since we were yapping about firewalls
David Kramer
david at thekramers.net
Sat Sep 25 20:05:01 EDT 2004
Eric wrote, On 09/25/2004 12:45 PM:
> http://www.linuxinsider.com/story/36837.html
> He says, "Think about that; am I being naive or wouldn't just not
> starting the service have the same effect without incurring the
> overheads associated with the firewall?"
>
> I don't know about that. Mmmnnn, it's nice being able to use something
> and not have others access it. I was using webmin to play with
> webalizer yesterday, and I like the fact that my firewall won't let
> people outside my lan play passphrase games on it. Overhead? A firewall?
I hope he was being glib, and not as stupid as he sounds. My counters:
- He asks "Why can't we have guaranteed unspoofable source addresses on
packets". Several answers to this one, but the two that come to mind first are:
(1) Most computers on the internet don't have real unique internet-routable
email addresses; they're behind some other computer doing network address
translation. Many of those that do have real addresses only hold on to them
for a little while using DHCP.
(2) You could not really guarantee unspoofable source addresses unless EVERY
SINGLE DEVICE ANYWHERE IN THE WORLD capable of routing packets to the internet
had code built into it to enforce it. Unless you were satisfied with
narrowing it down to the ISP, in which case you still have several million
users to finger in some cases. This buys you nothing.
- He says "The number of major carriers and ISPs involved is relatively
small". A quick SWAG based on looking at some ISP rating websites indicates
somewhere around 5000 that are big enough to advertise on such a thing.
Adding MomAndPop ISPs might bring that to 6000. Adding web host, colo,
business, and hotspot, and you probably have around 7000. Wait, that's just in
the US! Now you need to add all the other countries. Fugetaboutit!
- He says "Why don't firewalls stop email worms?" Duh. The firewalls most
people and companies use are designed to make sure you only get connections to
services from valid places, and under the right conditions. They don't scan
your emails. They don't, in general, filter content. The reason worms spread
so fast and pervasively is because Microsoft has deemed that users are best
served by having all incoming content (from email or web pages, for example)
deployed automatically, or at most with a single click, and that the last few
letters following the last few dots, indicating the type of file, would
confuse the user, so they're better off not seeing them. Yes, these options
can be changed to some extent, but most of the MSFT users out there don't know
how, or why.
- Enabling or disabling a service is NOT the same thing as opening or closing
the port on a firewall. The firewall can do more, like ensure that incoming
packets are only allowed in response to a connection sent out (SYN/ACK
checking), disallowing new incoming connections to the higher (>1024) ports,
disallowing connections from known evil parties, etc.
--
DDDD David Kramer david at thekramers.net http://thekramers.net
DK KD
DKK D As far as the laws of mathematics refer to reality, they are
DK KD not certain; and as far as they are certain, they do not refer
DDDD to reality -Albert Einstein
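A runnable model of that last point (stateful reply matching, a per-service allow list, the high-port and deny-list rules, and the contrast with simply having a service listening), added here as an example; it is not code from the post, from the article, or from any firewall product. The LAN, the deny-listed block, the exposed services and every address and port are constructed for the example, and the rule names it returns are its own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed policy for the example; every address and port here is constructed.
LAN = ip_network("192.168.1.0/24")            # the home LAN
DENY_LIST = [ip_network("203.0.113.0/24")]    # "known evil parties" (TEST-NET-3)
# service port -> networks allowed to open NEW connections to it
EXPOSED_SERVICES = {
    22: [ip_network("0.0.0.0/0")],            # ssh reachable from anywhere
    10000: [LAN],                             # webmin reachable only from the LAN
}
PRIVILEGED_MAX = 1024                         # new inbound above this port is refused


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class StatefulFirewall:
    """Host firewall model: a connection table lets replies to connections we
    opened back in; everything else is judged by the rules from the post."""

    def __init__(self):
        self.conntrack = set()  # (local ip, local port, remote ip, remote port)

    def outbound(self, pkt):
        """Packet leaving the host: remember the connection, always allowed."""
        self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return ("ACCEPT", "outbound")

    def inbound(self, pkt):
        """Packet arriving at the host. Returns (verdict, rule that decided)."""
        src = ip_address(pkt.src)
        if any(src in net for net in DENY_LIST):
            return ("DROP", "deny-list")
        # reply to a connection we initiated (the SYN/ACK checking in the post)
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return ("ACCEPT", "established")
        # anything else must be a fresh connection attempt: SYN without ACK
        if not pkt.syn or pkt.ack:
            return ("DROP", "not-a-new-connection")
        allowed_from = EXPOSED_SERVICES.get(pkt.dport)
        if allowed_from and any(src in net for net in allowed_from):
            return ("ACCEPT", "service:%d" % pkt.dport)
        if pkt.dport > PRIVILEGED_MAX:
            return ("DROP", "high-port")
        return ("DROP", "default-policy")


def unfiltered_host(listening_ports, pkt):
    """Same host with no firewall: a bound port answers whoever asks."""
    if pkt.syn and not pkt.ack and pkt.dport in listening_ports:
        return ("ACCEPT", "service-listening")
    return ("DROP", "nothing-listening")


def demo():
    """Run the scenarios from the thread and return the verdict per scenario."""
    fw = StatefulFirewall()
    host, lan_pc = "192.168.1.10", "192.168.1.20"
    outsider, web, evil = "198.51.100.7", "198.51.100.80", "203.0.113.9"
    # the host has webmin (10000) and sshd (22) running
    r = {}
    r["webmin_no_firewall"] = unfiltered_host({22, 10000}, Packet(outsider, 40000, host, 10000, syn=True))
    r["webmin_from_lan"] = fw.inbound(Packet(lan_pc, 40001, host, 10000, syn=True))
    r["webmin_from_internet"] = fw.inbound(Packet(outsider, 40002, host, 10000, syn=True))
    r["ssh_from_internet"] = fw.inbound(Packet(outsider, 40003, host, 22, syn=True))
    r["http_from_internet"] = fw.inbound(Packet(outsider, 40004, host, 80, syn=True))
    r["ssh_from_deny_list"] = fw.inbound(Packet(evil, 40005, host, 22, syn=True))
    # the host browses to a web server; the SYN/ACK reply is let back in
    fw.outbound(Packet(host, 51234, web, 80, syn=True))
    r["reply_to_our_connection"] = fw.inbound(Packet(web, 80, host, 51234, syn=True, ack=True))
    # the same SYN/ACK shape from someone we never talked to is dropped
    r["forged_reply"] = fw.inbound(Packet(outsider, 80, host, 51234, syn=True, ack=True))
    return r


if __name__ == "__main__":
    for name, (verdict, rule) in demo().items():
        print("%-24s %-6s (%s)" % (name, verdict, rule))
```

The webmin case is Eric's: with no firewall the listening service answers the outsider, with the firewall only the LAN reaches it, and the outsider's attempt is refused by the high-port rule before the default policy is even consulted. The model's three accepting rules correspond to an iptables INPUT chain of `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, one `-p tcp --dport PORT -s NETWORK -j ACCEPT` per exposed service, and a DROP policy; the deny list goes first as `-s 203.0.113.0/24 -j DROP`.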