Why aren't there ANY firewalls?

Forgive my naivete (and perhaps excessive subject) but it seems to me that internet communication all comes into a PC through a single port at a time and therefore through a "bottleneck".

Is there some reason we can't just have a blacklist and a whitelist with tick boxes against plain text strings to block or allow specific things passing through that route?

Perhaps you'd need one for text itself eg [formatting link] or 123.123.123.123 and another set for commands (ie block ICMP or block ARP / HTTP) along with logical AND and OR linking if required (eg [formatting link] AND HTTP or whatever). The use of wildcards should be possible too.

That seems to me to be eminently controllable and understandable. If anything that isn't listed comes in/out it should ask what to do and add to the list of tick boxes as appropriate.

I've just been looking at Norton/Symantec and it just looks like a total mess to me. They couldn't have made it any more complicated and less controllable if they tried. (Or perhaps they did and that's the idea, to keep people paying out. A real firewall surely should last decades.)

Norton is all very pretty and technical looking but I've spent all day on Norton and I haven't got a clue what might still get through and what can't.

As far as I can see there is no way for a reasonably literate but novice "net user" to gain any form of firewall. They all come configured with so many holes they seem effectively pointless.

Try to block google or microsoft and you may as well just chuck the PC in the bin. And that I suspect is very telling about the overall state of security.

Perhaps there is something like that that works on Vista but I haven't found it.

At the risk of sounding even more like a newbie ... sigh.

Reply to
spamdrew

Most of the problem is that you're looking for a very simple solution to realities that are pretty complex.

What's your goal? Block "bad sites"? Be safe at the local coffee shop on their open wireless network?

Reply to
Regis

A single port - but there are 65500 of them for TCP, 65500 more for UDP, and many more than one may be open or having a conversation at a time.

How big is the display you're looking at? Can you even find a single tick box in a sea of several thousand? Or are you expecting to see filters based on RFC3514?

3514 The Security Flag in the IPv4 Header. S. Bellovin. April 1 2003. (Format: TXT=11211 bytes) (Status: INFORMATIONAL)

Perhaps it would also help if you read RFC1925

1925 The Twelve Networking Truths. R. Callon. April 1 1996. (Format: TXT=4294 bytes) (Status: INFORMATIONAL)

especially points 6 through 11.

Blocking ARP only works on the local wire. As of about a week ago, there were 3160102088 (3160 million) IPv4 addresses allocated or assigned around the world, in 105007 networks. Are you going to block each one individually? What about IPv6? That's a lot of check boxes.

No, that's the problem of the user who doesn't want to read any instructions - they just want to click some icon and have everything fix itself. The world doesn't work that way. Looking at the headers in your news article, it shows:

X-Trace: newsfe19.ams2 1287669064 213.48.36.3 (Thu, 21 Oct 2010 13:51:04 UTC) X-Newsreader: Forte Agent 1.93/32.576 English (American)

So it's virginmedia.com/Telewest in the UK, and yet your news reader is configured for American English. That's just one example of people expecting things to work without them checking or understanding anything.

Old guy

Reply to
Moe Trin

No - a single input port. One chip. Ports are created by software later.

Several thousand? Hardly. If that were the case all so-called firewalls would have that issue.

Not interested. Asking here.

Rubbish. And really not the issue. Respond to the issue. Nonsense counts again.

The headers in my article are rewritten by an anonymous re-poster. I have to read a message back to even know what they are myself. Personal attacks are idiotic and unhelpful to say the least.

Yes - I just want to click an icon but only if I have to. Exactly right. There is no reason why not. None whatsoever.

And your obvious lack of understanding of what you are talking about, hidden in a bunch of nonsense you've half read on some wiki somewhere, doesn't help anyone.

Mouthing off about things you obviously don't and can't possibly understand is pretty stupid.

If you can't relate to the questions asked keep it shut and stop wasting people's time.

Reply to
spamdrew

Actually I don't believe it to be as complex as it's made out to be. I think there is a LOT of money in making it SEEM complex though.

Start with this:

The goal is to not let the computer send anything out I haven't specifically requested to send and to only send to the destination I specifically told it to connect to. And to receive only from those locations specifically requested.

Anything not specifically enabled should not happen. That's a firewall.

Reply to
spamdrew
snipped-for-privacy@nandrew.cum :

Stopped reading here. You're not just clueless -- which would be fine -- but also a d*****ad. Get lost.

Reply to
Felix Palmen

Buy a hardware FIREWALL (the real deal) to monitor that chokepoint. Note that it even protects during your PC power up stage. BUT cheap firewalls do not protect against viruses you download, so you need a resident scanner too........

Reply to
RickMerrill

It's actually complex. But don't take my word for it just yet...

Your life will get quick is the problem.

Please provide an example of something specifically you'd like to allow. I posit that very quickly, the complexity of modern websites and the interconnectedness of them, from relying on third-party APIs for a site to even function, will make things complex quickly.

Please name an internet based site, or service you'd put on your whitelist, and we can illuminate from there.

Reply to
Regis

Actually, you're wrong.

If you had even some basic understanding of modern computer systems or networking communication, you'd KNOW that those matters really ARE rather complex. There's no need to make them seem that way. As a matter of fact, most operating systems try to make them seem LESS complex than they actually are.

And now try to enforce this on an operating system that has a boatload of automation mechanisms. For instance: how would your supposed firewall know that your web browser's communication was initiated by the user and not some other application?

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

You don't have the slightest idea of how TCP/IP works. Fix that. Otherwise all your speculation about firewalls and network traffic are moot.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Training issue. Many Internet users know it's not wise to click on any/every icon they happen to see - especially one like

    ------------------------------
    | Click Here                 |
    | to get your system screwed |
    ------------------------------

Or have you set your browser to auto-load every URL it finds because clicking on them manually is too hard? That's probably not a good way to go. Or is that the way your browser was set up by default because the installer knew you wouldn't know how to get on the web otherwise, and wouldn't want to expend any effort to learn how/why? Hmmm, did someone sell you a firewall for your telephone so that you don't get screwed over the phone?

"I don't want to work - do everything for me" No.

Old guy

Reply to
Moe Trin

Honestly, software firewalls do a surprisingly good job of simplifying what actually goes on over the wire.

There's a number of software firewalls that can run in default-block-all basis, but it's an obnoxious way to operate.

To start with, typical websites involve loading content from multiple (sometimes dozens) of hostnames, usually with 2-4 connections per hostname (not all of which will necessarily hit the same IP either). Not all of these requests will be useful, but will seeing a list of IPs and ports tell you anything useful? Do you really want to click "Allow" 20+ times just to bring up cnn.com?

And this assumes you've managed to write rules to allow a DHCP request, offer and accept to go through to get you an IP at all, rules to allow ARP so that you can find your default gateway and your default gateway can find you, allowed queries to your local DNS server, etc.

It's generally far simpler to only install software that does what you want, rather than guessing at the firewall level.

Reply to
DevilsPGD
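To make the point in the last reply concrete, here is a toy default-deny rule matcher of the kind the original poster describes (wildcard host, protocol, port, fields ANDed within a rule), run over a constructed traffic sample. This is an added example, not code from the thread; the hostnames and addresses are made up, and the "prompt" outcome stands in for the firewall asking the user what to do.

```python
"""Toy default-deny host firewall with wildcard allow/deny rules (added example).
Unmatched traffic is a 'prompt', i.e. the firewall would have to ask the user."""
from fnmatch import fnmatch
from collections import Counter

# A flow is (protocol, remote host or IP, remote port). Port may be "*" for ARP.
# A rule is (action, proto_pattern, host_pattern, port or "*"); fields AND together.

def match(rule, flow):
    """True when every field of the rule matches the flow (wildcards via fnmatch)."""
    _action, proto, host, port = rule
    return (fnmatch(flow[0], proto) and fnmatch(flow[1], host)
            and (port == "*" or port == flow[2]))

def decide(rules, flow):
    """First matching rule wins; no match means a default-deny firewall prompts."""
    for rule in rules:
        if match(rule, flow):
            return rule[0]
    return "prompt"

def simulate(rules, flows):
    """Count allow/deny/prompt outcomes over a traffic sample."""
    return Counter(decide(rules, f) for f in flows)

# Constructed sample: what a laptop does from power-on to one news page load.
# DHCP broadcast, ARP for the gateway, then DNS to the gateway's resolver.
BOOTSTRAP = [("udp", "255.255.255.255", 67), ("arp", "192.168.1.1", "*"),
             ("udp", "192.168.1.1", 53)]
# One page pulling content from several hostnames, as the reply above describes.
PAGE_LOAD = [("tcp", h, 443) for h in
             ["www.example-news.test", "static.example-news.test",
              "cdn1.example-cdn.test", "cdn2.example-cdn.test",
              "ads.example-ads.test", "metrics.example-ads.test"]]

# The allowlist a user would naturally write: just "the site I asked for".
USER_RULES = [("allow", "tcp", "*.example-news.test", 443)]
# The plumbing rules the reply says must exist before any site loads at all.
PLUMBING = [("allow", "udp", "255.255.255.255", 67),
            ("allow", "arp", "192.168.1.1", "*"),
            ("allow", "udp", "192.168.1.1", 53)]

if __name__ == "__main__":
    print("site rule only :", simulate(USER_RULES, BOOTSTRAP + PAGE_LOAD))
    print("with plumbing  :", simulate(PLUMBING + USER_RULES, BOOTSTRAP + PAGE_LOAD))
```

With only the site rule, even the DHCP/ARP/DNS bootstrap prompts, and four of the six page-load hosts prompt as well; adding the plumbing rules still leaves every third-party CDN and tracker host as a prompt.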
