On 05/26/2016 02:28 AM, Per Jessen wrote:
> Mathias Homann wrote:
>> On Wednesday, 25 May 2016, 16:58:36 James Knott wrote:
>>> Of course the big improvement for users is the ability to directly access a computer behind the firewall, without messing with port forwarding.
>> Or in other words: instead of ONE good firewall for the enterprise you need thousands, one for each end user's personal PC.
> What makes you think that? Every network will have a default router, that's where you put the firewall. Just like today.
Classically, to quote Steve Bellovin, "The firewall is the network's response to poor host security". So yes, the firewall at the choke-point, the router, makes sense. In that context a NAT amounts to a DENY ALL INCOMING REQUESTS firewall. So far so ... good.

But then James talks about port forwarding and that opens up a can of worms. In effect he's saying that this permits home users behind the NAT to run a server. It might be a web server, might be an open mail server, each of which could be subverted, or it could be a peer-to-peer style game server. Maybe, just maybe, the user behind the NAT has adequate sysadmin capability to prevent this turning into a catastrophe, and adequate time and resources. There's a reason even people who are well skilled make use of ISPs for their web site and email services. Those entities have the staff, time, capability to implement regular and proper backups, malware scans, updates and all, things the rest of us 'working joes' have to take time out of our 'home time' to do[1][2].

IF AND ONLY IF the NAT port forwarding *ALSO* has all the filtering one would expect of a firewall for those services (AV, email black hole, 'content inspection' and a pile of other things) then OK. But I've not seen a NAT'ing device that does. None of the ones I have or have installed or dealt with in a casual-for-friends-and-relatives or professional or semi-professional capacity have, but I can't claim to have dealt with every last device and every last software revision in the whole wide world.

I did have a g/f who had some day-trading s/w that support required her to open up what seemed like half a hundred ports in her NAT. She lost a lot of money and I don't think it was all to trades. Yes, the company was a fly-by-night. Later I asked her if she'd ever closed up all those ports and removed the software after it all went to vapour. That's, to me, obvious "sanitation". She gave me a puzzled look.
She was, other than her gullibility about day-trading, an intelligent woman who had a high paying job (higher than me) before she retired early. But then I'm paranoid about many computer issues. Perhaps not all, and perhaps it's disproportionate.

There are other pertinent observations (on both sides) in this thread. I'll deal with them each in turn so this doesn't become TL;DR.

[1] Let's face it, I _could_ change the oil in my car myself, but I can't buy it at the preferential volume rates that the "Mr Oil" franchise can; the city won't let me pour the old oil down the drain and "Mr Oil" has an agreement with a recycling agency, so it's worth my while to use "Mr Oil" rather than do it myself. There are a LOT of professional services like that. The $50 or so is about what it would cost me for parts, and I don't get oil over my hands and clothes. Adam Smith's "division of labour" and specialized skills ends up "more so" when the specialists also carry specialist tools and resources.

[2] I'm not knocking the idea of 'hobby' and 'learning', just pointing out that those folks have a focused interest in getting it right and making it easy for the people who don't want to make it into a hobby.

--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?