firewall on a budget?

That's still a task for a virus scanner, not for a firewall. Besides, I was specifically referring to the previous poster's claim that regular scanning would prevent infections. Which is still plain wrong.

[...]

^^^^^^^^

Look up the term "reliable" in a dictionary of your choice. Then look up "firewall leak".

Once a trojan starts an outbound connection your machine is already infected and you're toast anyway. Meaning that trying to prevent malware from communicating outbound once it's already running, rather than preventing it from being installed (or at least from being executed), is worth "shit" (to put it with your words).

Unlike yourself I have a pretty good idea of what they can do, what they cannot do, and why I won't use any of them.

Whatever you believe to be a "true firewall".

Only if a) the malware hadn't been tampering with the firewall in the first place, and b) the firewall actually detects (and prevents) the attack.

Nope. That's a sure-fire path to have the user disable the software that's supposed to protect him.

M-hm. And a "true" firewall would have helped there how?

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Yes.

There are ways around that.

Probably true, but that calls for education, not damage control.

Reply to
Straight Talk

Actually, the Windows firewall is a bad concept from the start - people think they are protected, but many machines have file/printer sharing enabled and an exception for it, and many people run as local admin, so it's easy to subvert the firewall with simple malware; even non-malware apps subvert it without warning.

The general rule is that your computer does not need a direct wired connection to the internet at all.

And the router's logs will provide a more accurate indication, as they can't really be screwed with like software on your PC can.

Reply to
Leythos

Not in every case, at least not with users that are willing to wrangle around it on a daily basis - you know human nature, it's what gets people compromised in the first place.

But, until they get educated - and we've had security threats for more than a decade and fewer and fewer people are educated - we need a measure that will protect the ignorant masses from harming the rest of us. ISP-mandated NAT implemented at the user's gateway device would be a first real help.

Reply to
Leythos

Can you link me to some devices for DSL internet that -don't- use NAT?

I looked once on ebay.co.uk but didn't find any. There was a 1-port Westell router/modem which I was told didn't use NAT, but it turned out that it did.

I reckon, maybe, maybe, a PCI DSL modem doesn't use NAT. And maybe an ISP's cable modem, e.g. an NTL cable modem when not used with a NAT router. But I'm interested in any others: DSL devices that don't use NAT.

A DSL device that doesn't use NAT is so hard to find, I don't know anybody in the UK that has one.

I'm asking this as a theoretical question, in the sense that I'm not considering recommending them over NAT, so you needn't fear that!

Reply to
jameshanley39

You don't want to look at cheap devices then, you want to use a Firewall Appliance in "Drop-In" mode - it still filters traffic based on rules, but it allows all ports (jacks) to have the same public IP.

There is also 1:1 NAT, so that a single PUBLIC IP is routed to a single LAN IP.

Why would you not want NAT?

Reply to
Leythos

Hi,

All Ciscos, for example? They can use NAT, though.

Cheers, Jens

Reply to
Jens Hoffmann

What does some users' willingness to wrangle around have to do with the fact that there are workarounds to the issue raised?

I fail to see how NAT would protect the rest of us?

Reply to
Straight Talk

I would use NAT. But I'm wondering, theoretically, since you say it's a shame some end users don't use NAT, and ISPs should make it mandatory.

What end users on DSL don't use NAT? What devices are they buying? Can you link me to any? Presumably you've seen some.

Reply to
jameshanley39

What work around issues?

By keeping the ignorant masses' machines from being compromised immediately, before they even start using them. It also means that we don't have the issues of them being FTP, SMTP, etc. relays. Come on, think - if the computer can't be reached then it's going to be harder for the hackers to abuse it. Yes, I know about phone-home malware, but we're talking about all the idiots that leave their computer, without a password, connected to a public IP with file/printer sharing enabled.

Reply to
Leythos

Every DSL device I've seen can be set up for NAT or Routed mode - it's in the DSL Maintenance screen on their devices. I know a bunch of people, like SBS/Yahoo DSL customers, that get a public IP from their DSL service.

Reply to
Leythos

Comodo firewall is free. Avast is free. Spybot-Search & Destroy is free.

I use these and all is well. I do not have a hardware based firewall for the moment and I seem to be OK.

However, the two people who use our PC don't run as admin.

(I have a PIX but cannot connect it for the moment because the ISP uses PPPoA and only provide clients with a USB modem. Grr - I digress.)

Simon.

Reply to
zii kell

Why can't you buy your own modem that's approved to run on the ISP's network?

Reply to
Mr. Arnold

If it's set for Routed mode (by this you mean no NAT), do you then need a public IP for your router, and a (different) public IP for the computer connected to it?

Do you have in mind such end users - that have 2 public IPs?

BTW, you mention you know people that "get public IP from their DSL service". Who has an ISP and doesn't get that?

Reply to
jameshanley39

Kerio 2.15 free and works great.

Reply to
Ari

Many users want firewall functions that don't have to include NAT as one of them - they might have public facing servers and just want to protect them.

The ports (WAN, LAN, DMZ) on the firewall all have the same IP provided by the ISP's device; you route traffic between them using rules.

So x.y.c.v:80 on WAN can be routed to x.y.c.v:80 on LAN while x.y.c.v:443 can be routed to x.y.c.v:443 on DMZ.

You can do this with as many IPs as you want - the condition being that one combination of IP:PORT can only be routed to one destination.

Many people don't get it, many DSL providers have their routers set to NAT by default.

Reply to
Leythos
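The two mechanisms argued over in this thread - NAT dropping unsolicited inbound traffic while doing nothing about phone-home connections (the "if the computer can't be reached" post), and a firewall's static IP:PORT rules where one combination may only be routed to one destination (the drop-in / 1:1 NAT post above) - are easy to show in a toy model. The following is an added example, not code from any poster or product in the thread; the addresses are constructed from documentation ranges, and the gateway is modelled as an address-restricted NAT (a reply is only accepted from the peer the LAN host actually contacted), which is an assumption, since real devices vary in how strict they are.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed addresses (RFC 5737 documentation / RFC 1918 private ranges).
PUBLIC_IP = "203.0.113.10"      # the gateway's (or routed host's) public IP
LAN_HOST = "192.168.1.10"       # a Windows box behind the gateway
LAN_WEB = "192.168.1.20"        # a LAN web server we want reachable on :80
WEB_SERVER = "198.51.100.20"    # an outside site the LAN host talks to
ATTACKER = "198.51.100.99"      # someone scanning for open file sharing


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatGateway:
    """Port-overloading NAT with optional static forwards (port forward / 1:1 NAT)."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        # dynamic state: (public_port, proto) -> (lan_ip, lan_port, peer_ip, peer_port)
        self.sessions: Dict[Tuple[int, str], Tuple[str, int, str, int]] = {}
        # static rules: (public_ip, port, proto) -> (dest_ip, dest_port)
        self.forwards: Dict[Tuple[str, int, str], Tuple[str, int]] = {}
        self._next_port = 40000

    def add_forward(self, port: int, dest_ip: str,
                    dest_port: Optional[int] = None, proto: str = "tcp") -> None:
        """Static rule. Enforces the thread's condition: one IP:PORT -> one destination."""
        key = (self.public_ip, port, proto)
        if key in self.forwards:
            raise ValueError(f"{self.public_ip}:{port}/{proto} is already routed "
                             f"to {self.forwards[key]}")
        self.forwards[key] = (dest_ip, port if dest_port is None else dest_port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN host initiates a connection: NAT allocates a public port and records it.
        Nothing here stops malware phoning home; it looks like any other client."""
        public_port = self._next_port
        self._next_port += 1
        self.sessions[(public_port, pkt.proto)] = (pkt.src_ip, pkt.src_port,
                                                   pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Returns the translated packet delivered to the LAN, or None if dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        rule = self.forwards.get((pkt.dst_ip, pkt.dst_port, pkt.proto))
        if rule is not None:
            dest_ip, dest_port = rule
            return Packet(pkt.src_ip, pkt.src_port, dest_ip, dest_port, pkt.proto)
        sess = self.sessions.get((pkt.dst_port, pkt.proto))
        if sess is not None:
            lan_ip, lan_port, peer_ip, peer_port = sess
            # address-restricted behaviour (assumption): only the contacted peer may reply
            if (pkt.src_ip, pkt.src_port) == (peer_ip, peer_port):
                return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)
        # no session, no rule: unsolicited traffic never reaches a LAN host
        return None


class RoutedHost:
    """A host sitting directly on a public IP with no filtering (the thread's Routed mode)."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        return pkt if pkt.dst_ip == self.public_ip else None


def demo() -> Dict[str, bool]:
    nat = NatGateway(PUBLIC_IP)
    results: Dict[str, bool] = {}

    # 1. A scan for SMB (port 445) against the public IP.
    smb_probe = Packet(ATTACKER, 51000, PUBLIC_IP, 445)
    results["nat_drops_smb_probe"] = nat.inbound(smb_probe) is None
    results["routed_host_receives_probe"] = RoutedHost(PUBLIC_IP).inbound(smb_probe) is not None

    # 2. The LAN host (or malware on it) connects out; the reply is translated back.
    out = nat.outbound(Packet(LAN_HOST, 1234, WEB_SERVER, 80))
    results["phone_home_leaves"] = out.src_ip == PUBLIC_IP
    reply = nat.inbound(Packet(WEB_SERVER, 80, PUBLIC_IP, out.src_port))
    results["reply_reaches_lan_host"] = reply is not None and reply.dst_ip == LAN_HOST
    # A third party hitting the mapped port is still dropped.
    results["stranger_on_mapped_port_dropped"] = (
        nat.inbound(Packet(ATTACKER, 80, PUBLIC_IP, out.src_port)) is None)

    # 3. Static forward: x.y.c.v:80 -> LAN_WEB:80; a second rule for the same IP:PORT is refused.
    nat.add_forward(80, LAN_WEB)
    try:
        nat.add_forward(80, "192.168.1.30")
        results["duplicate_forward_rejected"] = False
    except ValueError:
        results["duplicate_forward_rejected"] = True
    fwd = nat.inbound(Packet(ATTACKER, 51001, PUBLIC_IP, 80))
    results["forwarded_port_reachable"] = fwd is not None and fwd.dst_ip == LAN_WEB
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The model makes the disagreement concrete: the SMB probe is dropped by the NAT gateway purely because no session or rule exists, while the same probe lands on a routed host; the outbound connection, whether a browser or a trojan, goes through unchanged, which is the "phone home" case both sides concede. The duplicate-forward check is the IP:PORT uniqueness condition from the drop-in post.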

Not work around issues. Workarounds to the issue.

Post SP2 this is becoming much less of a problem. The biggest problem still is malware spread through websites, e-mail and file sharing. Your suggestion won't seriously protect us from the "ignorant masses".

Reply to
Straight Talk

The fact that the "ignorant masses" aren't immediately able to cope with a concept doesn't mean the concept itself is bad. The WF is a very good concept. It's the way it's used that causes the problem.

The other firewalls mentioned earlier continue to promote and support the idea of running as admin. And *that* is a bad concept.

Reply to
Straight Talk

Actually, depending on the NAT device, you can block downloads of many malware infectors via HTTP. Not much one can do about SMTP type infectors unless they have their own mini-mail server or a standard server as other firewall products can clean SMTP sessions.

So, again, the NAT device provides MORE/Better protection than Windows Firewall in all cases.

Reply to
Leythos

And in the real world it means that it's just a bad product.

And other firewalls, while they can still be compromised, have a much better reporting/alert system than the report-nothing WF does.

Reply to
Leythos
