On 2019-02-02 5:51 p.m., Dave Howorth wrote:
> Thanks for answering my questions, Peter, and giving me some more to think about. Apologies to all for the mnemonic confusion; I meant WLAN rather than WAN, of course. It's the phones and IoT devices on the network that cause me most concern; I'm not so much worried about the state of my Linux boxes.
>
> My router does have a basic firewall as well as NAT and I don't have online gaming or any other fancy features enabled. I use a POTS line (with an unpowered handset for power failure scenarios).
I run one of two things, either a Thompson cable router that is an 'all in one' which offers the NAT to 4 Ethernet + wifi, or a Thompson cable router that offers a single Ethernet port that I then run to a Netgear ProSafe Firewall/switch which I can make look like a NAT. I plug a Linksys wifi router into that. What this amounts to, however I cook it, boils down to

    Cable -> router -> NAT(Ethernet, wifi)

We can drown arguing over details. Like you I don't have any special ports open for gaming, though I keep thinking about mapping through to Postfix and/or Apache if I ever resurrect my DynDNS account. But let's leave that out of the discussion.

James correctly points out that NAT is not a security mechanism. Well he's correct in absolute terms; NAT can't be relied on for security. But that doesn't mean that the routers which incorporate NAT can't be made more robust. I'm not saying that they will withstand any kind of determined attack, only that they can be configured so as not to be in CFM mode and not open to automated drive-by scans for glaring weaknesses. And, to be honest, that's an aspect of the router software rather than anything to do with NAT.

Of course there's also stuff like https://wiki.dd-wrt.com/wiki/index.php/Main_Page and the main advantage of DD-WRT is that it is easier to install updates than most vendors' systems! Don't scoff - that is very much a security advantage. https://wiki.dd-wrt.com/wiki/index.php/KRACK_Vulnerability_and_DD-WRT

And DD-WRT provides additional security features such as iptables as well as add-on features to monitor the traffic and utilization.

And Pi? https://openwrt.org/toh/raspberry_pi_foundation/raspberry_pi
The basic Pi only has 1 Ethernet port so it's not possible to use it as a router. But there are other boards that use ARM processors that have more on the board. Go google.

=========================================

As I said above, real-world routers do more than just NAT.
My Thompson can do packet inspection on web traffic:

    Web Content Filter: This page allows certain Web-oriented cookies, java scripts, and pop-up windows to be blocked by the firewall. A list of "trusted computers" can also be defined that are not subject to any filters configured. Specific Firewall features can also be enabled. It is highly recommended that the Firewall is left enabled at all times for protection against Denial of Service attacks. Go to the Parental Control page to block internet access to specific sites.

It then goes on to list:

    Web Features
      Filter Proxy                  [] Enable
      Filter Cookies                [] Enable
      Filter Java Applets           [] Enable
      Filter ActiveX                [] Enable
      Filter Popup Windows          [] Enable
      Block Fragmented IP Packets   [] Enable
      Port Scan Detection           [] Enable
      IP Flood Detection            [] Enable
      Firewall Protection           [] Enable

One presumes the argument is that you have all that CPU power, why not do something with it? After all, that is a 'security' feature that one does find on firewalls.

Now the above or something similar may or may not be available on your specific hardware, but what you might have, probably have, is some kind of filtering, be it by IP port/range or by MAC address. That may require a bit of thought about address assignment, and some of it seems to be denial of specifics rather than allowing specifics. YMMV. Again this is a form of security we sometimes see on firewalls and it has nothing to do with NAT.

My advice? Go directly to OpenWrt or DD-WRT (but maybe not with a Pi) and install a full-featured router with NAT AND stuff like iptables, which is familiar and for which there is a lot of support.

--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
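What the reply above argues for, as an added example that is not part of this thread or of any DD-WRT/OpenWrt release: a router that does NAT *and* filters with iptables, with the phones and IoT devices on the WLAN kept away from the wired LAN and only return traffic allowed in from the cable side. Interface names (eth0, br-lan, wlan0) and subnets are assumptions; the script prints an iptables-restore ruleset so it can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset for a
# Linux-based home router that does NAT and filtering, not NAT alone.
# Assumed interfaces: WAN=eth0, wired LAN=br-lan, WLAN with phones/IoT=wlan0.
# Assumed subnets: LAN 192.168.1.0/24, WLAN 192.168.2.0/24 (both constructed).
WAN=${WAN:-eth0}; LAN=${LAN:-br-lan}; WLAN=${WLAN:-wlan0}
LAN_NET=${LAN_NET:-192.168.1.0/24}; WLAN_NET=${WLAN_NET:-192.168.2.0/24}

router_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# The NAT part: both inside segments masquerade behind the WAN address.
-A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
-A POSTROUTING -s $WLAN_NET -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The "Block Fragmented IP Packets" knob: drop non-first fragments early.
-A INPUT -f -j DROP
-A FORWARD -f -j DROP
# Router itself: loopback, replies, DNS/DHCP for both segments, ssh from LAN only.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN -p udp --dport 53 -j ACCEPT
-A INPUT -i $WLAN -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN -p udp --dport 67 -j ACCEPT
-A INPUT -i $WLAN -p udp --dport 67 -j ACCEPT
# Forwarding: inside -> Internet allowed; from the WAN only replies come back.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -j ACCEPT
-A FORWARD -i $WLAN -o $WAN -j ACCEPT
# Phones/IoT on the WLAN must not reach the wired LAN; log (rate-limited) then drop.
-A FORWARD -i $WLAN -o $LAN -m limit --limit 5/min -j LOG --log-prefix "wlan-to-lan: "
-A FORWARD -i $WLAN -o $LAN -j DROP
COMMIT
EOF
}

# Review with --show; load on the router (as root) with --apply.
case "${1:-}" in
  --show)  router_rules ;;
  --apply) router_rules | iptables-restore ;;
esac
```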