56k dial up on laptop 802.11G ?

So? A machine with no OS won't come up as *any* kind of a router. What's your point?

I don't think we are.

Well, we've given the OP a lot of ideas, but there has been no further response. That is not uncommon.

However, the point of this type of thread is *not* just to query the OP and get specifics. It is more beneficial as an archived discussion that the next 100 people with the same question will read and get an answer from without ever having to post a word.

Reply to
Floyd L. Davidson

snipped-for-privacy@apaflo.com (Floyd L. Davidson) wrote in news: snipped-for-privacy@barrow.com:

No Linksys router has a FW. The NAT router has SPI maybe and some other FW like features. And it can be used as part of a total FW solution as a border device. But it's not an appliance that is running FW software, even if it is running SPI.

Duane :)

Reply to
Duane Arnold

Implied ;)

Reply to
David Taylor

You're right but so far, I've never been able to take a machine out of the bin with no OS (or wrong OS) on it and just plug it in and have it come up as a configured Linux router. :)

I think we're getting way off the point here, it would have been worthwhile asking the question first to see if the chap had other machines and skill set/interest level to do what is required or just point him to a little box to plug in, just like that amazing linux powered WRT54G.

David.

Reply to
David Taylor

Just to play devil's advocate here, depends if that little Linksys router is running other software, after all it's just a linux box ;)

David.

Reply to
David Taylor

David Taylor wrote in news: snipped-for-privacy@news.cable.ntlworld.com:

If the little Linksys router can meet the specs below, then it's an appliance running FW software. If it cannot meet the specs, then it's not an appliance running FW software. And that's no matter what other firmware is replacing the original firmware.

A firewall examines all traffic routed between the two networks to see if it meets certain criteria. If it does, it is routed between the networks, otherwise it is stopped. A firewall filters both inbound and outbound traffic. It can also manage public access to private networked resources such as host applications. It can be used to log all attempts to enter the private network and trigger alarms when hostile or unauthorized entry is attempted. Firewalls can filter packets based on their source and destination addresses and port numbers. This is known as address filtering. Firewalls can also filter specific types of network traffic. This is also known as protocol filtering because the decision to forward or reject traffic is dependent upon the protocol used, for example HTTP, ftp or telnet. Firewalls can also filter traffic by packet attribute or state.

The above is what I consider FW software whether it's running on an appliance as a hardware solution or as a software solution running on a gateway computer.

Let's knock the NAT out of the box. My low-end Watchguard FW appliance has NAT too.

Impostors

When discussing firewalls, packet screening methods, and how firewalls function, there are a few misconceptions that need to be addressed.

Network Address Translation (NAT) One technology that is commonly thought to act as a firewall solution is Network Address Translation (NAT). NAT translates "internal" IP addresses on one network to "external" IP addresses on another network. There are three methods NAT uses to accomplish address translation.

Static NAT - maps a specific single address to another specific single address.

Example:

10.0.0.1 -mapped to- 168.13.1.1

Pooled NAT- dynamically maps all specific single addresses to a pool or range of external addresses.

Example:

10.0.0.1-10.0.0.254 -mapped to- 168.13.1.1-168.13.1.254

Port Level NAT- dynamically maps all specific single internal addresses to a specific single external address. The internal address is mapped or identified by the specific external address in combination with a unique port number.

Example:

10.0.0.1 -mapped to- 168.13.1.1:1084
10.0.0.2 -mapped to- 168.13.1.1:1085
10.0.0.3 -mapped to- 168.13.1.1:1086

By comparing the way NAT functions between two networks, and the way packet screening methods function between two networks, you can see that NAT does not adhere to the firewall definition. NAT does not control access between the networks. Some may argue that NAT does control access because you cannot "see" the internal network. NAT does this not by using rules or filters, however, but through concealment. It hides the network from outside users.

Duane :)

Reply to
Duane Arnold
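The three NAT styles listed in the post (static, pooled, port-level) are easiest to see as translation tables. The following Python is an added illustration, not code from the thread or from any Linksys or WatchGuard product; it reuses the post's 10.0.0.x and 168.13.1.x example addresses, and the packets it handles are constructed. The `inbound` path of the port-level table shows the point the post makes: a packet from outside only gets through if some inside host already created an entry, and nothing in the table checks who the sender is.

```python
"""Toy NAT translation tables, added to illustrate the three NAT styles the
post lists (static, pooled, port-level). Not code from the thread or from any
router product. The 10.0.0.x and 168.13.1.x addresses are the post's own
examples; 203.0.113.x is a constructed stand-in for "some Internet host"."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def ip_range(low: str, high: str):
    """All addresses from low to high inclusive, as strings."""
    lo, hi = int(ip_address(low)), int(ip_address(high))
    return [str(ip_address(n)) for n in range(lo, hi + 1)]


class StaticNAT:
    """One internal address <-> one external address, fixed in advance."""
    def __init__(self, mapping: dict):
        self.out_map = dict(mapping)
        self.in_map = {ext: internal for internal, ext in mapping.items()}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        ext = self.out_map.get(pkt.src)
        return None if ext is None else Packet(ext, pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        internal = self.in_map.get(pkt.dst)
        return None if internal is None else Packet(pkt.src, pkt.sport, internal, pkt.dport)


class PooledNAT(StaticNAT):
    """Internal hosts take a free external address from a pool on first use."""
    def __init__(self, pool):
        super().__init__({})
        self.free = list(pool)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src not in self.out_map:
            if not self.free:
                return None            # pool exhausted: packet cannot be translated
            ext = self.free.pop(0)
            self.out_map[pkt.src] = ext
            self.in_map[ext] = pkt.src
        return super().outbound(pkt)


class PortNAT:
    """Every internal (address, port) pair shares one external address and is
    told apart by a unique external port, e.g. 10.0.0.1 -> 168.13.1.1:1084."""
    def __init__(self, external_ip: str, first_port: int = 1084):
        self.external_ip = external_ip
        self.next_port = first_port
        self.out_map = {}   # (internal_ip, internal_port) -> external_port
        self.in_map = {}    # external_port -> (internal_ip, internal_port)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.sport)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return Packet(self.external_ip, self.out_map[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """An inbound packet reaches a LAN host only if a LAN host already
        created an entry for that external port. Nothing here checks who the
        sender is: this toy is endpoint-independent ("full cone"), which is
        the concealment-rather-than-access-control point the post makes."""
        key = self.in_map.get(pkt.dport)
        if key is None:
            return None                 # no entry: the packet has nowhere to go
        internal_ip, internal_port = key
        return Packet(pkt.src, pkt.sport, internal_ip, internal_port)
```

Real NAT implementations differ in how strictly they key the table (some also record the remote address and port), and that detail decides how much an unsolicited packet to a mapped port can reach; the toy deliberately uses the loosest keying so the difference from a rule-based filter is visible.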

*Everything* has to be installed in the first place. What else is new. You *buy* the WRT54G with LInux pre-installed.

That is simply not true. For every one person who actually posts such a question there are thousands who simply use google.

Reply to
Floyd L. Davidson

Reply to
bumtracks

I'll second (or third, or fourth) the

formatting link
(I've bought two so far, though the one on the weather station tower is getting replaced with a Linksys WRT54G).

Reply to
William P. N. Smith

Where in the specification of the question does it say that adding a second computer is a problem? :)

Barry ===== Home page

formatting link

Reply to
Barry OGrady

That's my point! A comment was made that a linux router (in this case a WRT54G) just needs to be switched on but it has to be installed in the first place.

Doesn't happen, Google for them doesn't exist, it's easier to just come along and ask again and again and again. MS even have a KB article on it.

:)

Reply to
David Taylor

If you're going to dial up, trust me, 10Mbps network interface and 802.11b is NOT a limitation.

David.

Reply to
David Taylor

No NAT router is running FW software in the traditional sense. The manufactures of the product can hype it all they want as being a solution that's running FW software.

I suggest that you drop a line at comp.security.firewalls about a WRT54G or any other NAT (no FW) router being used in the home to people that make a living at it about this.

If the WRT54G can meet all the specs below, then it's an appliance running FW software. If the WRT54G cannot meet the specs, then it's not an appliance that's running FW software. I know that the low-end Watchguard Firebox III SOHO 6 firewall appliance that I use meets those specs. I know that the 54G or anyother Linksys NAT router or any NAT router for home usage period is not running FW software. The NAT routers are good enough in the protection as long as one is not doing high risk things like port forwarding.

What does a firewall do?

A firewall examines all traffic routed between the two networks to see if it meets certain criteria. If it does, it is routed between the networks, otherwise it is stopped. A firewall filters both inbound and outbound traffic. It can also manage public access to private networked resources such as host applications. It can be used to log all attempts to enter the private network and trigger alarms when hostile or unauthorized entry is attempted. Firewalls can filter packets based on their source and destination addresses and port numbers. This is known as address filtering. Firewalls can also filter specific types of network traffic. This is also known as protocol filtering because the decision to forward or reject traffic is dependent upon the protocol used, for example HTTP, ftp or telnet. Firewalls can also filter traffic by packet attribute or state.

Duane :)

Reply to
Duane Arnold

Lots of words, but what do you mean? What, for example, is "the traditional sense"? I'm really hard pressed to see how the Linux firewall is not a firewall...

Well, I *did* go read comp.security.firewalls and searched with google for articles about the WRT54G. I've seen a *lot* of recommendations that say the WRT54G is a fine firewall...

So tell us just what "spec" below is not fully met by the standard Linux firewall in a WRT54G? And, please explain what difference it makes whether it is an "appliance" or not?

Why do you say that? I found one message where *you* provide a URL, which says the WRT's firewall is "an advanced form of firewall". I seem to recall where *you* had good things to say about the firewall in Suse Linux.

You do realize that the WRT54G runs Linux and has the same firewall built into the kernel as any other Linux, right? Do you have a WRT54G, and/or know what is in it?

Please explain what you mean. And be specific about how it applies to a Linux router.

So what part of that is not being done in the WRT54G firewall?

I am certainly no expert on firewalls, but I just don't see a thing in that list which the WRT54G doesn't do.

Reply to
Floyd L. Davidson

Quite, I'm not sure what the issue is here when you're agreeing with me. I have yet to pick an old PC with a pre-configured linux firewall/wireless router out of a bin though. There's always a first time eh? :)

In the grand scheme of things sure but often not.

formatting link
It was actually preceded by KB555372 which actually included "Google is your friend" but an MS employee got it pulled and re-edited.

David.

Reply to
David Taylor

snipped-for-privacy@apaflo.com (Floyd L. Davidson) wrote in news: snipped-for-privacy@barrow.com:

The traditional sense being that packet filtering rules cannot be set on the router that can stop both inbound and outbound traffic by port, protocol, or IP.

I can set a rule with the Watchguard to do the following:

Rule stop outbound traffic

1) LAN IP(s) 192.168.111.2 through 192.168.111.5 outbound
2) Protocol HTTP
3) Remote destination IP(s) 207.169.222.56 through 207.169.222.60

Or rule to stop inbound

1) Remote IP 207.222.777.66 inbound
2) Port 119
3) LAN IP(s) 192.168.111.7 through 192.168.111.10

That's an example where I can set filtering rules with the Watchguard that I cannot do with the 54g.

The 54G cannot set those rules.

I don't think the TOP Guns in that NG will consider the WRT54G to be an appliance that's running a FW. If you have read something that indicates that the 54G or any Linksys router is running FW software, then those posts were by posters such as yourself with the misconception that a Linksys router is running FW software or a NAT router for home usage is running FW software. So again, I ask you to drop a line in the FW NG about a Linksys NAT 54G or otherwise router as to it or them being an appliance that's running FW software by those that use the product solutions as part of their livelihood.

A firewall examines all traffic routed between the two networks to see if it meets certain criteria. If it does, it is routed between the networks, otherwise it is stopped. A firewall filters both inbound and outbound traffic. It can also manage public access to private networked resources such as host applications. It can be used to log all attempts to enter the private network and trigger alarms when hostile or unauthorized entry is attempted. Firewalls can filter packets based on their source and destination addresses and port numbers. This is known as address filtering. Firewalls can also filter specific types of network traffic. This is also known as protocol filtering because the decision to forward or reject traffic is dependent upon the protocol used, for example HTTP, ftp or telnet. Firewalls can also filter traffic by packet attribute or state.

The specs being that a FW solution whether it's running on an appliance or a host solution running on a gateway computer using the specs above can set filtering rules to *stop* inbound or outbound traffic by port, protocol, IP or packet attribute.

So tell me where in the Wrt54g manual that the NAT router can set those rules.

The software FW running on Suse Linux and the firmware running on the 54G even though they are Linux solutions are not the same thing.

And I don't know where you got that about me saying that a WRT has an advanced FW. If I did say it, then it was due to my ignorance about FW(s) which has been corrected by the TOP Guns in the FW NG. The 54g has FW like features but is not running FW software.

I also had good things to say about Vicomsoft's Windows Server based network FW solution too.

Heck the BEFW11S4 v1 router I had was running a Linux solution.

Again I ask you to drop a line and ask the question to the Top Guns in the FW NG about a Linksys NAT router running FW software. And as far as that is concerned, my Watchguard is running Linux too.

When I port forward 80 to an IP/machine behind the Watchguard that has a Web server running, I am assured that only HTTP traffic comes down that port or if it was 20 and 21 that only FTP traffic comes down the ports, dropping all other traffic that tries to come down the ports, as an example.

Rule stop outbound traffic

1) LAN IP(s) 192.168.111.2 through 192.168.111.5 outbound
2) Protocol HTTP
3) Remote destination IP(s) 207.169.222.56 through 207.169.222.60 Internet IP(s)

Or rule to stop inbound

1) Remote IP 207.222.777.66 inbound Internet IP(s)
2) Port 119
3) LAN IP(s) 192.168.111.7 through 192.168.111.10

Stop outbound from a LAN IP

1) LAN IP 192.168.111.3
2) Ports 1-65535 TCP, UDP or protocol number
3) Destination LAN IP(s) *ANY*
4) OR 192.168.111.5 through 192.168.111.10

The link may help in understanding FW solutions and a packet filtering router is no match for a FW appliance, even a low-end FW appliance.

formatting link
I only bring this whole thing up because some people may have more plans for his or her setup like hosting a Web server and should know the difference between a packet filtering NAT router on which one may or may not be able to set rules as opposed to a FW appliance and the differences. The link above explains it in detail.

Again a NAT router is a border device and is good in the protection for the average home user; until high risk things are done with the router then all bets are off.

Duane :)

Reply to
Duane Arnold
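The rules in the post (stop outbound by LAN range, protocol and remote range; stop inbound by remote address, port and LAN range; stop everything outbound from one LAN host) are plain packet-filter rules, and the "established" check that a stateful filter adds is what lets replies to permitted outbound traffic back in. The Python below is an added illustration written for this thread; it is not code from the post, from WatchGuard or from Linksys firmware. The 192.168.111.x and 207.169.222.x addresses are the post's own; 203.0.113.x addresses are constructed stand-ins, with 203.0.113.66 replacing the post's unroutable 207.222.777.66. "Protocol HTTP" is modelled as TCP to port 80, which is an assumption (WatchGuard service objects are not reproduced).

```python
"""Toy stateful packet filter with the post's three rules. Added example, not
code from the thread or any product. Addresses 192.168.111.x / 207.169.222.x
come from the post; 203.0.113.x are constructed stand-ins."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional, Tuple

IPRange = Tuple[str, str]  # inclusive (low, high)


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" (LAN -> Internet) or "in" (Internet -> LAN)
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str
    action: str                      # "drop" or "accept"
    src: Optional[IPRange] = None    # None means any
    dst: Optional[IPRange] = None
    proto: Optional[str] = None
    dport: Optional[int] = None


def in_range(addr: str, rng: Optional[IPRange]) -> bool:
    if rng is None:
        return True
    a = ip_address(addr)
    return ip_address(rng[0]) <= a <= ip_address(rng[1])


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and in_range(pkt.src, rule.src)
            and in_range(pkt.dst, rule.dst)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


# The post's rules, in the order given. "Protocol HTTP" = TCP port 80 (assumption).
# On a netfilter router the first rule would be written roughly as
#   iptables -A FORWARD -m iprange --src-range 192.168.111.2-192.168.111.5 \
#       -p tcp --dport 80 -m iprange --dst-range 207.169.222.56-207.169.222.60 -j DROP
RULES = [
    Rule("out", "drop", src=("192.168.111.2", "192.168.111.5"),
         dst=("207.169.222.56", "207.169.222.60"), proto="tcp", dport=80),
    Rule("in", "drop", src=("203.0.113.66", "203.0.113.66"),
         dst=("192.168.111.7", "192.168.111.10"), dport=119),
    Rule("out", "drop", src=("192.168.111.3", "192.168.111.3")),  # any proto/port/dst
]


class Firewall:
    """First-match rule evaluation plus a flow table: replies to accepted
    outbound flows are admitted as established before the rules run, and any
    unsolicited inbound packet is dropped by default policy."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()   # (proto, lan_ip, lan_port, remote_ip, remote_port)

    def process(self, pkt: Packet) -> str:
        if pkt.direction == "in" and \
                (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "accept"   # reply to a tracked outbound flow
        verdict = next((r.action for r in self.rules if matches(r, pkt)), None)
        if verdict is None:
            verdict = "accept" if pkt.direction == "out" else "drop"
        if verdict == "accept" and pkt.direction == "out":
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict
```

The flow table is what separates this from the NAT table alone: an inbound packet is admitted because a matching outbound flow was recorded, not because an address happened to have a translation entry, and a rule can still stop an inbound or outbound packet by address, protocol or port before any state is consulted.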

I am no expert on firewalls, but as near as I can tell this example:

formatting link
Suggests otherwise.

I don't see why not. As noted, I'm not much on firewalls, but what I read in the man page for iptables seems to say that all of the above can be done.

Hmmm... here is what you wrote, two years ago, in Message-ID:

"That WRT54G doesn't have a firewall. It has NAT and SPI. A router with a true firewall start at about $500 and up.

formatting link
"

However, when we look at the URL, it contradicts what you say about SPI (emphasis added),

"Stateful packet inspection (SPI)

*Some* *NAT* *routers* *have* *an* *advanced* *form* *of* *firewall* *built* *in* *that* *does* *'stateful* *packet* *inspection'*. ... SPI is a general term that can describe a router that filters more kinds of attacks than basic NAT by closely examining packet data structures.
formatting link

Okay... So you at least know that the WRT54G does indeed have both NAT and SPI. Some people at least say that SPI in itself constitutes an "advanced" firewall. In fact though, what is described as SPI might be different from one model/manufacturer to another.

Here is a URL with a definition, and which *clearly* indicates that the Linux implementation is indeed an "advanced form of firewall".

formatting link

[repeat of previous "spec" deleted]

Yes yes, but the question was about just what part of that spec is not fully met by a WRT54G. Near as I can tell, it does everything on your list.

Read the man page for /iptables/, which configures the kernel firewall functionality.

...

They are *identical*.

Did it have the kernel firewall modules enabled?

And just what comparisons can you draw from "your" Watchguard running Linux compared to other equipment (also running Linux). Does your particular Watchguard use iptables?

In fact I don't think that is true. But to whatever degree it is true, the *exact* same functionality is available to the WRT54G via iptables as is available to your Watchguard. In any case I don't think it is examining the *data* load of a packet and trying to parse whether it is indeed valid for any given protocol.

So you actually think that iptables cannot do the same things?

How does that apply to our conversation about the firewall provided by Linux?

But NAT is not the only facility provided, right?

Reply to
Floyd L. Davidson

You didn't know that the WRT54G comes with iptables??? Out of the box! Every time...

I am talking out of the box...

You were entirely wrong then, and don't seem to know much about Linux or the WRT54G as a firewall now either.

Have I said the definition of a firewall you posted was not good??? No... but you have yet to point out any way in which the WRT54G does *not* fit that definition precisely.

The Linksys firmware uses iptables. Out of the box...

I haven't claimed that the Linksys documentation was good.

Could it be that I actually know what the Linksys firmware does? Hmmm...

Hmmm... cluelessness?

These various parts of this conversation are what *you* brought up, not me. The odd thing is that you don't seem to actually know anything about the relationship between them.

Ask them then. (I'm not guessing, BTW.)

The firmware out of the box has that capability; however, I don't have any problem at all with using third party firmware which provides a better interface to the already existing firewall capability.

Could it be that you injected it, under the false assumption that it was going to make your point?

Except that it does.

I see no problem with recommending that people purchase a WRT54G with the intent to upgrade to a third party firmware release. It is *not* some giant technical chasm that only some can leap.

Actually, in some cases it may be significantly better, the same, or perhaps only equal.

And what you haven't yet understood is that they *all* use the same firewall modules.

So?

Your generic descriptions are useful for a generic understanding, which you do appear to have.

Specific equipment, however, requires specific knowledge.

Reply to
Floyd L. Davidson

What does IPtables have to do with the out of the box firmware of a WRT54G NAT router? OH, could it be that you're talking about firmware that is not the out of the box firmware?

What does IPtables have to do with the out of the box firmware of a WRT54G NAT router? OH, could it be that you're talking about firmware that is not the out of the box firmware?

That's freakin' two years ago and is based on my knowledge then at the time.

Yeah, yeah true and the operative word there is *form* of a FW built in and SPI alone doesn't make it an appliance running FW software in the traditional sense. And you'll notice even then I was not calling the 54G something that was running *true* FW software.

Yeah I know that.

So somehow you're going to tell me that NAT and SPI is a total FW solution right and NAT is FW software.

What does IPtables have to do with the out of the box firmware of a WRT54G NAT router? OH, could it be that you're talking about firmware that is not the out of the box firmware?

I read the user manual for the Linksys WRT54G about its FW capabilities, the one out of the box. And I see nowhere that rules for inbound and outbound traffic can be set like it can be set for packet filtering like they can be for the WG. I see no ability to set a FW service for the Linksys like it can be set for the WG.

What does IPtables have to do with the out of the box firmware of a WRT54G NAT router? OH, could it be that you're talking about firmware that is not the out of the box firmware?

What does IPtables have to do with the out of the box firmware of a WRT54G NAT router? OH, could it be that you're talking about firmware that is not the out of the box firmware?

The 11S4 V1 router came out the door with SPI and that was removed from the firmware long ago because Linksys couldn't get it to work properly and it was removed for all versions of the 11S4 router the last time I looked. SPI was the only FW like feature the 11S4 routers had that I knew about the last time I looked.

What are you talking about here? How in the HELL did this conversation turn from a WRT54G NAT router and its firmware out of the box to a WRT54G is now running iptables? And what does iptables have to do with the WG that I am using. I could care less about the WG using iptables. I could care less about it using Linux as far as that is concerned. As long as the WG is doing what I am asking it to do with the ability to set the rules I need and its other abilities, I could care less about it. It could be the Mickey Mouse kernel I could care less about it. :)

Well you're wrong about it and I am going to go with what I have been told by others who are *FW experts*, which you have indicated that you're not one and they do make a living at and I suspect know more than you or I about it.

What are you talking about here? I looked at the user manual for the WRT54G as it comes right out of the box. You show me where it's doing the above. OH, could it be that you're talking about firmware that is not the out of the box firmware?

How did the conversation period come away from the firmware that comes with the WRT54G NAT router out of the box? OH, could it be that you're talking about firmware that is not the out of the box firmware?

Yeah my WG uses NAT too. So what?

It's just like anything else, software can be implemented in a device to enhance its abilities. The firmware that comes with the Linksys Wrt54g out of the box doesn't meet the specs for something that's running FW software, which is what I am talking about. I do know that the 54g has some 3rd party firmware solutions that can be implemented that's apparently using iptables and I am happy for you.

And I doubt that the 3rd party firmware that's running on the 54g using iptables can match the abilities of my low-end WG firewall appliance or a high-end one that costs thousands of dollars.

And most devices such as routers and FW appliances run Linux.

Definitions of IPtables on the Web:

The Linux *packet filtering* tool that is used by SmoothWall to provide firewalling capabilities.

formatting link

In computer networking, netfilter, along with its companion iptables, are collectively a software extension to the Linux operating system that implements a stateful firewall framework. It also enables other networking features such as network address translation (NAT). Although netfilter is an extension to Linux, it is included in all major Linux distributions that use the 2.4 or 2.6 kernel. Netfilter does not work with Linux kernels older than version 2.4. en.wikipedia.org/wiki/Iptables

Or you can go read the information in the link I provided, which is snipped below, and packet filters have strengths and weaknesses. I am able to make the adjustments and understand the differences between a packet filtering NAT router and a FW appliance.

Packet Filtering Router

A packet filtering router is a router configured to screen packets between two networks. It routes traffic between the two networks and uses packet filtering rules to permit or deny traffic. Implementing security with a router is usually not that easy. Most routers were designed to route traffic, not to provide firewall functionality, so the command interface used for configuring rules and filters is neither simple nor intuitive.

Dual-homed Gateway

A dual-homed gateway typically sits behind the gateway (usually a router) to the untrusted network and most often is a host system with two network interfaces. Traffic forwarding on this system is disabled, thereby forcing all traffic between the two networks to pass through some kind of application gateway or proxy. Only gateways or proxies for the services that are considered essential are installed on the system. This particular architecture will usually require user authentication before access to the gateway/proxy is allowed. Each proxy is independent of all other proxies on the host system.

Firewall Appliance

A firewall appliance typically sits behind the gateway (usually a router) to the untrusted network. This architecture resembles the *packet filtering* router and *dual-homed Gateway* architectures in that all traffic must pass through the appliance. In most instances these appliances come pre-configured on their own box. They may also have other services built in, such as Web servers and e-mail servers. Because they usually don't need the extensive configuration that other firewalls often require, they are touted as being much simpler and faster to use. Some manufacturers market them as "plug-and-play" firewall solutions.

Reply to
Duane Arnold

Can I muddy the waters with my opinions?

Ever wonder why the terms "firewall" and "router" are different and haven't been combined into one? You don't hear about anyone selling a "firewall router" or some similar conglomeration. That's because the common definitions have changed somewhat since Cisco first invented routers and are difficult to isolate.

These days, a firewall is anything that keeps the barbarians out of a protected LAN. It can be NAT, PAT, SPI, dual bastion host, manual inspection, or a dog sniffing packets, and still be considered a functional firewall. How this is accomplished varies by technique, complexity, topology.

A router is just something that glues two networks together. That was the original purpose of routers and remains the same today. It's assumed to operate at the IP level and make some decisions relating to connecting two (or more) IP networks together. It does this by inspecting the IP headers and sometimes the packet contents, and making decisions based upon their contents.

The problem is that both firewalls and routers inspect packets and make decisions, often in exactly the same way. Yet, their purposes are different. Many of the examples previously offered of what allegedly constitutes a firewall are actually examples of router functions. For example, static routes to a remote office are a router function, not a firewall function.

Unfortunately, the large amount of overlap between firewalls and routers is where methinks the problem is hiding. Filtering by service type can be considered both a router and firewall function. Filtering by WAN side IP address is a firewall function. Controlling outgoing traffic from the LAN is pure router. I once saw a list of these features and their classification in a Cisco CCNE book somewhere on my shelf, but I sold those and can't check.

So, how can one tell if it's a firewall, router, or both? Easy, by the function it's performing. Duz the feature in question control access from the WAN to the LAN? If so, it's a firewall feature. Duz the feature in question control the way two networks are connected? If so, then it's a router feature.

In my never humble opinion, any NAT router should be considered a firewall because NAT controls access to the LAN from the WAN. How well it does this, and to what level of control is another question which methinks is at the heart of the current discussion. The WRT54G comes stock with IP Tables which is the basis of most Linux firewall implementations. (Well, I use IP Chains in FreeSCO). Dumping: iptables -L from my WRT54G will result in about 60 lines of definitions, which methinks qualify by their complexity to be a suitable router. In addition, most of these rules deal with internal/external traffic control, which methinks qualifies as firewall functions. One of the things I like about the WRT54G is that the router definitions give me more firewall control than most cheapo routers. For example, I just noticed that I have some filters in place to block IP's of spammers that try dictionary attacks on my mail server, which is a firewall feature.

Please feel free to continue the discussion. I find it interesting. However, I would like to suggest that you both consider the definitions of firewall and router in terms of what they do, rather than in terms of how they function.

Reply to
Jeff Liebermann
