Firewall for Laptop

So, I take it that you agree that simple NAT Routers for residential use can do what you said they can't, since you seem to agree that I can block the ports you said I couldn't.

The general rule is block everything that isn't needed, and it's not needed.

Sure, because they are not firewalls. So, you're not breaking anything that was there to break.

You wish you could provide proof - you can't.

Reply to
Leythos

It's not that some simple port-blocking rules would be sufficient. Most real firewall rules can't be defined on most routers' firewall implementations.

With 30 rules, this is usually too limiting.

is still a problem. Need a test? Take a look at . The list of submitted results is still small, but should give you a clue. And it's just one variant. About any implementation I've seen had one or more "heuristic forwarding" fuckups implemented without any possibility of disabling them.

Reply to
Sebastian Gottschalk

So, now you're talking about Firewalls, we were discussing NAT in relation to personal firewall solutions.

Not really, as you can block most of what's needed with the limited set of rules that many of those devices provide, others allow much more than

And it seems that it doesn't have anything to do with NAT itself - even CheckPoint1 is impacted on a poorly secured network/server. So, again, NAT doesn't really have anything to do with it as it would have the same issue if it wasn't behind a NAT solution.

Try again - show me where NAT provides less protection to the home user/laptop user than Windows Firewall, or where NAT is the root cause of the security problem - again, you don't seem to be able to.

Reply to
Leythos

Personal Firewalls? I thought we were talking about serious security measures.

You didn't get the point? This is about how new inbound connections are forwarded by NAT.

Read again.

Reply to
Sebastian Gottschalk

Then how did it start with Windows Firewall and ZoneAlarm? I was under the impression that we were talking about protecting Windows computers while online for home users. And with that, I said that I would trust a PFW over Windows Firewall, and I would trust a NAT solution over both of those.

But those examples didn't have anything to do with NAT, the same issue would have been possible without NAT - understand now?

I think you're missing the point and have fallen for several hyped exploits that have been patched since, impacted few people/systems, and generally don't apply at this time.

Reply to
Leythos

I already disregarded PFWs as nonsense, so we just kept on discussing the benefits and common misbeliefs about NAT.

And still you can't really tell why. Windows Firewall does its job. NAT does its job, but its job is not security. Personal Firewalls don't do their jobs.

You really didn't read it? The problem is that someone can trigger such NAT behaviour passively.

Hint: Download Firefox

Some NAT routers accept connections from _any_ server on port 53 when they expect a DNS reply.

Some open all ports from 1024 to 32767 for a certain time (5 minutes) when the user created an H.32x connection.

The list continues.

So far nothing has been patched and the producers didn't learn anything.

Reply to
Sebastian Gottschalk
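The "any server on port 53" behaviour described above comes down to the NAT's filtering policy for an existing mapping. The following simulation is an added example, not code from this thread or from any router vendor; it uses the RFC 4787 terms (endpoint-independent, address-dependent, address-and-port-dependent filtering) and constructed sample addresses, and shows that only the endpoint-independent policy forwards a packet from a server the host never contacted.

```python
"""Simulate a NAT's filtering decision for unsolicited inbound UDP.
Filtering modes follow RFC 4787; all IPs/ports are constructed sample values."""
from dataclasses import dataclass, field

ENDPOINT_INDEPENDENT = "EIF"      # forward if the mapped port matches at all
ADDRESS_DEPENDENT = "ADF"         # ... and the remote IP was contacted before
ADDRESS_PORT_DEPENDENT = "APDF"   # ... and remote IP:port was contacted before

@dataclass
class Mapping:
    internal: tuple                          # (ip, port) of the LAN host
    external_port: int                       # port allocated on the public side
    peers: set = field(default_factory=set)  # (ip, port) the host has sent to

class Nat:
    def __init__(self, mode, public_ip="203.0.113.1"):
        self.mode = mode
        self.public_ip = public_ip
        self.by_internal = {}
        self.by_external = {}
        self.next_port = 40000

    def outbound(self, src, dst):
        """LAN host `src` sends to `dst`; create or refresh its mapping."""
        m = self.by_internal.get(src)
        if m is None:
            m = Mapping(src, self.next_port)
            self.next_port += 1
            self.by_internal[src] = m
            self.by_external[m.external_port] = m
        m.peers.add(dst)
        return (self.public_ip, m.external_port)

    def inbound(self, src, dst_port):
        """Packet from `src` to a public port; return LAN target, or None if dropped."""
        m = self.by_external.get(dst_port)
        if m is None:
            return None                      # no mapping: always dropped
        if self.mode == ENDPOINT_INDEPENDENT:
            return m.internal                # any sender reaches the host
        if self.mode == ADDRESS_DEPENDENT:
            return m.internal if any(p[0] == src[0] for p in m.peers) else None
        return m.internal if src in m.peers else None

def dns_reply_spoof_accepted(mode):
    """The thread's case: host queried one resolver, a different host sends to the
    mapped port from source port 53. True means the NAT forwarded it."""
    nat = Nat(mode)
    pc = ("192.168.1.10", 5000)
    _, ext_port = nat.outbound(pc, ("198.51.100.53", 53))   # the real resolver
    return nat.inbound(("192.0.2.7", 53), ext_port) is not None  # unrelated host
```

A cheap device whose state table matches only the destination port behaves like `ENDPOINT_INDEPENDENT` here; a stricter policy is a per-device setting the user usually cannot verify without testing it.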

I keep seeing things like "Some" and "list", but I don't see a list of devices and firmware revisions to indicate what "Some" and "List" define.

I don't trust Windows Firewall because users can install software that reconfigures it without their knowing about it. If you set up a simple NAT solution and change the default password, you're not accidentally going to install software that will modify the NAT Router's port forwarding rules.

Reply to
Leythos

Want to help building and maintaining a list?

Bullshit. Members of the Users group don't have any privilege to modify the Windows Firewall settings.

Software like a web browser?

Reply to
Sebastian Gottschalk

Nope, I have enough to do on my own, running an I.T. company.

LOL, and just how many of those Windows computers, in the group of people we're talking about, are running as a local User? Heck, even the default install of Windows XP + SP2 installs the first user as an Administrator.

Actually, there were exploits that could, from a client's browser, map port forwards if a Linksys router was left on the default subnet with the default password.

But, in most cases, a home user, behind a NAT Appliance, can wipe/reinstall XP and run for ages without being compromised - the same isn't true of those without the NAT appliance.

Reply to
Leythos

But you're posting on Usenet, so somehow your point is not that convincing. :-)

Without the entire discussion about this point is useless and Personal Firewalls are no way different.

A NAT device doesn't stop them from downloading warez and installing the malware directly or browsing the web with the WindowsUpdate client (MSIE). This is the most common cause of malware infection today.

Reply to
Sebastian Gottschalk

I post on Usenet, as I have since 84, in order to give back to the community that has helped me over the years. I find usenet to be a great way to share technical information.

I run as a local admin on all of my XP laptops and workstations and have never encountered a problem, but I also have my computers set up securely (with that exception), and when I'm outside my protected networks I use a PFW to protect my computer. I also plan on purchasing one of the new single-point NAT routers for laptops so that I can be more secure in hotels, on unsecured networks, etc....

And neither would a personal firewall and you know as well as I do that Windows Firewall would not even think about blocking it - so that means that a NAT Appliance would provide the protection needed to get them online safely to start with.

Reply to
Leythos

Yup. And as a Usenetizen you should know the common definition. Usenet: I have too much free time.

Seems like you didn't take any detailed look at things, or never encountered anything related to the problem.

So far any modern malware easily shuts down any Personal Firewall with ease.

LOL. Get a serious configuration and maybe a good host-based packet filter.

A NAT Appliance doesn't either.

Once again: It's trivial to get Windows to offer no unwanted services without breaking anything. You don't need either a host-based packet filter or a NAT device, nor are they any replacement for such a configuration. You can get behind NAT, you can trivially get behind Personal Firewalls, you might get behind a serious host-based packet filter - but a non-existent service cannot be attacked.

Reply to
Sebastian Gottschalk

Maybe for you, but instead of watching TV or doing other unconstructive things, when I need a break I look over at the console running the Usenet client and interact with it when needed. If you find Usenet interaction to be a waste of time, then why are you here?

And that would include the Windows Firewall that VB seems to be sooooo keen on. Fact is that I can setup ZoneAlarm on a dialup system, leave the user alone for a year or more and come back to a clean machine when it's time to upgrade. I've never been able to do that when people use the Windows Firewall only.

One other thing - I've never seen any personal firewall disabled/shut down on anyone's machine, ever. I have seen them punch holes through them, manually, or via accepting a PERMIT without understanding it, but I've not seen a machine get malware that disabled the firewall.

Again, unless you can point to vendor part numbers and firmware versions that were exploited, while some of those issues are a problem, we don't have any idea how old/unfixed the problems are. So, in general, I'm going to trust a NAT Appliance over Windows Firewall every time.

What part of inbound protection did you miss? Since your typical user can't install their OS and patch it BEFORE they are compromised, the NAT Router gives them the ability to install/patch without being compromised, as long as all they do is install/patch without browsing to unnecessary sites.

Which doesn't mean crap, as most users have no idea how to disable services, how to filter, how to do anything other than use the default setup. So, since experience shows that people behind a NAT Appliance have a significantly better level of security, what are you suggesting?

It's rather simple - users with a NAT Appliance are magnitudes more likely to remain safe on a default system than those trusting a personal firewall solution. Additionally, users running a third-party PFW are magnitudes more likely to remain secure than those running Windows Firewall.

Both NAT and PFW solutions have holes, but the NAT solution has fewer holes than PFW solutions, and third-party solutions have fewer exposure points than Windows Firewall does. This is the important part.

Reply to
Leythos

Since '84 and still not knowing the most common Usenet jokes? ;-)

Right. So, what's your point against WF?

Now I prefer staying in this parallel universe.

Because most don't? At most for stupid reasons.

OK, why didn't you write that you lack real-world experience in the first place?

The part where a NAT Appliance reliably does so? The part where this is about inbound connections not being the major problem?

Why didn't you tell that you simply want to sell NAT Routers? You can easily do the same without one, for free, so your point being?

That's what your job is. Give 'em a script and not an only-sometimes-working NAT Router workaround.

But you're suggesting the usage of Personal Firewalls? Get serious!

That's you readjusting your view on reality. Your so-called experience obviously isn't worth anything.

In which parallel universe?

Reply to
Sebastian Gottschalk

I think that is a matter of exactly how one defines disabled. The average user would consider a firewall to be enabled if the icon appears on the taskbar. ;)

Getting back to the subject, if a user were to punch a hole in the firewall or permit a connection without understanding what they have permitted, by my definition the PF would be considered disabled even though that required human intervention.

Another problem with personal firewalls is that other apps/services can initialise before the firewall does. As a for instance, a customer wanted a clean install of Win2K, along with Sygate and RealPlayer. After a clean Win2K install with all the updates, I installed Sygate, then RealPlayer. After the reboot, I watched realschedule.exe initiate a connection to realnetworks before Sygate had finished loading.

*Disclaimer: Sygate was what that customer wanted, so no others were tested. I do not know that any of the other personal firewalls would behave any differently.

The end result is that if a legitimate app can open a connection before the firewall is up and running, then it stands to reason that malware can do the same. In that situation I would consider the personal firewall to be effectively disabled.

Reply to
Renegade

It's really a shame that you don't appear to know more than what you've learned from VB or your own personal home, minimal, experiences.

Real world experience shows that even a cheap NAT router provides more protection to home users than Windows Firewall or even other PFW apps.

Reply to
Leythos

Yes, I agree, but you're talking outbound in this example. What I'm talking about is general security for people with computers connected to the internet - no Windows Firewall or PFW will properly protect them against unwanted inbound connections seeking to exploit the many holes in windows (patched or unpatched), but a router at least gives them a fighting chance, more than WF or any other PFW.

I would also say that I've seen Tiny and ZAP protect computers that were on dial-up or a direct connection to the Internet or an infected LAN, in fact I've seen ZAP work for users for years without any updates and without their machines being compromised.

People can say that none of those PFWs work all they want, they can cite the exploits, they can rant and rave about it, but the real-world use by many people shows that while things may have holes in some specific settings, many people don't experience those exact settings and they remain protected.

Reply to
Leythos

What bullshit.

The real world is that those systems are usually messed up in exactly the same way.

Reply to
Sebastian Gottschalk

My bad, I missed your point. I agree that I have never seen a properly configured NAT router disabled by an inbound connection. I'll not say that it won't/can't happen, just that I have not personally seen it happen myself.

Reply to
Renegade
