Re: why run a firewall on a trusted network?
Carlos E. R. wrote:
On 2023-05-01 17:55, Dave Howorth wrote:
On Mon, 01 May 2023 17:37:25 +0200
I run both nfs server and clients in all my computers in my LAN, and I do want to keep all my machines with an active firewall. This is pretty normal.
I disagree. If the network is trusted, what is the point of a firewall?
I don't see the point in not using it.
It might be easier if you simply listed the reasons for using a firewall on a trusted network. I find the idea intriguing.
I have been using NFS for decades across a firewall on each computer, no issues. Works fine with SuSEfirewall2.
Does in no way imply it was the right thing to do. My late mum smoked a couple of packets of cigarettes every day for decades, no issues.
The problem is that it doesn't know about the dynamic ports it opens. The hack is to make the server use a small range of ports and independently open them.
Oh, you have a problem and you need a hack .... yeah, like I said, don't expect everything to work when you are not adhering to the commonly accepted conditions.
Anyway, enough of that - when we can't agree on what a trusted network is, I think it's best to stop.
--
Per Jessen, Zürich (12.1°C)
Member, openSUSE Heroes (2016 - present)
We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-05-02 08:44, Per Jessen wrote:
Carlos E. R. wrote:
On 2023-05-01 17:55, Dave Howorth wrote:
On Mon, 01 May 2023 17:37:25 +0200
I run both nfs server and clients in all my computers in my LAN, and I do want to keep all my machines with an active firewall. This is pretty normal.
I disagree. If the network is trusted, what is the point of a firewall?
I don't see the point in not using it.
It might be easier if you simply listed the reasons for using a firewall on a trusted network. I find the idea intriguing.
I find the idea of not running it intriguing and naive.
I have been using NFS for decades across a firewall on each computer, no issues. Works fine with SuSEfirewall2.
Does in no way imply it was the right thing to do. My late mum smoked a couple of packets of cigarettes every day for decades, no issues.
Oh, yes, it is the right thing to do. Your example is against the law.
The problem is that it doesn't know about the dynamic ports it opens. The hack is to make the server use a small range of ports and independently open them.
Oh, you have a problem and you need a hack .... yeah, like I said, don't expect everything to work when you are not adhering to the commonly accepted conditions.
What commonly accepted conditions?
Anyway, enough of that - when we can't agree on what a trusted network is, I think it's best to stop.
Ok.
--
Cheers / Saludos,
Carlos E. R.
(from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
On 2023-05-02 08:44, Per Jessen wrote:
Carlos E. R. wrote:
On 2023-05-01 17:55, Dave Howorth wrote:
On Mon, 01 May 2023 17:37:25 +0200
I run both nfs server and clients in all my computers in my LAN, and I do want to keep all my machines with an active firewall. This is pretty normal.
I disagree. If the network is trusted, what is the point of a firewall?
I don't see the point in not using it.
It might be easier if you simply listed the reasons for using a firewall on a trusted network. I find the idea intriguing.
I find the idea of not running it intriguing and naive.
Carlos, instead of snide remarks, why don't you list the reasons for using a firewall on a trusted network.
I have been using NFS for decades across a firewall on each computer, no issues. Works fine with SuSEfirewall2.
Does in no way imply it was the right thing to do. My late mum smoked a couple of packets of cigarettes every day for decades, no issues.
Oh, yes, it is the right thing to do. Your example is against the law.
Huh? my late mum was smoking illegally ? :-) I presume that is not what you meant, but what else is against the law?
The problem is that it doesn't know about the dynamic ports it opens. The hack is to make the server use a small range of ports and independently open them.
Oh, you have a problem and you need a hack .... yeah, like I said, don't expect everything to work when you are not adhering to the commonly accepted conditions.
What commonly accepted conditions?
Didn't we go over that yesterday? NFS is generally only used on trusted networks.
Anyway, enough of that - when we can't agree on what a trusted network is, I think it's best to stop.
I should really take my own medicine.
--
Per Jessen, Zürich (17.9°C)
Member, openSUSE Heroes (2016 - present)
We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-05-02 12:24, Per Jessen wrote:
Carlos E. R. wrote:
On 2023-05-02 08:44, Per Jessen wrote:
Carlos E. R. wrote:
On 2023-05-01 17:55, Dave Howorth wrote:
On Mon, 01 May 2023 17:37:25 +0200
I run both nfs server and clients in all my computers in my LAN, and I do want to keep all my machines with an active firewall. This is pretty normal.
I disagree. If the network is trusted, what is the point of a firewall?
I don't see the point in not using it.
It might be easier if you simply listed the reasons for using a firewall on a trusted network. I find the idea intriguing.
I find the idea of not running it intriguing and naive.
Carlos, instead of snide remarks, why don't you list the reasons for using a firewall on a trusted network.
Sorry, it is not a snide remark. It is simply how I see things. I can not understand not running firewalls in all machines.
I have been using NFS for decades across a firewall on each computer, no issues. Works fine with SuSEfirewall2.
Does in no way imply it was the right thing to do. My late mum smoked a couple of packets of cigarettes every day for decades, no issues.
Oh, yes, it is the right thing to do. Your example is against the law.
Huh? my late mum was smoking illegally ? :-) I presume that is not what you meant, but what else is against the law?
Smoking is against doctor laws, and otherwise it is illegal in many places.
The problem is that it doesn't know about the dynamic ports it opens. The hack is to make the server use a small range of ports and independently open them.
Oh, you have a problem and you need a hack .... yeah, like I said, don't expect everything to work when you are not adhering to the commonly accepted conditions.
What commonly accepted conditions?
Didn't we go over that yesterday? NFS is generally only used on trusted networks.
We have different definitions of that.
Anyway, enough of that - when we can't agree on what a trusted network is, I think it's best to stop.
I should really take my own medicine.
--
Cheers / Saludos,
Carlos E. R.
(from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
On 2023-05-02 12:24, Per Jessen wrote:
Carlos E. R. wrote:
On 2023-05-02 08:44, Per Jessen wrote:
Carlos E. R. wrote: I find the idea of not running it intriguing and naive.
Carlos, instead of snide remarks, why don't you list the reasons for using a firewall on a trusted network.
Sorry, it is not a snide remark. It is simply how I see things.
Maybe I just need to grow some thicker skin, but calling me naive ...
I can not understand not running firewalls in all machines.
Yet you seem unable or (even unwilling?) to explain your reasons for doing so, on a trusted network. In stark contrast, I am perfectly happy to explain why I don't and never have - because "all machines" on my trusted network are trusted. If they weren't, the network wouldn't be trusted. Local machines that I do not trust (usually because they are outside my control) are on a reduced trust network. For instance, all of my son's machines (Windows for gaming, Macbook for work, misc. Nintendos, mobiles and whathaveyou). IoTs, washing machines, hoovers, coffee machines etc are also all separate. I have more separate networks, but that'll do for now. It is the quintessential idea of firewalling - there are trusted and there are untrusted networks. Usually also some semi-trusted networks, like above. Sometimes there are networks you want to keep separate for other reasons, even if they are both trusted.
I have been using NFS for decades across a firewall on each computer, no issues. Works fine with SuSEfirewall2.
Does in no way imply it was the right thing to do. My late mum smoked a couple of packets of cigarettes every day for decades, no issues.
Oh, yes, it is the right thing to do. Your example is against the law.
Huh? my late mum was smoking illegally ? :-) I presume that is not what you meant, but what else is against the law?
Smoking is against doctor laws, and otherwise it is illegal in many places.
What are "doctor laws"? Anyway, it was never a problem for my mum, she mostly smoked at home. (has this gone wayyyyy off topic?)
--
Per Jessen, Zürich (18.5°C)
Member, openSUSE Heroes (2016 - present)
We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-05-02 13:02, Per Jessen wrote:
Carlos E. R. wrote:
On 2023-05-02 12:24, Per Jessen wrote:
Carlos E. R. wrote:
On 2023-05-02 08:44, Per Jessen wrote:
Carlos E. R. wrote: I find the idea of not running it intriguing and naive.
Carlos, instead of snide remarks, why don't you list the reasons for using a firewall on a trusted network.
Sorry, it is not a snide remark. It is simply how I see things.
Maybe I just need to grow some thicker skin, but calling me naive ...
Not intended as name calling or offensive, sorry.
I can not understand not running firewalls in all machines.
Yet you seem unable or (even unwilling?) to explain your reasons for doing so, on a trusted network.
Because to me it is the natural thing to do. It is you who should explain why not!
In stark contrast, I am perfectly happy to explain why I don't and never have - because "all machines" on my trusted network are trusted. If they weren't, the network wouldn't be trusted.
Any machine can eventually go rogue. In an enterprise environment, most successful attacks come from inside. Obviously, if most of them think the same way, not running firewalls inside, that explains why attacks succeed that easily.
Local machines that I do not trust (usually because they are outside my control) are on a reduced trust network. For instance, all of my son's machines (Windows for gaming, Macbook for work, misc. Nintendos, mobiles and whathaveyou). IoTs, washing machines, hoovers, coffee machines etc are also all separate. I have more separate networks, but that'll do for now.
Well, instead of having a separate network (I don't have the hardware for that), I use firewalls.
It is the quintessential idea of firewalling - there are trusted and there are untrusted networks. Usually also some semi-trusted networks, like above. Sometimes there are networks you want to keep separate for other reasons, even if they are both trusted.
I have been using NFS for decades across a firewall on each computer, no issues. Works fine with SuSEfirewall2.
Does in no way imply it was the right thing to do. My late mum smoked a couple of packets of cigarettes every day for decades, no issues.
Oh, yes, it is the right thing to do. Your example is against the law.
Huh? my late mum was smoking illegally ? :-) I presume that is not what you meant, but what else is against the law?
Smoking is against doctor laws, and otherwise it is illegal in many places.
What are "doctor laws"? Anyway, it was never a problem for my mum, she mostly smoked at home. (has this gone wayyyyy off topic?)
My doctor says something akin to "do not smoke, or else." :-P I have always obeyed.
--
Cheers / Saludos,
Carlos E. R.
(from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
On 2023-05-02 13:02, Per Jessen wrote:
I can not understand not running firewalls in all machines.
Yet you seem unable or (even unwilling?) to explain your reasons for doing so, on a trusted network.
Because to me it is the natural thing to do. It is you who should explain why not!
I'm sorry, I thought I had. Because they are trusted machines on a trusted network. In your case, you obviously don't trust your own network, which is a bit odd, but you know best.
In stark contrast, I am perfectly happy to explain why I don't and never have - because "all machines" on my trusted network are trusted. If they weren't, the network wouldn't be trusted.
Any machine can eventually go rogue.
Maybe that is natural state of things to you, but not to me. My machines do exactly what I tell them.
In an enterprise environment, most successful attacks come from inside.
Those are socially engineered attacks. A firewall is not intended to nor capable of dealing with those.
--
Per Jessen, Zürich (18.3°C)
Member, openSUSE Heroes (2016 - present)
We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-05-02 13:52, Per Jessen wrote:
Carlos E. R. wrote:
On 2023-05-02 13:02, Per Jessen wrote:
I can not understand not running firewalls in all machines.
Yet you seem unable or (even unwilling?) to explain your reasons for doing so, on a trusted network.
Because to me it is the natural thing to do. It is you who should explain why not!
I'm sorry, I thought I had. Because they are trusted machines on a trusted network.
In your case, you obviously don't trust your own network, which is a bit odd, but you know best.
I don't trust the router, and I was right. I don't have a separate network for guests. Anything can go rogue one day. I have some machines with Windows. Including virtual ones. By the way, Windows firewall is ON by default. <https://security.stackexchange.com/questions/225658/does-it-make-sense-to-put-a-firewall-within-a-lan-to-protect-sensitive-informati>
In stark contrast, I am perfectly happy to explain why I don't and never have - because "all machines" on my trusted network are trusted. If they weren't, the network wouldn't be trusted.
Any machine can eventually go rogue.
Maybe that is natural state of things to you, but not to me. My machines do exactly what I tell them.
Till they don't. There can come a trojan or virus one day. I haven't had one since 1987 or thereabouts, but who knows.
In an enterprise environment, most successful attacks come from inside.
Those are socially engineered attacks. A firewall is not intended to nor capable of dealing with those.
Depends.
--
Cheers / Saludos,
Carlos E. R.
(from 15.4 x86_64 at Telcontar)
On 5/2/23 03:13, Carlos E. R. wrote:
Anyway, enough of that - when we can't agree on what a trusted network is, I think it's best to stop.
Ok.
That's a good point. One might be able to assume "trust" on a small home network consisting of a desktop and a printer. But can you make the same assumption about a /20 (IPv4) non-NATted subnet with hundreds (maybe thousands) of different kinds of connected things? Windows, MAC's, Linux/UNIX (various versions), SAN's, NAS'es, printers, scanners, etc. The risk is there even if the network is professionally managed with all state-of-the-art security controls and processes. Not running host-based firewalls is folly. Again, security must be in depth to be effective.
But the mention of a printer reminds me of a security breach we had around 1989 IIRC. An HP printer was compromised by a Russian actor and was used as a vector to try to gain access to the network. No damage was done, we caught it right away, but it does illustrate the problem.
Rhetorical question: Can one have a "trusted" network where WiFi access is possible?
Regards,
Lew
Lew Wolfgang wrote:
On 5/2/23 03:13, Carlos E. R. wrote:
Anyway, enough of that - when we can't agree on what a trusted network is, I think it's best to stop.
Ok.
That's a good point. One might be able to assume "trust" on a small home network consisting of a desktop and a printer.
You know what they say about "assume" :-) If the home/hobby/wannabe admin is genuinely concerned about the safety of her network, she should not be making assumptions. She should determine what "trusted" means and whether those conditions are met.
But can you make the same assumption about a /20 (IPv4) non-natted subnet with hundreds (maybe thousands) of different kinds of connected things? Windows, MAC's, Linux/UNIX (various versions) SAN's, NAS'es, printers, scanners, etc.
I'll be happy to provide an answer, but what is your billing address? For security consultancy, I charge 2000/day. Okay, simple answers are 100/word. To maybe drum up some business, the free answer is "no". Non-free: a) don't make assumptions. b) don't make assumptions about security topics c) no, a /20 without access limitations cannot be ass-u-me'd to be trusted. d) don't make assumptions. That's about 20 words, (d) was for free.
The risk is there even if the network is professionally managed with all state of the art security controls and processes.
No it isn't. If the latter applies, there won't be any "Windows, MAC's, Linux/UNIX (various versions), SAN's, NAS'es, printers, scanners, etc. connected.
Not running host-based firewalls is folly.
I've already told you that you and Carlos are kindred nutt .... uh spirits. Same water.
But the mention of a printer reminds me of a security breach we had around 1989 IIRC.
At that time, all I knew about networking was SNA. I could IML an NCP, whichever one.
Rhetorical question: Can one have a "trusted" network where WiFi access is possible?
Yes, I don't see an issue in that, provided no trusted machines access the wifi.
--
Per Jessen, Zürich (17.5°C)
Member, openSUSE Heroes (2016 - present)
We're hiring - https://en.opensuse.org/openSUSE:Heroes
Well, I do not find it anywhere on the net, but there was, about 1990?, a nice joke: what is a safe computer? And it went something like this: if I have a computer, I will put it in the middle of my cellar, I will switch it off, I will take out the door and fill the door hole with concrete, I will cut off all the power lines... but even then I am not 100% sure.
And by the way, there was a myth, I never found out whether it was true, that on the Commodore Amiga there was a virus which was able to use the battery of the clock to stay resident in memory.
So, why discuss safe NETWORKS here?????? A network is per definition ALWAYS unsafe.
This is written by a guy who does not use WiFi, only for guests with an extra internet router, not connected to the main network. And I do not own a mobile phone because of all the insecure stuff (but I am thinking about a Fairphone or something like this with openSUSE on it). ..... And my brother always tells me: even if you do not have a mobile phone, the Mossad, the Chinese and the USA know where you are. Really? Yes, they check where in Germany there is no mobile phone, and exactly that is your position. I am lost.... ;-(((
simoN
PS: I always run firewalls in my networks, and I use NFS to get through these firewalls, using fixed ports; even NFSv3 can work with fixed ports (it was not necessary with SuSEfirewall2, but it is now with firewalld). I think I remember I have written somewhere here on the users@ list how to do it.
--
www.becherer.de
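The dynamic-port problem Carlos describes earlier in the thread (NFSv3's mountd, statd and lockd register with rpcbind on whatever port they were handed, so a host firewall cannot know them in advance) and the fixed-port approach Simon mentions in his PS, as an added example that is not from the thread or from any of the participants. It assumes nfs-utils 2.x reading /etc/nfs.conf (older releases used equivalent variables in /etc/sysconfig/nfs) and firewalld with the LAN interface in the "internal" zone; the three port numbers are arbitrary choices. The nfs.conf fragment and the firewall-cmd lines are emitted rather than applied, so the script runs without root; the check function parses `rpcinfo -p` output (the samples here are constructed) and names any service still sitting on a dynamic port.

```shell
#!/bin/sh
# Added example (not from the thread): pin the NFSv3 side services to fixed
# ports, emit the matching firewalld rules, and verify with `rpcinfo -p`.
# Assumptions: nfs-utils 2.x reading /etc/nfs.conf, firewalld with the LAN
# interface in zone "internal". The three port numbers are arbitrary picks.
set -eu

MOUNTD_PORT=20048
STATD_PORT=32765
LOCKD_PORT=32803

# /etc/nfs.conf stanzas that make mountd, statd and lockd stop asking rpcbind
# for a random port. NFS itself (2049) and rpcbind (111) are fixed already.
nfs_conf_fragment() {
    cat <<EOF
[mountd]
port=$MOUNTD_PORT

[statd]
port=$STATD_PORT

[lockd]
port=$LOCKD_PORT
udp-port=$LOCKD_PORT
EOF
}

# firewalld commands for the zone the LAN interface sits in. Only emitted,
# not executed, so this runs without root; pipe them into sh on the server.
firewalld_commands() {
    zone=${1:-internal}
    for p in 111 2049 "$MOUNTD_PORT" "$STATD_PORT" "$LOCKD_PORT"; do
        echo "firewall-cmd --permanent --zone=$zone --add-port=$p/tcp --add-port=$p/udp"
    done
    echo "firewall-cmd --reload"
}

# Read `rpcinfo -p` output on stdin. Every mountd/status/nlockmgr registration
# must sit on its pinned port; otherwise name the offenders and return 1.
check_rpcinfo() {
    awk -v m="$MOUNTD_PORT" -v s="$STATD_PORT" -v l="$LOCKD_PORT" '
        NR == 1 { next }                                  # column header
        $5 == "mountd"   && $4 != m { bad = bad " mountd:"   $4 }
        $5 == "status"   && $4 != s { bad = bad " status:"   $4 }
        $5 == "nlockmgr" && $4 != l { bad = bad " nlockmgr:" $4 }
        END { if (bad != "") { print "unpinned:" bad; exit 1 } print "ok" }'
}

# Constructed rpcinfo output: one server after pinning, one where statd still
# took whatever rpcbind handed out (the case a host firewall quietly breaks).
SAMPLE_PINNED='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100005    3   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100024    1   udp  32765  status
    100024    1   tcp  32765  status
    100021    4   udp  32803  nlockmgr
    100021    4   tcp  32803  nlockmgr'

SAMPLE_DYNAMIC='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100024    1   udp  41221  status
    100024    1   tcp  41221  status
    100021    4   tcp  32803  nlockmgr'

nfs_conf_fragment
firewalld_commands internal
printf '%s\n' "$SAMPLE_PINNED" | check_rpcinfo            # ok
printf '%s\n' "$SAMPLE_DYNAMIC" | check_rpcinfo || true   # unpinned: status:41221 status:41221
```

On the real server, restart nfs-server after adding the fragment and run `rpcinfo -p localhost | check_rpcinfo`; anything other than "ok" means a service is still on a dynamic port and the host firewall will break mounts or locking for NFSv3 clients. With NFSv4 only (clients mounting with vers=4) none of this is needed: everything goes over 2049/tcp and rpcbind, mountd, statd and lockd are not involved, which is the cleaner answer to running NFS through a host firewall.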
On 2023-05-02 04:13, Carlos E. R. wrote:
On 2023-05-02 08:44, Per Jessen wrote:
Carlos E. R. wrote:
It might be easier if you simply listed the reasons for using a firewall on a trusted network. I find the idea intriguing.
I find the idea of not running it intriguing and naive.
If you feel you need a firewall on a trusted network, perhaps you really need a more robust set of rules on your external firewall.
I have been using NFS for decades across a firewall on each computer, no issues. Works fine with SuSEfirewall2.
Does in no way imply it was the right thing to do. My late mum smoked a couple of packets of cigarettes every day for decades, no issues.
Oh, yes, it is the right thing to do. Your example is against the law.
Smoking 2 packs a day is illegal?
On 2023-05-02 19:06, Darryl Gregorash wrote:
On 2023-05-02 04:13, Carlos E. R. wrote:
On 2023-05-02 08:44, Per Jessen wrote:
Carlos E. R. wrote:
It might be easier if you simply listed the reasons for using a firewall on a trusted network. I find the idea intriguing.
I find the idea of not running it intriguing and naive.
If you feel you need a firewall on a trusted network, perhaps you really need a more robust set of rules on your external firewall.
As it is, the current external firewall, which belongs to the ISP (and can not be replaced by one of my own, so don't ask again), claims to firewall but does nothing at all. This became known when they activated IPv6 a week ago for a Beta test.
--
Cheers / Saludos,
Carlos E. R.
(from 15.4 x86_64 at Telcontar)
On 2023-05-02 12:45, Carlos E. R. wrote:
On 2023-05-02 19:06, Darryl Gregorash wrote:
On 2023-05-02 04:13, Carlos E. R. wrote:
On 2023-05-02 08:44, Per Jessen wrote:
Carlos E. R. wrote:
It might be easier if you simply listed the reasons for using a firewall on a trusted network. I find the idea intriguing.
I find the idea of not running it intriguing and naive.
If you feel you need a firewall on a trusted network, perhaps you really need a more robust set of rules on your external firewall.
As it is, the current external firewall, which belongs to the ISP (and can not be replaced by one of my own, so don't ask again), claims to firewall but does nothing at all. This became known when they activated IPv6 a week ago for a Beta test.
Now you have me really confused. How is the external firewall in any way relevant to issues relating to internal firewalls? If you have/learn of security issues with that external firewall, you could simply put your own firewall/router (a separate computer running Linux) between the ISP's equipment and your local network(s). In fact, I had assumed this is exactly what you had done, the moment you noticed problems with the ISP's firewall. BTW, that personal router/firewall could not be considered part of any trusted network. At best, it would be part of a DMZ, though I personally would treat it as part of the external net.
On 2023-05-02 23:13, Darryl Gregorash wrote:
On 2023-05-02 12:45, Carlos E. R. wrote:
On 2023-05-02 19:06, Darryl Gregorash wrote:
On 2023-05-02 04:13, Carlos E. R. wrote:
On 2023-05-02 08:44, Per Jessen wrote:
Carlos E. R. wrote:
It might be easier if you simply listed the reasons for using a firewall on a trusted network. I find the idea intriguing.
I find the idea of not running it intriguing and naive.
If you feel you need a firewall on a trusted network, perhaps you really need a more robust set of rules on your external firewall.
As it is, the current external firewall, which belongs to the ISP (and can not be replaced by one of my own, so don't ask again), claims to firewall but does nothing at all. This became known when they activated IPv6 a week ago for a Beta test.
Now you have me really confused. How is the external firewall in any way relevant to issues relating to internal firewalls?
Because it forced me to upgrade the internal firewalls to cope with new issues.
If you have/learn of security issues with that external firewall, you could simply put your own firewall/router (a separate computer running
Again: I said I can not, and please do not argue. I'm tired of saying this.
--
Cheers / Saludos,
Carlos E. R.
(from 15.4 x86_64 at Telcontar)
On 2023-05-02 15:18, Carlos E. R. wrote:
On 2023-05-02 23:13, Darryl Gregorash wrote:
On 2023-05-02 12:45, Carlos E. R. wrote:
On 2023-05-02 19:06, Darryl Gregorash wrote:
On 2023-05-02 04:13, Carlos E. R. wrote:
On 2023-05-02 08:44, Per Jessen wrote:
Carlos E. R. wrote:
It might be easier if you simply listed the reasons for using a firewall on a trusted network. I find the idea intriguing.
I find the idea of not running it intriguing and naive.
If you feel you need a firewall on a trusted network, perhaps you really need a more robust set of rules on your external firewall.
As it is, the current external firewall, which belongs to the ISP (and can not be replaced by one of my own, so don't ask again), claims to firewall but does nothing at all. This became known when they activated IPv6 a week ago for a Beta test.
Now you have me really confused. How is the external firewall in any way relevant to issues relating to internal firewalls?
Because it forced me to upgrade the internal firewalls to cope with new issues.
If you have/learn of security issues with that external firewall, you could simply put your own firewall/router (a separate computer running
Again: I said I can not, and please do not argue. I'm tired of saying this.
OK, I give up. For whatever reason, you are not able to set up your network(s) the way most norm^H^H^H^H people would do it, namely a single point of contact between the ISP's gateway and a single robustly firewalled system acting as an internal gateway for each internal network you need (a DMZ, if you will) -- and a single point of contact between each of your internal networks and the DMZ. However you want to colour it, I'm out of this discussion, so no response is necessary.
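The layout Per describes earlier (his own machines on the trusted network, his son's machines on a reduced-trust network, IoT appliances separate again) and the single robustly firewalled gateway Darryl describes above, as an added example that is not from the thread or from any participant. It assumes a Linux box with nftables acting as that gateway, with four interfaces whose names (wan0, lan0, semi0, iot0) are made up here. The script emits the ruleset rather than loading it, so it runs anywhere; on the gateway, `gateway_ruleset | nft -f -` applies it.

```shell
#!/bin/sh
# Added example (not from the thread): forward/input policy for a Linux box
# that is the single point of contact between the ISP gateway and several
# internal networks of differing trust. Interface names are assumptions.
set -eu

WAN=${WAN:-wan0}          # towards the ISP router
TRUSTED=${TRUSTED:-lan0}  # own, fully controlled machines
SEMI=${SEMI:-semi0}       # family machines: gaming PC, work Macbook, consoles
IOT=${IOT:-iot0}          # appliances that only ever need the internet

# Emit an nftables ruleset. Both filter chains default to drop, so every
# accept is an explicit statement of who may initiate to whom; anything
# initiated from $SEMI or $IOT towards $TRUSTED is not listed, hence dropped.
gateway_ruleset() {
    cat <<EOF
flush ruleset
table inet gateway {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        # the gateway serves DNS and DHCP to every segment ...
        iifname { "$TRUSTED", "$SEMI", "$IOT" } udp dport { 53, 67 } accept
        iifname { "$TRUSTED", "$SEMI", "$IOT" } tcp dport 53 accept
        # ... but is administered only from the trusted segment
        iifname "$TRUSTED" tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # trusted machines may initiate to anywhere: the internet, a printer
        # on $SEMI, the IoT things they manage
        iifname "$TRUSTED" accept
        # semi-trusted and IoT segments get the internet and nothing else
        iifname { "$SEMI", "$IOT" } oifname "$WAN" accept
        # everything else falls through to the drop policy; log it so a
        # washing machine probing the trusted segment shows up in the journal
        log prefix "gw-fwd-drop: " counter
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "$WAN" masquerade
    }
}
EOF
}

gateway_ruleset
```

The point of the explicit drop policy is that a new segment, or a mistyped interface name, fails closed: a device that is not on the accept lines reaches nothing, and the log line tells you which device tried. Replies still flow because of the established,related rule, which is what lets a trusted machine print to or manage a device on a less trusted segment without that device ever being able to initiate the other way.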
participants (5)
- Carlos E. R.
- Darryl Gregorash
- Lew Wolfgang
- Per Jessen
- Simon Becherer