On 05/10/2015 01:36 PM, Bob Williams wrote:
On 10/05/15 17:37, James Knott wrote:
On 05/10/2015 10:30 AM, Bob Williams wrote:
And presumably I choose 'Internal Zone'?
There you're talking about a firewall protecting a network, rather than one protecting a single computer. The zone refers to which side of the firewall you're talking about. External would be the interface connected to the Internet and internal, your local LAN. If you're protecting a single computer, then everything else is external. However, if you have a firewall facing the Internet, do you really need one on a computer connected to your local network?
This is where my old brain finds it difficult to understand the concepts.
I can't say I blame you. For a long time now vendors have abused terminology and have made claims about functionality for the sake of getting people to buy by means of increasing their expectations. Classically a firewall was a portal between two networks made up of a host managing two routers. Compare this with a simple single-point access control such as TCPWrappers.
The firewalls I'm talking about are on each machine in the house connected to the NAT router,
In many ways, that 'front end' is TCPWrappers writ large, implemented in the IP stack rather than the application layer.
http://udel.edu/~grim/tcp_wrapper.pdf
http://www.slashroot.in/linux-access-control-using-tcp-wrappers
has a nice illustration of the layering. It also shows an answer to your Q ... if you were using TCPWrappers :-)
http://www.aboutlinux.info/2005/10/using-tcp-wrappers-to-secure-linux.html
which in turn is connected to the Internet. So from your last remark, they are all protected by the router, and do not need to be running separate software firewalls themselves? The router (Draytek Vigor 2830Vn) claims to have a 'firewall' inside it, but I have never changed the default settings.
Again I see that as abuse of terminology for the purpose of marketing. I have a Netgear that makes similar claims. No, it's not really a firewall, not in the classical sense.
I also understand that the process of 'Network Address Translation' causes rejection of any unsolicited packets from outside, which constitutes a sort of firewall. Are you saying I can rely on that?
It depends on what you mean by "rely". NAT is just that, address translation. TCP is stateful and the NAT software tracks the state of an established link and does address translation. But this only makes sense for outgoing TCP connections. UDP is stateless and there are a few guesses to make DNS work. More to the point, NAT will not allow an incoming TCP _request_.

That doesn't mean it's secure. There are ways of piggy-backing on established connections. The famous Mitnick vs Tsutomu Shimomura case, documented as the book and movie "Takedown", was based on such a technique. We've made adjustments to the way TCP initiation & packet sequencing is done that make such an attack very difficult, but it's not impossible. See also http://tools.ietf.org/html/rfc1948

So in order to run certain services, which may not apply in your case but seems all too prevalent in the way much commercial software for Windows has been designed, "holes" in that have to be opened up. Either a TCP or UDP link for a certain port is "forwarded" to a particular host. You can see, pretty easily, how this would apply for a web server on the inside of the NAT "firewall".

But even so, there are MANY ways a NAT firewall won't protect you. There are many ways that something on the inside can be made to initiate a session outbound. It may be javascript in a web site or even an HTML-laden email. Let's face it, HTML email is redundant and potentially EVIL!

So if you ask me, the answer is NO, YOU CANNOT RELY ON A NAT TO ACT AS A SECURITY DEVICE. But to be fair, the way most "personal" or "host-based" firewalls are configured, the same applies. No host-based firewall is going to stop the user reading email or browsing the web.
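The behaviour described in the reply above (state is created only by outbound traffic, an unsolicited inbound TCP request is dropped, a port forward opens a hole, an inside host that calls out gets its traffic back in regardless, and UDP mappings survive only for a guessed timeout) can be walked through with a toy connection-tracking model. This is an added illustration, not code from the thread, from openSUSE or from any router vendor; the addresses (RFC 5737 documentation ranges), ports, the 30-second UDP timeout and the address-restricted matching rule are all assumptions made for the example, and real NAT implementations differ in detail.

```python
"""Toy stateful NAT to illustrate why NAT is not, by itself, a security device.

Assumed for the example (not from the thread): WAN address 203.0.113.10,
LAN hosts 192.168.1.x, remote hosts 198.51.100.x, a 30 s UDP idle timeout,
and address-restricted matching (a reply is admitted only from the exact
remote host:port the inside machine talked to).
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.10"   # assumed router WAN address


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for a TCP connection *request* (SYN without ACK)


Key = Tuple[str, int]                      # (proto, public port)
Entry = Tuple[str, int, str, int, int]     # inside ip, inside port, remote ip, remote port, last seen


class ToyNat:
    def __init__(self, udp_timeout: int = 30) -> None:
        self.table: Dict[Key, Entry] = {}
        self.forwards: Dict[Key, Tuple[str, int]] = {}   # (proto, public port) -> inside host, port
        self.next_port = 40000
        self.udp_timeout = udp_timeout
        self.now = 0

    def tick(self, seconds: int) -> None:
        self.now += seconds

    def add_forward(self, proto: str, public_port: int, inside_ip: str, inside_port: int) -> None:
        """The 'hole' a user opens so an outside request can reach an inside server."""
        self.forwards[(proto, public_port)] = (inside_ip, inside_port)

    def _lookup(self, proto: str, iip: str, iport: int, rip: str, rport: int) -> Optional[Key]:
        for key, (a, b, c, d, _) in self.table.items():
            if key[0] == proto and (a, b, c, d) == (iip, iport, rip, rport):
                return key
        return None

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside is always allowed: rewrite the source and remember the state."""
        key = self._lookup(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key is None:
            key = (pkt.proto, self.next_port)
            self.next_port += 1
        self.table[key] = (pkt.src, pkt.sport, pkt.dst, pkt.dport, self.now)
        return Packet(pkt.proto, PUBLIC_IP, key[1], pkt.dst, pkt.dport, pkt.syn)

    def inbound(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Outside -> inside: only tracked replies or explicit forwards get through."""
        key = (pkt.proto, pkt.dport)
        entry = self.table.get(key)
        if entry is not None:
            iip, iport, rip, rport, seen = entry
            if (pkt.src, pkt.sport) == (rip, rport) and not pkt.syn:
                # UDP has no handshake to end a flow, so the router just guesses a timeout.
                if pkt.proto == "udp" and self.now - seen > self.udp_timeout:
                    del self.table[key]
                    return ("dropped: udp mapping expired", None)
                self.table[key] = (iip, iport, rip, rport, self.now)
                return ("translated", Packet(pkt.proto, pkt.src, pkt.sport, iip, iport, pkt.syn))
        if key in self.forwards:
            iip, iport = self.forwards[key]
            return ("forwarded", Packet(pkt.proto, pkt.src, pkt.sport, iip, iport, pkt.syn))
        return ("dropped: no state", None)


def scenario() -> Dict[str, str]:
    """Constructed traffic covering the cases from the thread; returns a verdict per case."""
    nat = ToyNat(udp_timeout=30)
    out: Dict[str, str] = {}

    # 1. A LAN browser opens HTTPS: state is created, so the server's reply gets back in.
    syn = nat.outbound(Packet("tcp", "192.168.1.20", 51000, "198.51.100.5", 443, syn=True))
    out["outbound_src"] = f"{syn.src}:{syn.sport}"
    verdict, reply = nat.inbound(Packet("tcp", "198.51.100.5", 443, PUBLIC_IP, syn.sport))
    out["reply_to_browser"] = f"{verdict} -> {reply.dst}:{reply.dport}"

    # 2. Unsolicited SYN from the Internet to port 22: no state, dropped.
    verdict, _ = nat.inbound(Packet("tcp", "198.51.100.77", 12345, PUBLIC_IP, 22, syn=True))
    out["unsolicited_ssh"] = verdict

    # 3. A third party guessing the mapped port: wrong remote, still dropped.
    verdict, _ = nat.inbound(Packet("tcp", "198.51.100.77", 443, PUBLIC_IP, syn.sport))
    out["spoof_mapped_port"] = verdict

    # 4. A port forward for an inside web server lets the request straight through.
    nat.add_forward("tcp", 80, "192.168.1.30", 80)
    verdict, fwd = nat.inbound(Packet("tcp", "198.51.100.77", 40123, PUBLIC_IP, 80, syn=True))
    out["forwarded_web"] = f"{verdict} -> {fwd.dst}:{fwd.dport}"

    # 5. Script on an inside host calls out to a remote listener: NAT permits it,
    #    and everything the remote side sends back rides the established state in.
    syn2 = nat.outbound(Packet("tcp", "192.168.1.40", 52222, "198.51.100.99", 4444, syn=True))
    verdict, back = nat.inbound(Packet("tcp", "198.51.100.99", 4444, PUBLIC_IP, syn2.sport))
    out["reverse_shell"] = f"{verdict} -> {back.dst}:{back.dport}"

    # 6. DNS over UDP: the reply is admitted promptly, but not after the guessed timeout.
    q = nat.outbound(Packet("udp", "192.168.1.20", 53001, "198.51.100.53", 53))
    verdict, _ = nat.inbound(Packet("udp", "198.51.100.53", 53, PUBLIC_IP, q.sport))
    out["dns_reply_prompt"] = verdict
    nat.tick(60)
    verdict, _ = nat.inbound(Packet("udp", "198.51.100.53", 53, PUBLIC_IP, q.sport))
    out["dns_reply_late"] = verdict
    return out


if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case:20s} {result}")
```

Case 5 is the point of the reply: the model never asks whether the inside host *should* be talking to 198.51.100.99:4444, only whether it did so first, which is exactly the gap a host-based firewall with a default "allow all outbound" policy leaves open too.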