nanog mailing list archives

Re: Consumer Grade - IPV6 Enabled Router Firewalls.


From: Joe Greco <jgreco () ns sol net>
Date: Fri, 11 Dec 2009 08:34:08 -0600 (CST)

> Once upon a time, Joe Greco <jgreco () ns sol net> said:
> > Everyone knows a NAT gateway isn't really a firewall, except more or less
> > accidentally.  There's no good way to provide a hardware firewall in an
> > average residential environment that is not a disaster waiting to happen.  
> 
> I don't think hardware vs. software makes a "real" firewall.  A NAT
> gateway has to have all the basic functionality of a stateful firewall,
> plus packet mangling.  Typical home NAT gateways don't have all the
> configurability of an SSG or such, but the same basic functionality is
> there.

You can blow away the firmware of your NAT gateway and load something
like DD-WRT.  This gives you a hardware firewall (an external hardware 
device that acts as a deliberate firewall; i.e. you can firewall 1.2.3.4
from 5.6.7.8).  It is not filtering packets in silicon, which is an
alternate definition for "hardware firewall" that many in this group 
could use, but in common usage, it is the distinctness from the protected
host(s) and the ability to implement typical firewalling rules and
methods, with or _without_ NAT, that makes it a "hardware firewall."

Your existing NAT gateway firmware may well be based on Linux and may
have portions implemented by a Linux firewalling subsystem, but in most
cases, you cannot really drill down to any significant level of detail,
and quite frequently the main "anti-forwarding" protection offered is
simply the difficulty in surmounting the artificial barrier created by
the NAT addressing discontinuity.  While this might technically count as
"the same basic functionality," functionality that cannot be accessed or
used might as well not be there for the purposes of this discussion.  So
I'll pass on considering your average NAT gateway as a "hardware
firewall."

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
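[Editor's added example, not part of the thread or of any DD-WRT/vendor firmware: the distinction argued above, expressed as two alternative Linux nftables rulesets for a small dual-stack home gateway. Ruleset (A) is the "NAT-only" gateway where the only thing keeping unsolicited inbound IPv4 off the LAN is the missing translation entry, and where IPv6 (no NAT) is simply forwarded unfiltered. Ruleset (B) is a deliberate stateful firewall whose forward path is default-deny for both families, with NAT merely bolted on for IPv4. Interface names (wan0, lan0), the LAN prefix 192.168.1.0/24, and the example host 2001:db8::10 are assumptions for illustration. Load one or the other, never both.]

```nftables
#!/usr/sbin/nft -f
# Added example; interface names, prefixes and addresses are assumptions.
flush ruleset

# ---- (A) NAT-only gateway: the "accidental firewall" -------------------
# The forward hook is wide open. Unsolicited inbound IPv4 is dropped only
# because no conntrack entry exists to map the public address back to a
# private one. There is no IPv6 filter at all, so with forwarding enabled
# every IPv6 host on lan0 is reachable from wan0.
table ip nat_only {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" ip saddr 192.168.1.0/24 masquerade
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
    }
}

# ---- (B) Deliberate stateful firewall, with or without NAT ------------
# IPv4 masquerade is unchanged, but it is now only address translation.
# The inet-family forward chain applies one default-deny policy to IPv4
# and IPv6 alike, so IPv6 hosts get the protection that IPv4 hosts above
# were only getting by accident.
#
# table ip nat4 {
#     chain postrouting {
#         type nat hook postrouting priority srcnat; policy accept;
#         oifname "wan0" ip saddr 192.168.1.0/24 masquerade
#     }
# }
#
# table inet deliberate {
#     chain forward {
#         type filter hook forward priority filter; policy drop;
#
#         # Replies to flows the LAN opened, v4 and v6 alike.
#         ct state established,related accept
#         ct state invalid drop
#
#         # ICMPv6 errors that IPv6 needs for PMTU discovery etc.
#         icmpv6 type { destination-unreachable, packet-too-big,
#                       time-exceeded, parameter-problem } accept
#
#         # LAN may open new connections toward the Internet.
#         iifname "lan0" oifname "wan0" accept
#
#         # An explicit, auditable exception: inbound SSH to one IPv6 host.
#         # This is the kind of rule you can only write once the device is
#         # a firewall rather than an addressing barrier.
#         # iifname "wan0" ip6 daddr 2001:db8::10 tcp dport 22 ct state new accept
#     }
# }
```

To use: put (A) or (B) in its own file, check it with `nft -c -f FILE` before applying, load with `nft -f FILE`, and confirm with `nft list ruleset`. The check a practitioner wants afterwards is from outside the WAN interface: a new TCP SYN or ICMPv6 echo-request to a LAN IPv6 address should be dropped under (B) and will be forwarded under (A).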
