Mailinglist Archive: opensuse (769 mails)

Re: [opensuse] DHCPv6-PD request
On 05/26/2016 02:28 AM, Per Jessen wrote:
Mathias Homann wrote:

On Wednesday, 25 May 2016, 16:58:36, James Knott wrote:

Of course the big improvement for users is the
ability to directly access a computer behind the firewall, without
messing with port forwarding.

Or in other words: instead of ONE good firewall for the enterprise you
need thousands, one for each end user's personal PC.

What makes you think that? Every network will have a default router,
that's where you put the firewall. Just like today.

Classically, to quote Steve Bellovin, "The firewall is the network's
response to poor host security". So yes, the firewall at the
choke-point, the router makes sense. In that context a NAT amounts to a
DENY ALL INCOMING REQUESTS firewall.

so far so ... good.

But then James talks about port forwarding and that opens up a can of worms.

In effect he's saying that this permits home users behind the NAT to run
a server. It might be a web server, might be an open mail server, each
of which could be subverted, or it could be a peer-to-peer style
game server. Maybe, just maybe, the user behind the NAT has adequate
sysadmin capability to prevent this turning into a catastrophe, and
adequate time and resources.

There's a reason even people who are well skilled make use of ISPs for
their web site and email services. Those entities have the staff, time,
capability to implement regular and proper backups, malware scans,
updates and all, things the rest of us 'working joes' have to take time
out of our 'home time' to do[1][2].

IF AND ONLY IF the NAT port forwarding *ALSO* has all the filtering one
would expect of a firewall for those services (AV, email black hole,
'content inspection' and a pile of other things) then OK. But I've not
seen a NAT'ing device that does. None of the ones I have or have
installed or dealt with in a casual-for-friends-and-relatives or
professional or semi-professional capacity have, but I can't claim to
have dealt with every last device and every last software revision in
the whole wide world.

I did have a g/f who had some day-trading s/w for which support
required her to open up what seemed like half a hundred ports in her
NAT. She lost a lot of money and I don't think it was all due to trades.
Yes the company was a fly-by-night. Later I asked her if she'd ever
closed up all those ports and removed the software after it all went to
vapour. That's, to me, obvious "sanitation". She gave me a puzzled
look. She was, other than her gullibility about day-trading, an
intelligent woman who had a high paying job (higher than me) before she
retired early.

But then I'm paranoid about many computer issues. Perhaps not all, and
perhaps it's disproportionate.

There are other pertinent observations (on both sides) in this thread.
I'll deal with them each in turn so this doesn't become TL;DR

[1] Let's face it, I _could_ change the oil in my car myself, but I can't
buy it at preferential volume rates that the "Mr Oil" franchise can; the
city won't let me pour the old oil down the drain and "Mr Oil" has an
agreement with a recycling agency, so it's worth my while to use "Mr Oil"
rather than do it myself. There are a LOT of professional services like
that. The $50 or so is about what it would cost me for parts, and I
don't get oil over my hands and clothes. Adam Smith's "division of
labour" and specialized skills ends up "more so" when the specialists
also carry specialist tools and resources.

[2] I'm not knocking the idea of 'hobby' and 'learning', just pointing
out that those folks have a focused interest in getting it right and
making it easy for the people who don't want to make it into a hobby.
--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?

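The poster's "sanitation" point, that port forwards punched through the NAT tend to outlive the software that needed them, can be turned into a routine check. The following is an added example, not code from the thread or from any router vendor: it parses a port-forwarding table in a hypothetical export format (the format, the rule names, the addresses and the snapshot of listening sockets are all constructed for the example), reports forwards whose LAN target is no longer listening, and counts how many unsolicited-inbound holes each LAN host has. A stale forward is the case the day-trading story describes: the hole is still open, and it becomes live again the moment any process on that host binds the port.

```python
"""Audit a home router's port-forwarding table for stale entries.

Added example, not from the mailing-list thread.  The "name proto
wan_port -> lan_ip:lan_port" export format, the rule names, the
addresses and the LISTENING snapshot are constructed assumptions;
a real router and real hosts would supply their own data.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Forward:
    name: str
    proto: str
    wan_port: int
    lan_ip: str
    lan_port: int


# Constructed sample forwarding table (hypothetical export format).
FORWARD_TABLE = """\
web         tcp 80    -> 192.168.1.10:80
web-tls     tcp 443   -> 192.168.1.10:443
trader-1    tcp 5001  -> 192.168.1.23:5001
trader-2    tcp 5002  -> 192.168.1.23:5002
trader-udp  udp 6000  -> 192.168.1.23:6000
old-nas     tcp 445   -> 192.168.1.40:445
"""

# Constructed snapshot of sockets actually listening on the LAN hosts,
# as (ip, proto, port); on a real LAN this would be collected per host
# (e.g. from `ss -ltnu`).
LISTENING = {
    ("192.168.1.10", "tcp", 80),
    ("192.168.1.10", "tcp", 443),
    ("192.168.1.23", "tcp", 5001),
}


def parse_forwards(text):
    """Parse the export format into Forward records; '#' starts a comment."""
    forwards = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, proto, wan_port, arrow, target = line.split()
        if arrow != "->":
            raise ValueError(f"bad rule: {raw!r}")
        lan_ip, lan_port = target.rsplit(":", 1)
        ipaddress.ip_address(lan_ip)  # raises on a malformed address
        forwards.append(
            Forward(name, proto.lower(), int(wan_port), lan_ip, int(lan_port))
        )
    return forwards


def stale_forwards(forwards, listening):
    """Forwards whose LAN target has nothing listening: holes through the
    NAT's default deny that serve no current purpose and should be closed."""
    return [f for f in forwards
            if (f.lan_ip, f.proto, f.lan_port) not in listening]


def exposure_by_host(forwards):
    """Number of unsolicited-inbound holes the NAT has open per LAN host."""
    counts = {}
    for f in forwards:
        counts[f.lan_ip] = counts.get(f.lan_ip, 0) + 1
    return counts


def audit(text=FORWARD_TABLE, listening=LISTENING):
    """Return a summary dict for the given table and listening snapshot."""
    forwards = parse_forwards(text)
    return {
        "total": len(forwards),
        "stale": [f.name for f in stale_forwards(forwards, listening)],
        "per_host": exposure_by_host(forwards),
    }


if __name__ == "__main__":
    report = audit()
    print(f"{report['total']} forwards, "
          f"{len(report['stale'])} stale: {report['stale']}")
    for host, n in sorted(report["per_host"].items()):
        print(f"  {host}: {n} inbound hole(s)")
```

Run against the constructed data, the audit flags `trader-2`, `trader-udp` and `old-nas` as stale and shows the trading PC with three holes for one still-used service; the two numbers a home administrator wants from the router are exactly those: which forwards can be deleted today, and how many remain per host afterwards.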
