
Thread: Why aren't there ANY firewalls?

  1. #1
    spamdrew@nandrew.cum
    Guest

    Why aren't there ANY firewalls?


    Forgive my naivete (and perhaps excessive subject)
    but it seems to me that internet communication all comes
    into a PC through a single port at a time and therefore through
    a "bottleneck".

    Is there some reason we can't just have a blacklist and a whitelist
    with tick boxes against plain text strings to block or allow specific
    things passing through that route?

    Perhaps you'd need one for text itself eg www.spam.net or
    123.123.123.123
    and another set for commands (ie block ICMP or block ARP / HTTP)
    along with logical AND and OR linking if required (eg www.spam.net AND
    HTTP or whatever) .
    The use of wildcard should be possible too.

    That seems to me eminently controllable and understandable.
    If anything that isn't listed comes in/out it should ask for what to
    do and add to the list of tick boxes as appropriate.

    I've just been looking at Norton.symantic and it just looks like a
    total mess to me. They couldn't have made it any more complicated
    and less controllable if they tried. (Or perhaps they did and that's the
    idea to keep people paying out - A real firewall surely should last
    decades)

    Norton is all very pretty and technical looking but
    I've spent all day on Norton and I haven't got a clue what might still
    get through and what can't.

    As far as I can see there is no way for a reasonably literate but
    novice "net user" to gain any form of firewall. They all come
    configured with so many holes they seem effectively pointless.

    Try to block google or microsoft and you may as well
    just chuck the PC in the bin. And that I suspect is very telling
    about the overall state of security.

    Perhaps there is something like that that works on vista
    but I haven't found it.

    At the risk of sounding even more like a newbie ... sigh.



  2. #2
    Regis
    Guest

    Re: Why aren't there ANY firewalls?

    spamdrew@nandrew.cum writes:

    > Forgive my naivete (and perhaps excessive subject)
    > but it seems to me that internet communication all comes
    > into a PC through a single port at a time and therefore through
    > a "bottleneck".
    >
    > Is there some reason we can't just have a blacklist and a whitelist
    > with tick boxes against plain text strings to block or allow specific
    > things passing through that route?
    >
    > Perhaps you'd need one for text itself eg www.spam.net or
    > 123.123.123.123
    > and another set for commands (ie block ICMP or block ARP / HTTP)
    > along with logical AND and OR linking if required (eg www.spam.net AND
    > HTTP or whatever) .
    > The use of wildcard should be possible too.
    >
    > That seems to me eminently controllable and understandable.
    > If anything that isn't listed comes in/out it should ask for what to
    > do and add to the list of tick boxes as appropriate.
    >
    > I've just been looking at Norton.symantic and it just looks like a
    > total mess to me. They couldn't have made it any more complicated
    > and less controllable if they tried. (Or perhaps they did and that's the
    > idea to keep people paying out - A real firewall surely should last
    > decades)
    >
    > Norton is all very pretty and technical looking but
    > I've spent all day on Norton and I haven't got a clue what might still
    > get through and what can't.
    >
    > As far as I can see there is no way for a reasonably literate but
    > novice "net user" to gain any form of firewall. They all come
    > configured with so many holes they seem effectively pointless.
    >
    > Try to block google or microsoft and you may as well
    > just chuck the PC in the bin. And that I suspect is very telling
    > about the overall state of security.
    >
    > Perhaps there is something like that that works on vista
    > but I haven't found it.
    >
    > At the risk of sounding even more like a newbie ... sigh.


    Most of the problem is that you're looking for a very simple solution
    to realities that are pretty complex.

    What's your goal? Block "bad sites"? Be safe at the local coffee
    shop on their open wireless network?


  3. #3
    Moe Trin
    Guest

    Re: Why aren't there ANY firewalls?

    On Thu, 21 Oct 2010, in the Usenet newsgroup comp.security.firewalls, in article
    <92g0c65ajgk3fkmipiv87755tuubn2upud@4ax.com>, spamdrew@nandrew.cum wrote:

    >Forgive my naivete (and perhaps excessive subject)
    >but it seems to me that internet communication all comes
    >into a PC through a single port at a time and therefore through
    >a "bottleneck".


    A single port - but there are 65500 of them for TCP, 65500 more for
    UDP, and many more than one may be open or having a conversation at
    a time.

    >Is there some reason we can't just have a blacklist and a whitelist
    >with tick boxes against plain text strings to block or allow specific
    >things passing through that route?


    How big is the display you're looking at? Can you even find a single
    tick box in a sea of several thousand? Or are you expecting to see
    filters based on RFC3514?

    3514 The Security Flag in the IPv4 Header. S. Bellovin. April 1 2003.
    (Format: TXT=11211 bytes) (Status: INFORMATIONAL)

    Perhaps it would also help if you read RFC1925

    1925 The Twelve Networking Truths. R. Callon. April 1 1996. (Format:
    TXT=4294 bytes) (Status: INFORMATIONAL)

    especially points 6 through 11.

    >Perhaps you'd need one for text itself eg www.spam.net or
    >123.123.123.123 and another set for commands (ie block ICMP or block
    >ARP / HTTP) along with logical AND and OR linking if required (eg
    >www.spam.net AND HTTP or whatever) .


    Blocking ARP only works on the local wire. As of about a week ago,
    there were 3160102088 (3160 million) IPv4 addresses allocated or
    assigned around the world, in 105007 networks. Are you going to block
    each one individually? What about IPv6? That's a lot of check boxes.

    >As far as I can see there is no way for a reasonably literate but
    >novice "net user" to gain any form of firewall. They all come
    >configured with so many holes they seem effectively pointless.


    No, that's the problem of the user who doesn't want to read any
    instructions - they just want to click some icon and have everything
    fix itself. The world doesn't work that way. Looking at the headers
    in your news article, it shows:

    X-Trace: newsfe19.ams2 1287669064 213.48.36.3 (Thu, 21 Oct 2010 13:51:04 UTC)
    X-Newsreader: Forte Agent 1.93/32.576 English (American)

    So it's virginmedia.com/Telewest in the UK, and yet your news reader is
    configured for American English. That's just one example of people
    expecting things to work without them checking or understanding anything.

    Old guy

  4. #4
    spamdrew@nandrew.cum
    Guest

    Re: Why aren't there ANY firewalls?

    On Thu, 21 Oct 2010 15:01:39 -0500,
    ibuprofin@painkiller.example.tld.invalid (Moe Trin) wrote:

    >On Thu, 21 Oct 2010, in the Usenet newsgroup comp.security.firewalls, in article
    ><92g0c65ajgk3fkmipiv87755tuubn2upud@4ax.com>, spamdrew@nandrew.cum wrote:
    >
    >>Forgive my naivete (and perhaps excessive subject)
    >>but it seems to me that internet communication all comes
    >>into a PC through a single port at a time and therefore through
    >>a "bottleneck".

    >
    >A single port - but there are 65500 of them for TCP, 65500 more for
    >UDP, and many more than one may be open or having a conversation at
    >a time.
    >


    No - a single input port. One chip. Ports are created by software
    later.


    >>Is there some reason we can't just have a blacklist and a whitelist
    >>with tick boxes against plain text strings to block or allow specific
    >>things passing through that route?

    >
    >How big is the display you're looking at? Can you even find a single
    >tick box in a sea of several thousand? Or are you expecting to see
    >filters based on RFC3514?
    >


    Several thousand? Hardly. If that were the case all so-called
    firewalls would have that issue.


    > 3514 The Security Flag in the IPv4 Header. S. Bellovin. April 1 2003.
    > (Format: TXT=11211 bytes) (Status: INFORMATIONAL)
    >
    >Perhaps it would also help if you read RFC1925
    >
    > 1925 The Twelve Networking Truths. R. Callon. April 1 1996. (Format:
    > TXT=4294 bytes) (Status: INFORMATIONAL)
    >
    >especially points 6 through 11.
    >


    Not interested. Asking here.

    >>Perhaps you'd need one for text itself eg www.spam.net or
    >>123.123.123.123 and another set for commands (ie block ICMP or block
    >>ARP / HTTP) along with logical AND and OR linking if required (eg
    >>www.spam.net AND HTTP or whatever) .

    >


    >Blocking ARP only works on the local wire. As of about a week ago,
    >there were 3160102088 (3160 million) IPv4 addresses allocated or
    >assigned around the world, in 105007 networks. Are you going to block
    >each one individually? What about IPv6? Thats a lot of check boxes.
    >


    Rubbish.
    And really not the issue. Respond to the issue. Nonsense counts
    again.


    >>As far as I can see there is no way for a reasonably literate but
    >>novice "net user" to gain any form of firewall. They all come
    >>configured with so many holes they seem effectively pointless.

    >


    >No, that's the problem of the user who doesn't want to read any
    >instructions - they just want to click some icon and have everything
    >fix itself. The world doesn't work that way. Looking at the headers
    >in your news article, it shows:


    The headers in my article are rewritten by an anonymous re-poster. I
    have to read a message back to even know what they are myself.
    Personal attacks are idiotic and unhelpful to say the least.

    Yes - I just want to click an icon but only if I have to. Exactly
    right. There is no reason why not. None whatsoever.

    And your obvious lack of understanding of what you are talking about,
    hidden in a bunch of nonsense you've half read on some wiki somewhere,
    doesn't help anyone.

    >
    >X-Trace: newsfe19.ams2 1287669064 213.48.36.3 (Thu, 21 Oct 2010 13:51:04 UTC)
    >X-Newsreader: Forte Agent 1.93/32.576 English (American)
    >
    >So it's virginmedia.com/Telewest in the UK, and yet your news reader is
    >configured for American English. That's just one example of people
    >expecting things to work without them checking or understanding anything.
    >
    > Old guy


    Mouthing off about things you obviously don't and can't possibly
    understand is pretty stupid.

    If you can't relate to the questions asked, keep it shut and stop
    wasting people's time.






  5. #5
    spamdrew@nandrew.cum
    Guest

    Re: Why aren't there ANY firewalls?

    On Thu, 21 Oct 2010 14:38:27 -0500, Regis <ordsec@gmail.org> wrote:

    >
    >Most of the problem is that you're looking for a very simple solution
    >to realities that are pretty complex.
    >


    Actually I don't believe it to be as complex as it's made out to be.
    I think there is a LOT of money in making it SEEM complex though.

    >What's your goal? Block "bad sites"? Be safe at the local coffee
    >shop on their open wireless network?


    Start with this:

    The goal is to not let the computer send anything out I haven't
    specifically requested to send and to only send to the destination I
    specifically told it to connect to. And to receive only from those
    locations specifically requested.

    Anything not specifically enabled should not happen.
    That's a firewall.



  6. #6
    Felix Palmen
    Guest

    Re: Why aren't there ANY firewalls?

    * spamdrew@nandrew.cum <spamdrew@nandrew.cum>:
    > Rubbish.
    > And really not the issue. Respond to the issue. Nonsense counts
    > again.


    Stopped reading here. You're not just clueless -- which would be fine --
    but also a ********. Get lost.

    --
    Felix Palmen (Zirias) + [PGP] Felix Palmen <felix@palmen-it.de>
    web: http://palmen-it.de/ | http://palmen-it.de/pub.txt
    my open source projects: | Fingerprint: ED9B 62D0 BE39 32F9 2488
    http://palmen-it.de/?pg=pro + 5D0C 8177 9D80 5ECF F683

  7. #7
    RickMerrill
    Guest

    Re: Why aren't there ANY firewalls?

    spamdrew@nandrew.cum wrote:
    >
    > Forgive my naivete (and perhaps excessive subject)
    > but it seems to me that internet communication all comes
    > into a PC though a single port at a time and therefore through
    > a "bottleneck".


    Buy a hardware FIREWALL (the real deal) to monitor that chokepoint.
    Note that it even protects during your PC power-up stage. BUT cheap
    firewalls do not protect against viruses you download, so you need
    a resident scanner too.

  8. #8
    Regis
    Guest

    Re: Why aren't there ANY firewalls?

    spamdrew@nandrew.cum writes:

    > On Thu, 21 Oct 2010 14:38:27 -0500, Regis <ordsec@gmail.org> wrote:
    >
    >>
    >>Most of the problem is that you're looking for a very simple solution
    >>to realities that are pretty complex.
    >>

    >
    > Actually I don't believe it to be as complex as it's made out to be.
    > I think there is a LOT of money in making it SEEM complex though.


    It's actually complex. But don't take my word for it just yet...

    >>What's your goal? Block "bad sites"? Be safe at the local coffee
    >>shop on their open wireless network?

    >
    > Start with this:
    >
    > The goal is to not let the computer send anything out I haven't
    > specifically requested to send and to only send to the destination I
    > specifically told it to connect to. And to receive only from those
    > locations specifically requested.
    >
    > Anything not specifically enabled should not happen.
    > That's a firewall.


    Your life will get quick is the problem.

    Please provide an example of something specifically you'd like to
    allow. I posit that very quickly, the complexity of modern websites
    and the interconnectedness of them, from relying on third-party APIs
    for a site to even function, will make things complex quickly.

    Please name an internet based site, or service you'd put on your
    whitelist, and we can illuminate from there.


  9. #9
    Ansgar -59cobalt- Wiechers
    Guest

    Re: Why aren't there ANY firewalls?

    spamdrew@nandrew.cum wrote:
    > On Thu, 21 Oct 2010 14:38:27 -0500, Regis <ordsec@gmail.org> wrote:
    >> Most of the problem is that you're looking for a very simple solution
    >> to realities that are pretty complex.

    >
    > Actually I don't believe it to be as complex as it's made out to be.


    Actually, you're wrong.

    > I think there is a LOT of money in making it SEEM complex though.


    If you had even some basic understanding of modern computer systems or
    networking communication, you'd KNOW that those matters really ARE
    rather complex. There's no need to make them seem that way. As a matter
    of fact, most operating systems try to make them seem LESS complex than
    they actually are.

    >> What's your goal? Block "bad sites"? Be safe at the local coffee
    >> shop on their open wireless network?

    >
    > Start with this:
    >
    > The goal is to not let the computer send anything out I haven't
    > specifically requested to send and to only send to the destination I
    > specifically told it to connect to. And to receive only from those
    > locations specifically requested.
    >
    > Anything not specifically enabled should not happen.
    > That's a firewall.


    And now try to enforce this on an operating system that has a boatload
    of automation mechanisms. For instance: how would your supposed firewall
    know that your web browser's communication was initiated by the user and
    not some other application?

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  10. #10
    Ansgar -59cobalt- Wiechers
    Guest

    Re: Why aren't there ANY firewalls?

    spamdrew@nandrew.cum wrote:
    > On Thu, 21 Oct 2010 15:01:39 -0500, Moe Trin wrote:
    >> On Thu, 21 Oct 2010, spamdrew@nandrew.cum wrote:
    >>> Forgive my naivete (and perhaps excessive subject) but it seems to
    >>> me that internet communication all comes into a PC through a single
    >>> port at a time and therefore through a "bottleneck".

    >>
    >> A single port - but there are 65500 of them for TCP, 65500 more for
    >> UDP, and many more than one may be open or having a conversation at a
    >> time.

    >
    > No - a single input port. One chip. Ports are created by software
    > later.


    You don't have the slightest idea of how TCP/IP works. Fix that.
    Otherwise all your speculation about firewalls and network traffic is
    moot.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  11. #11
    Moe Trin
    Guest

    Re: Why aren't there ANY firewalls?

    On Fri, 22 Oct 2010, in the Usenet newsgroup comp.security.firewalls, in article
    <i633c6djiic8jt4frphg32sgpfjhb6jvqu@4ax.com>, spamdrew@nandrew.cum wrote:

    >Several thousand? Hardly. If that were the case all so-called
    >firewalls would have that issue.


    Training issue. Many Internet users know it's not wise to click on
    any/every icon they happen to see - especially one like

    ------------------------------
    | Click Here |
    | to get your system screwed |
    ------------------------------

    Or have you set your browser to auto-load every URL it finds because
    clicking on them manually is too hard? That's probably not a good way
    to go. Or is that the way your browser was set up by default because
    the installer knew you wouldn't know how to get on the web otherwise,
    and wouldn't want to expend any effort to learn how/why? Hmmm, did
    someone sell you a firewall for your telephone so that you don't get
    screwed over the phone?

    >Not interested. Asking here.


    "I don't want to work - do everything for me" No.

    Old guy

  12. #12
    DevilsPGD
    Guest

    Re: Why aren't there ANY firewalls?

    In message <9s33c6deh7kdhft6v13stgfhour8m0ls6m@4ax.com>
    spamdrew@nandrew.cum was claimed to have wrote:

    >On Thu, 21 Oct 2010 14:38:27 -0500, Regis <ordsec@gmail.org> wrote:
    >
    >>
    >>Most of the problem is that you're looking for a very simple solution
    >>to realities that are pretty complex.
    >>

    >
    >Actually I don't believe it to be as complex as it's made out to be.
    >I think there is a LOT of money in making it SEEM complex though.


    Honestly, software firewalls do a surprisingly good job of simplifying
    what actually goes on over the wire.

    >>What's your goal? Block "bad sites"? Be safe at the local coffee
    >>shop on their open wireless network?

    >
    >Start with this:
    >
    >The goal is to not let the computer send anything out I haven't
    >specifically requested to send and to only send to the destination I
    >specifically told it to connect to. And to receive only from those
    >locations specifically requested.


    There are a number of software firewalls that can run on a default-block-all
    basis, but it's an obnoxious way to operate.

    To start with, typical websites involve loading content from multiple
    (sometimes dozens) of hostnames, usually with 2-4 connections per
    hostname (not all of which will necessarily hit the same IP either). Not
    all of these requests will be useful, but will seeing a list of IPs and
    ports tell you anything useful? Do you really want to click "Allow" 20+
    times just to bring up cnn.com?

    And this assumes you've managed to write rules to allow a DHCP request,
    offer and accept to go through to get you an IP at all, rules to allow
    ARP so that you can find your default gateway and your default gateway
    can find you, allowed queries to your local DNS server, etc.

    It's generally far simpler to only install software that does what you
    want, rather than guessing at the firewall level.
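The policy spamdrew states in #5 ("anything not specifically enabled should not happen") and the costs DevilsPGD lists above (DHCP, ARP, DNS, dozens of hosts per page) can be made concrete in a small simulation. The following is an added example written for this page, not code from the thread or from any firewall product: it models a stateful default-deny host filter with the tick-box rules the original poster asked for (every set field in a rule must match, rules are tried in order, wildcards on names) and counts what a single page load would ask the user to allow. The host address 192.168.1.20, the resolver 192.168.1.1, the hostnames and the RFC 5737 addresses are assumptions; the "DNS answers" and packets are constructed, not captured. It goes slightly beyond the post by also showing the DHCP exchange and an unsolicited inbound connection.

```python
"""Default-deny host firewall, simulated (added example; constructed data).

Models the policy "anything not specifically enabled should not happen"
and the cost of it: explicit bootstrap rules for DHCP and DNS, connection
tracking so replies get in, and one "Allow?" prompt per host a single
page load fans out to. Addresses come from the RFC 5737 documentation
ranges; DNS answers and packets are constructed, not captured.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
from typing import Optional

LOCAL_IP = "192.168.1.20"        # assumed: this host's DHCP-assigned address
LOCAL_RESOLVER = "192.168.1.1"   # assumed: the LAN router also answers DNS


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" (host -> network) or "in"
    proto: str       # "tcp" or "udp"; ARP is not IP and never reaches this filter
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One tick box. Every field that is set must match (AND); rules are tried in order (OR)."""
    action: str                      # "allow" or "drop"
    direction: str = "out"
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    dst_net: Optional[str] = None    # CIDR the destination address must fall inside
    dst_name: Optional[str] = None   # wildcard on the name the destination was resolved from

    def matches(self, pkt: Packet, names: dict) -> bool:
        if pkt.direction != self.direction:
            return False
        for want, got in ((self.proto, pkt.proto), (self.sport, pkt.sport), (self.dport, pkt.dport)):
            if want is not None and got != want:
                return False
        if self.dst_net is not None and ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        # The filter only ever sees addresses; a "www.spam.net" style rule works only
        # because we remembered which name each address came back for in a DNS answer.
        if self.dst_name is not None and not fnmatch(names.get(pkt.dst, ""), self.dst_name):
            return False
        return True


class DefaultDenyFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.conntrack = set()   # 5-tuples of flows this host opened
        self.names = {}          # address -> hostname, learned from DNS answers
        self.prompts = set()     # (proto, address, port, name) the user would be asked about

    def learn_dns(self, name: str, addr: str) -> None:
        self.names[addr] = name

    def filter(self, pkt: Packet) -> str:
        # Replies to flows we opened pass without a rule (stateful filtering).
        if pkt.direction == "in" and (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return "allow"
        for rule in self.rules:
            if rule.matches(pkt, self.names):
                if rule.action == "allow" and pkt.direction == "out":
                    self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule.action
        if pkt.direction == "out":
            # Nothing matched: in an interactive product this is the "Allow?" pop-up. The
            # 5-tuple carries no process identity, so the filter cannot tell a browser the
            # user clicked in from any other program talking to port 443.
            self.prompts.add((pkt.proto, pkt.dst, pkt.dport, self.names.get(pkt.dst, "?")))
        return "drop"            # default policy


BOOTSTRAP_RULES = [
    # DHCP discover/request go out from 0.0.0.0:68 to 255.255.255.255:67 ...
    Rule("allow", proto="udp", sport=68, dport=67),
    # ... and the offer/ack comes back to a different address, so conntrack does not
    # see it as a reply to anything we sent; it needs its own inbound rule.
    Rule("allow", direction="in", proto="udp", sport=67, dport=68),
    # DNS, but only to the resolver we were handed.
    Rule("allow", proto="udp", dport=53, dst_net=LOCAL_RESOLVER + "/32"),
]


def simulate_page_load(extra_rules=()):
    """Load one news page that pulls from four hostnames, two TCP connections each.
    Returns (packets allowed, packets dropped, sorted prompts the user would see)."""
    fw = DefaultDenyFirewall(BOOTSTRAP_RULES + list(extra_rules))
    answers = {                                   # constructed DNS answers
        "www.example-news.test": "203.0.113.10",
        "static.example-news.test": "203.0.113.20",
        "cdn.thirdparty.test": "198.51.100.9",
        "ads.tracker.test": "198.51.100.5",
    }
    counts = {"allow": 0, "drop": 0}
    for name, addr in answers.items():            # resolve each name first
        counts[fw.filter(Packet("out", "udp", LOCAL_IP, 40000, LOCAL_RESOLVER, 53))] += 1
        counts[fw.filter(Packet("in", "udp", LOCAL_RESOLVER, 53, LOCAL_IP, 40000))] += 1
        fw.learn_dns(name, addr)
    sport = 50000
    for addr in answers.values():                 # then two HTTPS connections per host
        for _ in range(2):
            counts[fw.filter(Packet("out", "tcp", LOCAL_IP, sport, addr, 443))] += 1  # SYN
            counts[fw.filter(Packet("in", "tcp", addr, 443, LOCAL_IP, sport))] += 1   # SYN/ACK
            sport += 1
    return counts["allow"], counts["drop"], sorted(fw.prompts)


if __name__ == "__main__":
    print("no site rules:", simulate_page_load())
    site_ok = Rule("allow", proto="tcp", dport=443, dst_name="*.example-news.test")
    print("news site allowed:", simulate_page_load([site_ok]))
```

Run as-is, the first call returns 8 packets allowed (the DNS traffic), 16 dropped and four prompts, one per host; ticking a single wildcard box for `*.example-news.test` gets the page's own two hosts through (16 allowed, 8 dropped) but the CDN and the ad host still each raise a prompt, which is the "click Allow 20+ times" problem in miniature. The two DHCP rules show why "receive only from locations I requested" already needs an exception before the host has an address, and the comment at the prompt is 59cobalt's point in #9: nothing in the packet says which program sent it.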
