What's the point of not allowing all outgoing traffic by default?

Cisco had an excellent TV commercial. A CEO type (who presumably has plenty of access from his PC) was suddenly told about a breach, which was detected by the Cisco infrastructure before it could do any damage. They were wondering where it came from, when the daughter of the CEO, all of 7 years old, came out of his office: "Dad, I found a site with many cool games!" Or she brought a CD from home, or something.

-Ramon

Ramon F Herrera

Are you trying to tell us that you cannot possibly grasp the concept of a question being philosophical while being technical?

I find it hard to believe that you cannot accept such simultaneity. Ever heard of the wave-particle dual nature of light? Do you also have a problem accepting it?

-Ramon

Ramon F Herrera

Looking at the calendar, it's not the 50s anymore, it's 2007. Light is neither a wave nor a particle; it's a quantum object that, when measured, shares some properties of a wave and some properties of a particle.

At any rate, your analogy is bullshit. Malware running on your PC is like children with god-like powers: they're free to ignore anything that is not imposed hard. Network traffic filtering isn't anywhere near a hard imposition; the malware is free to simply hijack an already trusted application and make it deliver the network traffic on its behalf. That's the point where you lose.

Sebastian G.

Strange. If I had malware with its own SMTP engine running on an infected PC, with a proper firewall in place that malware could not send emails to the world directly, since the firewall limits outbound SMTP to the mail server only, would alert on a node trying, and knows the difference between SMTP and plain port 25 traffic.

Leythos

Sebastian:

I setup Cisco firewalls for a living, while you obviously don't.

When we talk about a "firewall", you do understand that, by definition, they have to be in a separate box with a specialized/customized OS, don't you? You wouldn't build a car firewall with the same materials as the rugs and seats, would you?

If you are talking about the crap that Windopes use inside their PCs, then I have absolutely nothing to discuss, except to smile disdainfully and smugly. :-\

-Ramon

Ramon F Herrera

Right. I'm building them myself, and when not I sure know how to avoid Cisco and Netgear stuff as much as possible.

Right, but we are already talking about application-level filtering. Which means discretionary and/or mandatory access control mechanisms on processes and sockets.

We could also talk about SELinux. It's the same thing there.

Or we could step back a bit and talk about application-layer filtering. Basically the same issue, any malware can impersonate or even spoof legitimate clients.

Sebastian G.

Was that a measured 150 watts? That's an enormous amount of power for a PC being used as a firewall. By chance, did that also include a monitor or display of some kind?

With obvious limitations, sure.

It's probably going to be a lot harder now, as the old stuff has largely disappeared. The firewall at home (cable, dialout backup, masquerading a number of systems on the LAN) is what is left of a 386SX-16 laptop of uncertain origins (may be an Acer), with 8 Megs of RAM and an ancient 420 Meg disk. No case, no keyboard, no display. It's drawing about 15 VA, most of which is in that hard disk. I believe in running the absolute minimum of services _on_ the firewall, so the DNS and NTP servers are actually on the secondary file server.

--------------------- "Emacs is a great OS. The only thing it lacks is a decent editor."

------- It's actually Emacs that is the OS and GNU/Linux the device-driver.

------- Actually I tried Emacs, but it kept asking for my credit card details to buy a better computer to run on.

------- Computers tend to come with at least 512Mb RAM these days. Half for X, half for emacs, what's the problem?

---------------------

Everyone is always banging away at emacs, but

--------------------- "Thanks to the joint efforts of OpenOffice, Mozilla, and a few others, Emacs officially entered the category of lightweight utilities." -- kalifa on /.

---------------------

For a _standalone_ firewall, where you have the chance of windoze boxes behind it getting 0wn3d, a rule that blocks _OUTBOUND_ SMTP except to the ISP's smart server would not be unreasonable, although you look to be comcast, and at least _some_ sections of the comcast network are finally blocking it for you. "tcptraceroute", "hping3" (or hping2) and "mtr" can be used to check this.

[compton ~]$ whatis traceroute tcptraceroute hping2 hping3 mtr
traceroute (8) - print the route packets take to network host
tcptraceroute (8) - A traceroute implementation using TCP packets
hping2 (8) - send (almost) arbitrary TCP/IP packets to network hosts
hping3 (8) - send (almost) arbitrary TCP/IP packets to network hosts
mtr (8) - a network diagnostic tool
[compton ~]$

Old guy

Moe Trin
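Both Leythos' point (limit outbound SMTP to the mail server and alert on any other node trying) and Moe Trin's rule (block outbound SMTP except to the ISP's smart host) come down to one egress policy plus a way to notice hosts that violate it. The following is an added example, written for this page and not code from any of the posters: it encodes that policy and runs it over a few netfilter-style LOG lines. The LAN range, the relay address and the log lines are all constructed for the example; the addresses come from the documentation ranges and do not refer to any real host.

```python
"""Egress check: which LAN hosts are trying to speak SMTP to anything but the relay?"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Assumed policy (hypothetical values): the LAN behind the firewall, and the
# single destination to which outbound port 25 is permitted (the ISP's relay).
LAN = ip_network("192.168.1.0/24")
MAIL_RELAY = ip_address("203.0.113.25")
SMTP_PORTS = {25}

# Netfilter LOG-style lines, constructed for this example (not real captures).
# A firewall rule such as  -A FORWARD -p tcp --dport 25 -j LOG --log-prefix "OUT_SMTP "
# placed before the DROP would produce lines of this shape.
SAMPLE_LOG = """\
kernel: OUT_SMTP IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.25 PROTO=TCP SPT=51000 DPT=25 SYN
kernel: OUT_SMTP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP SPT=51001 DPT=25 SYN
kernel: OUT_SMTP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.8 PROTO=TCP SPT=51002 DPT=25 SYN
kernel: OUT_HTTP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.9 PROTO=TCP SPT=51003 DPT=80 SYN
kernel: OUT_SMTP IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=192.0.2.50 PROTO=TCP SPT=51004 DPT=25 SYN
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=(\d+) DPT=(\d+)")


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


def parse_flows(text):
    """Pull (src, dst, proto, dport) out of each LOG line; skip lines that don't match."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        flows.append(Flow(ip_address(m.group(1)), ip_address(m.group(2)),
                          m.group(3), int(m.group(5))))
    return flows


def smtp_allowed(flow):
    """The egress rule itself: LAN hosts may open SMTP only to MAIL_RELAY.

    Non-SMTP flows return True because this rule simply does not apply to them;
    other rules in the chain would decide their fate.
    """
    if flow.proto != "TCP" or flow.dport not in SMTP_PORTS:
        return True
    return flow.src in LAN and flow.dst == MAIL_RELAY


def find_direct_smtp(flows):
    """Return {src: attempt_count} for LAN hosts that tried SMTP somewhere other than the relay.

    A host with its own SMTP engine (spam bot) typically shows up as one source
    hitting many distinct destinations on port 25, which is what this counts.
    """
    offenders = {}
    for f in flows:
        if f.src in LAN and not smtp_allowed(f):
            key = str(f.src)
            offenders[key] = offenders.get(key, 0) + 1
    return offenders


if __name__ == "__main__":
    for host, n in find_direct_smtp(parse_flows(SAMPLE_LOG)).items():
        print(f"ALERT: {host} attempted direct outbound SMTP {n} time(s)")
```

Note what this does and does not do: it is a port and address check, which is all a packet filter gives you. Leythos' further point, that a firewall should tell real SMTP from arbitrary traffic on port 25, needs application-layer inspection on the box, and Sebastian's objection still stands for anything the malware can tunnel through a legitimately permitted client. To verify the rule from a LAN host the way Moe Trin suggests, `hping3 -S -p 25 <some outside host>` should get no SYN/ACK back while the same probe against the relay should, and `tcptraceroute <outside host> 25` should stop at the firewall.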

Are you really that lost? You attempt to imply (here, and in other groups like comp.mail.sendmail, comp.os.linux.(misc|security) some expertise, but your technical philosophical answer totally misses the boat.

I've no idea why you feel that may have even the most remote connection with the question that was posted. Oh, and on your comp.mail.sendmail question, use the search engine you are posting from to look through recent posts to the newsgroup "news.admin.net-abuse.blocklisting" and you may discover some of what is being used now.

Old guy

Moe Trin
