«

On 18 Oct, 19:14, Leythos <v...@nowhere.lan> wrote:
> In article <LWNRi.11385$GO5.3118@edtnps90>, unruh-s...@physics.ubc.ca
> says...
>
>
>
> > Yes, agreed. But that is irrelevant. The question is not whether or not a
> > firewall is more flexible than a NAT router, it is. The question is whether
> > there is a difference in security against unsolicited outside attacks
> > between a firewall which blocks all unsolicited outside connections, and a
> > NAT router with no port holes punched through (Ie no ports forwarded).
>
> Yes, there is a difference.
>
> All quality firewalls have certifications from independent authorities
> that will state how they work and that they are actually providing xyz.
>
> NAT Routers have no certification (at least in the class we're talking
> about) and have been shown, many times, to have exploits that allow
> Unsolicited inbound traffic to pass through - even with no rules set by
> the owner.
>

Where has it been shown many times?

( Not shown [many times] in this newsgroup. I first heard of any such
issue from a few months ago perhaps, from Sebastian, on this
newsgroup, and since by Volker. In a thread where you were advocating
NAT for - I thought - blocking incoming )

In article < .com>,
says...
> On 18 Oct, 19:14, Leythos <v...@nowhere.lan> wrote:
> > In article <LWNRi.11385$GO5.3118@edtnps90>, unruh-s...@physics.ubc.ca
> > says...
> >
> >
> >
> > > Yes, agreed. But that is irrelevant. The question is not whether or not a
> > > firewall is more flexible than a NAT router, it is. The question is whether
> > > there is a difference in security against unsolicited outside attacks
> > > between a firewall which blocks all unsolicited outside connections, and a
> > > NAT router with no port holes punched through (Ie no ports forwarded).
> >
> > Yes, there is a difference.
> >
> > All quality firewalls have certifications from independent authorities
> > that will state how they work and that they are actually providing xyz.
> >
> > NAT Routers have no certification (at least in the class we're talking
> > about) and have been shown, many times, to have exploits that allow
> > Unsolicited inbound traffic to pass through - even with no rules set by
> > the owner.
> >
>
> Where has it been shown many times?
>
> ( Not shown [many times] in this newsgroup. I first heard of any such
> issue from a few months ago perhaps, from Sebastian, on this
> newsgroup, and since by Volker. In a thread where you were advocating
> NAT for - I thought - blocking incoming )

Try google for reference materials.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(remove 999 for proper email address)

On Oct 12, 4:15 am, comph...@toddh.net (Todd H.) wrote:
> Leythos <v...@nowhere.lan> writes:
> > In article <470e921a$0$29265$ba620...@news.skynet.be>, goarilla <"kevin
> > DOT paulus AT skynet DOT be"> says...
> > > Leythos wrote:
> > > > In article <1192120303.414117.236...@g4g2000hsf.googlegroups. com>,
> > > > maniaqu...@gmail.com says...
> > > >> not true. the WRT54G can block outgoing connections based on any
> > > >> number of specified parameters, and then it has all those extra fancy
> > > >> features that I don't understand
>
> > > > it's a NAT device that can block outbound ports - it has no clue what
> > > > those ports are and doesn't know the difference between HTTP and SMTP
> > > > except that they use different ports.
>
> > > just some questions with as goal to learn more
>
> > > so you call a firewall something with complex heuristics ?
> > > really does iptables provide more than filtering between protocol, port
> > > and state information, and do people actually use it. Because in essence
> > > iirc
> > > a nat router does the same it opens up a connection if somebody on the
> > > inside requests it
> > > and after that allows the connection untill it's broken down (FIN or RST)
> > > do i have a point here or not ?
>
> > Does the device, in the standard/default mode, block traffic in both
> > directions?
>
> A cat5 cable cut in half does. Is it a firewall?
>
> > Does the device know the difference between HTTP and SMTP or only
> > TCP 80 and TCP 25?
>
> Firewalls in the traditional definition never did, were they not
> firewalls? Application-level protocol recognition is only recently on
> the scene, yet we've had things people called "firewalls" existing for
> quite a while before that. I'd hate to think I didn't get the memo
> about someone changing the definition of "firewall" with the
> International Standards Organization.
>
> > Does the device understand being attacked and auto-block sources of
> > attacks or unauthorized traffic?
>
> So when did the definition of "firewall" start requiring it to also
> fit the definition of "network intrusion prevention device" or
> "network intrusion detection device?"
>
> Just curious.
>
> > Does the device use NAT or can it be setup with rules without using NAT?
> > If it forces NAT then I don't consider it a firewall unless it can do
> > all the others - since MOST of the devices that force NAT are
> > residential device (yea, not all inclusive, but you should get the idea
> > without us going off the deep end).
>
> Ah, okay here's where we come down to brass tacks--with the use of the
> word "I."
>
> Seme folks seem to have their own definition of a firewall that
> doesn't match that accepted by over the course of a lot of networking
> history inlcluding the present. This view categorically rejects those
> devices which don't fit a personally crafted unique definition of
> "firewalls."
>
> Unfortunately, it's pedantic and pointless. But then again, so it
> much of the banter by the more abusive posters here. To protect their
> identity, we won't mention Leythos and Sebastian by name.
>
> Now, that's not to say there isn't something to learn about the range
> of functionality one might want to consider in their border protection
> in the narrow definition such folks try to paint, but being so prickly
> about what to call a "firewall" and what to call a "NAT router" is
> just a freakin waste of time. Better to say "corporate grade border
> security appliance" which has built into the obvious fact that
> functionality and features of corporate grade hardware exceed that of
> $70 Linksys gear popular among home and small office users.
>
> And let's not forget that there was a time not very long ago where the
> fucntionality packed into your garden variety wrt54g (particularly one
> packing the fucntionality of third party firmware) took a HELL of alot
> of much more expensive hardware and was certainly considered a
> "firewall." And still is for that matter.
>
> Those with what I'll call this "modern purist" view may be shocked to
> see the breadth of defintions for our friend the firewall that are in
> existence that cast a much bigger net than his own:
> http://www.google.com/search?q=define%3Afirewall
>
> We now return you to your regularly scheduled semantic argument.
>
> Best Regards,
> --
> Todd H.http://www.toddh.net/-

unfortunately, those that make a point like the one you make , are
less vocal.


you mention
"
I'd hate to think I didn't get the memo about someone changing the
definition of "firewall" with the International Standards Organization
"

what is the ISO definition of firewall ? I couldn`t find it

can you name some of the firewalls you used in the past, that didn`t
do much more than the "traditional definition". And can you define the
traditional definition ?


What I would GUESS, is that a firewall is a packet filter and a packet
filter is a firewall. Same thing. Can be Device(network firewall) or
Software.

a packet filter controls a network by selectively allowing or blocking
packets.

packet filter is always Layer 3 (stateless/static packet filter)
and can be both Layers 3 and 4. (stateful / dynamic paclet filter )

(definition based on webopedia and the one given in the docs for the
openbsd pf program)

It rules out the broken cable you mentioned

On Nov 16, 9:11 am, "jameshanle...@yahoo.co.uk"
<jameshanle...@yahoo.co.uk> wrote:
> On Oct 12, 4:15 am, comph...@toddh.net (Todd H.) wrote:
>
>
>
>
>
> > Leythos <v...@nowhere.lan> writes:
> > > In article <470e921a$0$29265$ba620...@news.skynet.be>, goarilla <"kevin
> > > DOT paulus AT skynet DOT be"> says...
> > > > Leythos wrote:
> > > > > In article <1192120303.414117.236...@g4g2000hsf.googlegroups. com>,
> > > > > maniaqu...@gmail.com says...
> > > > >> not true. the WRT54G can block outgoing connections based on any
> > > > >> number of specified parameters, and then it has all those extra fancy
> > > > >> features that I don't understand
>
> > > > > it's a NAT device that can block outbound ports - it has no clue what
> > > > > those ports are and doesn't know the difference between HTTP and SMTP
> > > > > except that they use different ports.
>
> > > > just some questions with as goal to learn more
>
> > > > so you call a firewall something with complex heuristics ?
> > > > really does iptables provide more than filtering between protocol, port
> > > > and state information, and do people actually use it. Because in essence
> > > > iirc
> > > > a nat router does the same it opens up a connection if somebody on the
> > > > inside requests it
> > > > and after that allows the connection untill it's broken down (FIN or RST)
> > > > do i have a point here or not ?
>
> > > Does the device, in the standard/default mode, block traffic in both
> > > directions?
>
> > A cat5 cable cut in half does. Is it a firewall?
>
> > > Does the device know the difference between HTTP and SMTP or only
> > > TCP 80 and TCP 25?
>
> > Firewalls in the traditional definition never did, were they not
> > firewalls? Application-level protocol recognition is only recently on
> > the scene, yet we've had things people called "firewalls" existing for
> > quite a while before that. I'd hate to think I didn't get the memo
> > about someone changing the definition of "firewall" with the
> > International Standards Organization.
>
> > > Does the device understand being attacked and auto-block sources of
> > > attacks or unauthorized traffic?
>
> > So when did the definition of "firewall" start requiring it to also
> > fit the definition of "network intrusion prevention device" or
> > "network intrusion detection device?"
>
> > Just curious.
>
> > > Does the device use NAT or can it be setup with rules without using NAT?
> > > If it forces NAT then I don't consider it a firewall unless it can do
> > > all the others - since MOST of the devices that force NAT are
> > > residential device (yea, not all inclusive, but you should get the idea
> > > without us going off the deep end).
>
> > Ah, okay here's where we come down to brass tacks--with the use of the
> > word "I."
>
> > Seme folks seem to have their own definition of a firewall that
> > doesn't match that accepted by over the course of a lot of networking
> > history inlcluding the present. This view categorically rejects those
> > devices which don't fit a personally crafted unique definition of
> > "firewalls."
>
> > Unfortunately, it's pedantic and pointless. But then again, so it
> > much of the banter by the more abusive posters here. To protect their
> > identity, we won't mention Leythos and Sebastian by name.
>
> > Now, that's not to say there isn't something to learn about the range
> > of functionality one might want to consider in their border protection
> > in the narrow definition such folks try to paint, but being so prickly
> > about what to call a "firewall" and what to call a "NAT router" is
> > just a freakin waste of time. Better to say "corporate grade border
> > security appliance" which has built into the obvious fact that
> > functionality and features of corporate grade hardware exceed that of
> > $70 Linksys gear popular among home and small office users.
>
> > And let's not forget that there was a time not very long ago where the
> > fucntionality packed into your garden variety wrt54g (particularly one
> > packing the fucntionality of third party firmware) took a HELL of alot
> > of much more expensive hardware and was certainly considered a
> > "firewall." And still is for that matter.
>
> > Those with what I'll call this "modern purist" view may be shocked to
> > see the breadth of defintions for our friend the firewall that are in
> > existence that cast a much bigger net than his own:
> > http://www.google.com/search?q=define%3Afirewall
>
> > We now return you to your regularly scheduled semantic argument.
>
> > Best Regards,
> > --
> > Todd H.http://www.toddh.net/-
>
> unfortunately, those that make a point like the one you make , are
> less vocal.
>
> you mention
> "
> I'd hate to think I didn't get the memo about someone changing the
> definition of "firewall" with the International Standards Organization
> "
>
> what is the ISO definition of firewall ? I couldn`t find it
>
> can you name some of the firewalls you used in the past, that didn`t
> do much more than the "traditional definition". And can you define the
> traditional definition ?
>
> What I would GUESS, is that a firewall is a packet filter and a packet
> filter is a firewall. Same thing. Can be Device(network firewall) or
> Software.
>
> a packet filter controls a network by selectively allowing or blocking
> packets.
>
> packet filter is always Layer 3 (stateless/static packet filter)
> and can be both Layers 3 and 4. (stateful / dynamic paclet filter )
>
> (definition based on webopedia and the one given in the docs for the
> openbsd pf program)
>
> It rules out the broken cable you mentioned -

rules out NAT Router too. which is probably good.

http://en.wikipedia.org/wiki/Firewall_(networking)
differs with webopedia, it calls "packet filter" only the first
generation of firewall. at the network layer of the OSI model. (though
if it accesses tcp port , that is something at Layer 4 too).
So, by that definition, SPI != packet filter.

That page does talk of a firewall as sitting between 2 networks.
perhaps, as oppose to an individual computer from a network.

It does not mention about if a concept may be flawed.. like running a
software firewall on a non dedicated machine.

<> wrote in message
news:d7665587-94fc-4017-b589-...
> On Nov 16, 9:11 am, "jameshanle...@yahoo.co.uk"
> <jameshanle...@yahoo.co.uk> wrote:
>> On Oct 12, 4:15 am, comph...@toddh.net (Todd H.) wrote:
>>
>>
>>
>>
>>
>> > Leythos <v...@nowhere.lan> writes:
>> > > In article <470e921a$0$29265$ba620...@news.skynet.be>, goarilla
>> > > <"kevin
>> > > DOT paulus AT skynet DOT be"> says...
>> > > > Leythos wrote:
>> > > > > In article
>> > > > > <1192120303.414117.236...@g4g2000hsf.googlegroups. com>,
>> > > > > maniaqu...@gmail.com says...
>> > > > >> not true. the WRT54G can block outgoing connections based on
>> > > > >> any
>> > > > >> number of specified parameters, and then it has all those extra
>> > > > >> fancy
>> > > > >> features that I don't understand
>>
>> > > > > it's a NAT device that can block outbound ports - it has no clue
>> > > > > what
>> > > > > those ports are and doesn't know the difference between HTTP and
>> > > > > SMTP
>> > > > > except that they use different ports.
>>
>> > > > just some questions with as goal to learn more
>>
>> > > > so you call a firewall something with complex heuristics ?
>> > > > really does iptables provide more than filtering between protocol,
>> > > > port
>> > > > and state information, and do people actually use it. Because in
>> > > > essence
>> > > > iirc
>> > > > a nat router does the same it opens up a connection if somebody on
>> > > > the
>> > > > inside requests it
>> > > > and after that allows the connection untill it's broken down (FIN
>> > > > or RST)
>> > > > do i have a point here or not ?
>>
>> > > Does the device, in the standard/default mode, block traffic in both
>> > > directions?
>>
>> > A cat5 cable cut in half does. Is it a firewall?
>>
>> > > Does the device know the difference between HTTP and SMTP or only
>> > > TCP 80 and TCP 25?
>>
>> > Firewalls in the traditional definition never did, were they not
>> > firewalls? Application-level protocol recognition is only recently on
>> > the scene, yet we've had things people called "firewalls" existing for
>> > quite a while before that. I'd hate to think I didn't get the memo
>> > about someone changing the definition of "firewall" with the
>> > International Standards Organization.
>>
>> > > Does the device understand being attacked and auto-block sources of
>> > > attacks or unauthorized traffic?
>>
>> > So when did the definition of "firewall" start requiring it to also
>> > fit the definition of "network intrusion prevention device" or
>> > "network intrusion detection device?"
>>
>> > Just curious.
>>
>> > > Does the device use NAT or can it be setup with rules without using
>> > > NAT?
>> > > If it forces NAT then I don't consider it a firewall unless it can do
>> > > all the others - since MOST of the devices that force NAT are
>> > > residential device (yea, not all inclusive, but you should get the
>> > > idea
>> > > without us going off the deep end).
>>
>> > Ah, okay here's where we come down to brass tacks--with the use of the
>> > word "I."
>>
>> > Seme folks seem to have their own definition of a firewall that
>> > doesn't match that accepted by over the course of a lot of networking
>> > history inlcluding the present. This view categorically rejects those
>> > devices which don't fit a personally crafted unique definition of
>> > "firewalls."
>>
>> > Unfortunately, it's pedantic and pointless. But then again, so it
>> > much of the banter by the more abusive posters here. To protect their
>> > identity, we won't mention Leythos and Sebastian by name.
>>
>> > Now, that's not to say there isn't something to learn about the range
>> > of functionality one might want to consider in their border protection
>> > in the narrow definition such folks try to paint, but being so prickly
>> > about what to call a "firewall" and what to call a "NAT router" is
>> > just a freakin waste of time. Better to say "corporate grade border
>> > security appliance" which has built into the obvious fact that
>> > functionality and features of corporate grade hardware exceed that of
>> > $70 Linksys gear popular among home and small office users.
>>
>> > And let's not forget that there was a time not very long ago where the
>> > fucntionality packed into your garden variety wrt54g (particularly one
>> > packing the fucntionality of third party firmware) took a HELL of alot
>> > of much more expensive hardware and was certainly considered a
>> > "firewall." And still is for that matter.
>>
>> > Those with what I'll call this "modern purist" view may be shocked to
>> > see the breadth of defintions for our friend the firewall that are in
>> > existence that cast a much bigger net than his own:
>> > http://www.google.com/search?q=define%3Afirewall
>>
>> > We now return you to your regularly scheduled semantic argument.
>>
>> > Best Regards,
>> > --
>> > Todd H.http://www.toddh.net/-
>>
>> unfortunately, those that make a point like the one you make , are
>> less vocal.
>>
>> you mention
>> "
>> I'd hate to think I didn't get the memo about someone changing the
>> definition of "firewall" with the International Standards Organization
>> "
>>
>> what is the ISO definition of firewall ? I couldn`t find it
>>
>> can you name some of the firewalls you used in the past, that didn`t
>> do much more than the "traditional definition". And can you define the
>> traditional definition ?
>>
>> What I would GUESS, is that a firewall is a packet filter and a packet
>> filter is a firewall. Same thing. Can be Device(network firewall) or
>> Software.
>>
>> a packet filter controls a network by selectively allowing or blocking
>> packets.
>>
>> packet filter is always Layer 3 (stateless/static packet filter)
>> and can be both Layers 3 and 4. (stateful / dynamic paclet filter )
>>
>> (definition based on webopedia and the one given in the docs for the
>> openbsd pf program)
>>
>> It rules out the broken cable you mentioned -
>
> rules out NAT Router too. which is probably good.
>
> http://en.wikipedia.org/wiki/Firewall_(networking)
> differs with webopedia, it calls "packet filter" only the first
> generation of firewall. at the network layer of the OSI model. (though
> if it accesses tcp port , that is something at Layer 4 too).
> So, by that definition, SPI != packet filter.
>
> That page does talk of a firewall as sitting between 2 networks.
> perhaps, as oppose to an individual computer from a network.
>

To keep it simplistic for you, the Internet is a massive/giant network the
Wide Area Network being protected from by the firewall. The network being
protected by the FW is the Local Area Network.

> It does not mention about if a concept may be flawed.. like running a
> software firewall on a non dedicated machine.


Your concept of a FW is flawed. A FW must separate two networks. The network
it is protecting from, and the network it is protecting. A FW must have at
least two network interfaces. One interface must face the WAN, and the other
interface must face the LAN. In the case of a software FW running on a
secured host computer, the computer must have two NIC(s) with one facing the
WAN and the other one facing the LAN.

If a software solution is not using two NIC(s), it's not a FW, but rather,
it's a machine level packet filter protecting at the machine level.

Maniaque <> writes:

>On Oct 18, 2:53 pm, Leythos <v...@nowhere.lan> wrote:
>> In article <1192735170.708582.241...@q5g2000prf.googlegroups. com>,
>> jameshanle...@yahoo.co.uk says...
>>
>> > NAT Blocks incoming, unless port forwarding. He says he didn`t have
>> > port forwarding set up to port 5900, where his VNC server got the
>> > connection. Let`s assume that he checked afterwards to make sure the
>> > port was not forwarded.
>>
>> > So, how did it happen?
>>
>> He did have port forwarding enabled, not 5900, but he was hosting
>> services.
>>
>> So, any number of things could have exposed his network and then the
>> hacker could use anything they wanted. Simple, really, exploit a hole in
>> service X, add your own app or use one installed, get access to other
>> things.
>>

>And just as this flamewar dies out, I'd like to pitch in again. I
>cannot be absolutely certain what caused the issue as I had little
>logging enabled, but as I have previously stated, I'm pretty confident
>that this issue was due to a "Active FTP NAT Helper", as originally
>suggested by Sebastian G and illustrated with Micheal Ziegler's help.
>As a result of this issue I upgraded my home router to the latest
>Tomato firmware (1.11), in which the author has kindly added an option
>to disable the NAT helper.

>The test page I linked somewhere above for the NAT Helper
>"vulnerability" now happily shows that nothing gets through, with
>status "500 Go away (PORT IP mismatch).".

>Leythos, if exploiting a hole in any service X is as simple as you
>seem to think (without you knowing anything about the services
>involved), it's truly amazing to me that the internet still more or
>less works

If service X has a hole, then service X can be exploited. Clearly the
attacker knows which services to try since those are the ports you have
open. And exploiting service X means they have entry to your machine. And
if they have entry to your machine, then they can do what they want.
Why exactly do you say that the internet works? There are probably millions
of machines out there that are owned by outsiders- ie on which outsiders
can do what they want. They primarily use them for launching phishing and
spam attacks on the world. Your definition of "works" needs upgrading.


>Thanks,
>Tao

"" <> writes:

>On 18 Oct, 19:14, Leythos <v...@nowhere.lan> wrote:
>> In article <LWNRi.11385$GO5.3118@edtnps90>, unruh-s...@physics.ubc.ca
>> says...
>>
>>
>>
>> > Yes, agreed. But that is irrelevant. The question is not whether or not a
>> > firewall is more flexible than a NAT router, it is. The question is whether
>> > there is a difference in security against unsolicited outside attacks
>> > between a firewall which blocks all unsolicited outside connections, and a
>> > NAT router with no port holes punched through (Ie no ports forwarded).
>>
>> Yes, there is a difference.
>>
>> All quality firewalls have certifications from independent authorities
>> that will state how they work and that they are actually providing xyz.

I am sorry, but you regard paper as a valid computer defense. Who cares if
they have a piece of paper attached? The question is not who has the paper
trail, but who has the security.

>>
>> NAT Routers have no certification (at least in the class we're talking
>> about) and have been shown, many times, to have exploits that allow
>> Unsolicited inbound traffic to pass through - even with no rules set by
>> the owner.

As have firewalls as times.


>>

>Where has it been shown many times?

>( Not shown [many times] in this newsgroup. I first heard of any such
>issue from a few months ago perhaps, from Sebastian, on this
>newsgroup, and since by Volker. In a thread where you were advocating
>NAT for - I thought - blocking incoming )

On Nov 18, 7:17 pm, "Mr. Arnold" <MR. Arn...@Arnold.com> wrote:
> <jameshanle...@yahoo.co.uk> wrote in message
<snip>
>
> > That page does talk of a firewall as sitting between 2 networks.
> > perhaps, as oppose to an individual computer from a network.
>
> To keep it simplistic for you, the Internet is a massive/giant network the
> Wide Area Network being protected from by the firewall. The network being
> protected by the FW is the Local Area Network.
>

What is the complicated way then?

note- a firewall blocking certain outgoing can help protect other
people on the internet from a compromised machine. Leythos is keen on
blocking certain outgoing so he`d probably know of some examples.


> > It does not mention about if a concept may be flawed.. like running a
> > software firewall on a non dedicated machine.
>
> Your concept of a FW is flawed. A FW must separate two networks. The network
> it is protecting from, and the network it is protecting. A FW must have at
> least two network interfaces. One interface must face the WAN, and the other
> interface must face the LAN. In the case of a software FW running on a
> secured host computer, the computer must have two NIC(s) with one facing the
> WAN and the other one facing the LAN.
>
> If a software solution is not using two NIC(s), it's not a FW, but rather,
> it's a machine level packet filter protecting at the machine level.-

makes sense, thanks.

In article <aaf5ac3a-9b60-451a-b03e-36c03533b841
@w73g2000hsf.googlegroups.com>, says...
> Leythos is keen on
> blocking certain outgoing so he`d probably know of some examples.

SMTP, SQL Command, Windows File Sharing, IM......

I don't allow outbound SMTP from workstations ever.

I don't allow outbound SQL Command from anything, ever.

Windows File Sharing, DNS, etc... never from the local workstations..

IM - only from approved workstations....

While DNS is not a easy exploit the others permit LAN machines to spread
malware to people on the net with exposed machines.

--

Leythos - (remove 999 to email me)

Fight exposing kids to porn, complain about sites like PCBUTTS 1.COM
that create filth and put it on the web for any kid to see: Just take a
look at some of the FILTH he's created and put on his website:
http://forums.speedguide.net/archive.../t-223485.html all exposed
to children (the link I've include does not directly display his filth).
You can find the same information by googling for 'PCBUTTS1' and
'exposed to kids'.

<> wrote in message
news:aaf5ac3a-9b60-451a-b03e-...
> On Nov 18, 7:17 pm, "Mr. Arnold" <MR. Arn...@Arnold.com> wrote:
>> <jameshanle...@yahoo.co.uk> wrote in message
> <snip>
>>
>> > That page does talk of a firewall as sitting between 2 networks.
>> > perhaps, as oppose to an individual computer from a network.
>>
>> To keep it simplistic for you, the Internet is a massive/giant network
>> the
>> Wide Area Network being protected from by the firewall. The network being
>> protected by the FW is the Local Area Network.
>>
>
> What is the complicated way then?


>
> note- a firewall blocking certain outgoing can help protect other
> people on the internet from a compromised machine. Leythos is keen on
> blocking certain outgoing so he`d probably know of some examples.

The proper thing would be to block all outbound traffic, and only allow
outbound traffic for those applications or services that need outbound
traffic. That would mostly apply to a solution such as a FW appliance,
packet filtering FW router or a software FW running on a secured gateway
computer that could implement the solution poperly by creating packet
filtering rules.


>
>
>> > It does not mention about if a concept may be flawed.. like running a
>> > software firewall on a non dedicated machine.
>>
>> Your concept of a FW is flawed. A FW must separate two networks. The
>> network
>> it is protecting from, and the network it is protecting. A FW must have
>> at
>> least two network interfaces. One interface must face the WAN, and the
>> other
>> interface must face the LAN. In the case of a software FW running on a
>> secured host computer, the computer must have two NIC(s) with one facing
>> the
>> WAN and the other one facing the LAN.
>>
>> If a software solution is not using two NIC(s), it's not a FW, but
>> rather,
>> it's a machine level packet filter protecting at the machine level.-
>
> makes sense, thanks.

When segmenting networks, a FW limits the damage that can be spread from one
network to another network, like a firedoor or firewall.

>
>