Why aren't there ANY firewalls?

spamdrew@nandrew.cum
10-21-10, 08:51 AM
Forgive my naivete (and perhaps excessive subject)
but it seems to me that internet communication all comes
into a PC through a single port at a time and therefore through
a "bottleneck".

Is there some reason we can't just have a blacklist and a whitelist
with tick boxes against plain text strings to block or allow specific
things passing through that route?

Perhaps you'd need one for text itself eg www.spam.net or
123.123.123.123
and another set for commands (ie block ICMP or block ARP / HTTP)
along with logical AND and OR linking if required (eg www.spam.net AND
HTTP or whatever) .
The use of wildcard should be possible too.

That seems to me to be eminently controllable and understandable.
If anything that isn't listed comes in/out it should ask for what to
do and add to the list of tick boxes as appropriate.

I've just been looking at Norton/Symantec and it just looks like a
total mess to me. They couldn't have made it any more complicated
and less controllable if they tried. (Or perhaps they did and that's the
idea to keep people paying out - A real firewall surely should last
decades)

Norton is all very pretty and technical looking but
I've spent all day on Norton and I haven't got a clue what might still
get through and what can't.

As far as I can see there is no way for a reasonably literate but
novice "net user" to gain any form of firewall. They all come
configured with so many holes they seem effectively pointless.

Try to block google or microsoft and you may as well
just chuck the PC in the bin. And that I suspect is very telling
about the overall state of security.

Perhaps there is something like that that works on vista
but I haven't found it.

At the risk of sounding even more like a newbie ... sigh.

Regis
10-21-10, 02:38 PM
spamdrew@nandrew.cum writes:

> Forgive my naivete (and perhaps excessive subject)
> but it seems to me that internet communication all comes
> into a PC through a single port at a time and therefore through
> a "bottleneck".
>
> Is there some reason we can't just have a blacklist and a whitelist
> with tick boxes against plain text strings to block or allow specific
> things passing through that route?
>
> Perhaps you'd need one for text itself eg www.spam.net or
> 123.123.123.123
> and another set for commands (ie block ICMP or block ARP / HTTP)
> along with logical AND and OR linking if required (eg www.spam.net AND
> HTTP or whatever) .
> The use of wildcard should be possible too.
>
> That seems to me to be eminently controllable and understandable.
> If anything that isn't listed comes in/out it should ask for what to
> do and add to the list of tick boxes as appropriate.
>
> I've just been looking at Norton/Symantec and it just looks like a
> total mess to me. They couldn't have made it any more complicated
> and less controllable if they tried. (Or perhaps they did and that's the
> idea to keep people paying out - A real firewall surely should last
> decades)
>
> Norton is all very pretty and technical looking but
> I've spent all day on Norton and I haven't got a clue what might still
> get through and what can't.
>
> As far as I can see there is no way for a reasonably literate but
> novice "net user" to gain any form of firewall. They all come
> configured with so many holes they seem effectively pointless.
>
> Try to block google or microsoft and you may as well
> just chuck the PC in the bin. And that I suspect is very telling
> about the overall state of security.
>
> Perhaps there is something like that that works on vista
> but I haven't found it.
>
> At the risk of sounding even more like a newbie ... sigh.

Most of the problem is that you're looking for a very simple solution
to realities that are pretty complex.

What's your goal? Block "bad sites"? Be safe at the local coffee
shop on their open wireless network?

Moe Trin
10-21-10, 03:01 PM
On Thu, 21 Oct 2010, in the Usenet newsgroup comp.security.firewalls, in article
<92g0c65ajgk3fkmipiv87755tuubn2upud@4ax.com>, spamdrew@nandrew.cum wrote:

>Forgive my naivete (and perhaps excessive subject)
>but it seems to me that internet communication all comes
>into a PC through a single port at a time and therefore through
>a "bottleneck".

A single port - but there are 65500 of them for TCP, 65500 more for
UDP, and many more than one may be open or having a conversation at
a time.

>Is there some reason we can't just have a blacklist and a whitelist
>with tick boxes against plain text strings to block or allow specific
>things passing through that route?

How big is the display you're looking at? Can you even find a single
tick box in a sea of several thousand? Or are you expecting to see
filters based on RFC3514?

3514 The Security Flag in the IPv4 Header. S. Bellovin. April 1 2003.
(Format: TXT=11211 bytes) (Status: INFORMATIONAL)

Perhaps it would also help if you read RFC1925

1925 The Twelve Networking Truths. R. Callon. April 1 1996. (Format:
TXT=4294 bytes) (Status: INFORMATIONAL)

especially points 6 through 11.

>Perhaps you'd need one for text itself eg www.spam.net or
>123.123.123.123 and another set for commands (ie block ICMP or block
>ARP / HTTP) along with logical AND and OR linking if required (eg
>www.spam.net AND HTTP or whatever) .

Blocking ARP only works on the local wire. As of about a week ago,
there were 3160102088 (3160 million) IPv4 addresses allocated or
assigned around the world, in 105007 networks. Are you going to block
each one individually? What about IPv6? That's a lot of check boxes.

>As far as I can see there is no way for a reasonably literate but
>novice "net user" to gain any form of firewall. They all come
>configured with so many holes they seem effectively pointless.

No, that's the problem of the user who doesn't want to read any
instructions - they just want to click some icon and have everything
fix itself. The world doesn't work that way. Looking at the headers
in your news article, it shows:

X-Trace: newsfe19.ams2 1287669064 213.48.36.3 (Thu, 21 Oct 2010 13:51:04 UTC)
X-Newsreader: Forte Agent 1.93/32.576 English (American)

So it's virginmedia.com/Telewest in the UK, and yet your news reader is
configured for American English. That's just one example of people
expecting things to work without them checking or understanding anything.

Old guy

spamdrew@nandrew.cum
10-22-10, 08:19 AM
On Thu, 21 Oct 2010 15:01:39 -0500,
ibuprofin@painkiller.example.tld.invalid (Moe Trin) wrote:

>On Thu, 21 Oct 2010, in the Usenet newsgroup comp.security.firewalls, in article
><92g0c65ajgk3fkmipiv87755tuubn2upud@4ax.com>, spamdrew@nandrew.cum wrote:
>
>>Forgive my naivete (and perhaps excessive subject)
>>but it seems to me that internet communication all comes
>>into a PC through a single port at a time and therefore through
>>a "bottleneck".
>
>A single port - but there are 65500 of them for TCP, 65500 more for
>UDP, and many more than one may be open or having a conversation at
>a time.
>

No - a single input port. One chip. Ports are created by software
later.


>>Is there some reason we can't just have a blacklist and a whitelist
>>with tick boxes against plain text strings to block or allow specific
>>things passing through that route?
>
>How big is the display you're looking at? Can you even find a single
>tick box in a sea of several thousand? Or are you expecting to see
>filters based on RFC3514?
>

Several thousand? Hardly. If that were the case all so-called
firewalls would have that issue.


> 3514 The Security Flag in the IPv4 Header. S. Bellovin. April 1 2003.
> (Format: TXT=11211 bytes) (Status: INFORMATIONAL)
>
>Perhaps it would also help if you read RFC1925
>
> 1925 The Twelve Networking Truths. R. Callon. April 1 1996. (Format:
> TXT=4294 bytes) (Status: INFORMATIONAL)
>
>especially points 6 through 11.
>

Not interested. Asking here.

>>Perhaps you'd need one for text itself eg www.spam.net or
>>123.123.123.123 and another set for commands (ie block ICMP or block
>>ARP / HTTP) along with logical AND and OR linking if required (eg
>>www.spam.net AND HTTP or whatever) .
>

>Blocking ARP only works on the local wire. As of about a week ago,
>there were 3160102088 (3160 million) IPv4 addresses allocated or
>assigned around the world, in 105007 networks. Are you going to block
>each one individually? What about IPv6? Thats a lot of check boxes.
>

Rubbish.
And really not the issue. Respond to the issue. Nonsense counts
again.


>>As far as I can see there is no way for a reasonably literate but
>>novice "net user" to gain any form of firewall. They all come
>>configured with so many holes they seem effectively pointless.
>

>No, that's the problem of the user who doesn't want to read any
>instructions - they just want to click some icon and have everything
>fix itself. The world doesn't work that way. Looking at the headers
>in your news article, it shows:

The headers in my article are rewritten by an anonymous re-poster. I
have to read a message back to even know what they are myself.
Personal attacks are idiotic and unhelpful to say the least.

Yes - I just want to click an icon, but only if I have to. Exactly
right. There is no reason why not. None whatsoever.

And your obvious lack of understanding of what you are talking about,
hidden in a bunch of nonsense you've half read on some wiki somewhere,
doesn't help anyone.

>
>X-Trace: newsfe19.ams2 1287669064 213.48.36.3 (Thu, 21 Oct 2010 13:51:04 UTC)
>X-Newsreader: Forte Agent 1.93/32.576 English (American)
>
>So it's virginmedia.com/Telewest in the UK, and yet your news reader is
>configured for American English. That's just one example of people
>expecting things to work without them checking or understanding anything.
>
> Old guy

Mouthing off about things you obviously don't and can't possibly
understand is pretty stupid.

If you can't relate to the questions asked, keep it shut and stop
wasting people's time.

spamdrew@nandrew.cum
10-22-10, 08:27 AM
On Thu, 21 Oct 2010 14:38:27 -0500, Regis <ordsec@gmail.org> wrote:

>
>Most of the problem is that you're looking for a very simple solution
>to realities that are pretty complex.
>

Actually I don't believe it to be as complex as it's made out to be.
I think there is a LOT of money in making it SEEM complex though.

>What's your goal? Block "bad sites"? Be safe at the local coffee
>shop on their open wireless network?

Start with this:

The goal is to not let the computer send anything out I haven't
specifically requested to send and to only send to the destination I
specifically told it to connect to. And to receive only from those
locations specifically requested.

Anything not specifically enabled should not happen.
That's a firewall.

Felix Palmen
10-22-10, 08:43 AM
* spamdrew@nandrew.cum <spamdrew@nandrew.cum>:
> rubbish.
> and really not the issue. respond to the issue. nonesense counts
> again.

Stopped reading here. You're not just clueless -- which would be fine --
but also a ********. Get lost.

--
Felix Palmen (Zirias) + [PGP] Felix Palmen <felix@palmen-it.de>
web: http://palmen-it.de/ | http://palmen-it.de/pub.txt
my open source projects: | Fingerprint: ED9B 62D0 BE39 32F9 2488
http://palmen-it.de/?pg=pro + 5D0C 8177 9D80 5ECF F683

RickMerrill
10-22-10, 10:26 AM
spamdrew@nandrew.cum wrote:
>
> Forgive my naivete (and perhaps excessive subject)
> but it seems to me that internet communication all comes
> into a PC though a single port at a time and therefore through
> a "bottleneck".

Buy a hardware FIREWALL (the real deal) to monitor that chokepoint.
Note that it even protects during your PC power up stage. BUT cheap
firewalls do not protect against viruses you download, so you need
a resident scanner too........

Regis
10-22-10, 10:33 AM
spamdrew@nandrew.cum writes:

> On Thu, 21 Oct 2010 14:38:27 -0500, Regis <ordsec@gmail.org> wrote:
>
>>
>>Most of the problem is that you're looking for a very simple solution
>>to realities that are pretty complex.
>>
>
> Actually I don't believe it to be as complex as it's made out to be.
> I think there is a LOT of money in making it SEEM complex though.

It's actually complex. But don't take my word for it just yet...

>>What's your goal? Block "bad sites"? Be safe at the local coffee
>>shop on their open wireless network?
>
> Start with this:
>
> The goal is to not let the computer send anything out I haven't
> specifically requested to send and to only send to the destination I
> specifically told it to connect to. And to receive only from those
> locations specifically requested.
>
> Anything not specifically enabled should not happen.
> That's a firewall.

Your life will get quick is the problem.

Please provide an example of something specifically you'd like to
allow. I posit that very quickly, the complexity of modern websites
and the interconnectedness of them, from relying on third party APIs
for a site to even function, will make things complex quickly.

Please name an internet based site, or service you'd put on your
whitelist, and we can illuminate from there.

Ansgar -59cobalt- Wiechers
10-22-10, 01:29 PM
spamdrew@nandrew.cum wrote:
> On Thu, 21 Oct 2010 14:38:27 -0500, Regis <ordsec@gmail.org> wrote:
>> Most of the problem is that you're looking for a very simple solution
>> to realities that are pretty complex.
>
> Actually I don't believe it to be as complex as it's made out to be.

Actually, you're wrong.

> I think there is a LOT of money in making it SEEM complex though.

If you had even some basic understanding of modern computer systems or
networking communication, you'd KNOW that those matters really ARE
rather complex. There's no need to make them seem that way. As a matter
of fact, most operating systems try to make them seem LESS complex than
they actually are.

>> What's your goal? Block "bad sites"? Be safe at the local coffee
>> shop on their open wireless network?
>
> Start with this:
>
> The goal is to not let the computer send anything out I haven't
> specifically requested to send and to only send to the destination I
> specifically told it to connect to. And to receive only from those
> locations specifically requested.
>
> Anything not specifically enabled should not happen.
> That's a firewall.

And now try to enforce this on an operating system that has a boatload
of automation mechanisms. For instance: how would your supposed firewall
know that your web browser's communication was initiated by the user and
not some other application?

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Ansgar -59cobalt- Wiechers
10-22-10, 01:34 PM
spamdrew@nandrew.cum wrote:
> On Thu, 21 Oct 2010 15:01:39 -0500, Moe Trin wrote:
>> On Thu, 21 Oct 2010, spamdrew@nandrew.cum wrote:
>>> Forgive my naivete (and perhaps excessive subject) but it seems to
>>> me that internet communication all comes into a PC through a single
>>> port at a time and therefore through a "bottleneck".
>>
>> A single port - but there are 65500 of them for TCP, 65500 more for
>> UDP, and many more than one may be open or having a conversation at a
>> time.
>
> No - a single input port. one chip. ports are created by software
> later.

You don't have the slightest idea of how TCP/IP works. Fix that.
Otherwise all your speculation about firewalls and network traffic are
moot.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Moe Trin
10-22-10, 02:57 PM
On Fri, 22 Oct 2010, in the Usenet newsgroup comp.security.firewalls, in article
<i633c6djiic8jt4frphg32sgpfjhb6jvqu@4ax.com>, spamdrew@nandrew.cum wrote:

>Several thousand? Hardly. If that were the case all so-called
>firewalls would have that issue.

Training issue. Many Internet users know it's not wise to click on
any/every icon they happen to see - especially one like

------------------------------
| Click Here |
| to get your system screwed |
------------------------------

Or have you set your browser to auto-load every URL it finds because
clicking on them manually is too hard? That's probably not a good way
to go. Or is that the way your browser was set up by default because
the installer knew you wouldn't know how to get on the web otherwise,
and wouldn't want to expend any effort to learn how/why? Hmmm, did
someone sell you a firewall for your telephone so that you don't get
screwed over the phone?

>not interested. asking here.

"I don't want to work - do everything for me" No.

Old guy

DevilsPGD
10-22-10, 07:37 PM
In message <9s33c6deh7kdhft6v13stgfhour8m0ls6m@4ax.com>
spamdrew@nandrew.cum was claimed to have wrote:

>On Thu, 21 Oct 2010 14:38:27 -0500, Regis <ordsec@gmail.org> wrote:
>
>>
>>Most of the problem is that you're looking for a very simple solution
>>to realities that are pretty complex.
>>
>
>Actually I don't believe it to be as complex as it's made out to be.
>I think there is a LOT of money in making it SEEM complex though.

Honestly, software firewalls do a surprisingly good job of simplifying
what actually goes on over the wire.

>>What's your goal? Block "bad sites"? Be safe at the local coffee
>>shop on their open wireless network?
>
>Start with this:
>
>The goal is to not let the computer send anything out I haven't
>specifically requested to send and to only send to the destination I
>specifically told it to connect to. And to receive only from those
>locations specifically requested.

There's a number of software firewalls that can run in default-block-all
basis, but it's an obnoxious way to operate.

To start with, typical websites involve loading content from multiple
(sometimes dozens) of hostnames, usually with 2-4 connections per
hostname (not all of which will necessarily hit the same IP either). Not
all of these requests will be useful, but will seeing a list of IPs and
ports tell you anything useful? Do you really want to click "Allow" 20+
times just to bring up cnn.com?

And this assumes you've managed to write rules to allow a DHCP request,
offer and accept to go through to get you an IP at all, rules to allow
ARP so that you can find your default gateway and your default gateway
can find you, allowed queries to your local DNS server, etc.

It's generally far simpler to only install software that does what you
want, rather than guessing at the firewall level.
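The rule-and-prompt model the thread argues about, as an added example that is not code from any poster: a toy default-deny host firewall with allow/block rules on plain strings and wildcards (the original post's proposal), replayed against a constructed page load to show what DevilsPGD describes above. Every connection not already covered by a rule becomes an "ask the user" prompt, and the baseline ARP/DHCP/DNS rules must exist before a single hostname can even be resolved. All hostnames (under `.test`), the resolver address 192.0.2.1, and the destination addresses in the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges are constructed for the example.

```python
"""Toy default-deny host firewall: an added illustration, not code from the thread.

Models allow/block rules on plain strings with wildcards and replays a
constructed page load to count how often a default-deny firewall would
prompt the user.  All hostnames (*.test) and addresses (documentation
ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp", "udp" or "arp"
    host: str    # destination hostname, "" when only an address is known
    ip: str      # destination address
    port: int    # destination port, 0 for ARP


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "block"
    proto: str = "*"   # fnmatch-style patterns; "*" matches anything
    host: str = "*"    # e.g. "*.example-news.test"
    ip: str = "*"
    port: int = 0      # 0 matches any port

    def matches(self, f: Flow) -> bool:
        return (fnmatch(f.proto, self.proto) and fnmatch(f.host, self.host)
                and fnmatch(f.ip, self.ip) and self.port in (0, f.port))


class Firewall:
    """First matching rule wins; anything unmatched is blocked and prompted."""

    def __init__(self, rules: Iterable[Rule]):
        self.rules = list(rules)
        self.prompted: List[Flow] = []

    def decide(self, f: Flow) -> str:
        for r in self.rules:
            if r.matches(f):
                return r.action
        self.prompted.append(f)   # default deny: the user would get a dialog
        return "ask"


# Baseline rules without which the machine cannot get on the network at all
# (the DHCP/ARP/DNS point).  192.0.2.1 stands in for the local resolver.
BASELINE = [
    Rule("allow", proto="arp"),
    Rule("allow", proto="udp", port=67),                  # DHCP to the server
    Rule("allow", proto="udp", ip="192.0.2.1", port=53),  # local DNS resolver
]

# Constructed page load: five hostnames with 1-3 connections each, plus one
# DNS query per hostname and one ARP lookup for the gateway.
_PAGE_HOSTS = {
    "www.example-news.test":        ("203.0.113.10", 80, 3),
    "media.example-news.test":      ("203.0.113.20", 80, 3),
    "cdn.example-cdn.test":         ("198.51.100.5", 80, 2),
    "ads.example-ads.test":         ("198.51.100.40", 80, 2),
    "stats.example-analytics.test": ("198.51.100.60", 443, 1),
}


def page_load_flows() -> List[Flow]:
    flows = [Flow("arp", "", "192.0.2.254", 0)]         # find the gateway
    for host, (ip, port, n) in _PAGE_HOSTS.items():
        flows.append(Flow("udp", "", "192.0.2.1", 53))  # resolve the name
        flows.extend(Flow("tcp", host, ip, port) for _ in range(n))
    return flows


def count_flows(rules: Iterable[Rule]) -> Dict[str, int]:
    """How many flows of the page load were allowed, blocked or prompted."""
    fw = Firewall(rules)
    counts = Counter({"allow": 0, "block": 0, "ask": 0})
    for f in page_load_flows():
        counts[fw.decide(f)] += 1
    return dict(counts)


if __name__ == "__main__":
    news = Rule("allow", "tcp", "*.example-news.test")
    ads = Rule("block", host="*.example-ads.test")
    print("no rules at all:    ", count_flows([]))
    print("baseline only:      ", count_flows(BASELINE))
    print("+ allow news site:  ", count_flows(BASELINE + [news]))
    print("+ block ad network: ", count_flows(BASELINE + [news, ads]))
```

With no rules even the DNS lookups and the ARP request are prompted, so nothing loads; with the baseline in place the user still gets eleven prompts for one page, and whitelisting the site itself only removes the six connections to its own hostnames, leaving the CDN, ad and analytics hosts to be decided one by one.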