firewall on budget?

Straight Talk

Not in every case, at least not with users that are willing to wrangle
around it on a daily basis - you know human nature, it's what gets
people compromised in the first place.

What does some users' willingness to wrangle around have to do with the
fact that there are workarounds to the issue raised?
But, until they get educated, and we've had security threats for more
than a decade and fewer and fewer people are educated, we need a measure
that will protect the ignorant masses from harming the rest of us - ISP
mandated NAT implemented at the user's gateway device would be a first
real help.

I fail to see how NAT would protect the rest of us?
 
jameshanley39

You don't want to look at cheap devices then, you want to use a Firewall
Appliance in "Drop-In" mode - it still filters traffic based on rules,
but it allows all ports (jacks) to have the same public IP.

There is also 1:1 NAT, so that a single PUBLIC IP is routed to a single
LAN IP.

Why would you not want NAT?

I would use NAT. But I'm wondering, theoretically, and since you say
it's a shame some end users don't use NAT, and ISPs should make it
mandatory.

What end users on DSL don't use NAT? What devices are they buying? Can
you link me to any? Presumably you've seen some.
 
Leythos

What does some users' willingness to wrangle around have to do with the
fact that there are workarounds to the issue raised?

What work around issues?
I fail to see how NAT would protect the rest of us?

By keeping the ignorant masses' machines from being compromised
immediately, before they even start using them. It also means that we
don't have the issues of them being FTP, SMTP, etc. relays... Come on,
think - if the computer can't be reached then it's going to be harder
for the hackers to abuse it. Yes, I know about phone-home malware, but
we're talking about all the idiots that leave their computer, without a
password, connected to a public IP with file/printer sharing enabled.


--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(e-mail address removed) (remove 999 for proper email address)
 
Leythos

I would use NAT. But I'm wondering, theoretically, and since you say
it's a shame some end users don't use NAT, and ISPs should make it
mandatory.

What end users on DSL don't use NAT? What devices are they buying? Can
you link me to any? Presumably you've seen some.

Every DSL device I've seen can be set up for NAT or Routed mode - it's in
the DSL Maintenance screen on their devices. I know a bunch of people,
like SBS/Yahoo DSL, that get a public IP from their DSL service.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(e-mail address removed) (remove 999 for proper email address)
 
jameshanley39

Every DSL device I've seen can be set up for NAT or Routed mode - it's in
the DSL Maintenance screen on their devices. I know a bunch of people,
like SBS/Yahoo DSL, that get a public IP from their DSL service.

If it's set for Routed mode (by this you mean no NAT), do you then need
a public IP for your router, and a (different) public IP for the
computer connected to it?

Do you have in mind such end users - that have 2 public ips?

BTW, you mention you know people that "get public IP from their DSL
service". Who has an ISP and doesn't get that?
 
Ari

I have a PC built for me, and I installed Windows XP SP2 on it. I
presume I need to put a firewall and antivirus on it to ward off worms
and viruses.

Kerio 2.15 is free and works great.
 
Leythos

If it's set for Routed mode (by this you mean no NAT), do you then need
a public IP for your router, and a (different) public IP for the
computer connected to it?

Do you have in mind such end users - that have 2 public ips?

Many users want firewall functions that don't have to include NAT as one
of them - they might have public facing servers and just want to protect
them.

The ports (WAN, LAN, DMZ) on the firewall all have the same IP provided
by the ISP's device; you route traffic between them using rules.

So x.y.c.v:80 on WAN can be routed to x.y.c.v:80 on LAN while
x.y.c.v:443 can be routed to x.y.c.v:443 on DMZ.

You can do this with as many IPs as you want - the condition being that
one combination of IP:PORT can only be routed to one destination.
BTW, you mention you know people that "get public IP from their DSL
service". Who has an ISP and doesn't get that?

Many people don't get it, many DSL providers have their routers set to
NAT by default.


--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(e-mail address removed) (remove 999 for proper email address)
 
Straight Talk

What work around issues?

Not work around issues. Workarounds to the issue.
By keeping the ignorant masses' machines from being compromised
immediately, before they even start using them. It also means that we
don't have the issues of them being FTP, SMTP, etc. relays... Come on,
think - if the computer can't be reached then it's going to be harder
for the hackers to abuse it.

Post SP2 this is becoming much less of a problem. The biggest problem
still is malware spread through websites, e-mail and file sharing.
Your suggestion won't seriously protect us from the "ignorant masses".
 
Straight Talk

Actually, the windows firewall is a bad concept from the start - people
think they are protected, but many machines have file/printer sharing
enabled and an exception for it, and many people run as local admin, so,
it's easy to subvert the firewall with simple malware, even non-malware
apps subvert it without warning.

That the "ignorant masses" aren't immediately able to cope with a
concept doesn't mean the concept itself is bad. The WF is a very good
concept. It's the way it's used that causes the problem.

The other firewalls mentioned earlier continue to promote and support
the idea of running as admin. And *that* is a bad concept.
 
Leythos

Post SP2 this is becoming much less of a problem. The biggest problem
still is malware spread through websites, e-mail and file sharing.
Your suggestion won't seriously protect us from the "ignorant masses".

Actually, depending on the NAT device, you can block downloads of many
malware infectors via HTTP. Not much one can do about SMTP type
infectors unless they have their own mini-mail server or a standard
server as other firewall products can clean SMTP sessions.

So, again, the NAT device provides MORE/Better protection than Windows
Firewall in all cases.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(e-mail address removed) (remove 999 for proper email address)
 
Leythos

That the "ignorant masses" aren't immediately able to cope with a
concept doesn't mean the concept itself is bad. The WF is a very good
concept. It's the way it's used that causes the problem.

And in the real world it means that it's just a bad product.
The other firewalls mentioned earlier continue to promote and support
the idea of running as admin. And *that* is a bad concept.

And other firewalls, while still able to compromise them, have a much
better reporting/alert system than the report-nothing WF does.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(e-mail address removed) (remove 999 for proper email address)
 
jameshanley39

Many users want firewall functions that don't have to include NAT as one
of them - they might have public facing servers and just want to protect
them.

The ports (WAN, LAN, DMZ) on the firewall all have the same IP provided
by the ISP's device; you route traffic between them using rules.

So x.y.c.v:80 on WAN can be routed to x.y.c.v:80 on LAN while
x.y.c.v:443 can be routed to x.y.c.v:443 on DMZ.

You can do this with as many IPs as you want - the condition being that
one combination of IP:PORT can only be routed to one destination.

Oddly enough, what you describe as not using NAT looks like NAT: one
IP for the router. You could've said that there isn't an IP on the
router's ports (which would make sense also because what is going on in
that area uses ports and isn't routing!). In fact, it looks like NAT
and PAT!

Furthermore, in the system you describe, a machine on the LAN or on
the DMZ would still need a unique IP address, distinct from
the firewall-router appliance.

If the computers (on the DMZ or LAN) had private addresses, then it
really looks like NAT now!

If a DSL user doesn't have one of these firewall-router appliances,
then in that instance, would he need 2 different public IPs, one for
his router and one for his computer?


Many people don't get it, many DSL providers have their routers set to
NAT by default.

Then their DSL service does provide a public IP. Their router gets
it.
 
Leythos

Oddly enough, what you describe as not using NAT looks like NAT: one
IP for the router. You could've said that there isn't an IP on the
router's ports (which would make sense also because what is going on in
that area uses ports and isn't routing!). In fact, it looks like NAT
and PAT!

Furthermore, in the system you describe, a machine on the LAN or on
the DMZ would still need a unique IP address, distinct from
the firewall-router appliance.

If the computers (on the DMZ or LAN) had private addresses, then it
really looks like NAT now!

If a DSL user doesn't have one of these firewall-router appliances,
then in that instance, would he need 2 different public IPs, one for
his router and one for his computer?

Then their DSL service does provide a public IP. Their router gets
it.

Are you trying to be difficult or just missing the point?

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(e-mail address removed) (remove 999 for proper email address)
 
Hexalon

Check out Ghostwall. It resembles a rule-based router-firewall more
than a bloatware internet protection package. If you are savvy enough
to set it up, it works as advertised.

NAT is a cheap way to shield you from the outside world, but if you
have UPnP disabled and good security practices you shouldn't need
super fancy expensive protection. The PC-cillin you can get from work
should be adequate protection since that will protect both directions,
whereas the Windows firewall is only one way. NAT is more than a one
way filter. It allows multiple computers to appear to have one public
IP instead of multiple IPs. With the proper subnet mask you can
control access.
 
jameshanley39

Are you trying to be difficult or just missing the point?

At this point, I don't understand you since you have stopped addressing
the problems I've mentioned.

I really can only understand that which I recognise as technically
correct. *For example*

I have no idea what you mean when you say that with NAT, "their DSL
service doesn't provide a public IP". I know what that statement
would mean - technically, and I'd say it's wrong: the 'DSL service'
does provide a public IP, and that IP goes to the router.
I know you know that, and that you don't mean that.
But I still don't know what you do mean. (By me pointing that out, it
didn't mean that I was telling you some basic point. But it makes it
fairly clear why I don't know what you mean.)

Similarly with the other issue we discussed, where I wrote an
objection. You discussed a system which you said didn't use NAT. But
to me, a router with one IP forwarding to different physical ports
based on TCP port looks like NAT and PAT. Almost a textbook case of
it.

I can only read what you're writing in a technical way, without
reading things in. It's not because I'm trying to be difficult. But I
haven't physically seen the different systems that you have. My
understanding is based on a technical reading of the words you write.

If you would address the objections then I might understand you. If
you quit then I won't. At least now your posts are archived, you won't
have to repeat yourself. I don't see relating to technical queries one
knows as difficult. It's more difficult to turn this into a
discussion where you claim I'm trying to be difficult, and I respond
that I'm not. To have such a discussion would make things more
difficult.

As you can see, judging by the amount I've had to write to give you as
complete an answer as possible. But I'd rather discuss the technical
aspects, and what you mean. Not this philosophical point that I'm sure
you too feel leads nowhere. At least technical discussion would've/
would led/lead somewhere, if you had/do pursued/pursue it.

As I said. There's no harm. You don't have to worry about having to
repeat yourself, as people do so often in this newsgroup. Things are
archived.

You'll notice the technical discussion was short and sweet, only a
succinct line or paragraph. No reason to leave that for a non-
technical philosophical marathon. I hope we can now leave discussion
of the response to the philosophical question you asked, and get back
to the concise technical discussion we were having.
 
Leythos

At this point, I don't understand you since you have stopped addressing
the problems I've mentioned.

I really can only understand that which I recognise as technically
correct. *For example*

I have no idea what you mean when you say that with NAT, "their DSL
service doesn't provide a public IP". I know what that statement
would mean - technically, and I'd say it's wrong: the 'DSL service'
does provide a public IP, and that IP goes to the router.
I know you know that, and that you don't mean that.
But I still don't know what you do mean. (By me pointing that out, it
didn't mean that I was telling you some basic point. But it makes it
fairly clear why I don't know what you mean.)

Ok, depending on the level of the person I try and word my text
accordingly - so I may not have presented it the way that you needed it.

When I said "their DSL service doesn't provide a public IP", it means
that the user, directly connected to the ISP's device, does not get a
public IP at their device and that the ISP device is providing a non-
routable private IP to them. So, for their purpose, they don't have a
public IP, as the inbound is blocked like every other cheap NAT router.
Similarly with the other issue we discussed, where I wrote an
objection. You discussed a system which you said didn't use NAT. But
to me, a router with one IP forwarding to different physical ports
based on TCP port looks like NAT and PAT. Almost a textbook case of
it.

If the Firewall has the same IP on all jacks, then it's not NAT.

As an example, I can have 16 IPs on the WAN jack of my firewall; the same
16 IPs are on the DMZ and LAN jacks of the same firewall. The connection
between WAN>LAN or WAN>DMZ is routing, not NAT, and is controlled by
firewall rules.

From the LAN I can take a public IP and connect it to a NAT router and
provide my internal LAN with a private IP scheme.

In some cases (speed), a Drop-In configured device will be faster than
one that does NAT - think of a web farm behind a firewall - they don't
need private addresses for the web servers, they use public IPs on the
server NICs and let the firewall do its job without doing NAT.

There are cases where I might want to put a firewall between two
departments, on the same network, with the same subnet, but block all
nodes from the nodes in Accounting - a drop-in firewall works great
here, no NAT, same subnet, transparent except for the blocking rules.

In the case of most small businesses and home users, a Drop-In (or 1:1
NAT) is not going to work well, they don't have the additional hardware
and want to share a single IP with multiple devices, so traditional NAT
devices work great.

So, again, some DSL providers provide a device that implements NAT to
the customer, so the customer never sees a public IP for their hardware,
others provide no-nat and the customer is directly connected to the
public IP.

I can only read what you're writing in a technical way, without
reading things in. It's not because I'm trying to be difficult. But I
haven't physically seen the different systems that you have. My
understanding is based on a technical reading of the words you write.

If you would address the objections then I might understand you. If
you quit then I won't. At least now your posts are archived, you won't
have to repeat yourself. I don't see relating to technical queries one
knows as difficult. It's more difficult to turn this into a
discussion where you claim I'm trying to be difficult, and I respond
that I'm not. To have such a discussion would make things more
difficult.

I understand you now, didn't before, that's why I asked. I'm ok if you
are.
As you can see, judging by the amount I've had to write to give you as
complete an answer as possible. But I'd rather discuss the technical
aspects, and what you mean. Not this philosophical point that I'm sure
you too feel leads nowhere. At least technical discussion would've/
would led/lead somewhere, if you had/do pursued/pursue it.

As I said. There's no harm. You don't have to worry about having to
repeat yourself, as people do so often in this newsgroup. Things are
archived.

You'll notice the technical discussion was short and sweet, only a
succinct line or paragraph. No reason to leave that for a non-
technical philosophical marathon. I hope we can now leave discussion
of the response to the philosophical question you asked, and get back
to the concise technical discussion we were having.

I hope I explained it above well enough, if not, just let me know where
I missed the mark for you.


--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(e-mail address removed) (remove 999 for proper email address)
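The three modes Leythos contrasts in this post and in his earlier "x.y.c.v:80 on WAN ... x.y.c.v:443 on DMZ" post (Drop-In routing with the same public IPs on every jack, 1:1 NAT, and the usual many-to-one NAT of a cheap home router) modelled side by side. This is an added example, not code from the thread or from any vendor's appliance; all addresses are constructed from documentation ranges.

```python
"""Toy model of Drop-In (routed) firewalling, 1:1 NAT and many-to-one NAT/PAT.

Added illustration for the thread above; not a real product. Addresses are
constructed (RFC 5737 documentation ranges and RFC 1918 private space).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class DropInFirewall:
    """Drop-In mode: WAN, LAN and DMZ jacks share the public subnet, so no
    address is rewritten. A rule binds one (public IP, port) pair to exactly
    one jack, and anything without a rule is dropped (default deny)."""

    def __init__(self):
        self.rules = {}  # (dst_ip, dst_port) -> jack name

    def add_rule(self, ip, port, jack):
        # The constraint from the thread: one IP:PORT routes to one place only.
        key = (ip, port)
        if key in self.rules and self.rules[key] != jack:
            return False  # conflicting rule rejected
        self.rules[key] = jack
        return True

    def route(self, pkt):
        # Returns (jack, packet); the packet leaves unchanged, this is routing.
        jack = self.rules.get((pkt.dst_ip, pkt.dst_port))
        return (jack, pkt) if jack else (None, None)


class OneToOneNat:
    """1:1 NAT: each public IP is statically mapped to one LAN host. Only the
    destination address changes; the port is preserved."""

    def __init__(self, mapping):
        self.mapping = dict(mapping)  # public IP -> LAN IP

    def inbound(self, pkt):
        lan_ip = self.mapping.get(pkt.dst_ip)
        if lan_ip is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, pkt.dst_port)


class ManyToOneNat:
    """Many-to-one NAT (PAT): the whole LAN hides behind one public IP. Inbound
    traffic is accepted only if an earlier outbound flow created a table entry,
    which is the 'inbound is blocked' behaviour of a cheap NAT router."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.table = {}  # translated source port -> (lan_ip, lan_port)
        self.next_port = first_port

    def outbound(self, pkt):
        port = self.next_port
        self.next_port += 1
        self.table[port] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        entry = self.table.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or entry is None:
            return None  # unsolicited: dropped, the host is unreachable
        lan_ip, lan_port = entry
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
```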
 
Straight Talk

Actually, depending on the NAT device, you can block downloads of many
malware infectors via HTTP. Not much one can do about SMTP type
infectors unless they have their own mini-mail server or a standard
server as other firewall products can clean SMTP sessions.

So, again, the NAT device provides MORE/Better protection than Windows
Firewall in all cases.

You are being very persistent. Now you're bringing firewalling
technology into the game also, even though it has nothing to do with
NAT.
 
Straight Talk

And in the real world it means that it's just a bad product.
Nonsense.


And other firewalls, while still able to compromise them, have a much
better reporting/alert system than the report-nothing WF does.

So you prefer gap-stopping technology with fancy alerting systems to
technology that works by concept. I thought so.
 
Guest

Why do you keep posting multiple questions with the same subject line?
If it's the same subject, then stay within your original message.
By the way, when posting using "unknown" as a name, your message is not
readable; please use a screen name.
 
jameshanley39

Ok, depending on the level of the person I try and word my text
accordingly - so I may not have presented it the way that you needed it.

When I said "their DSL service doesn't provide a public IP", it means
that the user, directly connected to the ISP's device, does not get a
public IP at their device and that the ISP device is providing a non-
routable private IP to them. So, for their purpose, they don't have a
public IP, as the inbound is blocked like every other cheap NAT router.

ok


If the Firewall has the same IP on all jacks, then it's not NAT.

As an example, I can have 16 IPs on the WAN jack of my firewall; the same
16 IPs are on the DMZ and LAN jacks of the same firewall. The connection
between WAN>LAN or WAN>DMZ is routing, not NAT, and is controlled by
firewall rules.

From the LAN I can take a public IP and connect it to a NAT router and
provide my internal LAN with a private IP scheme.

OK, I see. It makes sense now you mention using NAT routers connected to
it. So you didn't mean no NAT in the system, just no NAT in the
firewall appliance thing.
In some cases (speed), a Drop-In configured device will be faster than
one that does NAT - think of a web farm behind a firewall - they don't
need private addresses for the web servers, they use public IPs on the
server NICs and let the firewall do its job without doing NAT.

There are cases where I might want to put a firewall between two
departments, on the same network, with the same subnet, but block all
nodes from the nodes in Accounting - a drop-in firewall works great
here, no NAT, same subnet, transparent except for the blocking rules.

Indeed. Though when I said 'no NAT' I meant examples of no NAT
anywhere.

I haven't seen a DSL user with such a device - maybe a PCI DSL modem,
maybe. I can't remember, though I suspect that they, or the one I
had, gave a private IP too actually.

Even the router/modems with one LAN port tend to do NAT! (With the
DHCP server handing out its 1 IP to the NIC/NI of the device/computer
connected.)


I thought you had seen such examples and wondered if you could link me
to them, or name them?

By the way, what is an example of make/model of such a firewall
appliance that can do so-called routing amongst its physical ports, all
of whom have the same IP?

Can that firewall appliance sort-of-routing thing be used in a system
with no NAT at all? If the physical ports have IPs then I think not,
'cos that'd be the only IP available on each physical port's subnet.

You mentioned ISPs making NAT mandatory.
But, when it comes to DSL, who doesn't?

Your firewall appliance thing is designed for a NAT situation, as you
said, NAT routers are connected to it.
In the case of most small businesses and home users, a Drop-In (or 1:1
NAT) is not going to work well, they don't have the additional hardware
and want to share a single IP with multiple devices, so traditional NAT
devices work great.


So, again, some DSL providers provide a device that implements NAT to
the customer, so the customer never sees a public IP for their hardware,

OK, you have a different way of thinking to me. I'd think of 'the
router/modem' as the user's hardware too, and they can see its public
IP by going to www.whatismyip.com!

others provide no-nat and the customer is directly connected to the
public IP.
I understand you now, didn't before, that's why I asked. I'm ok if you
are.
I hope I explained it above well enough, if not, just let me know where
I missed the mark for you.

doing fine, thanks!
 