
BLU Discuss list archive



since we were yapping about firewalls



Eric wrote, On 09/25/2004 12:45 PM:
> http://www.linuxinsider.com/story/36837.html
> He says, "Think about that; am I being naive or wouldn't just not
> starting the service have the same effect without incurring the
> overheads associated with the firewall?"
> 
> I don't know about that.  Mmmnnn, it's nice being able to use something
> and not have others access it.  I was using webmin to play with
> webalizer yesterday, and I like the fact that my firewall won't let
> people outside my lan play passphrase games on it.  Overhead?  A firewall?

I hope he was being glib, and not as stupid as he sounds.  My counters:

- He asks "Why can't we have guaranteed unspoofable source addresses on 
packets".  Several answers to this one, but the two that come to mind first are:
(1) Most computers on the internet don't have real unique internet-routable 
email addresses; they're behind some other computer doing network address 
translation.  Many of those that do have real addresses only hold on to them 
for a little while using DHCP.
(2) You could not really guarantee unspoofable source addresses unless EVERY 
SINGLE DEVICE ANYWHERE IN THE WORLD capable of routing packets to the internet 
had code built into it to enforce it.  Unless you were satisfied with 
narrowing it down to the ISP, in which case you still have several million 
users to finger in some cases.  This buys you nothing.

- He says "The number of major carriers and ISPs involved is relatively 
small".  A quick SWAG based on looking at some ISP rating websites indicates 
somewhere around 5000 that are big enough to advertise on such a thing. 
Adding MomAndPop ISPs might bring that to 6000.  Add web host, colo, 
business, and hotspot, and you probably have around 7000.  Wait, that's just in 
the US!  Now you need to add all the other countries.  Fugetaboutit!

- He says "Why don't firewalls stop email worms?" Duh.  The Firewalls most 
people and companies use are designed to make sure you only get connections to 
services from valid places, and under the right conditions.  They don't scan 
your emails.  They don't, in general, filter content.  The reason worms spread 
so fast and pervasively is because Microsoft has deemed that users are best 
served by having all incoming content (from email or web pages, for example) 
deployed automatically, or at most with a single click, and that the last few 
letters following the last few dots, indicating the type of file, would 
confuse the user, so they're better off not seeing them.  Yes, these options 
can be changed to some extent, but most of the MSFT users out there don't know 
how, or why.

- Enabling or disabling a service is NOT the same thing as opening or closing 
the port on a firewall.  The firewall can do more, like ensure that incoming 
packets are only allowed in response to a connection sent out (SYN/ACK 
checking), disallowing new incoming connections to the higher (>1024) ports, 
disallowing connections from known evil parties, etc.

-- 
DDDD   David Kramer         david at thekramers.net       http://thekramers.net
DK KD
DKK D  As far as the laws of mathematics refer to reality, they are
DK KD  not certain; and as far as they are certain, they do not refer
DDDD   to reality                                           -Albert Einstein
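The last point in David's reply (a firewall checks connection state, refuses new inbound connections to high ports, and drops traffic from known-bad hosts, none of which "not starting the service" gives you) can be made concrete with a toy model. The following is an added example written for this archive page, not code from the original thread; it is a simplified stateful packet filter in Python, and every address, port, and the LAN prefix in it is constructed sample data. It also covers Eric's webmin case by letting only LAN sources open new connections to a high port.

```python
"""Toy stateful packet filter (added example, not from the original post).

Models the three checks listed in the thread: inbound packets accepted only
as replies to connections we opened (connection tracking), no new inbound
connections to high ports (>1024) from outside the LAN, and a blocklist of
known-bad sources.  Addresses, ports and the LAN prefix are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # SYN set and ACK clear marks a new connection attempt
    ack: bool = False


class StatefulFilter:
    def __init__(self, local_ip, allowed_services, blocklist, trusted_prefix):
        self.local_ip = local_ip
        self.allowed_services = set(allowed_services)  # ports we deliberately expose
        self.blocklist = set(blocklist)                # "known evil parties"
        self.trusted_prefix = trusted_prefix           # toy LAN test (constructed)
        self.conntrack = set()                         # outbound connections we started

    def outbound(self, pkt):
        """Record the 4-tuple of a connection we open so its replies match later."""
        if pkt.src != self.local_ip:
            return "DROP"
        self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "ACCEPT"

    def inbound(self, pkt):
        if pkt.src in self.blocklist or pkt.dst != self.local_ip:
            return "DROP"
        new_connection = pkt.syn and not pkt.ack
        # Reply to a connection we started: the reversed 4-tuple is in the table.
        if not new_connection and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return "ACCEPT"
        if new_connection:
            if pkt.src.startswith(self.trusted_prefix):
                return "ACCEPT"                  # LAN may reach anything, e.g. webmin
            if pkt.dport > 1024:
                return "DROP"                    # no new inbound connections to high ports
            return "ACCEPT" if pkt.dport in self.allowed_services else "DROP"
        return "DROP"   # stray packet matching no state (an unsolicited ACK, for instance)


def run_scenario():
    """Walk a set of constructed packets through the filter; returns the decisions."""
    fw = StatefulFilter("203.0.113.5", allowed_services={22, 80},
                        blocklist={"198.51.100.9"}, trusted_prefix="192.168.1.")
    me, web, stranger, lan, evil = ("203.0.113.5", "93.184.216.34",
                                    "192.0.2.7", "192.168.1.20", "198.51.100.9")
    out = {}
    out["open_http"] = fw.outbound(Packet(me, 40000, web, 80, syn=True))
    out["http_reply"] = fw.inbound(Packet(web, 80, me, 40000, syn=True, ack=True))
    out["unsolicited_ack"] = fw.inbound(Packet(stranger, 80, me, 40000, ack=True))
    out["new_to_80"] = fw.inbound(Packet(stranger, 5555, me, 80, syn=True))
    out["new_to_25"] = fw.inbound(Packet(stranger, 5556, me, 25, syn=True))
    out["webmin_from_wan"] = fw.inbound(Packet(stranger, 5557, me, 10000, syn=True))
    out["webmin_from_lan"] = fw.inbound(Packet(lan, 5558, me, 10000, syn=True))
    out["ssh_from_blocklisted"] = fw.inbound(Packet(evil, 5559, me, 22, syn=True))
    return out


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:22} {verdict}")
```

The point the model makes is that "new_to_25" is dropped whether or not an SMTP daemon is running, "webmin_from_wan" is dropped purely because of the port and source, and the stranger's "unsolicited_ack" never reaches a socket at all; turning a service off does none of that. A real firewall (iptables in 2004, nftables today) keeps the same kind of connection table but also handles UDP, timeouts, and the other TCP flag combinations this toy ignores.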
