'm trying to be difficult, and respond
> > that i'm not. To have such a discussion would make things more
> > difficult.
>
> I understand you now, didn't before, that's why I asked. I'm ok if you
> are.
>
> > As you can see, judging by the amount i've had to write to give you as
> > complete an answer as possible. But i'd rather discuss the technical
> > aspects, and what you mean. Not this philosophical point that i'm sure
> > you too feel leads nowhere. At least technical discussion would've/
> > would led/lead somewhere, if you had/do pursued/pursue it.
>
> > As I said. There's no harm. You don't have to worry about having to
> > repeat yourself, as people do so often in this newsgroup. Things are
> > archived.
>
> > You'll notice the technical discussion was short and sweet, only a
> > succinct line or paragraph. No reason to leave that for a non-
> > technical philosophical marathon . I hope we can now leave discussion
> > of the response to the philosophical question you asked, and get back
> > to the concise technical discussion we were having.
>
> I hope I explained it above well enough, if not, just let me know where
> I missed the mark for you.
>

doing fine, thanks!

Re: firewall on budget ?

am 25.07.2007 15:10:58 von Leythos

In article <1185367172.983347.322840@q75g2000hsh.googlegroups.com>,
jameshanley39@yahoo.co.uk says...
> On Jul 24, 10:06 pm, Leythos wrote:
> > In article <1185309187.676162.238...@k79g2000hse.googlegroups.com>,
> > jameshanle...@yahoo.co.uk says...
> >
> > > At this point, I don't understand you since you have stopped addressing
> > > the problems i've mentioned.
> >
> > > I really can only understand that which I recognise as technically
> > > correct. *for example *
> >
> > > I have no idea what you mean when you say that with NAT, "their DSL
> > > service doesn't provide a public ip". I know what that statement
> > > would mean - technically, and i'd say it's wrong, the 'dsl service'
> > > does provide a public ip, and that ip goes to the router.
> > > I know you know that, and that you don't mean that.
> > > But I still don't know what you do mean. (By me pointing that out, it
> > > didn't mean that I was telling you some basic point. But it makes it
> > > fairly clear why I don't know what you mean)
> >
> > Ok, depending on the level of the person I try and word my text
> > accordingly - so I may not have presented it the way that you needed it.
> >
> > When I said: "their DSL service doesn't provide a public ip". it means
> > that the User, directly connected to the ISP's device, does not get a
> > Public IP at their device and that the ISP device is providing a non-
> > routable private IP to them. So, for their purpose, they don't have a
> > public IP as the inbound is blocked like every other cheap NAT Router.
> >
>
> ok
>
> > > Similarly with the other issue we discussed, where I wrote an
> > > objection. You discussed a system which you said didn't use NAT. But
> > > to me , a router with one ip forwarding to different physical ports
> > > based on tcp port, looks like NAT and PAT. Almost a textbook case of
> > > it.
> >
> > If the Firewall has the same IP on all jacks, then it's not NAT.
> >
> > As an example, I can have 16 IP on the WAN jack of my firewall, the same
> > 16 IP are on the DMZ and LAN jacks of the same firewall. The connection
> > between WAN>LAN or WAN>DMZ is routing, not NAT, and is controlled by
> > firewall rules.
> >
> > From the LAN I can take a public IP and connect it to a NAT Router and
> > provide my internal LAN with a private IP scheme.
> >
>
> ok. I see. Makes sense now you mention using NAT Routers connected to
> it. so you didn't mean no NAT in the system. just no NAT in the
> firewall appliance thing.

And I can't keep going around in circles with you.

NAT does not have to be used anywhere in the networks, you could have
all computers on a PUBLIC IP and still be protected by a firewall setup
in Drop-In mode.

So, I could be assigned a c-block, have my firewall setup in Drop-In
mode, and all my PC's could use public IP's assigned to each of them,
and no private addresses at all.

> > In some cases, speed, a Drop-In configured device will be faster than
> > one that does NAT - think of a Web Farm behind a firewall - they don't
> > need private addresses for the web servers, they use public IP on the
> > server NIC's and let the firewall do its job without doing NAT.
> >
> > There are cases where I might want to put a firewall between two
> > departments, on the same network, with the same subnet, but block all
> > nodes from the nodes in Accounting - a drop-in firewall works great
> > here, no nat, same subnet, transparent except for the blocking rules.
> >
>
> indeed..Though when I said about 'no nat' I meant, examples of no NAT
> anywhere.
>
> I haven't seen a DSL user with such a device. - maybe a PCI DSL modem
> - maybe, I can't remember, though I suspect that they, or that one I
> had, gave a private ip too actually.

If your device is in Bridge Mode it will give the user a public IP at
their LAN network connection, if not, many provide a private IP address
at their lan connection.

> Even the router/modems with one LAN port, tend to do NAT! (with the
> DHCP server, handing out its 1 ip, to the NIC/NI of the device/comp
> connected)

Why are you going in circles? DSL Modems often have two modes, one of
them is Bridge mode and it provides a PUBLIC IP to the users device
connected to it - the other mode provides a Private IP to the users
device.

> I thought you had seen such examples and wondered if you could link me
> to them. or name them ?

Thought? I see them all the time, I don't write down their part numbers.
Yahoo DSL is one that provides routers that do Bridge or NAT mode, so do
several other DSL services I see. Most of the Cable providers don't do
NAT.

> By the way., what is an example of make/model of such a firewall
> appliance that can do so-called routing amongst its physical ports all
> of whom have the same ip?

Pick ANY major vendor of firewalls - WatchGuard is one I like to use a
lot.

> can that firewall appliance sort of routing thing be used in a system
> with no NAT at all? If the physical ports have ips then I think not.
> 'cos that'd be the only ip available on each physical port's subnet

Yes, it can. If I assign X.x.x.x/24 to the WAN port, it's assigned as
available to all jacks - so that means I can assign the public IP's to
the devices on the LAN and then setup rules to allow traffic to them -
no NAT needed.

> you mentioned about ISPs making NAT mandatory.
> But, when it comes to DSL, who doesn't?

Every DSL provider we have seen allows users to set their device for
Bridge Mode giving them a public ip at their device - all of them
started with a private IP at their device.

> Your firewall appliance thing is designed for a NAT situation, as you
> said, NAT routers are connected to it.

No, the firewall is designed to work in a network, NAT has nothing to do
with this.

> > In the case of most small businesses and home users, a Drop-In (or 1:1
> > NAT) is not going to work well, they don't have the additional hardware
> > and want to share a single IP with multiple devices, so traditional NAT
> > devices work great.
>
>
> > So, again, some DSL providers provide a device that implements NAT to
> > the customer, so the customer never sees a public IP for their hardware,
>
> ok, you have a different way of thinking to me. I'd think of 'the
> router/modem' as the user's hardware too, and they can see its public
> ip by going to www.whatismyip.com !

And we're talking about the IP that the user gets from the ISP's device
- they either get a Private IP or a Public IP, for their connection.

I'm not sure I can keep going around in circles with you on this.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
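A worked illustration of the distinction Leythos draws in his two posts above (a NAT router that rewrites addresses and keeps a translation table, versus a drop-in firewall that puts the same public subnet on every jack and forwards purely on rules), plus the "is my address private, i.e. is something upstream doing NAT" check from earlier in the thread. This is an added example, not code from any poster; the `NatRouter`, `DropInFirewall` and `Packet` names and all addresses (RFC 1918 and RFC 5737 documentation ranges) are constructed for the illustration.

```python
"""Added example (not from the thread): packet-level model of NAT router
vs drop-in (transparent) firewall, plus an RFC 1918 address check.
All names and addresses below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Address ranges that mean "something upstream is translating for you".
# RFC 1918 is what the thread calls a private IP; 100.64.0.0/10 (RFC 6598,
# carrier-grade NAT) is a later addition that indicates the same thing.
_PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "100.64.0.0/10")]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def is_private(ip: str) -> bool:
    """True if the PC's address is one a NAT device would hand out.
    A public address here means the PC is directly exposed and needs a
    barrier device or a host firewall of its own."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _PRIVATE_NETS)


class NatRouter:
    """Many private hosts share one public IP. An outbound flow creates a
    table entry; an inbound packet is translated only if it matches an
    entry, so unsolicited inbound connections are simply dropped."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # public port -> (remote ip, remote port, private ip, private port)
        self.table: Dict[int, Tuple[str, int, str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: rewrite the source to the public IP, remember the flow."""
        port = self.next_port
        self.next_port += 1
        self.table[port] = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: translate only replies to a flow we opened, from the
        same remote endpoint; anything else has nowhere to go."""
        entry = self.table.get(pkt.dport)
        if entry is None or entry[:2] != (pkt.src, pkt.sport):
            return None
        _, _, priv_ip, priv_port = entry
        return replace(pkt, dst=priv_ip, dport=priv_port)


class DropInFirewall:
    """Same public subnet on WAN, LAN and DMZ. Nothing is rewritten: a packet
    is forwarded, unchanged, out of whichever jack the rule for its
    destination IP:port names; with no rule it is dropped."""

    def __init__(self, subnet: str, rules: Dict[Tuple[str, int], str]) -> None:
        self.subnet = ipaddress.ip_network(subnet)
        self.rules = rules  # (dst ip, dst port) -> outgoing jack

    def forward(self, pkt: Packet) -> Optional[Tuple[str, Packet]]:
        if ipaddress.ip_address(pkt.dst) not in self.subnet:
            return None  # not an address we front
        iface = self.rules.get((pkt.dst, pkt.dport))
        if iface is None:
            return None  # no allow rule: dropped
        return iface, pkt


def demo() -> dict:
    """Run both devices against a legitimate reply and an unsolicited probe."""
    nat = NatRouter("203.0.113.5")
    out = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 80))
    reply = nat.inbound(Packet("198.51.100.7", 80, out.src, out.sport))
    probe = nat.inbound(Packet("198.51.100.9", 4444, "203.0.113.5", 445))

    fw = DropInFirewall("203.0.113.0/24", {("203.0.113.10", 80): "LAN",
                                           ("203.0.113.11", 443): "DMZ"})
    web = fw.forward(Packet("198.51.100.7", 5555, "203.0.113.10", 80))
    smb = fw.forward(Packet("198.51.100.9", 4444, "203.0.113.10", 445))
    return {"nat_reply": reply, "nat_probe": probe,
            "dropin_web": web, "dropin_smb": smb}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point the model makes concrete: with the NAT router the probe to port 445 fails because no host "owns" that public port, a side effect of translation rather than a policy; with the drop-in device the same probe fails only because no rule allows it, and the web server keeps its public address end to end. That is why the two behave the same for an unsolicited scan but only the drop-in form works for a farm of publicly addressed servers.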

Re: firewall on budget ?

am 25.07.2007 18:31:37 von jameshanley39

On Jul 25, 2:10 pm, Leythos wrote:
> In article <1185367172.983347.322...@q75g2000hsh.googlegroups.com>,
> jameshanle...@yahoo.co.uk says...
>
> > On Jul 24, 10:06 pm, Leythos wrote:
> > > In article <1185309187.676162.238...@k79g2000hse.googlegroups.com>,
> > > jameshanle...@yahoo.co.uk says...
>
> > > > At this point, I don't understand you since you have stopped addressing
> > > > the problems i've mentioned.
>
> > > > I really can only understand that which I recognise as technically
> > > > correct. *for example *
>
> > > > I have no idea what you mean when you say that with NAT, "their DSL
> > > > service doesn't provide a public ip". I know what that statement
> > > > would mean - technically, and i'd say it's wrong, the 'dsl service'
> > > > does provide a public ip, and that ip goes to the router.
> > > > I know you know that, and that you don't mean that.
> > > > But I still don't know what you do mean. (By me pointing that out, it
> > > > didn't mean that I was telling you some basic point. But it makes it
> > > > fairly clear why I don't know what you mean)
>
> > > Ok, depending on the level of the person I try and word my text
> > > accordingly - so I may not have presented it the way that you needed it.
>
> > > When I said: "their DSL service doesn't provide a public ip". it means
> > > that the User, directly connected to the ISP's device, does not get a
> > > Public IP at their device and that the ISP device is providing a non-
> > > routable private IP to them. So, for their purpose, they don't have a
> > > public IP as the inbound is blocked like every other cheap NAT Router.
>
> > ok
>
> > > > Similarly with the other issue we discussed, where I wrote an
> > > > objection. You discussed a system which you said didn't use NAT. But
> > > > to me , a router with one ip forwarding to different physical ports
> > > > based on tcp port, looks like NAT and PAT. Almost a textbook case of
> > > > it.
>
> > > If the Firewall has the same IP on all jacks, then it's not NAT.
>
> > > As an example, I can have 16 IP on the WAN jack of my firewall, the same
> > > 16 IP are on the DMZ and LAN jacks of the same firewall. The connection
> > > between WAN>LAN or WAN>DMZ is routing, not NAT, and is controlled by
> > > firewall rules.
>
> > > From the LAN I can take a public IP and connect it to a NAT Router and
> > > provide my internal LAN with a private IP scheme.
>
> > ok. I see. Makes sense now you mention using NAT Routers connected to
> > it. so you didn't mean no NAT in the system. just no NAT in the
> > firewall appliance thing.
>
> And I can't keep going around in circles with you.
>
> NAT does not have to be used anywhere in the networks, you could have
> all computers on a PUBLIC IP and still be protected by a firewall setup
> in Drop-In mode.
>
> So, I could be assigned a c-block, have my firewall setup in Drop-In
> mode, and all my PC's could use public IP's assigned to each of them,
> and no private addresses at all.
>
> > > In some cases, speed, a Drop-In configured device will be faster than
> > > one that does NAT - think of a Web Farm behind a firewall - they don't
> > > need private addresses for the web servers, they use public IP on the
> > > server NIC's and let the firewall do its job without doing NAT.
>
> > > There are cases where I might want to put a firewall between two
> > > departments, on the same network, with the same subnet, but block all
> > > nodes from the nodes in Accounting - a drop-in firewall works great
> > > here, no nat, same subnet, transparent except for the blocking rules.
>
> > indeed..Though when I said about 'no nat' I meant, examples of no NAT
> > anywhere.
>
> > I haven't seen a DSL user with such a device. - maybe a PCI DSL modem
> > - maybe, I can't remember, though I suspect that they, or that one I
> > had, gave a private ip too actually.
>
> If your device is in Bridge Mode it will give the user a public IP at
> their LAN network connection, if not, many provide a private IP address
> at their lan connection.
>
> > Even the router/modems with one LAN port, tend to do NAT! (with the
> > DHCP server, handing out its 1 ip, to the NIC/NI of the device/comp
> > connected)
>
> Why are you going in circles? DSL Modems often have two modes, one of
> them is Bridge mode and it provides a PUBLIC IP to the users device
> connected to it - the other mode provides a Private IP to the users
> device.
>
> > I thought you had seen such examples and wondered if you could link me
> > to them. or name them ?
>
> Thought? I see them all the time, I don't write down their part numbers.
> Yahoo DSL is one that provides routers that do Bridge or NAT mode, so do
> several other DSL services I see. Most of the Cable providers don't do
> NAT.
>
> > By the way, what is an example of make/model of such a firewall
> > appliance that can do so-called routing amongst its physical ports all
> > of which have the same IP?
>
> Pick ANY major vendor of firewalls - WatchGuard is one I like to use a
> lot.
>
> > can that firewall appliance sort of routing thing be used in a system
> > with no NAT at all? If the physical ports have IPs then I think not.
> > 'cos that'd be the only IP available on each physical port's subnet
>
> Yes, it can. If I assign X.x.x.x/24 to the WAN port, it's assigned as
> available to all jacks - so that means I can assign the public IP's to
> the devices on the LAN and then setup rules to allow traffic to them -
> no NAT needed.
>
> > you mentioned about ISPs making NAT mandatory.
> > But, when it comes to DSL, who doesn't?
>
> Every DSL provider we have seen allows users to set their device for
> Bridge Mode giving them a public IP at their device - all of them
> started with a private IP at their device.
>
> > Your firewall appliance thing is designed for a NAT situation, as you
> > said, NAT routers are connected to it.
>
> No, the firewall is designed to work in a network, NAT has nothing to do
> with this.
>
> > > In the case of most small businesses and home users, a Drop-In (or 1:1
> > > NAT) is not going to work well, they don't have the additional hardware
> > > and want to share a single IP with multiple devices, so traditional NAT
> > > devices work great.
>
> > > So, again, some DSL providers provide a device that implements NAT to
> > > the customer, so the customer never sees a public IP for their hardware,
>
> > ok, you have a different way of thinking to me. I'd think of 'the
> > router/modem' as the user's hardware too, and they can see its public
> > IP by going to www.whatismyip.com!
>
> And we're talking about the IP that the user gets from the ISP's device
> - they either get a Private IP or a Public IP, for their connection.
>

I wasn't disagreeing with you there. Or questioning you there. Maybe I
should've prefaced my sentence saying so!

> I'm not sure I can keep going around in circles with you on this.
>
> --
>
> Leythos


you might think you're going round in circles with me, but actually
you've answered most of it.


One of your answers, I don't disagree with, but you misunderstood me.
The following paragraph from "When" to "NAT)" is what I meant. So you
may want to reconsider the answer to that one.
When I asked if your firewall appliance can be used without any NAT
anywhere, i.e. without even NAT routers connected, I meant in a
situation where only one public IP is provided by the ISP. (Your
answer addressed only when the ISP provides many IPs, e.g. a block of
IPs, and I agree it could be used with that without NAT.)

By the way. The following/last paragraph starting from "what" and
ending in "sense". There's no disagreement with anything you said over
there!! so no need to 'worry' about the following paragraph or
anything after it!

What you said about the bridge mode and the comp getting the public
IP was news to me (i.e. I don't disagree, I learnt something). I tried
it some years ago but couldn't get a net connection. I thought it was
disabling the modem. But I guess not. Now I know why..
http://www.dslreports.com/faq/11340
"This modem can also be configured in bridge mode. In bridge mode, the
modem does not perform authentication. You need to configure your
operating system to connect for you (through Access Manager, RASPPPoE,
or Windows XP), or use a broadband router to perform the
authentication duties. "
So, it's a bit like [setting up] a USB DSL modem in that sense

Re: firewall on budget ?

on 25.07.2007 18:41:50 by jameshanley39

On Jul 25, 1:34 pm, Ansgar -59cobalt- Wiechers wrote:
> In comp.security.firewalls Straight Talk wrote:
>
> > On Tue, 24 Jul 2007 06:48:24 -0400, Leythos wrote:
> >> b__n...@hotmail.com says...
> >>> Post SP2 this is becoming much less of a problem. The biggest
> >>> problem still is malware spread through websites, e-mail and file
> >>> sharing. Your suggestion won't seriously protect us from the
> >>> "ignorant masses".
>
> >> Actually, depending on the NAT device, you can block downloads of
> >> many malware infectors via HTTP. Not much one can do about SMTP type
> >> infectors unless they have their own mini-mail server or a standard
> >> server as other firewall products can clean SMTP sessions.
>
> >> So, again, the NAT device provides MORE/Better protection than
> >> Windows Firewall in all cases.
>
> > You are being very persistent. Now you're bringing firewalling
> > technology into the game also, even though it has nothing to do with
> > NAT.
>
> Several people in this group (including myself) have already tried to
> explain to him what you are trying to explain here. Without any success.
> Don't bother, it's just a waste of your time.
>
> cu
> 59cobalt
> --


I think the big waste of time is that soon all "straight talk's" posts
will disappear, all the time was wasted, and the arguments or
misunderstandings will start all over again. (Because the
conversation he had with Leythos will become ruined. The thread will
be ruined. Not because of Leythos, but because of him.)

Re: firewall on budget ?

on 25.07.2007 19:35:15 by jameshanley39

On Jul 24, 7:47 am, Straight Talk wrote:
> On Mon, 23 Jul 2007 08:01:32 -0400, Leythos wrote:
> >In article ,
> >b__n...@hotmail.com says...
> >> On Sun, 22 Jul 2007 16:22:32 -0400, Leythos wrote:
>
> >> >In article <94e7a39tec3hfgidr7798bqut68fu5c...@4ax.com>,
> >> >b__n...@hotmail.com says...
> >> >> On Sun, 22 Jul 2007 11:10:22 -0400, Leythos wrote:
>
> >> >> >In article ,
> >> >> >b__n...@hotmail.com says...
> >> >> >> Any local FW is exploitable when running as local admin.
>
> >> >> >> Anyone running arbitrary code as local admin is likely to get screwed.
> >> >> >> You seem to advocate keep doing so and then have a barrier to minimize
> >> >> >> the damage instead of advocating doing the right thing, which would be
> >> >> >> to run a LUA in which case the WF can't be exploited the way you're
> >> >> >> thinking of.
>
> >> >> >No, I don't advocate what you are talking about,
>
> >> >> Yes.
>
> >> >> >but I'm also not aware that many programs won't run under Windows
> >> >> >unless the user is an admin,
>
> >> >> There are ways around that.
>
> >> >Not in every case, at least not with users that are willing to wrangle
> >> >around it on a daily basis - you know human nature, it's what gets
> >> >people compromised in the first place.
>
> >> What does some users willingness to wrangle around have to do with the
> >> fact that there are workarounds to the issue raised?
>
> >What work around issues?
>
> Not work around issues. Workarounds to the issue.
>
>
> >> >> >and I also understand that many users don't have a clue about security.
>
> >> >> Probably true, but that calls for education, not damage control.
>
> >> >But, until they get educated, and we've had security threats for more
> >> >than a decade and fewer and fewer people are educated, we need a measure
> >> >that will protect the ignorant masses from harming the rest of us - ISP
> >> >Mandated NAT implemented at the users gateway device would be a first
> >> >real help.
>
> >> I fail to see how NAT would protect the rest of us?
>
> >By keeping the ignorant masses machines from being compromised
> >immediately, before they even start using them. It also means that we
> >don't have the issues of them being FTP, SMTP, etc.. relays.... Come on,
> >think - if the computer can't be reached then it's going to be harder
> >for the hackers to abuse it.
>
> Post SP2 this is becoming much less of a problem. The biggest problem
> still is malware spread through websites, e-mail and file sharing.
> Your suggestion won't seriously protect us from the "ignorant masses".

I don't see a reason why you need to disagree. It reminds me of 2
people having a discussion about what should be done to deal with the
drug problem. Do you bomb the drug fields or do you work with people
and get them off their addiction? You do both. I told that to those 2
guys and one of them agreed with me, and the other didn't disagree. I
don't want to keep to that analogy.

Looking at the real thing.
I see, one doesn't need NAT for security, if he doesn't get the
software firewall on his computer compromised. A tall order.

You speak of workarounds to the issue of the firewall getting taken
down when in admin mode, workarounds that you don't mention (wise
given that Leythos knows them anyway and the detail is a side point to
the disagreement, but a bit selfish not to mention them, given that
it's a public newsgroup and others can benefit).

I know of 2 workarounds:
1) Work in Admin mode (many techies do), and through 'run as', browse
in a guest account.
2) Work in Guest mode, and if you want to make an administrative
change, log in as administrator. Or, if it's something like double
clicking the clock and seeing the time, then go into admin and give
yourself the right. Or if you want to install a program whose
installation needs admin access to install it, then let the
installation program 'run as' admin.

but there are issues with the workarounds.

For '1'
If working in admin mode and doing runas to browse in a guest account,
how do you quickly get the browser open? I'd like something as quick
as start..run..iexplore, and an icon too. Is that possible? If so
then I may be converted.

For '2'
If working in Guest mode and you want to make an administrative
change, you have to log off!!!! What a hassle!! I don't want to close
my programs. And even if somehow there's a way to get Windows to keep
them open, I'd have to save everything and wait around for a while.
I seriously doubt you have a way around that, you're not Q from Star
Trek TNG.
Or do you have a way?

note-
NAT also has its inconveniences, doing port forwarding, but that
inconvenience is not as often. And anyhow, it's necessary if one needs
many IPs.. I don't see you arguing not to use NAT...

Re: firewall on budget ?

on 25.07.2007 20:26:35 by Ansgar -59cobalt- Wiechers

In comp.security.firewalls jameshanley39@yahoo.co.uk wrote:
> You speak of workarounds to the issue of the firewall getting taken
> down when in admin mode, workarounds that you don't mention (wise
> given that Leythos knows them anyway and the detail is a side point to
> the disagreement, but a bit selfish not to mention them, given that
> it's a public newsgroup and others can benefit).
>
> I know of 2 workarounds:
> 1) Work in Admin mode (many techies do), and through 'run as', browse
> in a guest account.
> 2) Work in Guest mode, and if you want to make an administrative
> change, log in as administrator. Or, if it's something like double
> clicking the clock and seeing the time, then go into admin and give
> yourself the right. Or if you want to install a program whose
> installation needs admin access to install it, then let the
> installation program 'run as' admin.
>
> but there are issues with the workarounds.
>
> For '1'
> If working in admin mode and doing runas to browse in a guest account,
> how do you quickly get the browser open? I'd like something as quick
> as start..run..iexplore, and an icon too. Is that possible? If so
> then I may be converted.
>
> For '2'
> If working in Guest mode and you want to make an administrative
> change, you have to log off!!!! What a hassle!! I don't want to close
> my programs. And even if somehow there's a way to get Windows to keep
> them open, I'd have to save everything and wait around for a while.
> I seriously doubt you have a way around that, you're not Q from Star
> Trek TNG.
> Or do you have a way?

Work as a normal user (not guest). Adjust the rights for programs that
need to be run by users but won't run as a normal user [1]. Replace
programs where this isn't possible.

For administrative tasks use runas or log in as an administrative user.
The latter is the preferred method, because the former may allow for
shatter attacks against the programs started with admin privileges.

[1] http://www.planetcobalt.net/sdb/submission.shtml

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: firewall on budget ?

on 26.07.2007 08:32:55 by unknown

Post removed (X-No-Archive: yes)

Re: firewall on budget ?

on 26.07.2007 14:18:54 by Leythos

In article <0efga3pt9k30ss7nmlv862v9a3l7vr2qk0@4ax.com>,
b__nice@hotmail.com says...
> On Wed, 25 Jul 2007 10:35:15 -0700, "jameshanley39@yahoo.co.uk"
> wrote:
>
> >I don't see a reason why you need to disagree.
>
> I disagree to a false claim that NAT devices would be some kind of
> "silver bullet" to protect the rest of us from the ignorant masses.

And yet they are, clearly, a great way to protect people from
compromised machines.

> >It reminds me of 2 people having a discussion about what should be
> >done to deal with the drug problem. Do you bomb the drug fields or do
> >you work with people and get them off their addiction? You do both.
> >I told that to those 2 guys and one of them agreed with me, and the other
> >didn't disagree. I don't want to keep to that analogy.
>
> Difference is, Leythos is promoting a solution that doesn't work. NAT
> does not provide protection from the ignorant masses. Period.

Yes, it clearly does. If the infected machine can't reach another
infected machine then it's protected.

You just don't seem to understand how networking works.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: firewall on budget ?

on 26.07.2007 19:28:53 by unknown

Post removed (X-No-Archive: yes)

Re: firewall on budget ?

on 26.07.2007 20:06:10 by Leythos

In article ,
b__nice@hotmail.com says...
> On Thu, 26 Jul 2007 08:18:54 -0400, Leythos wrote:
>
> >In article <0efga3pt9k30ss7nmlv862v9a3l7vr2qk0@4ax.com>,
> >b__nice@hotmail.com says...
> >> On Wed, 25 Jul 2007 10:35:15 -0700, "jameshanley39@yahoo.co.uk"
> >> wrote:
> >>
> >> >I don't see a reason why you need to disagree.
> >>
> >> I disagree to a false claim that NAT devices would be some kind of
> >> "silver bullet" to protect the rest of us from the ignorant masses.
> >
> >And yet they are, clearly, a great way to protect people from
> >compromised machines.
>
> But this wasn't what you were advocating. You were advocating
> installing NAT on the ignorant masses machines to protect the so
> called rest of us.

And I still say that, even above, you just seem to be missing the
technology and how it works.

> >> >It reminds me of 2 people having a discussion about what should be
> >> >done to deal with the drug problem. Do you bomb the drug fields or do
> >> >you work with people and get them off their addiction? You do both.
> >> >I told that to those 2 guys and one of them agreed with me, and the other
> >> >didn't disagree. I don't want to keep to that analogy.
> >>
> >> Difference is, Leythos is promoting a solution that doesn't work. NAT
> >> does not provide protection from the ignorant masses. Period.
> >
> >Yes, it clearly does. If the infected machine can't reach another
> >infected machine then it's protected.
>
> It's protected against certain threats just like if a simple packet
> filter like the WF is installed.

No, the NAT appliance is not anywhere near as easy to compromise as the
Windows firewall is, and it's not subject to applications making holes
(exceptions) in it.

> Still, NAT doesn't protect "the rest of us" from being DDoS'ed into
> oblivion by "the ignorant masses" behind NAT devices.

LOL - and DDOS is such a minor part of what the ignorant masses impact
us with. But you appear to have missed the point again, even if my NAT
device is being DDOS'd, I can still work behind my NAT device, still
print to my network printer, still get work done, I just have an issue
with internet traffic, but it never impacts my local network.

> >You just don't seem to understand how networking works.
>
> Oh yes, let's get personal...
>
> What I do understand is that you are very good at constantly twisting
> the topic a little bit.

LOL, really, me twisting? You've got to be kidding, you're twisting like
Chilly does.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: firewall on budget ?

on 26.07.2007 20:52:43 by unknown

Post removed (X-No-Archive: yes)

Re: firewall on budget ?

on 26.07.2007 21:40:24 by jameshanley39

Something went wrong here..

My reply to Ansgar only went to
microsoft.public.windowsxp.security_admin, not to
comp.security.firewalls. I think 'cos Ansgar added a 'follow-up'
field, and it seems what that did was cause my reply to only go there,
and not to the newsgroup where I read the message and clicked
reply (comp.security.firewalls). I was only looking in csf so didn't
see them. I hadn't encountered that before; it's true of not just
Google's web interface, but Forte or any news reader client. Was news
to me.

this explains my duplicate posts in that windows xp security
newsgroup.

sorry

Re: firewall on budget ?

on 26.07.2007 22:40:03 by jameshanley39

On Jul 25, 11:34 pm, Ansgar -59cobalt- Wiechers wrote:
> jameshanle...@yahoo.co.uk wrote:
> > On Jul 25, 7:26 pm, Ansgar -59cobalt- Wiechers wrote:
> >> Work as a normal user (not guest). Adjust the rights for programs that
> >> need to be run by users but won't run as a normal user [1]. Replace
> >> programs where this isn't possible.
>
> >> For administrative tasks use runas or log in as an administrative user.
> >> The latter is the preferred method, because the former may allow for
> >> shatter attacks against the programs started with admin privileges.
>
> >> [1] http://www.planetcobalt.net/sdb/submission.shtml
>
> > Your reference currently only brings up or redirects to a welcome page.
> > I don't see what article has the relevant info.
>
> The URL worked with Mozilla, but apparently not with other browsers.
> Fixed.
>

Thanks, I'll look at that info.

> > For what I called running as guest, I had in mind limited user account
> > or non-admin account...
>
> Guest is something completely different from LUA. Don't confuse the two.
>

ok

> > But it's quite a nuisance. For reasons mentioned . Maybe ok for an
> > end user that doesn't need administrative rights very often. Or for a
> > techie using the family machine (not commonly experimenting on it
> > putting servers on or amending the firewall settings, installing other
> > programs)
>
> Once a box is set up properly, people do not need administrative rights
> very often. BTDT.
>

end users in a company don't, at home - some want it at their own
risk, and call a cheap geek if it goes wrong.

But techie users may well need it.

What do you do? Suppose you browse frequently, and do admin operations
sometimes during the day, and install programs often. Are you logging
off and on often for the admin operations?

Are you spending extra time to load up your browser, right-clicking an
icon and typing a password? Just to start your browser.
Then if you close it, you have to do it again!!!

> > An obvious nuisance is you can't get the date up by double clicking
> > the clock. That can be sorted out. Under 'local security policy'.
>
> Exactly.
>
> > You can't write a little file like c:\a.txt, ok, that can be sorted..
> > you can create a folder on c:\, so can do c:\a\a.txt or c:\crp\a.txt
>
> Ummm... normal users are not supposed to create files in C:\. Users have
> full write access in their %USERPROFILE%, which is the place where they
> are supposed to create their files (preferably either in the "My
> Documents" subfolder or %TEMP%).
>

*end users* But a techie user may well want to put a txt file on c:\ ,
for the benefit of it being a short easy path. Easy to get to from the
command line.

What do you do?

For your computer.


> Besides, I don't see any reason at all why non-administrative users
> should be allowed to create anything (be it files or folders) in C:\ in
> the first place. Which is why I restrict limited users to read-only
> access to C:\ on all systems I set up.
>

what about you, a techie user ?

I can do notepad c:\a.txt
and even a LUA account allows c:\a\a.txt
Do you type
notepad c:\document...bloody long path..\

or a load of percentages to type an environment variable?!! Don't you
ever want to type things with a brush of the hand


notepad, easy.
cd \ , easy. Even easier on a UK keyboard, to do cd\
%userprofile%\desktop . Even the %s are an issue. That's not nice to
type often. You have to look where the number is.. People tend to
touchtype with the keypad.. Typing Shift + one of those top numbers
isn't so smooth.
All you want to do is create a file on the comp. Your comp!!

At the moment I'm in a room and some idiot turned the lights out. I
can still type but % are even more of a nuisance than usual 'cos I
can't see the numbers. I'd have to get out of my chair to turn the
lights on. Anyhow, besides that, one should be able to touchtype
something so simple. Those top numbers aren't so accessible without
looking beforehand.. To create a file on the computer I shouldn't have
to squint or even look at the keyboard.


> > Installing a program, getting an error, then doing the run as, can be
> > a nuisance. If I was installing many programs, trying loads out, over
> > a few days, and I wanted to browse the internet and do other things.
> > It'd be too much hassle doing so from a limited account. It's a good
> > reason why a techie's computer may most practically be best off
> > running as administrator all the time.
>
> I've been doing exactly what you call "too much hassle" for years now,
> without any problems. If you need to grow progress bars while doing
> other work as a limited user, you just start your preferred file manager
> via runas and run all setups from there. Problem solved.
>

So you're doing runas once, but then you need your file manager's
window open all the time.

Here's a big issue. Windows XP only has Windows Explorer preinstalled
as a file manager. Doing runas on that has issues.

(Probably linked to the fact that in the ctrl alt delete world, it's a
shell one can end and restart, and once the Windows shell has started,
explorer.exe is a file manager! Well, if you double click the icon.)

A workaround I briefly read of that I hadn't tried, is to do runas on
IE, and use the address bar to access local files (though I read
something about that not working with IE7).
A workaround I use on the rare occasions that I use a LUA, is to do
runas on cmd.exe (typing a long runas command to bring up a command
prompt with administrative privileges).
And apparently there's a fix that can be done on a per account basis,
to allow you to do runas on explorer.exe

http://blogs.msdn.com/aaron_margosis/archive/2004/07/07/175488.aspx
http://searchwincomputing.techtarget.com/tip/0,289483,sid68_gci1251819,00.html

If you use a 3rd party file manager and get around it that way, you
have to install that + do so for all your end users.


> > My experience is that you can't burn a CD from a limited account. I
> > tried with a few different pieces of software. nero, cdburnerxp, and
> > prob another one. I guess maybe your reference would work for that.
>
> Install Nero Burn Rights and put the users that should be able to burn
> CDs into the group "Nero" (works for other burning software too). Or use
> a different program. Deep Burner for instance works just fine as a
> limited user here.
>

Such a trivial thing, and Nero needs special treatment. Doesn't cover
other CD burners though. At least that hassle is a one-off, ok.
Though for the rare times I burn a CD, I can deal with runas.


> > Logging off and on is a hassle in time, and especially moreso if it
> > means closing your programs. Is a bit off-putting too. If you're busy
> > with all these windows up.
>
> Then use runas. It's only the second best option, but an option
> nonetheless.
>

That doesn't apply here.
Runas works for installing or running programs that need
administrative privileges to install or run respectively.

But it doesn't let you make administrative amendments, e.g. to the
Windows firewall. Or adding/deleting users, resetting a password.

If doing admin tasks many times a day, at any time, it's a hassle to
close all your programs and go to administrative mode, do them, then
go back as LUA to browse the web. And what if you want to do an
admin task and browse the web to check something?


> > Furthermore, if one had a P2P app it means they'd end up far away in
> > the queue..
>
> I'm running a BitTorrent client on this Win2k box as a limited user
> without any problems. Your point being? It's not like somebody's forcing
> you to use crappy P2P software.
>

BitTorrent does not supersede P2P in any way. It has its issues.

For a start, there's playing the game of searching for torrents. It
may take searching on a few websites to find what you want, and those
websites go down often and you have to be 'in the loop' as to what the
current good torrent search sites are.

They are also different communities, different programs are available.
Even from one P2P app to another. One may be good for music, another
for various genres of short video clips, another for (big) movies.. I
found an old program AA - Autodesk Animator - on Kazaa. Kazaa made it
easy to share files. Yet, the first BitTorrent client (the standard
one), I didn't use it much but I recall it being messy to share the
files you downloaded, I think you had to keep windows open, one per
file.. Maybe a good client like uTorrent improves that. But all these
things have issues. P2P is good. For programs, vid clips, movies,
anything.

If you can tell me a way to find torrents that doesn't involve
googling myself into a new seat in hell, I'd like to know. One website
with all the torrents, a website that doesn't go down. I still doubt
it'll have the array of files that P2P apps do..

Re: firewall on budget ?

on 26.07.2007 23:02:07 by jameshanley39

On Jul 26, 7:32 am, Straight Talk wrote:
> On Wed, 25 Jul 2007 10:35:15 -0700, "jameshanle...@yahoo.co.uk"
> wrote:
> >I don't see a reason why you need to disagree.
>
> I disagree to a false claim that NAT devices would be some kind of
> "silver bullet" to protect the rest of us from the ignorant masses.
>
> >It reminds me of 2 people having a discussion about what should be
> >done to deal with the drug problem. Do you bomb the drug fields or do
> >you work with people and get them off their addiction? You do both.
> >I told that to those 2 guys and one of them agreed with me, and the other
> >didn't disagree. I don't want to keep to that analogy.
>
> Difference is, Leythos is promoting a solution that doesn't work. NAT
> does not provide protection from the ignorant masses. Period.
>

Whatever Leythos was saying in response to you is as good as lost,
since your posts will vanish from archives, and we won't see the
discussion in the future.

So, without quoting from that discussion, I'll try to keep any
discussion I have with you self-contained within my posts.

NAT Routers do block incoming.
The Win XP Firewall does too.

They would have different vulnerabilities. The vulnerabilities of the
Win XP FW - or any PFW / software firewalls - have been discussed.
Many users have theirs taken down when they go to a website!

There's no doubt that NAT Routers block incoming, and they don't fool
for the old website thing - website exploiting a commonly used browser
you run, and running malicious code on your system!

Here's a technical question though..
Even if you're in a LUA account, can't a site run some malicious code?
The code is a bit more limited in what it can access (certain
directories and registry parts are no-go areas), but still it can do
quite a bit. (Just as many programs can do what they need in a non-
admin account.)

Re: firewall on budget ?

on 26.07.2007 23:21:20 by jameshanley39

On Jul 26, 7:52 pm, Straight Talk wrote:
> On Thu, 26 Jul 2007 14:06:10 -0400, Leythos wrote:
> >In article ,
> >b__n...@hotmail.com says...
> >> On Thu, 26 Jul 2007 08:18:54 -0400, Leythos wrote:
>
> >> >In article <0efga3pt9k30ss7nmlv862v9a3l7vr2...@4ax.com>,
> >> >b__n...@hotmail.com says...
> >> >> On Wed, 25 Jul 2007 10:35:15 -0700, "jameshanle...@yahoo.co.uk"
> >> >> wrote:
>
> >> >> >I don't see a reason why you need to disagree.
>
> >> >> I disagree to a false claim that NAT devices would be some kind of
> >> >> "silver bullet" to protect the rest of us from the ignorant masses.
>
> >> >And yet they are, clearly, a great way to protect people from
> >> >compromised machines.
>
> >> But this wasn't what you were advocating. You were advocating
> >> installing NAT on the ignorant masses machines to protect the so
> >> called rest of us.
>
> >And I still say that, even above, you just seem to be missing the
> >technology and how it works.
>
> Not much of an argument.
>
>
> >> >> >It reminds me of 2 people having a discussion about what should be
> >> >> >done to deal with the drug problem. Do you bomb the drug fields or do
> >> >> >you work with people and get them off their addiction? You do both.
> >> >> >I told that to those 2 guys and one of them agreed with me, and the other
> >> >> >didn't disagree. I don't want to keep to that analogy.
>
> >> >> Difference is, Leythos is promoting a solution that doesn't work. NAT
> >> >> does not provide protection from the ignorant masses. Period.
>
> >> >Yes, it clearly does. If the infected machine can't reach another
> >> >infected machine then it's protected.
>
> >> It's protected against certain threats just like if a simple packet
> >> filter like the WF is installed.
>
> >No, the NAT appliance is not anywhere near as easy to compromise as the
> >Windows firewall is, and it's not subject to applications making holes
> >(exceptions) in it.
>
> That's true. But when it comes to the chance of "the ignorant masses"
> getting compromised, it doesn't make much of a difference.
>
> >> Still, NAT doesn't protect "the rest of us" from being DDoS'ed into
> >> oblivion by "the ignorant masses" behind NAT devices.
>
> >LOL - and DDOS is such a minor part of what the ignorant masses impact
> >us with.
>
> Just one example. Being spammed by bot nets from ignorant masses
> behind NAT devices is another. Having your domain abused by bot nets
> spreading spam or malware from ignorant masses behind NAT devices is
> yet another.
>

Out of interest, what do you mean by bot net?

Is it a malicious server / trojan that receives a command, and then
could cause trouble to other machines, maybe acting as a client
sending spam mail through a mail server that lets anybody in?

If it is indeed a server that receives a command, then a NAT router
would prevent it from receiving an incoming connection.

I see if it's a malicious client program, then a NAT router wouldn't
stop that.

There are a lot of malicious server programs around though, e.g. malicious
SMTP servers. Other comps then connect to the compromised one and send
spam through it. The user at the compromised machine then gets
contacted by his ISP saying 'stop it or you'll get DCed/disconnected'.
A NAT router stops those other users getting attacked, and in the
process, stops that poor user from getting an email threat from his
ISP.

Re: firewall on budget ?

on 27.07.2007 00:41:59 by Leythos

In article ,
b__nice@hotmail.com says...
> You seem to be running out of arguments.

And you seem to be trolling by picking a small item and saying that it
invalidates everything else.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: firewall on budget ?

am 27.07.2007 01:04:23 von unknown

Post removed (X-No-Archive: yes)

Re: firewall on budget ?

am 27.07.2007 01:04:54 von Frank McCoy

In alt.comp.hardware.pc-homebuilt "jameshanley39@yahoo.co.uk"
wrote:

>Whatever Leythos was saying in response to you, is as good as lost,
>since your posts will vanish from archives, and we don't see the
>discussion in the future.

I dunno ... I archive about *everything* in the groups I visit.
I'm quite sure I'm not the only person who does.

Then there's Google Groups ....

Large hard-drives these days are CHEAP.

--
_____
/ ' / ™
,-/-, __ __. ____ /_
(_/ / (_(_/|_/ / <_/ <_

Re: firewall on budget ?

am 27.07.2007 01:10:29 von unknown

Post removed (X-No-Archive: yes)

Re: firewall on budget ?

am 27.07.2007 01:11:08 von Leythos

In article <2p9ia35in7umnf6hfvmt5lhln8chve62h8@4ax.com>,
b__nice@hotmail.com says...
> On Thu, 26 Jul 2007 14:02:07 -0700, "jameshanley39@yahoo.co.uk"
> wrote:
>
> >Here's a technical question though..
> >Even if you're in a LUA account. Can't a site run some malicious code.
> >The code is a bit more limited in what it can access(certain
> >directories and registry parts are no-go areas), but still it can do
> >quite a bit. (just as many programs can do what they need in a non-
> >admin account)
>
> It sure can. What you seem to be missing is that I made my LUA point
> in response to Leythos claiming that any program could poke holes
> (open servers) in the WF. As a limited user you cannot do that, my
> point being that the fault is not in the WF but in users running with
> admin rights.

And you failed to understand that MOST people run as Admin level users.
Anyone smart enough to run as a limited user has a very high chance
that they also know more about security than the zillions of ignorant
users with computers.

Additionally, as a limited user there are many things that you can't do,
and even people that run as a limited user login as an Administrator
from time to time.

So, again, for the masses of ignorant users, a NAT Router is a very good
option to protect their computer, to protect us from them, and provides
better logging and opportunity to remain clean and even to block
outbound than does Windows firewall.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: firewall on budget ?

am 27.07.2007 01:16:24 von unknown

Post removed (X-No-Archive: yes)

Re: firewall on budget ?

am 27.07.2007 01:19:07 von unknown

Post removed (X-No-Archive: yes)

Re: firewall on budget ?

am 27.07.2007 01:50:35 von jameshanley39

On Jul 27, 12:16 am, Straight Talk wrote:
> On Thu, 26 Jul 2007 14:21:20 -0700, "jameshanle...@yahoo.co.uk"
>
> wrote:
> >Out of interest, what do you mean by bot net ?
>
> A net of bots.
>
> >Is it a malicious server / trojan that receives a command, and then
> >could cause trouble to other machines, maybe acting as a client
> >sending spam mail through a mail server that lets anybody in ?
>
> >If it is indeed a server that receives a command, then a NAT router
> >would prevent it from receiving an incoming connection.
>
> Most bots dial in themselves to receive commands from the controller.
> NAT won't stop that.

interesting about the bot nets. Agreed that NAT won't stop malicious
clients like that. And I guess there'd be redundant 'controllers',
and they'd be hidden behind proxies.

The windows firewall won't stop them either.

But nobody claimed that NAT would, or that it was the be all and end
all in security. However, it does stop incoming. A lot of problems
nowadays are plain malicious servers.

A NAT router is harder to take down, whereas machines with a windows
firewall are getting taken down quite often, and neatly, one may not
even notice. "At least" with PFWs, they probably put up a bit of a
fight and crash in such a situation!!

Re: firewall on budget ?

am 27.07.2007 01:51:55 von unknown

Post removed (X-No-Archive: yes)

Re: firewall on budget ?

am 27.07.2007 01:54:16 von jameshanley39

On Jul 27, 12:11 am, Leythos wrote:
> In article <2p9ia35in7umnf6hfvmt5lhln8chve6...@4ax.com>,
> b__n...@hotmail.com says...
>
> > On Thu, 26 Jul 2007 14:02:07 -0700, "jameshanle...@yahoo.co.uk"
> > wrote:
>
> > >Here's a technical question though..
> > >Even if you're in a LUA account. Can't a site run some malicious code.
> > >The code is a bit more limited in what it can access(certain
> > >directories and registry parts are no-go areas), but still it can do
> > >quite a bit. (just as many programs can do what they need in a non-
> > >admin account)
>
> > It sure can. What you seem to be missing is that I made my LUA point
> > in response to Leythos claiming that any program could poke holes
> > (open servers) in the WF. As a limited user you cannot do that, my
> > point being that the fault is not in the WF but in users running with
> > admin rights.
>
> And you failed to understand that MOST people run as Admin level users.
> Anyone smart enough to run as a limited user

I'm sure that you once said you run as an Administrative user.

&/ that you don't work from a limited account.

Re: firewall on budget ?

am 27.07.2007 01:59:40 von jameshanley39

On Jul 27, 12:04 am, Frank McCoy wrote:
> In alt.comp.hardware.pc-homebuilt "jameshanle...@yahoo.co.uk"
>
> wrote:
> >Whatever Leythos was saying in response to you, is as good as lost,
> >since your posts will vanish from archives, and we don't see the
> >discussion in the future.
>
> I dunno ... I archive about *everything* in the groups I visit.
> I'm quite sure I'm not the only person who does.
>
> Then there's Google Groups ....
>
> Large hard-drives these days are CHEAP.
>

You use Forte Free Agent? Where's the option in it to do that?
Does it do it in plain text too? (though opening it in Forte is cool
enough)
How many years have you done?!

Re: firewall on budget ?

am 27.07.2007 02:02:44 von jameshanley39

On Jul 27, 12:04 am, Straight Talk wrote:
> On Thu, 26 Jul 2007 14:02:07 -0700, "jameshanle...@yahoo.co.uk"
>
> wrote:
> >Here's a technical question though..
> >Even if you're in a LUA account. Can't a site run some malicious code.
> >The code is a bit more limited in what it can access(certain
> >directories and registry parts are no-go areas), but still it can do
> >quite a bit. (just as many programs can do what they need in a non-
> >admin account)
>
> It sure can. What you seem to be missing is that I made my LUA point
> in response to Leythos claiming that any program could poke holes
> (open servers) in the WF. As a limited user you cannot do that, my
> point being that the fault is not in the WF but in users running with
> admin rights.

if you're a techie, it's a hassle to not run with admin rights.

Leythos has a point that in practice, although both the WF and other
PFWs can be taken down or circumvented, the WF is taken down far more
cleanly. It's small/simple, more common, built for programs to add
exceptions in.

Re: firewall on budget ?

am 27.07.2007 02:16:11 von Leythos

In article ,
b__nice@hotmail.com says...
> On Thu, 26 Jul 2007 23:04:23 GMT, Straight Talk
> wrote:
>
> >On Thu, 26 Jul 2007 14:02:07 -0700, "jameshanley39@yahoo.co.uk"
> > wrote:
> >
> >>Here's a technical question though..
> >>Even if you're in a LUA account. Can't a site run some malicious code.
> >>The code is a bit more limited in what it can access(certain
> >>directories and registry parts are no-go areas), but still it can do
> >>quite a bit. (just as many programs can do what they need in a non-
> >>admin account)
> >
> >It sure can. What you seem to be missing is that I made my LUA point
> >in response to Leythos claiming that any program could poke holes
> >(open servers) in the WF. As a limited user you cannot do that, my
> >point being that the fault is not in the WF but in users running with
> >admin rights.
>
> Actually, if you go back you'll see that the only topic I wanted to
> discuss was Leythos' claim that the WF was a bad concept. Suddenly
> Leythos brought NAT into the discussion and later firewalling
> technology. And now he calls me a troll :-)

Actually, the thread is about "Firewall on a budget" not about "Windows
Firewall". So, when you look at Budget you have to consider the flaws in
WF and the fact of how most users are using it - meaning that most users
are running as a local admin, have no idea that it has exceptions/holes,
have no idea that simple programs can create holes without their
permission, etc...

The NAT router, a non-computer controlled device, non-OS controlled
device, is a simple method that provides MORE protection than the
Windows Firewall and even offers MORE options for filtering than the
Windows firewall.

The trolling comment was because you keep going around in circles for
some reason I can't fathom. You have suggested that because of one
example, a very small example with your flawed idea, that NAT is not a
better solution. I can't really believe, unless you are Chilly, that
anyone is missing all of these points by accident.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
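To see what "simple programs creating holes" looks like on XP SP2, here is an added example (not code from the thread or from anyone posting in it) that parses the Windows Firewall exception list in the form Windows stores it under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List and flags the entries a user should actually look at. The five entries are constructed, the path:scope:mode:name layout is my assumption about the on-disk format (check it against a real reg export), and the program names and paths are illustrative only.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumed value-data format of each AuthorizedApplications\List entry:
#   <full path>:<scope>:<Enabled|Disabled>:<display name>
# where scope is "*" (any remote address), "LocalSubNet", or an address list.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<mode>Enabled|Disabled):(?P<name>.*)$",
    re.IGNORECASE,
)

# Path fragments that mean "a limited user could have written this binary",
# i.e. the kind of place a P2P client or drive-by download ends up.
USER_WRITABLE_HINTS = (
    "\\documents and settings\\",
    "\\local settings\\",
    "\\application data\\",
    "\\temp\\",
)

# Constructed sample of an exception list; not taken from any real machine.
SAMPLE_LIST = [
    r"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019",
    r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"C:\Documents and Settings\Bob\Local Settings\Temp\p2pclient.exe:*:Enabled:P2P Client",
    r"C:\Program Files\Backup\agent.exe:LocalSubNet:Enabled:Backup Agent",
    r"C:\Program Files\OldGame\game.exe:*:Disabled:Old Game",
]


@dataclass
class FirewallException:
    path: str
    scope: str
    enabled: bool
    name: str


def parse_entries(lines: List[str]) -> List[FirewallException]:
    """Turn raw registry value data into structured exceptions."""
    parsed = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised exception entry: {line!r}")
        parsed.append(FirewallException(
            path=m["path"],
            scope=m["scope"],
            enabled=m["mode"].lower() == "enabled",
            name=m["name"],
        ))
    return parsed


def audit(entries: List[FirewallException]) -> List[Tuple[str, str, str]]:
    """Return (severity, name, reason) for every active hole worth a look.

    Disabled entries and entries limited to the local subnet or an explicit
    address list are left alone; world-reachable ("*") entries are reported,
    and those pointing at a user-writable path are rated HIGH because any
    program running as the logged-on user could have put them there."""
    findings = []
    for e in entries:
        if not e.enabled or e.scope != "*":
            continue
        low = e.path.lower()
        if any(hint in low for hint in USER_WRITABLE_HINTS):
            findings.append(("HIGH", e.name,
                             f"reachable from anywhere, binary in user-writable path: {e.path}"))
        else:
            findings.append(("INFO", e.name, f"reachable from any address: {e.path}"))
    return findings


def run_sample() -> List[Tuple[str, str, str]]:
    return audit(parse_entries(SAMPLE_LIST))


if __name__ == "__main__":
    for severity, name, reason in run_sample():
        print(f"{severity:5} {name}: {reason}")
```

On a real XP box the same logic can be fed from "netsh firewall show allowedprogram" or a reg export of that key; the point is that nothing in this list asks the user before an installer (or a bot running with the user's admin rights) adds to it.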

Re: firewall on budget ?

am 27.07.2007 02:18:05 von Leythos

In article ,
b__nice@hotmail.com says...
> Then educate those ignorants, instead of supporting status quo by
> promoting damage control and gap-stopping solutions.

If you could educate people that don't want to be educated there would
not be a problem and we would not be having this discussion - like
drugs, people are going to keep doing stupid things and ignoring
security until it bites them in the ass enough for them to take notice
of what they've been told for at least 10 years.

Until that all changes we can implement simple things that are already
available for NO COST that will provide protection better than what they
currently don't use properly.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: firewall on budget ?

am 27.07.2007 02:21:11 von Leythos

In article <1185494056.259579.69780@19g2000hsx.googlegroups.com>,
jameshanley39@yahoo.co.uk says...
> On Jul 27, 12:11 am, Leythos wrote:
> > In article <2p9ia35in7umnf6hfvmt5lhln8chve6...@4ax.com>,
> > b__n...@hotmail.com says...
> >
> > > On Thu, 26 Jul 2007 14:02:07 -0700, "jameshanle...@yahoo.co.uk"
> > > wrote:
> >
> > > >Here's a technical question though..
> > > >Even if you're in a LUA account. Can't a site run some malicious code.
> > > >The code is a bit more limited in what it can access(certain
> > > >directories and registry parts are no-go areas), but still it can do
> > > >quite a bit. (just as many programs can do what they need in a non-
> > > >admin account)
> >
> > > It sure can. What you seem to be missing is that I made my LUA point
> > > in response to Leythos claiming that any program could poke holes
> > > (open servers) in the WF. As a limited user you cannot do that, my
> > > point being that the fault is not in the WF but in users running with
> > > admin rights.
> >
> > And you failed to understand that MOST people run as Admin level users.
> > Anyone smart enough to run as a limited user
>
> I'm sure that you once said you run as an Administrative user.
>
> &/ that you don't work from a limited account.

And even at home I sit behind $4000 of firewall and security measures,
just like the secure networks I design. Having used and designed systems
for 30 years I've never once been compromised on any network that I've
maintained, not once.

We're talking about the ignorant masses, the ones that don't want a
clue, the ones that think that P2P software has no issues, the ones that
have never looked at the Windows Firewall panel for Exceptions, the ones
that think CD/USB drives, DVD/PDA/Cell, etc.. are not a threat to their
computers....

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: firewall on budget ?

am 27.07.2007 02:28:42 von unknown

Post removed (X-No-Archive: yes)

Re: firewall on budget ?

am 27.07.2007 02:41:36 von Leythos

In article ,
b__nice@hotmail.com says...
> On Thu, 26 Jul 2007 20:16:11 -0400, Leythos wrote:
>
> >In article ,
> >b__nice@hotmail.com says...
> >> On Thu, 26 Jul 2007 23:04:23 GMT, Straight Talk
> >> wrote:
> >>
> >> >On Thu, 26 Jul 2007 14:02:07 -0700, "jameshanley39@yahoo.co.uk"
> >> > wrote:
> >> >
> >> >>Here's a technical question though..
> >> >>Even if you're in a LUA account. Can't a site run some malicious code.
> >> >>The code is a bit more limited in what it can access(certain
> >> >>directories and registry parts are no-go areas), but still it can do
> >> >>quite a bit. (just as many programs can do what they need in a non-
> >> >>admin account)
> >> >
> >> >It sure can. What you seem to be missing is that I made my LUA point
> >> >in response to Leythos claiming that any program could poke holes
> >> >(open servers) in the WF. As a limited user you cannot do that, my
> >> >point being that the fault is not in the WF but in users running with
> >> >admin rights.
> >>
> >> Actually, if you go back you'll see that the only topic I wanted to
> >> discuss was Leythos' claim that the WF was a bad concept. Suddenly
> >> Leythos brought NAT into the discussion and later firewalling
> >> technology. And now he calls me a troll :-)
> >
> >Actually, the thread is about "Firewall on a budget" not about "Windows
> >Firewall". So, when you look at Budget you have to consider the flaws in
> >WF and the fact of how most users are using it - meaning that most users
> >are running as a local admin, have no idea that it has exceptions/holes,
> >have no idea that simple programs can create holes without their
> >permission, etc...
> >
> >The NAT router, a non-computer controlled device, non-OS controlled
> >device, is a simple method that provides MORE protection than the
> >Windows Firewall and even offers MORE options for filtering than the
> >Windows firewall.
> >
> >The trolling comment was because you keep going around in circles for
> >some reason I can't fathom. You have suggested that because of one
> >example, a very small example with your flawed idea, that NAT is not a
> >better solution. I can't really believe, unless you are Chilly, that
> >anyone is missing all of these points by accident.
>
> Funny thing is, in this thread I never argued NAT vs. WF. I don't know
> where you got that from.

Funny thing is that I mentioned it because of the poor ability of
Windows Firewall to protect users in the default mode that MS installs
users/windows on systems.

Funny thing is that I mentioned it because it's the cheapest, already in
place on most areas, method to implement to get the most protection
against one of the largest problems with Windows systems.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: firewall on budget ?

am 27.07.2007 04:34:50 von Frank McCoy

In alt.comp.hardware.pc-homebuilt "jameshanley39@yahoo.co.uk"
wrote:

>On Jul 27, 12:04 am, Frank McCoy wrote:
>> In alt.comp.hardware.pc-homebuilt "jameshanle...@yahoo.co.uk"
>>
>> wrote:
>> >Whatever Leythos was saying in response to you, is as good as lost,
>> >since your posts will vanish from archives, and we don't see the
>> >discussion in the future.
>>
>> I dunno ... I archive about *everything* in the groups I visit.
>> I'm quite sure I'm not the only person who does.
>>
>> Then there's Google Groups ....
>>
>> Large hard-drives these days are CHEAP.
>>
>
>You use Forte Free Agent? Where's the option in it to do that?
>Does it do it in plain text too? (though opening it in Forte is cool
>enough)

Groups -> Default Properties -> When to purge
Set both read and unread messages to:
Without bodies: When message is no longer available
With bodies: Never
Groups -> Default Properties -> What to purge
Clear all check-boxes under "When to purge" and "When to compact
databases" (Do your compacting manually. When files get big, it can
take a LONG time.)
Set the checkbox saying, "Ask before purging, compacting, or emptying
trash"

>how many years have you done?!
>
About nine years, since 1998.
I LOST about five years before I realized Agent (or FreeAgent) was
tossing stuff more than so old. DAMN ;-{

I also lost somewhere between three and six months of stuff when a disk
crashed and my last backup had been months earlier. My own bloody
fault, but ....

I still weep sometimes about lost things.
A lot of the stuff I lost before '98 was stuff Google (then DejaNews)
hadn't started archiving. Damn, again.

Yes, I only archive TEXT; and I *do* delete anything I consider SPAM.

Even so, some of my archives go over 4 gigabytes (maximum file size) so
I have to save them off in separate directories to be accessed
separately. An annoyance; but I don't need things more than four years
old very often.

--
_____
/ ' / ™
,-/-, __ __. ____ /_
(_/ / (_(_/|_/ / <_/ <_

Re: firewall on budget ?

am 27.07.2007 09:05:40 von unknown

Post removed (X-No-Archive: yes)

Re: firewall on budget ?

am 27.07.2007 14:24:27 von jameshanley39

On Jul 27, 3:07 am, Ansgar -59cobalt- Wiechers
wrote:
> jameshanle...@yahoo.co.uk wrote:
> > On Jul 27, 12:59 am, Ansgar -59cobalt- Wiechers wrote:
> >> On 2007-07-27 jameshanle...@yahoo.co.uk wrote:
> >>> something went wrong here..
>
> >> Yes. And it's you starting to crosspost this back to csf again. Stop it.
> >> What I wrote is NOT related to firewalls.
>
> >>> My reply to ansgar only went to
> >>> microsoft.public.windowsxp.security_admin
>
> >> Which is exactly where it belongs.
>
> >>> not to comp.security.firewalls.
>
> >> Which is because it doesn't belong there.
>
> >>> I think 'cos ansgar added a 'follow-up' field, and it seems what that
> >>> did was cause my reply to only go there, and not to the newsgroup
> >>> where I read the message and clicked reply(comp.security.firewalls).
> >>> I was only looking in csf so didn't see them.
>
> >> If you don't read this group, then don't crosspost to it. And don't run
> >> discussions across several groups.
>
> > I think it gets a bit confusing if the same thread is in different
> > groups but the contents is a bit different. It means that if somebody
> > wants to see all the posts in the thread it's almost impossible.
>
> > If you really don't want to discuss this in csf as well as here, and
> > you only want to discuss it here, and I see why, then I'm happy to
> > start a new thread here, in
> > microsoft.public.windowsxp.security_admin.
>
> > I think that would satisfy both our sensibilities.
>
> > I might make a post there to say that we agreed that this subtopic/
> > outgrowth of the thread, is being discussed in a new thread of a
> > different name in microsoft.public.windowsxp.security_admin..
>
> > is that ok with you?
>
> No.
>
> Usenet 101:
> - If you start a topic, start it in exactly ONE group (the one that is
> most appropriate for the subject).
> - If for some (good) reason you feel that a subject is on-topic in more
> than one group, crosspost the OP to all of these groups, but set a
> followup to ONE group (the one that is most appropriate for the
> subject).
> - Do not break a thread to start a new one about the same topic in
> another (or the same) group.
> - See also [1,2].
>
> That way everyone will be able to follow the discussion, and it won't be
> scattered across several groups or hierarchies.
>
> [1]http://catb.org/~esr/faqs/smart-questions.html
> [2]http://www.rfc-editor.org/rfc/rfc1855.txt
>
> And because this is utterly off-topic here: f'up2poster (in case you're
> not familiar with this: it's a request to do any further discussion in
> private, by mail).
>

As I said. Your way makes it almost impossible for those that follow
the discussion by reading all posts in a thread.

I'd rather everybody benefits directly.
I could do private email, then post any solutions to the group

Re: firewall on budget ?

am 27.07.2007 14:35:25 von jameshanley39

On Jul 27, 1:21 am, Leythos wrote:
> In article <1185494056.259579.69...@19g2000hsx.googlegroups.com>,
> jameshanle...@yahoo.co.uk says...
>
>
>
>
>
> > On Jul 27, 12:11 am, Leythos wrote:
> > > In article <2p9ia35in7umnf6hfvmt5lhln8chve6...@4ax.com>,
> > > b__n...@hotmail.com says...
>
> > > > On Thu, 26 Jul 2007 14:02:07 -0700, "jameshanle...@yahoo.co.uk"
> > > > wrote:
>
> > > > >Here's a technical question though..
> > > > >Even if you're in a LUA account. Can't a site run some malicious code.
> > > > >The code is a bit more limited in what it can access(certain
> > > > >directories and registry parts are no-go areas), but still it can do
> > > > >quite a bit. (just as many programs can do what they need in a non-
> > > > >admin account)
>
> > > > It sure can. What you seem to be missing is that I made my LUA point
> > > > in response to Leythos claiming that any program could poke holes
> > > > (open servers) in the WF. As a limited user you cannot do that, my
> > > > point being that the fault is not in the WF but in users running with
> > > > admin rights.
>
> > > And you failed to understand that MOST people run as Admin level users.
> > > Anyone smart enough to run as a limited user
>
> > I'm sure that you once said you run as an Administrative user.
>
> > &/ that you don't work from a limited account.
>
> And even at home I sit behind $4000 of firewall and security measures,
> just like the secure networks I design. Having used and designed systems
> for 30 years I've never once been compromised on any network that I've
> maintained, not once.
>
> We're talking about the ignorant masses, the ones that don't want a
> clue, the ones that think that P2P software has no issues, the ones that
> have never looked at the Windows Firewall panel for Exceptions, the ones
> that think CD/USB drives, DVD/PDA/Cell, etc.. are not a threat to their
> computers....
>
> --
>

If a lot of the advice you give here is for the ignorant masses, then
techie people reading comp.security.firewalls, following your
solutions, will have the solutions of the ignorant masses.

Re: firewall on budget ?

am 27.07.2007 15:40:27 von Leythos

In article <1185539725.993957.24750@r34g2000hsd.googlegroups.com>,
jameshanley39@yahoo.co.uk says...
> On Jul 27, 1:21 am, Leythos wrote:
> > In article <1185494056.259579.69...@19g2000hsx.googlegroups.com>,
> > jameshanle...@yahoo.co.uk says...
> >
> >
> >
> >
> >
> > > On Jul 27, 12:11 am, Leythos wrote:
> > > > In article <2p9ia35in7umnf6hfvmt5lhln8chve6...@4ax.com>,
> > > > b__n...@hotmail.com says...
> >
> > > > > On Thu, 26 Jul 2007 14:02:07 -0700, "jameshanle...@yahoo.co.uk"
> > > > > wrote:
> >
> > > > > >Here's a technical question though..
> > > > > >Even if you're in a LUA account. Can't a site run some malicious code.
> > > > > >The code is a bit more limited in what it can access(certain
> > > > > >directories and registry parts are no-go areas), but still it can do
> > > > > >quite a bit. (just as many programs can do what they need in a non-
> > > > > >admin account)
> >
> > > > > It sure can. What you seem to be missing is that I made my LUA point
> > > > > in response to Leythos claiming that any program could poke holes
> > > > > (open servers) in the WF. As a limited user you cannot do that, my
> > > > > point being that the fault is not in the WF but in users running with
> > > > > admin rights.
> >
> > > > And you failed to understand that MOST people run as Admin level users.
> > > > Anyone smart enough to run as a limited user
> >
> > > I'm sure that you once said you run as an Administrative user.
> >
> > > &/ that you don't work from a limited account.
> >
> > And even at home I sit behind $4000 of firewall and security measures,
> > just like the secure networks I design. Having used and designed systems
> > for 30 years I've never once been compromised on any network that I've
> > maintained, not once.
> >
> > We're talking about the ignorant masses, the ones that don't want a
> > clue, the ones that think that P2P software has no issues, the ones that
> > have never looked at the Windows Firewall panel for Exceptions, the ones
> > that think CD/USB drives, DVD/PDA/Cell, etc.. are not a threat to their
> > computers....
>
> If a lot of the advice you give here is for the ignorant masses, then
> techie people reading comp.security.firewalls, following your
> solutions, will have the solutions of the ignorant masses.

Don't know much about Usenet do you?

In Usenet, since MS provided an easy, although broken means to access it
by the ignorant masses, you never really know who or the technical level
of who is asking questions or their level of experience. Unless the OP
explains in great detail about the problem and other information, you
generally need to start at the lower level and work your way up with
them.

In the case of a "Firewall on a Budget" subject, this would have been
posted by someone not very experienced with firewalls and someone that
was just starting to learn - in most cases.

Techie people often think they know a lot, but the good ones know they
don't know everything and will still read posts in order to see if they
might have missed something that could benefit them also. A techie
person will not follow advice that does not help them.

Since most techie people already have a firewall appliance or a NAT
appliance, they already have the solution for the ignorant masses, they
know what they can do with a NAT router, they know that they can, in
most cases, block outbound traffic, etc...

One last thing, I think it's rude to redirect a thread by setting the
Follow-Up to another group when the thread clearly is on-topic in the
groups it started with.

So, again, as we've all seen, the windows firewall is almost worthless
in the hands of the ignorant - we see them running as local admins,
installing software that puts holes in it, running p2p programs that put
holes in it, using File/Printer sharing on a single computer network,
disabling it when the install software tells them to disable it, not
even running with antivirus software in some cases - oh, and the pop-up
that tells them they are infected and to download this xxx program to
clean their system.....

ISP's have taken some small steps, like blocking outbound SMTP except
through their mail servers, blocking inbound SMTP/HTTP to their dynamic
networks, etc... it could be a lot better and it would be free.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
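The claims traded back and forth in this thread about what a NAT router does and does not stop (unsolicited inbound dropped, a bot "dialling out" to its controller passed straight through, and the ISP-side block on outbound SMTP mentioned just above) can be checked against a small model. The following is an added example, not code from the original thread or any poster; the LAN prefix, the infected PC, the controller, the victim mail server and the ISP relay addresses are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str    # source IP
    sport: int  # source port
    dst: str    # destination IP
    dport: int  # destination port


Flow = Tuple[str, int, str, int]  # (lan_ip, lan_port, wan_ip, wan_port)


class HomeNatRouter:
    """Minimal model of a consumer NAT box with no port-forward rules:
    anything the LAN starts is recorded, and inbound traffic is forwarded
    only if it answers a recorded flow. Everything else from the WAN side
    is dropped, which is the whole of the protection the thread argues about."""

    def __init__(self, lan_prefix: str) -> None:
        self.lan_prefix = lan_prefix
        self.flows: Set[Flow] = set()
        self.log: List[str] = []

    def is_lan(self, ip: str) -> bool:
        return ip.startswith(self.lan_prefix)

    def handle(self, p: Packet) -> str:
        if self.is_lan(p.src) and not self.is_lan(p.dst):
            # LAN host opened (or continues) a session: remember it, pass it.
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "FORWARD"
        if not self.is_lan(p.src) and self.is_lan(p.dst):
            if (p.dst, p.dport, p.src, p.sport) in self.flows:
                return "FORWARD"  # reply to a session the LAN host opened
            self.log.append(f"dropped unsolicited {p.src}:{p.sport} -> {p.dst}:{p.dport}")
            return "DROP"
        return "DROP"  # traffic in neither direction of interest


def isp_egress(p: Packet, relay: str) -> str:
    """The provider-side rule from the post above: outbound SMTP is allowed
    only to the ISP's own relay, so a spambot cannot deliver straight to
    other people's mail exchangers. This sits upstream of the NAT box."""
    if p.dport == 25 and p.dst != relay:
        return "DROP"
    return "FORWARD"


def scenario() -> Dict[str, str]:
    """Run the thread's cases through both layers and return the verdicts."""
    nat = HomeNatRouter("192.168.1.")
    relay = "203.0.113.25"   # constructed ISP mail relay
    bot = "192.168.1.10"     # the infected PC behind the router
    results: Dict[str, str] = {}

    def send(label: str, p: Packet) -> None:
        verdict = nat.handle(p)
        if verdict == "FORWARD" and nat.is_lan(p.src):
            verdict = isp_egress(p, relay)   # only outbound traffic reaches the ISP filter
        results[label] = verdict

    # 1. Outsider probes for the "malicious SMTP server" the thread describes.
    send("inbound_smtp_probe", Packet("198.51.100.7", 40000, bot, 25))
    # 2. The bot dials out to its controller; NAT passes it like any client.
    send("bot_dial_out", Packet(bot, 51000, "198.51.100.9", 6667))
    # 3. The controller's command rides back on that same session.
    send("controller_command", Packet("198.51.100.9", 6667, bot, 51000))
    # 4. The bot obeys and tries to spam a victim MX directly; the ISP rule stops it.
    send("direct_spam", Packet(bot, 51001, "198.51.100.30", 25))
    # 5. Mail sent through the ISP relay still works.
    send("mail_via_relay", Packet(bot, 51002, relay, 25))
    return results


if __name__ == "__main__":
    for label, verdict in scenario().items():
        print(f"{label:20} {verdict}")
```

Cases 1 and 3 are the two sides of the argument in one run: the same box that drops the inbound probe forwards the controller's command, because the bot opened that session itself.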

Re: firewall on budget ?

am 27.07.2007 16:35:08 von Ansgar -59cobalt- Wiechers

In comp.security.firewalls jameshanley39@yahoo.co.uk wrote:
> On Jul 27, 3:07 am, Ansgar -59cobalt- Wiechers wrote:
>> Usenet 101:
>> - If you start a topic, start it in exactly ONE group (the one that is
>> most appropriate for the subject).
>> - If for some (good) reason you feel that a subject is on-topic in more
>> than one group, crosspost the OP to all of these groups, but set a
>> followup to ONE group (the one that is most appropriate for the
>> subject).
>> - Do not break a thread to start a new one about the same topic in
>> another (or the same) group.
>> - See also [1,2].
>>
>> That way everyone will be able to follow the discussion, and it won't be
>> scattered across several groups or hierarchies.
>>
>> [1]http://catb.org/~esr/faqs/smart-questions.html
>> [2]http://www.rfc-editor.org/rfc/rfc1855.txt
>>
>> And because this is utterly off-topic here: f'up2poster (in case you're
>> not familiar with this: it's a request to do any further discussion in
>> private, by mail).
>
> As I said. Your way makes it almost impossible for those that follow
> the discussion by reading all posts in a thread.
>
> I'd rather everybody benefits directly.
> I could do private email, then post any solutions to the group

*plonk*

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: firewall on budget ?

am 27.07.2007 19:06:03 von jameshanley39

Straight Talk wrote:

> On Thu, 26 Jul 2007 14:21:20 -0700, "jameshanley39@yahoo.co.uk"
> wrote:
>
> > Out of interest, what do you mean by bot net ?
>
> A net of bots.
>
> > Is it a malicious server / trojan that receives a command, and then
> > could cause trouble to other machines, maybe acting as a client
> > sending spam mail through a mail server that lets anybody in ?
> >
> > If it is indeed a server that receives a command, then a NAT router
> > would prevent it from receiving an incoming connection.
>
> Most bots dial in themselves to receive commands from the controller.
> NAT won't stop that.


That's what I said, but without words like 'dial in' (this isn't about
dial up). I know what you mean there.

Leythos didn't claim that NAT blocks all attacks.

you mentioned DDOS at the NAT device, (which i think leythos said
wouldn't affect the LAN part of it)

and you mentioned botnets, and one could mention other malicious
clients.

And Leythos has mentioned some that it would block. I've seen for
myself a comp compromised to be a malicious smtp server.

The windows firewall blocks incoming but is easily compromised. A NAT
router blocks incoming but isn't so easily compromised. one could use
both.

do you have an argument against that?

Re: firewall on budget ?

am 27.07.2007 20:00:28 von unknown

Post removed (X-No-Archive: yes)

Re: firewall on budget ?

am 29.07.2007 04:45:13 von jameshanley39

Leythos wrote:

> In article <1185539725.993957.24750@r34g2000hsd.googlegroups.com>,
> jameshanley39@yahoo.co.uk says...
> > On Jul 27, 1:21 am, Leythos wrote:
> > > In article <1185494056.259579.69...@19g2000hsx.googlegroups.com>,
> > > jameshanle...@yahoo.co.uk says...
> > >
> > >
> > >
> > >
> > >
> > > > On Jul 27, 12:11 am, Leythos wrote:
> > > > > In article <2p9ia35in7umnf6hfvmt5lhln8chve6...@4ax.com>,
> > > > > b__n...@hotmail.com says...
> > >
> > > > > > On Thu, 26 Jul 2007 14:02:07 -0700,
> > > > > > "jameshanle...@yahoo.co.uk"
> > > > > > wrote:
> > >
> > > > > > > Here's a technical question though..
> > > > > > > Even if you're in a LUA account. Can't a site run some
> > > > > > > malicious code. The code is a bit more limited in what
> > > > > > > it can access(certain directories and registry parts are
> > > > > > > no-go areas), but still it can do quite a bit. (just as
> > > > > > > many programs can do what they need in a non- admin
> > > > > > > account)
> > >
> > > > > > It sure can. What you seem to be missing is that I made my
> > > > > > LUA point in response to Leythos claiming that any program
> > > > > > could poke holes (open servers) in the WF. As a limited
> > > > > > user you cannot do that, my point being that the fault is
> > > > > > not in the WF but in users running with admin rights.
> > >
> > > > > And you failed to understand that MOST people run as Admin
> > > > > level users. Anyone smart enough to run as a limited user
> > > > >
> > >
> > > > I'm sure that you once said you run as an Administrative user.
> > >
> > > > &/ that you don't work from a limited account.
> > >
> > > And even at home I sit behind $4000 of firewall and security
> > > measures, just like the secure networks I design. Having used and
> > > designed systems for 30 years I've never once been compromised on
> > > any network that I've maintained, not once.
> > >
> > > We're talking about the ignorant masses, the ones that don't want
> > > a clue, the ones that think that P2P software has no issues, the
> > > ones that have never looked at the Windows Firewall panel for
> > > Exceptions, the ones that think CD/USB drives, DVD/PDA/Cell,
> > > etc.. are not a threat to their computers....
> >
> > If a lot of the advice you give here is for the ignorant masses, then
> > techie people reading comp.security.firewalls, following your
> > solutions, will have the solutions of the ignorant masses.
>
> Don't know much about Usenet do you?
>
> In Usenet, since MS provided an easy, although broken means to access
> it by the ignorant masses, you never really know who or the technical
> level of who is asking questions or their level of experience. Unless
> the OP explains in great detail about the problem and other
> information, you generally need to start at the lower level and work
> your way up with them.
>
> In the case of a "Firewall on a Budget" subject, this would have been
> posted by someone not very experienced with firewalls and someone
> that was just starting to learn - in most cases.
>

But in Usenet, you don't write for just one person.

> Techie people often think they know a lot, but the good ones know
> they don't know everything and will still read posts in order to see
> if they might have missed something that could benefit them also. A
> techie person will not follow advice that does not help them.
>

Techie people like to know what the options are.

Maybe one other option will be of interest, maybe many will.


> Since most techie people already have a firewall appliance or a NAT
> appliance, they already have the solution for the ignorant masses,
> they know what they can do with a NAT router, they know that they
> can, in most cases, block outbound traffic, etc...
>

So now a firewall appliance is for the ignorant masses. I was of the
impression that maybe, when you wrote of a watchguard firewall
appliance, you had a higher view of it. What is your option above that?


I figured you're a techie that likes firewall appliances, since that's
the solution you write about, that and NAT routers. I'm surprised you
called a firewall appliance a solution for the ignorant masses! You're
probably the person that made the term 'firewall appliance' popular in
this newsgroup.

I think, if one has servers, then your description of that firewall
appliance seems quite good; it means one can set up a (real) DMZ, and so
on. More appropriate than a mere NAT router. I'd like to know what the
other options are. Then maybe people can judge if they'd be useful; it
may even inspire people to do something more interesting that makes use
of them.




> One last thing, I think it's rude to redirect a thread by setting the
> Follow-Up to another group when the thread clearly is on-topic in the
> groups it started with.
>


I didn't do that.


> So, again, as we've all seen, the windows firewall is almost
> worthless in the hands of the ignorant - we see them running as local
> admins, installing software that puts holes in it, running p2p
> programs that put holes in it, using File/Printer sharing on a single
> computer network, disabling it when the install software tells them
> to disable it, not even running with antivirus software in some cases
> - oh, and the pop-up that tells them they are infected and to
> download this xxx program to clean their system.....
>

Well, typical end users call somebody to fix it. We know end users are
computer stupid. Most techies give them a NAT router, and give
themselves a NAT router; it's like 'the solution'. People have NAT
routers without even knowing what the box is. They get broadband, they
get one.

Programs like ZA (people here seem to call them PFWs; I don't know who
coined that one) also cause problems for end users that can't
google. Anti-virus software causes huge problems for end users that
can't search for free ones, small ones, and pay and find their computer
slowed down as Norton or McAfee scans in the background. Anything can
cause a problem for end users, even a person on the radio telling them
to get a virus checker. They do it themselves and they can install a
malicious program, and even malicious so-called anti-spyware
software. You shouldn't just be writing for end users. There are many
people reading, many techies, or aspiring techies, people looking to
increase their knowledge.



> ISP's have taken some small steps, like blocking outbound SMTP except
> through their mail servers,


Yep, and it'd save users from getting EMs from their ISP that they could be
DC'ed (disconnected), and save people from getting SPAM from those users.

> blocking inbound SMTP/HTTP to their
> dynamic networks, etc... it could be a lot better and it would be
> free.

Re: firewall on budget ?

am 29.07.2007 05:44:06 von Leythos

In article <46abff37$0$24758$da0feed9@news.zen.co.uk>, jameshanley39
@yahoo.co.uk says...
> So now a firewall appliance is for the ignorant masses. I was of the
> impression that maybe, when you wrote of a watchguard firewall
> appliance, you had a higher view of it. What is your option above that?

Are you going to play games like this?

Do know full well what I've been talking about this entire thread, it
was not and is not directed at the tech/security types, and no one
reading the subject would think it was about upper level information.


Re: firewall on budget ?

am 29.07.2007 06:15:06 von MR. Arnold

>> So now a firewall appliance is for the ignorant masses. I was of the
>> impression that maybe, when you wrote of a watchguard firewall
>> appliance, you had a higher view of it. What is your option above that?
>
> Are you going to play games like this?
>

Yeah, the person is going to do just that, because it's a troll.

Re: firewall on budget ?

am 29.07.2007 06:28:38 von Leythos

In article ,
"Mr. Arnold" says...
>
> >> So now a firewall appliance is for the ignorant masses. I was of the
> >> impression that maybe, when you wrote of a watchguard firewall
> >> appliance, you had a higher view of it. What is your option above that?
> >
> > Are you going to play games like this?
> >
>
> Yeah, the person is going to do just that, because it's a troll.

Yep, sad to say, but that's the way it looks.


Re: firewall on budget ?

am 29.07.2007 23:25:05 von jameshanley39

Leythos wrote:

> In article <46abff37$0$24758$da0feed9@news.zen.co.uk>, jameshanley39
> @yahoo.co.uk says...
> > So now a firewall appliance is for the ignorant masses. I was of the
> > impression that maybe, when you wrote of a watchguard firewall
> > appliance, you had a higher view of it. What is your option above
> > that?
>
> Are you going to play games like this?
>
> Do know full well what I've been talking about this entire thread, it
> was not and is not directed at the tech/security types, and no one
> reading the subject would think it was about upper level information.

I didn't just have in mind what you wrote in this thread. But anyhow.

I'm asking you then.

What do you suggest that is directed at the tech/security types?

Re: firewall on budget ?

am 30.07.2007 00:31:37 von Leythos

In article <46ad05b1$0$15208$fa0fcedb@news.zen.co.uk>, jameshanley39
@yahoo.co.uk says...
> Leythos wrote:
>
> > In article <46abff37$0$24758$da0feed9@news.zen.co.uk>, jameshanley39
> > @yahoo.co.uk says...
> > > So now a firewall appliance is for the ignorant masses. I was of the
> > > impression that maybe, when you wrote of a watchguard firewall
> > > appliance, you had a higher view of it. What is your option above
> > > that?
> >
> > Are you going to play games like this?
> >
> > Do know full well what I've been talking about this entire thread, it
> > was not and is not directed at the tech/security types, and no one
> > reading the subject would think it was about upper level information.
>
> I didn't just have in mind what you wrote in this thread. But anyhow.
>
> I'm asking you then.
>
> What do you suggest that is directed at the tech/security types?

State a specific question, listing what you want to know, in detail that
a "techie" would and I'll answer it.


Re: firewall on budget ?

am 30.07.2007 01:36:13 von jameshanley39

Leythos wrote:

> In article <46ad05b1$0$15208$fa0fcedb@news.zen.co.uk>, jameshanley39
> @yahoo.co.uk says...
> > Leythos wrote:
> >
> > > In article <46abff37$0$24758$da0feed9@news.zen.co.uk>,
> > > jameshanley39 @yahoo.co.uk says...
> > > > So now a firewall appliance is for the ignorant masses. I was
> > > > of the impression that maybe, when you wrote of a watchguard
> > > > firewall appliance, you had a higher view of it. What is your
> > > > option above that?
> > >
> > > Are you going to play games like this?
> > >
> > > Do know full well what I've been talking about this entire
> > > thread, it was not and is not directed at the tech/security
> > > types, and no one reading the subject would think it was about
> > > upper level information.
> >
> > I didn't just have in mind what you wrote in this thread. But
> > anyhow.
> >
> > I'm asking you then.
> >
> > What do you suggest that is directed at the tech/security types?
>
> State a specific question, listing what you want to know, in detail
> that a "techie" would and I'll answer it.

Well, I'm interested in an example of what you would consider a
techie's configuration.

I could give you some suggestions, but I'm sure yours are better than
mine. He's a techie; he may run an open web server, an open FTP
server, and he may want to access his computer himself with VNC.
Is that person one of the ignorant masses that you think should use a
NAT router or Watchguard firewall appliance? Maybe to you, that person
is not a technical person.

I'm interested in an example of what you would call the configuration
of a technical person. Of course, people are different. I'm just asking
for an example.

You've given 2 examples of solutions for the ignorant masses.

Re: firewall on budget ?

am 30.07.2007 01:51:10 von Leythos

In article <46ad246d$0$15223$fa0fcedb@news.zen.co.uk>, jameshanley39
@yahoo.co.uk says...
> Leythos wrote:
>
> > In article <46ad05b1$0$15208$fa0fcedb@news.zen.co.uk>, jameshanley39
> > @yahoo.co.uk says...
> > > Leythos wrote:
> > >
> > > > In article <46abff37$0$24758$da0feed9@news.zen.co.uk>,
> > > > jameshanley39 @yahoo.co.uk says...
> > > > > So now a firewall appliance is for the ignorant masses. I was
> > > > > of the impression that maybe, when you wrote of a watchguard
> > > > > firewall appliance, you had a higher view of it. What is your
> > > > > option above that?
> > > >
> > > > Are you going to play games like this?
> > > >
> > > > Do know full well what I've been talking about this entire
> > > > thread, it was not and is not directed at the tech/security
> > > > types, and no one reading the subject would think it was about
> > > > upper level information.
> > >
> > > I didn't just have in mind what you wrote in this thread. But
> > > anyhow.
> > >
> > > I'm asking you then.
> > >
> > > What do you suggest that is directed at the tech/security types?
> >
> > State a specific question, listing what you want to know, in detail
> > that a "techie" would and I'll answer it.
>
> Well, I'm interested in an example of what you would consider a
> techie's configuration.
>
> I could give you some suggestions, but I'm sure yours are better than
> mine. He's a techie; he may run an open web server, an open FTP
> server, and he may want to access his computer himself with VNC.
> Is that person one of the ignorant masses that you think should use a
> NAT router or Watchguard firewall appliance? Maybe to you, that person
> is not a technical person.
>
> I'm interested in an example of what you would call the configuration
> of a technical person. Of course, people are different. I'm just asking
> for an example.
>
> You've given 2 examples of solutions for the ignorant masses.

I've set the follow-up to comp.security.firewalls since the other groups
don't really fall into this - post your question in a thread in that
group, under a new subject, and I'm sure myself and others will answer
it.
