nanog mailing list archives
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
From: Chris Adams <cmadams () hiwaay net>
Date: Mon, 14 Dec 2009 13:11:53 -0600
Once upon a time, Owen DeLong <owen () delong com> said:
> I would argue that a firewall that can be reconfigured by any applet a user clicks on (whether they know it or not) is actually less useful than no firewall because it creates the illusion in the user's mind that there is a firewall protecting them.

Well, "any applet a user clicks on" should not have permission to talk to random devices on the network (for example, Java applets can't do that), so I don't think it quite as bad as you make it out to be. I also don't really find the "computer is already compromised" case all that interesting, as at that point, all bets are off (since with C&C servers, compromised computers are already accessible to the outside world without UPnP).

A firewall protects against unwanted inbound connections to things like file/print sharing, DNS proxies, etc. You also don't get port scans and such (even with a few open ports, the majority being "drop" slows down scanners significantly). You can also configure it to prevent certain outbound connections (e.g. connecting to random mail servers from desktop PCs).

I would hope that you can configure firewall rules to override UPnP requests.

--
Chris Adams <cmadams () hiwaay net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.